Microsoft Used Its Patents To Take Down Trickbot Network
Microsoft and other software and services companies this week described their efforts in taking down the Trickbot criminal network.
The years-long effort involved working with the courts, software security firms and telcos to eliminate the hosting of Trickbot. Microsoft's software patents also came into play as a legal means to close it down.
"With this civil action, we have leveraged a new legal strategy that allows us to enforce copyright law to prevent Microsoft infrastructure, in this case our software code, from being used to commit crime," explained Tom Burt, corporate vice president for customer security and trust, in a Monday Microsoft announcement. "As copyright law is more common than computer crime law, this new approach helps us pursue bad actors in more jurisdictions around the world."
Microsoft has a Digital Crimes Unit that collaborates with various law enforcement agencies, as well as with security solutions partners. Its efforts over the years have resulted in "23 malware and nation-state domain disruptions, resulting in over 500 million devices rescued from cybercriminals," according to the announcement.
Partners Against Crime
In the Trickbot case, Microsoft worked with the Financial Services Information Sharing and Analysis Center, which served as a "co-plaintiff in our legal action." The Financial Services Information Sharing and Analysis Center is a U.S.-headquartered consortium of financial institutions that was formed to defend financial services infrastructures around the globe.
Microsoft's Digital Crimes Unit and its Microsoft Defender team worked with various software security solution providers to take down Trickbot, namely, "ESET, Lumen's Black Lotus Labs, NTT and Symantec, a division of Broadcom." Trickbot analysis by the Microsoft Defender team can be found in this Microsoft post.
Trickbot is a criminal network that was initially used to infiltrate online banking accounts. It later shifted to delivering ransomware to organizations, especially the Ryuk ransomware. More recently, Trickbot has been detected near networks that are associated with political elections, and Microsoft's announcement claimed that the Trickbot takedown will help protect "election infrastructure from ransomware attacks."
In a perhaps related announcement, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently announced a joint cybersecurity advisory on attacks against government networks, as well as other organizational networks. These government agency attacks are leveraging unpatched software vulnerabilities, including the Windows Server Netlogon flaw (CVE-2020-1472) that was addressed by Microsoft's August security patch release.
The CISA-FBI announcement suggested that election targeting could be part of the motivation behind the increased malicious activity against government networks:
CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.
The attackers could leverage publicized security vulnerabilities in various virtual private networks (VPNs) and management solutions to gain a foothold, the announcement suggested, and it cited the following CVEs as possible, although not confirmed, avenues:
Next, the attackers are using the Windows Server Netlogon security vulnerability to gain credentials, and then using VPNs and the Remote Desktop Protocol for remote attack purposes.
After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.
Organizations should keep up to date with software patches, including VPNs and domain controllers, according to the CISA-FBI announcement. They should implement multifactor authentication on all VPN connections. Patch management should include auditing, and all outbound network connections should be monitored. The announcement included some very painful advice to follow should Active Directory admin accounts be found to be compromised.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.