U.S. Markets close in 6 hrs 18 mins
  • S&P 500

    3,671.41
    +2.40 (+0.07%)
     
  • Dow 30

    29,963.00
    +79.21 (+0.27%)
     
  • Nasdaq

    12,386.45
    +37.09 (+0.30%)
     
  • Russell 2000

    1,838.03
    +1.98 (+0.11%)
     
  • Crude Oil

    45.18
    -0.10 (-0.22%)
     
  • Gold

    1,843.10
    +12.90 (+0.70%)
     
  • Silver

    24.11
    +0.03 (+0.15%)
     
  • EUR/USD

    1.2158
    +0.0043 (+0.3526%)
     
  • 10-Yr Bond

    0.9340
    -0.0140 (-1.48%)
     
  • Vix

    20.88
    +0.11 (+0.53%)
     
  • GBP/USD

    1.3460
    +0.0084 (+0.6272%)
     
  • USD/JPY

    103.8930
    -0.5310 (-0.5085%)
     
  • BTC-USD

    19,366.72
    +417.47 (+2.20%)
     
  • CMC Crypto 200

    380.75
    +6.34 (+1.69%)
     
  • FTSE 100

    6,463.81
    +0.42 (+0.01%)
     
  • Nikkei 225

    26,809.37
    +8.39 (+0.03%)
     

Botnet Fights Back After Microsoft’s Election Security Takedown

Kartikay Mehrotra
·3 min read

(Bloomberg) -- A week after Microsoft Corp. led a global attack against one of the world’s most prolific malware groups, the company says it’s winning an ongoing battle to temporarily destabilize the malicious botnet ahead of the U.S. presidential election.

When Microsoft and its coalition of partners attacked the infrastructure supporting the popular Trickbot malware, they identified 69 servers and routers hosting the botnet around the world. As of Oct. 18, they’d compromised 62 of them, according to a Microsoft statement. A botnet is a network of computers infected with malware.

In response, Microsoft observed Trickbot’s operators attempt to add 59 new servers to try to salvage their botnet. But those, too, were successfully infiltrated by Microsoft’s team within hours of adoption, according to the company.

In all, Microsoft officials said they’ve “taken down” 120 of those 128 systems.

“As we expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled,” according to Microsoft’s statement. “We fully expect that Trickbot’s operators will continue looking for ways to stay operational. What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks.”

Microsoft and its partners started their attack on Oct. 9 after winning a court order to disrupt Trickbot, known for infecting and stealing troves of data before exposing victims to ransomware attacks. Cyber-attackers use ransomware to lock users out of their own computers, while demanding payment in exchange for a key to regain access. The threat of ransomware in the days leading up to the Nov. 3 presidential election remains a credible cybersecurity threat against voting systems, according to the U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.

In less than a week, Microsoft’s operation has produced results.

When the attack started, Trickbot’s system included “many thousands” of active victims, which have since been reduced to “just more than 200,” said Alex Holden, founder of the information security investigations firm Hold Security LLC. However, Trickbot’s operators are still armed with the login credentials stolen from its many millions of victims breached in the last five years. Those could still be used to execute a damaging elections-related ransomware attack, if those credentials include access to state and local governments, he said.

“The botnet is down but not out,” said Holden, whose specializes in investigating complex malware systems. “It’s not mission accomplished.”

Along with activating existing credentials, Trickbot may also attempt to salvage its malicious network by renting space from other botnet operators. This will likely take weeks or months, Holden said.

Microsoft’s Tom Burt, corporate vice president for customer security & trust, said it would be a victory just to stifle Trickbot until the U.S. elects its next president. Getting rid of the botnet altogether is a monumental task that will require support from a global coalition, he said. That includes the continued support of internet service providers and server hosts around the world, including in the U.S., Germany, South Korea, Indonesia, Kyrgyzstan, Brazil and Cambodia, he said.

In the days after Microsoft announced its attack, skeptics such as cyber researchers at Proofpoint Inc. and Intel 471 questioned Microsoft’s ability to successfully execute a sustained attack. “Typically, these types of actions don’t result in a direct reduction of threat activity,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

Intel 471 found that Trickbot had returned as early as Oct. 15. However, Microsoft’s early efforts have mitigated some of that skepticism.

“If you can’t arrest them, disruption is the next best thing,” said Mark Arena, chief executive officer of Intel 471. “But these guys can and have added new servers all the time. A definitive takedown is asking a lot, but if Trickbot operators are busy on the run trying to fix their infrastructure, then maybe they can keep them on the run until the election.”

For more articles like this, please visit us at bloomberg.com

Subscribe now to stay ahead with the most trusted business news source.

©2020 Bloomberg L.P.