US Cyber Command and the private sector disrupt Trickbot.
KrebsOnSecurity reported last week that unknown operators were disrupting the Trickbot botnet, and these operators turned out to be US Cyber Command, the Washington Post reports. Cyber Command had been concerned that Trickbot’s use in deploying ransomware made it a potential threat to the November elections. Anonymous US officials told the Post that the operation was part of Cyber Command's strategy of persistent engagement, which was honed during the 2018 midterm elections. While the operation wasn't expected to deal a lasting blow to Trickbot, it did create some friction for the attackers during the lead-up to the elections. One official told the Post, "At a time when ransomware is eating the world, this is an operation against one of the biggest and most active threat streams. Is this permanent? Of course not."
The disruption took the form of hacking Trickbot's command-and-control servers and pushing updates to infected systems that set their command-and-control address to 127.0.0.1 (localhost), effectively severing communication with the criminals' servers. This happened twice: first on September 22nd, and again on October 1st. In both cases the crooks recovered relatively quickly, but Alex Holden of Hold Security told KrebsOnSecurity that the disruptions caused a great deal of frustration for the criminals. Additionally, Krebs said someone was stuffing Trickbot's databases of stolen information with millions of phony records, creating further confusion.
During the same time period, Microsoft and industry partners also took action against Trickbot, obtaining a court order from the United States District Court for the Eastern District of Virginia to disable key infrastructure used by the botnet. The New York Times says Microsoft and its partners had been unaware of US Cyber Command's activities against Trickbot, and that the two actions don't appear to have been coordinated.
Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, described the effort in a blog post on Monday:
"During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.
"To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.
"This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."
Like Cyber Command, Microsoft and its partners don't expect the disruption to be permanent, but their goal was to hamper the botnet's operations ahead of the US elections. As Lumen's Black Lotus Labs explained, "While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted."