Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

Cyber Security Threat Summary:
The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long-standing threat. However, concerns linger, as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet recent findings suggest Qakbot remains active but weakened. Notably, the operation targeted only the command-and-control servers, leaving the spam delivery infrastructure untouched. As a result, the threat actors retain that part of their operations, indicating a persistent danger despite the takedown.

Security Officer Comments:
Although dismantling Qakbot marked a notable success, the threat landscape remains intricate. The adaptability and resources of Qakbot’s operators raise concerns about its potential resurgence. For individuals worried about previous Qakbot infections, there’s encouraging news. The DOJ has retrieved more than 6.5 million passwords and credentials from Qakbot operators. Highlighted within the source resource, researchers provide a compilation of tools available to individuals concerned about previous Qakbot infections, which may help them verify whether their login information was exposed:

  • Have I Been Pwned: This renowned platform enables users to verify if their email address was compromised in data breaches, now encompassing the Qakbot dataset in its records.
  • Check Your Hack: Developed by the Dutch National Police using data seized from Qakbot, this platform allows users to input their email address, triggering automatic notifications if their address matches data within the Qakbot dataset.
  • World’s Worst Password List: Given Qakbot’s use of commonly used passwords for brute force attacks, reviewing this list may help ensure that your password is not among the most vulnerable options.
Suggested Correction(s):
To safeguard against a potential Qakbot resurgence or similar threats, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) recommend several key mitigations:

  • Require Multi-Factor Authentication (MFA): Implement MFA for remote access to internal networks, particularly in critical infrastructure sectors like healthcare. MFA is highly effective in preventing automated cyberattacks.
  • Regularly Conduct Employee Security Training: Educate employees about security best practices, including avoiding clicking on suspicious links. Encourage practices like verifying the source of links and typing website names directly into browsers.
  • Update Corporate Software: Keep operating systems, applications, and firmware up to date. Use centralized patch management systems to ensure timely updates and assess the risk for each network asset.
  • Eliminate Weak Passwords: Comply with NIST guidelines for employee password policies and prioritize MFA over password reliance wherever possible.
  • Filter Network Traffic: Block inbound and outbound communications with known malicious IP addresses by implementing block/allow lists.
  • Develop a Recovery Plan: Prepare and maintain a recovery plan to guide security teams in the event of a breach.
  • Follow the "3-2-1" Backup Rule: Maintain at least three copies of critical data, with two stored in separate locations and one stored off-site.