web analytics

Operation ‘Duck Hunt’ Dismantles Qakbot – Source: www.databreachtoday.com

operation-‘duck-hunt’-dismantles-qakbot-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cybercrime
,
Fraud Management & Cybercrime
,
Ransomware

52 Servers, Nearly $9 Million Worth of Cryptocurrency Seized

Michael Novinson (MichaelNovinson) ,
David Perera (@daveperera) •
August 29, 2023    

Operation 'Duck Hunt' Dismantles Qakbot

U.S. authorities Tuesday said they permanently dismantled the notorious Qakbot botnet in an international operation that seized 52 servers and nearly $9 million worth of cryptocurrency.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The botnet, also known as Qbot, was a vector for ransomware, and it “has ceased to operate,” said Don Alway, the assistant director in charge of the FBI’s Los Angeles Field Office, during a press conference. Qakbot started as a banking Trojan in 2008. It is one of the world’s longest-running botnets and accounted for hundreds of millions of dollars of losses over its lifetime, said senior FBI and Justice Department officials.

“We at the FBI and DOJ are focused on proactive disruptive activities against the actors and the key services which support their activity,” senior FBI and DOJ officials told members of the media during a background briefing Tuesday. “This strategy stems from looking at the problem from the perspective of the adversary and what they need to conduct their attack.”

Law enforcement identified more than 700,000 computers infected with the Qakbot malware, including more than 200,000 in the United States. Authorities used a removal tool get the malware off victims’ machines since Qakbot only operated in memory rather than on the user’s hard drive.

The FBI dubbed the operation behind the takedown “Duck Hunt,” a play on the Qakbot moniker. The operation is “the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said United States Attorney Martin Estrada of the Central District of California. International partners in the investigation include France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.

“Almost every country in the world was affected by Qakbot, either through direct infected victims or victims attacked through the botnet,” said senior FBI and DOJ officials. Officials said Qakbot spread primarily through email phishing campaigns, and FBI probes revealed Qakbot infrastructure and victim computers had spread around the world.

Qakbot played a role in approximately 40 different ransomware attacks over the past 18 months that caused $58 million in losses, Estrada said. “You can imagine that the losses have been many millions more through the life of the Qakbot,” which cyber defenders first detected in 2008, Estrada added. “Today, all that ends,” he said.

Qakbot evolved over the years to become an initial access broker for other cybercriminals, selling access to criminal affiliates who rely on that foothold. Online criminal gangs that have used Qakbot to spread ransomware include Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta.

“If you think about it from the perspective of the adversary, they are going to rent this out to what’s going to make money,” senior FBI and DOJ officials said. “As far as how it’s utilized, they typically do not have a say or care as long as they’re getting their cut.”

An ecosystem has developed over time that allows ransomware groups and nation-state actors to use services from initial access brokers such as Qakbot to carry out business email compromise, elder fraud and other types of cybercrime, according to senior FBI and DOJ officials. Without services from groups such as Qakbot, officials said, these criminal activities would be much more difficult to engage in.

“This is a criminal business that they’re running, and the financial piece is critically important,” senior FBI and DOJ officials said. “Cybercriminals need all of those services to engage in their conduct.”

Law enforcement worked with U.S. legal authorities to facilitate the operation, officials said. First, authorities penetrated Qakbot’s network and were able to map it out in its entirety. Then, authorities got authorization to assume control of Qakbot’s command-and-control server and redirected traffic to a server under the control of the FBI.

After redirecting online traffic to servers controlled by authorities, downloaded onto infected computers a file untethering them from Qakbot, states an FBI affidavit submitted in the U.S District Court for the Central District of California. Since Qakbot ran in memory, law enforcement didn’t need to touch, erase or read anything in the victim’s hard drive to remove the botnet.

“None of the private information that a victim might have on his computer is going to be accessible through that process of malware being removed from memory,” senior FBI and DOJ officials said. Officials said victims wouldn’t even know authorities had removed Qakbot from their system unless they had been independently tracking it.

Senior FBI and DOJ officials said the operation was timed to take advantage of a slowdown in Qakbot’s activity during the summer months, and authorities sought to take action before Qakbot ramped up attacks in the fall. Even though Qakbot has been removed from victim systems, officials cautioned there still might be malware present since the botnet facilitated access for deploying other malware variants.

Prosecutors declined to identify the cybercriminal organization behind Qakbot, citing a need for secrecy in an ongoing investigation. Senior FBI and DOJ officials also declined to comment on the relationship between Qakbot and state-aligned activity or espionage.

Authorities say they will use the seized $8.6 million of cryptocurrency to refund victims and make them whole. Filings with the court and the Justice Department will be required to make a claim to the seized funds, according to senior FBI and DOJ officials.

“By shutting down the entire botnet, we are stopping the ongoing delivery of ransomware and other malicious software to victim computers across America and around the world,” senior FBI and DOJ officials said. “We are looking forward to creating a broad and lasting reduction in ransomware victimization.”

Original Post url: https://www.databreachtoday.com/operation-duck-hunt-dismantles-qakbot-a-22959

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate