Microsoft abolishes large botnets before 2020 elections

Ahead of the 2020 elections, Microsoft obtained a court order to seize a server that the company says is part of the Trickbot botnet, according to the Washington Post.

Tom Burt, Microsoft’s vice president of customer security and trust, said the botnet is likely run by Russian-speaking criminals and could be used to launch ransomware attacks that threaten election security. He told the Post that it poses a “theoretical but realistic” threat. Ransomware is a type of malware that hijacks computer networks and usually holds data hostage in exchange for a payment; an attacker can also skip the ransom demand altogether and permanently lock users out of their machines. While ransomware attacks on voting machines, election administrators, or political campaigns are unprecedented, cybercriminal gangs have recently targeted large institutions such as local governments, state governments, and hospitals.

In a blog post, Microsoft wrote that it had been monitoring Trickbot-infected computers to determine how compromised devices communicated with each other and how those communications were obfuscated. That analysis also allowed it to identify the IP addresses of the command and control servers that distribute and direct Trickbot.

On Monday, the company obtained a restraining order directed at eight US service providers, arguing that Trickbot infringes Microsoft’s trademarks. This allowed the identified IP addresses to be taken offline, cutting an estimated 1 million Trickbot-infected devices off from the operators running the botnet. According to the blog post:

By observing the infected computers connecting to the command and control servers and receiving instructions, we were able to determine the exact IP addresses of those servers. With this evidence, the court enabled Microsoft and its partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

Trickbot itself is not ransomware. It is a Trojan that hijacks web browsers to steal login credentials and is often used to target banks. It can also be used to deliver ransomware such as Ryuk, which infamously hit an Alabama hospital system. Cybersecurity firm Kaspersky estimates that Ryuk and other ransomware variants were used in at least 174 attacks on local governments in 2019.

Microsoft’s concern was not that the botnet could be used to change actual election results, but that it could be turned against voter registration systems, tablets used by poll workers, or results-reporting systems. Such an attack, the post said, could sow confusion around the election and fuel efforts to undermine its legitimacy.

Earlier this year, the New York Times reported that Microsoft’s Digital Crimes Unit had been “quietly” enlisting help from authorities in many countries to lead botnet takedown efforts. As of March 2020, Microsoft had disrupted 18 cybercriminal operations over the previous decade, including a single action that froze or took control of approximately 6 million domains used by the Russian-based Necurs group to send fraudulent emails, support stock market fraud, and spread ransomware. According to Bloomberg, the Trickbot takedown was “highly coordinated” and required the assistance of telecommunications providers in several countries. Microsoft was also joined in the legal action by the Financial Services Information Sharing and Analysis Center, which represents thousands of banks, some of which have been targeted by Trickbot.

Last week, the Post separately reported that four sources had confirmed US Cyber Command had begun its own operation to disrupt the Trickbot network, at least temporarily. On September 22nd and October 1st, cybersecurity operators reportedly gained access to Trickbot’s command and control servers and sent an exit command to the infected machines, but in both cases the botnet operators were able to regain control.

Brett Callow, a spokesman for security firm Emsisoft, told Bloomberg that the Trickbot network is associated with at least two major Eastern European or Russian groups: the operators of Ryuk (known by the moniker Wizard Spider) and the operators of a newer variant called Conti, which may itself be an offshoot or successor of the Ryuk group. CrowdStrike believes Wizard Spider is a financially motivated criminal organization, not a nation-state-backed group.

In its blog post, Microsoft wrote that the operators of the Trickbot network remain unknown, but that it runs on a mercenary “malware as a service” model which, according to research, serves both nation-states and criminal networks for a variety of purposes. Tom Kellermann, head of cybersecurity strategy at VMware and a member of the Secret Service Advisory Board, told the Times that the Kremlin maintains a “pax mafiosa” with cybercrime gangs that serve its purposes.

“It’s a highway used only by criminals,” Amy Hogan-Burney, a former FBI attorney who now runs Microsoft’s Digital Crimes Unit, told the New York Times. “And the idea of allowing them to continue to exist doesn’t make sense. The infrastructure needs to be dismantled … it amputates their arms for a while.”

Editor’s Note: The release date for this article is based on the United States, and it will be updated with local dates in Australia as more details become available.
