At a glance.
- Disrupting Trickbot.
- Five Eyes plus two call for backdoors that would be responsive to warrants.
- Pakistan moves against TikTok on grounds of "indecency."
The complicated disruption of Trickbot.
Anticipating an assault on the upcoming election, US Cyber Command and Microsoft launched separate attacks on Trickbot’s million-strong global botnet, the New York Times and KrebsOnSecurity report. Trickbot, which has for the most part served as a ransomware distribution system, has not yet been deployed against electoral infrastructure, but could be used on registration and reporting systems. Last week the CyberWire discussed temporary interruptions of unknown origin to the credential-stealing, ransomware-spreading Moscow-linked malware. According to officials who spoke to the Washington Post on condition of anonymity, Cyber Command was behind the commotion. Their offensive stormed Trickbot servers, bringing phony records as a housewarming gift, and freed captive devices. The campaign may have been a failure, a distraction, or a shot across Moscow’s bow.
Microsoft, for its part, saddled up with Slovak software firm ESET, Symantec, Lumen’s Black Lotus Labs, the Financial Services Information Sharing and Analysis Center, and NTT Limited to plot the botnet and execute a legally-sanctioned “technical action,” according to WeLiveSecurity, Microsoft, and KrebsOnSecurity. ESET contributed “analysis, statistical information, and known command and control server domain names and IPs” to the effort. Microsoft set an interesting precedent in the process, successfully obtaining a court order to seize infected servers on claims of copyright and trademark law violations. The company argued that the threat actors “physically alter and corrupt Microsoft products,” resulting in irremediable harm to the business’s “reputation, brands, and customer goodwill.”
Corporate Vice President of Customer Security and Trust Tom Burt, who said Microsoft had been planning the move since April, announced, “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.” Some experts maintain the disruption is limited and likely temporary since the botnet is diffuse and dynamic. Swiss botnet monitoring firm Feodo Tracker shows numerous tricked-out servers still online. Threat analysts at Intel 471 say they have “not seen any significant impact on Trickbot’s infrastructure and ability to communicate.” Bloomberg offered a different perspective, claiming, “It will likely take months or years for the criminals to recover, if at all.” Trickbot perps are considering a one-thousand-four-hundred percent ransomware demand raise in retaliation, according to Security Boulevard.
We received comment from Nozomi on the takedown. Nozomi Advisor and Former US Department of Homeland Security Undersecretary Suzanne Spaulding sees the operation as an example of whole-of-nation, public-private action, albeit one more coincidental than coordinated:
“The Microsoft take-down is an example of exactly the kind of whole-of-nation, even whole-of-world, approach we need. The private sector working with government at all levels, including state and local governments who've been victims and multiple federal entities, including the courts, as well as international partners, all coming together to identify and disrupt the bad guys. Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election because ransomware is a threat that CISA Director Chris Krebs says keeps him up at night. If malicious actors were able to disrupt the election, by locking up voter registration databases or systems involved in vote tabulation or reporting, they could undermine public confidence in the legitimacy of the election.”
Nozomi's co-founder, Andrea Carcano, offered observations on the role of trademark law and other civil statutes in effecting such takedowns:
“This isn’t the first time that Microsoft has leverag[ed] trademark laws to chase down botnet operators. They used the tactic back in 2011 to take down Rustock. IoT botnets are among the fastest growing categories of attacks, and Trickbot alone has impacted millions of computers. While botnet operators are using every trick in the book to expand their malicious activity, defenders for obvious reasons have to comply with the law when implementing the countermeasures. But as Microsoft’s actions show, this doesn't mean that you cannot be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating behind the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control.
“In general, it can be quite challenging to disrupt the malicious activities of botnets. And Microsoft has a history of stepping up with aggressive countermeasures. In March, Microsoft called on its technical and legal partners in 35 countries to disrupt Necurs, a popular hybrid peer-to-peer botnet. By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months. Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure. By proactively getting in front of Necurs, Microsoft was able to significantly disrupt the botnet.”
International statement calls for backdoors.
On Sunday representatives of the Five Eyes, India, and Japan issued a joint "International Statement" on "End-To-End Encryption and Public Safety." The statement affirmed support for strong encryption, but deplored "counter-productive and dangerous approaches that would materially weaken or limit security systems," and then called upon companies to design systems so that law enforcement could, with proper authorization, access encrypted communications.
Pakistan outlaws TikTok for ethical reasons.
Last Friday Islamabad banned TikTok due to its “immoral and indecent” content, TechCrunch reports, following what the Pakistan Telecommunication Authority (PTA) referred to as a “number of complaints from different segments of the society.” Should the platform take action against offending content, the PTA will reconsider its decision.