Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

December 1, 2023 at 06:24AM

The DOJ and FBI partially dismantled the Qakbot malware network, shutting down its command-and-control servers but arresting no operators, so the threat is diminished rather than eliminated. They advise using multi-factor authentication, employee training, software updates, strong passwords, network filtering, a recovery plan, and adherence to the “3-2-1” backup rule. Users can check for past Qakbot infections through certain online resources, while ongoing vigilance and specific security measures are recommended for protection.

**Takeaways from Meeting Notes on Qakbot Malware Operation**

**Overview:**
– The DOJ and FBI orchestrated a multinational effort to counter the Qakbot malware and botnet.
– Their operation successfully disrupted Qakbot but did not completely eliminate the threat.
– There are concerns that Qakbot may persist in a less potent form.
– The absence of arrests implies that actors behind Qakbot could still present a risk.

**Key Points:**
– Around 700,000 devices globally, with 200,000 in the U.S., were infected by Qakbot at the time of the takedown.
– The takedown impacted command-and-control servers without addressing the spam delivery infrastructure.
– Qakbot’s operators remain at large and potentially active.

**Mitigation Strategies for Future Protection:**
1. Require Multi-Factor Authentication (MFA) for internal network access.
2. Conduct regular employee security training to instill best practices.
3. Maintain updated corporate software across all systems.
4. Enforce strong password policies in line with NIST guidelines, emphasizing MFA.
5. Utilize block/allow lists to filter network traffic, blocking communications with known malicious IPs.
6. Develop and maintain a comprehensive recovery plan for data breaches.
7. Follow the “3-2-1” backup rule – three data copies, two local but on different devices, and one off-site.

**For Checking Past Infections:**
– DOJ has obtained over 6.5 million compromised passwords and credentials.
– Use “Have I Been Pwned” or “Check Your Hack” to see if your data was compromised.
– Avoid passwords that appear on the “World’s Worst Passwords” list to reduce exposure to brute-force attacks.

**Conclusion and Recommendations:**
– Despite the setback, Qakbot can potentially reemerge.
– Continuous vigilance and the implementation of recommended security measures are essential.
– To guard against malware like Qakbot, BlackBerry’s CylanceENDPOINT and CylanceOPTICS solutions are advised.

**Additional Resources:**
– DOJ has a dedicated Qakbot resources page for extended information and guidance.

**Action Items:**
– Follow up on implementing recommended security measures.
– Check corporate and personal credentials against the provided resources.
– Stay informed by following related updates on The Hacker News, Twitter, and LinkedIn.
