Microsoft Used Its Patents To Take Down Trickbot Network -- Redmondmag.com

Microsoft Used Its Patents To Take Down Trickbot Network

By Kurt Mackie
10/13/2020

Related: Microsoft and Partners Continue To Block Trickbot To Protect Elections

Microsoft and other software and services companies this week described their efforts in taking down the Trickbot criminal network.

The years-long effort involved working with the courts, software security firms and telcos to eliminate the hosting of Trickbot. Microsoft's software patents also came into play as a legal means to close it down.

"With this civil action, we have leveraged a new legal strategy that allows us to enforce copyright law to prevent Microsoft infrastructure, in this case our software code, from being used to commit crime," explained Tom Burt, corporate vice president for customer security and trust, in a Monday Microsoft announcement. "As copyright law is more common than computer crime law, this new approach helps us pursue bad actors in more jurisdictions around the world."

Microsoft has a Digital Crimes Unit that collaborates with various law enforcement agencies, as well as with security solutions partners. Its efforts over the years have resulted in "23 malware and nation-state domain disruptions, resulting in over 500 million devices rescued from cybercriminals," according to the announcement.

Partners Against Crime
In the Trickbot case, Microsoft worked with the Financial Services Information Sharing and Analysis Center, which served as a "co-plaintiff in our legal action." The Financial Services Information Sharing and Analysis Center is a U.S.-headquartered consortium of financial institutions that was formed to defend financial services infrastructures around the globe.

Microsoft's Digital Crimes Unit and its Microsoft Defender team worked with various software security solution providers to take down Trickbot, namely, "ESET, Lumen's Black Lotus Labs, NTT and Symantec, a division of Broadcom." Trickbot analysis by the Microsoft Defender team can be found in this Microsoft post.

Trickbot is a criminal network that was initially used to infiltrate online banking accounts. It later shifted to delivering ransomware to organizations, especially the Ryuk ransomware. More recently, Trickbot has been detected near networks that are associated with political elections, and Microsoft's announcement claimed that the Trickbot takedown will help protect "election infrastructure from ransomware attacks."

CISA-FBI Warning
In a perhaps related announcement, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently announced a joint cybersecurity advisory on attacks against government networks, as well as other organizational networks. These government agency attacks are leveraging unpatched software vulnerabilities, including the Windows Server Netlogon flaw (CVE-2020-1472) that was addressed by Microsoft's August security patch release.

The CISA-FBI announcement suggested that election targeting could be part of the motivation behind the increased malicious activity against government networks:

CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.

The attackers could leverage publicized security vulnerabilities in various virtual private networks (VPNs) and management solutions to gain a foothold, the announcement suggested, and it cited the following CVEs as possible, although not confirmed, avenues:

Citrix NetScaler CVE-2019-19781
MobileIron CVE-2020-15505
Pulse Secure CVE-2019-11510
Palo Alto Networks CVE-2020-2021
F5 BIG-IP CVE-2020-5902

Next, the attackers are using the Windows Server Netlogon security vulnerability to gain credentials, and then using VPNs and the Remote Desktop Protocol for remote attack purposes.

After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.

Organizations should keep up to date with software patches, including VPNs and domain controllers, according to the CISA-FBI announcement. They should implement multifactor authentication on all VPN connections. Patch management should include auditing, and all outbound network connections should be monitored. The announcement included some very painful advice to follow should Active Directory admin accounts be found to be compromised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Exploring Alternatives to Microsoft Publisher

Depending on what you need, there are some good alternatives once Publisher loses support in 2026.
To Support OpenAI, Microsoft Taps Oracle for More Cloud Power

Frenemies Oracle and Microsoft are combining their respective cloud platforms to give generative AI wunderkind OpenAI more room to innovate.
After Making Windows Recall Opt-In, Microsoft Yanks Feature from PCs Entirely

Microsoft is putting the brakes on its Windows Recall feature that was designed to "retrace users' steps."
PowerShell's Bright Future

A couple of seasoned PowerShell vets break down how they see the powerful tool's next stage of evolution.
Lax Credential Hygiene at Root of Snowflake Breach: Researchers

Security researchers at Google subsidiary Mandiant have traced the months-long Snowflake security breach to an attack group taking advantage of old credentials and weak authentication methods.