On August 29th, 2023, the US Justice Department announced the takedown of one of the most notorious botnets in the industry's history, known as Qakbot or Qbot (MITRE ID S0650). This malware, active for more than fifteen years, posed a significant threat to hundreds of thousands of computer systems and the networks behind them, but its control over those compromised systems has, for now, been severed.
Aside from its longevity, Qbot was notable for its extensive range of capabilities and the sophistication of its supporting infrastructure. It emerged as a simple banking trojan in 2007 and evolved continuously, adding brute-force mechanisms, command and scripting interpreter abuse, 'living off the land' techniques, data exfiltration, and credential theft. Over time it became a Swiss Army knife for criminal operators, serving as a loader for follow-on payloads such as the ProLock (MITRE ID S0654) and Egregor (MITRE ID S0554) ransomware families.
While it is good news that Qakbot has been taken down, this is likely a temporary state of affairs. It will be back. How do we know? The supporting backend infrastructure largely remains intact, and there haven't been, and likely won't be, any arrests for individuals involved. Unfortunately, this scenario is increasingly common, as security analysts' recent observations suggest.
Many malware groups operate beyond the jurisdiction of Western law enforcement, including state actors like China's Volt Typhoon (MITRE ID G1017), an Advanced Persistent Threat group focused on espionage and pre-positioning. The group targets critical infrastructure such as power grids, water management systems, and government communications, relying on stealthy techniques such as web shells and other 'living off the land' methods rather than custom malware that would stand out. It also has sophisticated capabilities for target enumeration and credential compromise.
In January 2024, a court-authorized FBI operation disrupted the KV-botnet, a network of compromised small-office and home routers, many of them end-of-life devices no longer receiving patches, that Volt Typhoon used to relay and obscure its traffic. The FBI is unlikely to see the same degree of success it had with Qbot, given the KV-botnet's architecture and its association with a state-sponsored actor beyond easy reach. Efforts to disrupt the botnet's command and control communications have yielded some success. Nonetheless, as in previous instances, this achievement will likely offer only a temporary reprieve: the group is expected to adapt its tactics and to face no repercussions, so the likelihood of the activity stopping is slim to none.
Does this mean that cybercriminals are becoming untouchable by law? It certainly seems that it’s becoming incredibly difficult to enforce legal action. This is particularly the case for state-sponsored actors such as Volt Typhoon. FBI Director Christopher Wray emphasized this with the following statement, "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities if or when China decides to strike."
The situation has moved beyond the relatively simple concept of cybercrime. It is beginning to touch on cyberwarfare and its potential to inflict great harm on an adversary's population. Even internationally, law enforcement is unlikely to have the teeth required to punish the perpetrators. This type of activity lies more in the realm of international relations, with all of its complexities.
The formula is simple: the degree of cyberwarfare activity is directly related to the degree of enmity between the nation-states in question. Disrupting domestic communications and critical services can heavily affect civilians, which makes such disruption an indirect way of attacking a population. Given all of this, it is not surprising that cybersecurity has become a hot topic on the international agenda. There will likely be increasing pressure on nation-states not only to bolster their defenses but also to invest in cyber capabilities as an offensive weapon or, at the very least, as a means of distraction and disruption during times of conflict.
Attacks are also becoming increasingly interconnected. For example, Cloudflare's self-hosted Atlassian systems were breached by a nation-state actor in November 2023, as reported in its February 1st, 2024 blog post. The intruder got in using a service token and service account credentials that had been exposed in the October 2023 compromise of Okta's customer support system and that Cloudflare had not rotated afterwards. Okta's breach, in turn, gave the attackers access to support files relating to its customers' identity and access management, including Cloudflare's, and Okta traced its own compromise to an employee signing into a personal Google account on a company-managed device, where service account credentials were saved. This chain of events, from a single personal account to a compromised identity provider's support system to the internal systems of a major internet infrastructure provider, illustrates how one breach at the individual level can have extensive, far-reaching consequences, and how credentials that are not rotated after a third-party incident remain live entry points months later.
There is also a trend toward specialization among threat actors. The adage 'stick to what you do well' plays out here nicely. As a result, whole ecosystems are developing in which certain actors focus solely on gaining a foothold, a role now known as Initial Access Brokers (IABs). These groups then hand off access to actors focused on ransomware or large-scale post-exploitation, including nation-states. This complicates attribution and spreads the risk of discovery across multiple participants in the attack chain. It also lets groups hone their skills in one specialty rather than trying to be a jack of all trades. These are not 'one-off' occurrences either. Established connections among Advanced Persistent Threat (APT) groups enable them to operate quickly and at scale, much as a pack of wolves can overpower larger prey; it is this capacity for coordinated teamwork that makes the wolf a superior predator. This raises the question: is the same phenomenon happening in cybercrime? Evidence strongly suggests that it is.
But why stop there? Why not take your specialty and sell it as a service? Surely some would like to use your skills and are willing to pay for them. A prime example is Ransomware as a Service, or RaaS, exemplified by the aforementioned Egregor (MITRE ID S0554). This RaaS operated at a global level, hitting several notable names, such as Barnes & Noble, in October 2020.
Conti is another example of a RaaS operation. When I first wrote about RaaS back in 2020, I mentioned that a better acronym might be MaaS, or Malware as a Service, because I suspected that other forms of malware would follow this trend. One that has is Distributed Denial of Service, or DDoS. Enter KillNet, a very effective group that provides DDoS for hire. Strongly suspected of Russian affiliation, one could argue that, given its track record, it could be referred to as a state actor for hire.
When you think about it, DDoS is an ideal malicious activity to sell as a service. Performing it effectively requires well-established infrastructure and a reasonable degree of coordination and resource management, things the typical attacker might deem too onerous and time-consuming, particularly when the goal is just one specific target. It is much easier to turn to an established group with the tools and expertise. The capability can be rented for a day, a week, or a month, bringing sophisticated DDoS attacks within reach of anyone willing and able to pay.
One of the latest trends that is starting to have an impact is artificial intelligence (AI). While we like to think that AI will only improve our lives and make things safer and more efficient, the reality is that, like any technology, AI can also be used maliciously. AI-generated 'deepfakes' have spread across the internet, circulating fake images and recordings of celebrities and prominent individuals. This has obvious malicious implications, particularly with the upcoming US presidential election. We not only have to question what someone says but whether they actually said it at all. Deepfakes could be used to disparage a political opponent by making them appear to do or say something that would hurt their standing in the election.
If it isn't already, identity verification will also be challenged in the near future. Gartner recently made a statement to this effect, predicting that by 2026, attacks using AI-generated deepfakes against face biometrics will lead 30% of enterprises to consider such identity verification and authentication solutions unreliable in isolation. While there are mitigations, they are not easy, and they are not perfect. As time goes on, detecting fakes will only become harder.
Even aside from deepfakes, there are many things attackers would find very handy with AI as a toolset. Weaponized AI can assist in data poisoning as well as reverse engineering. AI-powered malware is becoming a reality. Botnets are evolving to leverage AI to analyze their environment and adapt their behavior to evade detection. AI could also be used to analyze a target system for vulnerabilities. For a group like Volt Typhoon, already adept at enumeration and credential abuse, the next steps are obvious.
Knowing of the many cyberattacks that happened in 2023, we are entering 2024 with a bit of wariness, and we should. The events and trends discussed in this article point to an evolution of cybersecurity challenges we've never had to deal with before. But then, what else is new? These challenges are serious, but as in the past, we will address them as best we can. However, we are finding it more and more difficult to declare victory. When we do, it is likely only temporary.
So, is there nothing that we can do? Are we left to simply wait for the world to change for the better? Obviously not. Contrary to popular opinion, some things can be done to improve your overall security posture with the existing technologies that you may have. Here is a short list for consideration:
Maintain a comprehensive inventory of all systems in your environment, especially IoT/ICS and OT devices. Know their function, ownership, and intended purpose. Ownership is a crucial piece; any IoT device without an owner should not be part of your network. Always adhere to the golden rule: you cannot secure what you are not aware of.
Use this inventory to understand typical system communication patterns. If possible, get this directly from the manufacturer, but validate it in the lab. You should have a solid understanding of a normal system communication profile. If you have IoT equipment from a defunct manufacturer, remove these devices as there’s a possibility they will have no future patches or upgrades.
After establishing a communication profile for the system, implement policies and segmentation strategies for the relevant systems on a strictly need-to-know basis. Unless presented with three compelling reasons for allowing remote system access to employees, I prefer to maintain complete isolation of the systems, enforcing stringent controls at the security boundary.
Continuous monitoring for unusual activity is crucial. A wealth of insights can be obtained by comparing the established 'normal' profile of system activity with actual operations. This comparison is one of the most effective early warning signs of a system breach. Identifying any deviations in behavior can greatly enhance security outcomes.
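The inventory, baseline and monitoring steps above fit together into a single check. The following is an added example, not code from the original article: it learns each inventoried device's normal (peer, port, protocol) profile from flow records captured during a trusted learning window, enforces the "every device has an owner" rule, and then flags live flows that fall outside the learned profile. The inventory and both sets of flow records are constructed sample data, and the tuple layout is an assumption standing in for whatever your NetFlow or Zeek conn log export actually provides.

```python
"""Baseline-and-deviation check for IoT/OT device communication profiles.

Added example (not from the original article). Learns which (dst, port, proto)
tuples each inventoried device talks to during a trusted learning window, then
reports live flows outside that profile. All data below is constructed; the
flow tuple shape (src, dst, dst_port, proto) is an assumption, not a vendor format.
"""
from collections import defaultdict

# Constructed inventory: ownership is recorded because an unowned device
# should not be on the network at all.
INVENTORY = {
    "10.10.5.21": {"name": "plc-line-3", "owner": "ot-team"},
    "10.10.5.22": {"name": "hmi-panel-3", "owner": "ot-team"},
    "10.10.9.40": {"name": "ip-camera-lobby", "owner": None},  # nobody owns this
}

# Constructed flows from a trusted learning window (validated in the lab).
BASELINE_FLOWS = [
    ("10.10.5.21", "10.10.5.22", 502, "tcp"),   # PLC <-> HMI over Modbus/TCP
    ("10.10.5.22", "10.10.5.21", 502, "tcp"),
    ("10.10.5.21", "10.10.1.10", 123, "udp"),   # both sync time with local NTP
    ("10.10.5.22", "10.10.1.10", 123, "udp"),
]

# Constructed live flows: one expected Modbus exchange, a PLC talking to the
# internet over 443, an HMI opening SMB to a new host, and the unowned camera.
LIVE_FLOWS = [
    ("10.10.5.21", "10.10.5.22", 502, "tcp"),
    ("10.10.5.21", "203.0.113.7", 443, "tcp"),
    ("10.10.5.22", "10.10.7.5", 445, "tcp"),
    ("10.10.9.40", "198.51.100.9", 8080, "tcp"),
]


def learn_profile(flows, inventory=INVENTORY):
    """Map each inventoried source device to the set of (dst, port, proto) it used."""
    profile = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in inventory:
            profile[src].add((dst, port, proto))
    return profile


def check_inventory(inventory=INVENTORY):
    """Return the addresses of inventoried devices that have no owner."""
    return sorted(ip for ip, meta in inventory.items() if not meta["owner"])


def find_deviations(profile, flows, inventory=INVENTORY):
    """Return (name, src, dst, port, proto, reason) for every flow worth an alert.

    An uninventoried talker is itself a finding, as is traffic from an unowned
    device; everything else is compared against the learned profile.
    """
    findings = []
    for src, dst, port, proto in flows:
        if src not in inventory:
            findings.append(("<uninventoried>", src, dst, port, proto,
                             "source not in inventory"))
            continue
        name = inventory[src]["name"]
        if inventory[src]["owner"] is None:
            findings.append((name, src, dst, port, proto, "device has no owner"))
        elif (dst, port, proto) not in profile.get(src, set()):
            findings.append((name, src, dst, port, proto, "outside learned profile"))
    return findings


if __name__ == "__main__":
    print("unowned devices:", check_inventory())
    prof = learn_profile(BASELINE_FLOWS)
    for finding in find_deviations(prof, LIVE_FLOWS):
        print("ALERT", finding)
```

Two caveats a practitioner should carry into a real deployment. First, a baseline learned while a device is already compromised will bake the attacker's traffic into "normal", which is why the article's advice to validate the profile against the manufacturer's documentation and in the lab matters. Second, a profile keyed on exact peer addresses will be noisy for devices that legitimately talk to changing hosts (DHCP-assigned peers, cloud endpoints); for those, widen the key to a subnet or a domain rather than turning the alert off.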
Don't overlook your application and cloud implementations. Make sure they are included in your inventory and establish best practices using suitable tools for consistency and confidence. It never hurts to have internal and external penetration tests performed by red teams, whether staffers or third parties. The value of outsourcing is that it removes the bias an internal team may carry. Scanning should be done by teams, or at least individuals, other than the developers themselves; this avoids the "fox in the chicken coop" scenario.
I also recommend reviewing and evaluating your existing security practices regularly. For more ideas, check out this eBook on the Top 10 Network Security Best Practices.