Qakbot botnet infrastructure shattered after international operation

Europol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the Qakbot malware and led to the seizure of nearly EUR 8 million in cryptocurrencies. The international investigation, also supported by Eurojust, involved judicial and law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, United Kingdom and the United States. Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.

Active since 2007, this prolific malware (also known as QBot or Pinkslipbot) evolved over time using different techniques to infect users and compromise systems. Qakbot infiltrated victims’ computers through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of a botnet (a network of compromised computers) controlled simultaneously by the cybercriminals, usually without the knowledge of the victims. However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers.

How does Qakbot work?

- The victim receives an email with an attachment or hyperlink and clicks on it;
- Qakbot deceives the victim into downloading malicious files by imitating a legitimate process;
- Qakbot executes and then installs other malware, such as banking Trojans;
- The attacker then steals financial data, browser information/hooks, keystrokes, and/or credentials;
- Other malware, such as ransomware, is placed on the victim’s computer.

Over 700 000 infected computers worldwide

A number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses. The administrators of the botnet provided these groups with access to the infected networks for a fee. The investigation suggests that between October 2021 and April 2023, the administrators have received fees corresponding to nearly EUR 54 million in ransoms paid by the victims. The lawful examination of the seized infrastructure uncovered that the malware had infected over 700 000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale.

Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.

IOCTA spotlight report on malware-based cyber-attacks published

Following the Internet Organised Crime Assessment (IOCTA) 2023, Europol published the spotlight report “Cyber Attacks: The Apex of Crime-as-a-Service”. It examines developments in cyber-attacks, discussing new methodologies and threats as observed by Europol’s operational analysts. The report also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their modi operandi.

Malware-based cyber-attacks, specifically ransomware, remain the most prominent threat. These attacks can attain a broad reach and have a significant financial impact on industry. Europol’s spotlight report takes an in-depth look at the nature of malware attacks as well as the ransomware groups’ business structures. The theft of sensitive data could establish itself as the central goal of cyber-attacks, thereby feeding the growing criminal market of personal information.

As well as shedding light on the most common intrusion tactics used by criminals, the report also highlights the significant boost in Distributed Denial of Service (DDoS) attacks against EU targets. Lastly, among the report’s key findings are the effects the war of aggression against Ukraine and Russia’s internal politics have had on cybercriminals.
Key findings in “Cyber Attacks: The Apex of Crime-as-a-Service”

- Malware-based cyber-attacks remain the most prominent threat to industry;
- Ransomware affiliate programs have become established as the main form of business organisation for ransomware groups;
- Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics;
- The Russian war of aggression against Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets;
- Initial Access Brokers (IABs), droppers-as-a-service and crypter developers are key enablers utilised in the execution of cyber-attacks;
- The war of aggression against Ukraine and Russia’s internal politics have uprooted cybercriminals, pushing them to move to other jurisdictions.

Europol’s response in fighting cyber-attacks

Europol provides dedicated support for cybercrime investigations in the EU and thus helps protect European citizens, businesses and governments from online crime. Europol offers operational, strategic, analytical and forensic support to Member States’ investigations, including malware analysis, cryptocurrency-tracing training for investigators, and tool development projects. Based in Europol’s European Cybercrime Centre (EC3), the Analysis Project Cyborg focuses on the threat of cyber-attacks and supports international investigations and operations into cyber criminality affecting critical computer and network infrastructures in the EU.

CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The CSA—originally released to warn network defenders of critical infrastructure organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway—contains victim information gathered in August 2023. Since July 2023, the Joint Cyber Defense Collaborative (JCDC) has facilitated continuous, real-time threat information sharing with and between partners on post-exploitation activity of CVE-2023-3519. JCDC consolidated and shared detection methods, threat actor tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs) received from industry and international partners. The updated CSA contains new TTPs as well as IOCs received from some of these partners and an additional victim.
CISA strongly urges all critical infrastructure organizations to review the advisory and follow the mitigation recommendations—such as prioritizing patching known exploited vulnerabilities like Citrix CVE-2023-3519.

International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware

The United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR), on Infamous Chisel a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.

Infamous Chisel mobile malware has been used in a malware campaign targeting Android devices in use by the Ukrainian military.

Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning and Secure Copy Protocol (SCP) file transfer.

The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC's Malware Analysis Reports page.

CISA and FBI Publish Joint Advisory on QakBot Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally.

Originally used as a banking trojan to steal banking credentials for account compromise, QakBot—in most cases—was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network. QakBot has since grown to deploy multiple types of malware, trojans, and highly-destructive ransomware variants targeting the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.

CISA Publishes JCDC Remote Monitoring and Management Systems Cyber Defense Plan

The Cybersecurity and Infrastructure Security Agency (CISA) published the Cyber Defense Plan for Remote Monitoring and Management (RMM), the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of our 2023 Planning Agenda. This Plan provides a clear roadmap to advance security and resilience of the RMM ecosystem and further specific lines of effort in the National Cyber Strategy to scale public-private collaboration and in the CISA Cybersecurity Strategic Plan to drive adoption of the most impactful security measures.

