The US Department of Justice (DOJ) and the FBI recently collaborated on a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation succeeded in disrupting this long-standing threat, concerns arose as it appeared that Qakbot could still pose a threat in a reduced form. This article discusses the situation after the removal, provides mitigation strategies, and offers guidance on determining whether you were affected by a past infection.
The Removal and Its Limitations
During the takedown operation, law enforcement secured court orders to remove the Qakbot malware from infected devices remotely. The malware was found to have infected 700,000 machines worldwide, including 200,000 computers in the US, at the time of the removal. However, recent reports suggest that Qakbot is still active, albeit in a reduced state.
The absence of arrests during the takedown operation indicates that only the command-and-control (C2) infrastructure was affected, leaving the spam delivery infrastructure untouched. The threat actors behind Qakbot therefore continue to operate, and the threat is ongoing.
Mitigation for Future Protection
To protect against the potential resurgence of Qakbot or similar threats, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) recommend some key mitigations:
- Require Multi-Factor Authentication (MFA): Implement MFA for remote access to internal networks, especially in critical infrastructure sectors such as healthcare. MFA is very effective in preventing automated cyberattacks.
- Conduct Regular Employee Security Training: Educate employees about security best practices, including avoiding clicking on suspicious links. Encourage practices such as verifying the source of links and typing website names directly into browsers.
- Update Corporate Software: Keep operating systems, applications, and firmware up to date. Use a centralized patch management system to ensure timely updates and assess the risk of each network asset.
- Remove Weak Passwords: Follow NIST guidelines for employee password policies and prioritize MFA over reliance on passwords alone whenever possible.
- Network Traffic Filtering: Block incoming and outgoing communications with known malicious IP addresses by implementing block/allow lists.
- Create a Recovery Plan: Prepare and maintain a recovery plan to guide security teams in the event of a breach.
- Follow the “3-2-1” Backup Rule: Maintain at least three copies of critical data, with two stored in separate locations and one stored off-site.
Check for Past Infections
For individuals concerned about past Qakbot infections, there is some good news. The DOJ recovered more than 6.5 million stolen passwords and credentials from Qakbot operators. To check whether your login information has been exposed, you can use the following resources:
- Have I Been Pwned: This widely known site allows you to check if your email address has been compromised in a data breach. It now includes the Qakbot dataset in its database.
- Check your Hack: Created by the Dutch National Police using seized Qakbot data, this site allows you to enter your email address and provides an automatic email notification if your address appears in the dataset.
- List of World’s Worst Passwords: Since Qakbot uses a list of common passwords for brute-force attacks, you can check this list to make sure your password isn’t one of the worst.
While the removal of Qakbot is a significant achievement, the threat landscape remains complex. A resurgence of Qakbot is possible, given the adaptability and resources of its operators. Staying vigilant and implementing security measures is essential to prevent future infections. BlackBerry's CylanceENDPOINT solution is recommended to protect against Qakbot execution, and specific rules within CylanceOPTICS can improve protection against threats such as Qakbot.
For more information and mitigation resources, visit the DOJ’s Qakbot resources page.