The past year has shown us the significant impact of the Gamarue botnet on computers worldwide; cyber criminals leveraging less sophisticated methods to infect machines and in some cases, extort ransoms from victims; and ransomware being used in a wide range of cybercrime activity, including email phishing campaigns and destructive attacks like WannaCrypt. Organizations that adopt security hygiene methods, security solutions, and best practices, have cyber resilience and incident response plans and employ the right mix of people and processes for dealing with the various threat scenarios and attacks described could at least minimize damage and impact from them.
CyberSecOP is a trusted security advisor and partner to large global organizations. To learn more about our security offerings, visit www.cybersecop.com and check out the Security News Section for our perspectives on additional trending threats and topics.
Cyber criminals are continuing to relentlessly infect computers and engage in botnet activity with the intention to have a large infrastructure that they can then mine for sensitive data and possibly monetize, as is the case with ransomware threats. Defending against botnet activity is not a simple task and, as in years past, takes a massive effort by both private and public organizations working together.
A bot is a program that allows an attacker to take control of an infected computer. A botnet is a network of infected computers that communicate with command-and-control servers. Cybercriminals use botnets to conduct a variety of online attacks, such as send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising, and much more.
There have been several botnet disruptions coordinated by the Microsoft Digital Crimes Unit (DCU) going back to the November 2008 Conficker botnet disruption. On November 29, 2017, the Microsoft Digital Crimes Unit (DCU) coordinated the disruption of the Gamarue botnet (also known as Andromeda).
· 1,214 domains and IP addresses of the botnet’s command and control servers
· 80+ associated malware families
Impact of the disruption operation
Worldwide coordination of research and investigation efforts is key to disrupting a malware operation with the magnitude of Gamarue. As a result of such complexities, public/private partnerships between global law enforcement agencies and private industry partners are essential to a successful outcome.
A significant aspect of the Gamarue disruption was the kill chain effect that the operation had on the distribution of 80 additional malware families. By disrupting a major malware family like Gamarue, we are able to stop potential harm being caused to millions of users worldwide and begin the restoration of victims’ devices.
Since the botnet disruption operation in November 2017, the sinkhole Microsoft created has experienced a 30% decrease in Gamarue victims worldwide, as shown in Figure 6.
Microsoft continues to collaborate with public and private industry partners to identify affected devices through the Microsoft Digital Crimes Unit Cyber Threat Intelligence Program to accelerate the remediation process.
To detect and protect computers from Gamarue and other malware, use security solutions that apply advanced machine learning models as well as generic and heuristic techniques. CyberSecOP is continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their employees and customers.
As the cost of circumventing security measures increases, hackers are taking advantage of “low-hanging fruit”, such as infrastructure and apps used by organizations and consumers, with the intention of infecting computers and gaining access to sensitive data such as credentials. In this section, we share three of the low hanging fruit routes employed by cyber attackers: social engineering, poorly secured cloud apps, and legitimate software platform features.