Organizations across sectors leverage RMM products to gain efficiencies and benefit from scalable services. These same benefits, however, are increasingly targeted by adversaries – from ransomware actors to nation-states – to compromise large numbers of downstream customer organizations. By targeting RMM products, threat actors attempt to evade detection and maintain persistent access, a technique known as living off the land.

Part of our 2023 Planning Agenda, the RMM Cyber Defense Plan provides a clear roadmap to advance security and resilience of this critical ecosystem, including RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium sized businesses (SMBs), and critical infrastructure operators. This Plan was developed through a multi-month process that leveraged deep expertise by vendors, operators, agencies, and other stakeholders, and has already resulted in a significant deliverable with publication of our joint advisory on Protecting Against Malicious Use of Remote Monitoring and Management Software.

The RMM Cyber Defense Plan is built on two foundational pillars, operational collaboration and cyber defense guidance, and contains four subordinate lines of effort:

(1) Cyber Threat and Vulnerability Information Sharing: Expand the sharing of cyber threat and vulnerability information between U.S. government and RMM ecosystem stakeholders.

(2) Enduring RMM Operational Community: Implement mechanisms for an enduring RMM operational community that will continue to mature scaled security efforts.

(3) End-User Education: Develop and enhance end-user education and cybersecurity guidance to advance adoption of strong best practices, a collaborative effort by CISA, interagency partners and other RMM ecosystem stakeholders.

(4) Amplification: Leverage available lines of communication to amplify relevant advisories and alerts within the RMM ecosystem.

“As envisioned by Congress and the Cyberspace Solarium Commission, JCDC Cyber Defense Plans are intended to bring together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks and develop shared, actionable solutions. The RMM Cyber Defense Plan demonstrates the criticality of this work and the importance of both deep partnership and proactive planning in addressing systemic risks facing our country,” said Eric Goldstein,CISA Executive Assistant Director for Cybersecurity. “These planning efforts are dependent on trusted collaboration with our partners, and this Plan was a true partnership with the RMM community, industry and interagency partners that contributed time and effort towards this important work. The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem. As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”

CISA, NSA, and NIST Publish Factsheet on Quantum Readiness

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.

CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.

CISA Releases Infrastructure Resilience Planning Framework Launchpoint

The Cybersecurity and Infrastructure Security Agency (CISA) releases the Infrastructure Resilience Planning Framework (IRPF) Launchpoint, a supplemental resource developed to help prospective users of the IRPF quickly navigate IRPF guidance and concepts based on their specific needs.

This self-appraisal tool helps users contemplate their community’s resilience goals and start developing an approach to incorporating critical infrastructure resilience into their planning activities by pointing them to specific IRPF guidance, resources, and templates that might be most relevant and valuable to them.

“The IRPF Launchpoint is a great resource created by our Resilience Services Branch that provides SLTT and regional planners with insights on how best to apply the Infrastructure Resilience Planning Framework to meet their specific needs,” said Dr. David Mussington, Executive Assistant Director for Infrastructure Security. “As one of many resilience resources within CISA, the new IRPF Launchpoint tool will guide users to specific resources they can employ in planning for infrastructure to reduce the risk of disruptions to their communities.”

Infrastructure is the backbone of communities, providing not only critical services, but also the means for health, safety, and economic growth. CISA’s IRPF provides flexible guidance for state, local, tribal, territorial, and regional planners on enhancing community resilience by addressing critical infrastructure dependencies in their existing planning efforts.

CyberSentry Program Launches Webpage

It should come as no surprise that our nation’s critical infrastructure is under concerted threat from malicious cyber actors.

To illustrate, just recently, the Office of the Director of National Intelligence’s 2023 Threat Assessment stated that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems” and that “Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Facing such a challenging threat environment, we must focus our efforts on a two-pronged strategy of defense – on driving adoption of strong cybersecurity measures, and on ensuring effective visibility into cyber threats targeting our nation’s critical infrastructure.

The second line of effort, in particular, is what I want to talk about today.

Right now, we are able to achieve a portion of this visibility by partnering with critical infrastructure organizations and cybersecurity companies, forging and maintaining crucial relationships with our partners for the betterment of our nation.

But for some of the nation’s most critical entities, we need to do more. And that leads us to CyberSentry.

We can distill down CyberSentry’s mission to this – through unique partnerships with industry, CISA is able to supply commercial detection capabilities that provide three key benefits:

- Enables the operational use of sensitive information prior to broader dissemination to the cybersecurity community

- Allows CISA’s analysts to correlate threat activity targeting multiple critical infrastructure entities and understand evolving campaigns

- Provides participating entities with access to their own CyberSentry dashboard, enabling integration into the partner’s cyber operations.

CyberSentry is governed by an agreement between CISA and voluntarily participating critical infrastructure partners. CyberSentry technology supports sensing and monitoring for information technology (IT) and operational technology (OT) networks. CyberSentry has added significant value to both CISA’s national mission and to our partners’ enterprise cybersecurity efforts.

Recent successes include:

- Infected OT Equipment: CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future.

- Unintentional Exposure: CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.

- Private Sector Coordination: During the Colonial Pipeline disruption, CISA analysts coordinated closely with its pipeline partners to share information and monitor for adversary activity.

- SolarWinds Response: CyberSentry data helped to quickly identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm remediation of the threat.

- Identification of Malicious Activity: On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of activity.

- Malware Discovery: CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.

- Attacker Exfiltration Detected: CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat.

CISA is looking to partner with a select number of additional Critical Infrastructure organizations who operate systems supporting National Critical Functions – functions so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on our Nation.

As malicious cyber activity continues to evolve, and nation state actors continue to aggressively target National Critical Functions, CyberSentry’s capabilities and critical partnerships directly enhance CISA’s goal of a stronger collective defense for our Nation.

For more information visit our CyberSentry webpage.

Author: Jermaine Roebuck, Associate Director for Threat Hunting

Ransomware Accounts for 54% of Cybersecurity Threats

The European Union Agency for Cybersecurity (ENISA) released its first cyber threat landscape for the health sector. The report found that ransomware accounts for 54% of cybersecurity threats in the health sector.

The comprehensive analysis maps and studies cyberattacks, identifying prime threats, actors, impacts, and trends for a period of over 2 years, providing valuable insights for the healthcare community and policy makers. The analysis is based on a total of 215 publicly reported incidents in the EU and neighbouring countries.

Executive Director of the European Union Agency for Cybersecurity (ENISA), Juhan Lepassaar, said: “A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way. The rise of the covid-19 pandemic showed us how we critically depend on health systems. What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

The findings

The report reveals a concerning reality of the challenges faced by the EU health sector during the reporting period.

- Widespread incidents. The European health sector experienced a significant number of incidents, with healthcare providers accounting for 53% of the total incidents. Hospitals, in particular, bore the brunt, with 42% of incidents reported. Additionally, health authorities, bodies and agencies (14%), and the pharmaceutical industry (9%) were targeted.
- Ransomware and data breaches. Ransomware emerged as one of the primary threats in the health sector (54% of incidents). This trend is seen as likely to continue. Only 27% of surveyed organisations in the health sector have a dedicated ransomware defence programme. Driven by financial gain, cybercriminals extort both health organisations and patients, threatening to disclose data, personal or sensitive in nature. Patient data, including electronic health records, were the most targeted assets (30%). Alarmingly, nearly half of all incidents (46%) aimed to steal or leak health organisations' data.
- Impact and lessons learned by the COVID-19 Pandemic. It is essential to note that the reporting period coincided with a significant portion of the COVID-19 pandemic era, during which the healthcare sector became a prime target for attackers. Financially motivated threat actors, driven by the value of patient data, were responsible for the majority of attacks (53%). The pandemic saw multiple instances of data leakage from COVID-19-related systems and testing laboratories in various EU countries. Insiders and poor security practices, including misconfigurations, were identified as primary causes of these leaks. The incidents serve as a stark reminder of the importance of robust cybersecurity practices, particularly in times of urgent operational needs.
- Vulnerabilities in Healthcare Systems. Attacks on healthcare supply chains and service providers resulted in disruptions or losses to health organisations (7%). Such types of attacks are expected to remain significant in the future, given the risks posed by vulnerabilities in healthcare systems and medical devices. A recent study by ENISA revealed that healthcare organisations reported the highest number of security incidents related to vulnerabilities in software or hardware, with 80% of respondents citing vulnerabilities as the cause of more than 61% of their security incidents.
- Geopolitical Developments and DDoS Attacks. Geopolitical developments and hacktivist activity led to a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9% of total incidents. While this trend is expected to continue, the actual impact of these attacks remains relatively low.
- The incidents examined in the report had significant consequences for health organisations, primarily resulting in breaches or theft of data (43%) disrupted healthcare services (22%) and disrupted services not related to healthcare (26%). The report also highlights the financial losses incurred, with the median cost of a major security incident in the health sector estimated at €300,000 according to the ENISA NIS Investment 2022 study.
- Patient safety emerges as a paramount concern for the health community, given potential delays in triage and treatment caused by cyber incidents.

New report from the NIS Cooperation Group

The NIS Cooperation Group releases today its report on “Threats and risk management in the health sector – Under the NIS Directive”. As a first assessment on the measures currently in place, the study sheds light on the different cybersecurity challenges in risk mitigation faced by the EU health sector. Together with relevant threat taxonomies and cyber incident data, the report discloses business continuity and mitigation recommendations to limit the likelihood and impacts of a cyber related incident.

1 2 3 34