CISA-FBI advisory covers identification, disruption of QakBot infrastructure; provides mitigation action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) published Wednesday a joint cybersecurity advisory (CSA) that disseminates QakBot infrastructure indicators of compromise (IOCs), based on FBI investigations carried out this month. Organizations have been urged to implement the provided mitigation actions to reduce the likelihood of QakBot-related activity and promote the identification of QakBot-facilitated ransomware and malware infections. 

The advisory further added that disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. “If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.”

On August 25, the FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The takedown action represents the largest U.S.-led financial and technical disruption of the Qakbot infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

Ransomware groups relying on QakBot caused significant harm to businesses, healthcare providers, and government agencies all over the world, including a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California. Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately US$58 million in ransoms paid by victims.

The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders. Together with its international partners, the U.S. Department of Justice has hacked Qakbot infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the U.S. and around the world, and seized $8.6 million in extorted funds.

The advisory detailed that QakBot, also known as Qbot, Quackbot, Pinkslipbot, and TA570, is responsible for thousands of malware infections globally. QakBot and affiliated variants have targeted the U.S. and other global infrastructures. It has been the precursor to a significant number of computer intrusions, including ransomware and the compromise of user accounts within the financial sector.

In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem, the advisory outlined. “QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.”

The advisory detailed that, since its inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, including performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. “QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further the goals of the threat actor who delivered QakBot.”

The advisory disclosed that QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike, Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal, and PwndLocker. 

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers. 

The CISA-FBI advisory said that the first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 ‘supernodes’ by downloading an additional software module. “These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers.” 

As of mid-June 2023, 853 supernodes active that same month had been identified in 63 countries, the advisory disclosed. “Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.”
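Because supernodes rotate frequently and each bot talks to a set of them, the practical use of the advisory's IOC list on the defender side is bulk matching against outbound connection logs, with hosts that reach several distinct IOC addresses treated as higher-confidence hits. The Python script below is an added example, not code from the advisory or from CISA/FBI: the key=value firewall log format, the internal host addresses, and the IOC addresses (drawn from RFC 5737 test ranges) are all constructed for the illustration; a real run would load the advisory's published IOC file in place of the placeholder set.

```python
"""Match outbound firewall log entries against a published IOC list.

Added example, not code from the CISA-FBI advisory. The IOC addresses,
the log format and the log lines are constructed; in practice the IOC
set is loaded from the advisory's IOC file and refreshed as it is updated.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder IOC set (RFC 5737 TEST-NET addresses) standing in
# for the advisory's supernode list.
SUPERNODE_IOCS = {
    "192.0.2.10",
    "192.0.2.77",
    "198.51.100.5",
    "203.0.113.42",
}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2023-08-30T10:01:02Z action=allow src=10.20.30.41 dst=192.0.2.10 dport=443 proto=tcp
2023-08-30T10:01:05Z action=allow src=10.20.30.41 dst=8.8.8.8 dport=53 proto=udp
2023-08-30T10:02:11Z action=allow src=10.20.30.41 dst=198.51.100.5 dport=8443 proto=tcp
2023-08-30T10:03:40Z action=allow src=10.20.30.77 dst=203.0.113.42 dport=443 proto=tcp
2023-08-30T10:04:01Z action=deny src=10.20.30.99 dst=192.0.2.77 dport=443 proto=tcp
2023-08-30T10:05:15Z action=allow src=10.20.30.12 dst=93.184.216.34 dport=443 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True for RFC 1918 and other private source addresses."""
    return ipaddress.ip_address(addr).is_private


def find_ioc_contacts(log_text, iocs):
    """Group IOC hits by internal source host.

    Returns {src: [(ts, dst, dport, action), ...]}. Denied connections are
    kept: a blocked beacon still points at an infected host.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in iocs:
            continue
        if not is_internal(rec["src"]):
            continue
        hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"], rec["action"]))
    return dict(hits)


def summarize(hits):
    """One summary line per flagged host, sorted by host address.

    A host that reached several distinct IOC addresses is ranked HIGH, since
    the advisory describes each bot talking to a set of Tier 1 supernodes.
    """
    lines = []
    for src in sorted(hits, key=ipaddress.ip_address):
        dsts = {dst for _, dst, _, _ in hits[src]}
        level = "HIGH" if len(dsts) > 1 else "MEDIUM"
        lines.append(
            f"{level} {src} contacted {len(dsts)} IOC address(es): {', '.join(sorted(dsts))}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_ioc_contacts(SAMPLE_LOGS, SUPERNODE_IOCS)):
        print(line)
```

Two design choices follow from the advisory text: denied connections are retained because the host that attempted the beacon is the finding, not the connection; and the IOC set is treated as an input to be refreshed rather than a constant, since a stale list misses supernodes that have since rotated in.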

CISA and FBI recommend network defenders apply various mitigations to reduce the likelihood of QakBot-related activity and promote the identification of QakBot-induced ransomware and malware infections. These include implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location; and requiring all accounts with password logins to comply with the National Institute of Standards and Technology (NIST)’s standards when developing and managing password policies. 

The advisory suggests implementing phishing-resistant multi-factor authentication (MFA) for remote access and sensitive data repositories, especially in webmail and VPNs, which access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. It also recommends keeping operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats, and organizations should prioritize patching known exploited vulnerabilities on internet-facing systems.

The CISA-FBI document also recommends segmenting networks to prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks to restrict adversary lateral movement. It also recommends identifying, detecting, and investigating abnormal activity and potential traversal of the indicated malware with a network monitoring tool. It also suggests installing, regularly updating, and enabling real-time detection for antivirus software on all hosts.

It also calls for a review of domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts, an audit of user accounts with administrative privileges, and configuring access controls according to the principle of least privilege. Furthermore, the advisory suggests disabling unused ports, adding an email banner to emails from outside the organization, and disabling hyperlinks in received emails.

Lastly, the joint advisory calls for implementing time-based access for accounts set at the admin level and higher; disabling command-line and scripting activities and permissions; performing regular secure system backups and creating known good copies of all device configurations for repairs and/or restoration; and ensuring all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure. 

The DOJ announced earlier this year its ‘months-long disruption’ campaign against the Hive ransomware group that has targeted more than 1,500 victims across over 80 countries worldwide. The hackers have since 2021 targeted hospitals, school districts, financial firms, and critical infrastructure, and received over $100 million in ransom payments. Also, Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, involving law enforcement authorities from a total of 13 countries.
