December 28, 2023
Severity
High
Analysis Summary
The Qakbot malware has resurfaced less than four months after law enforcement, including US authorities, dismantled its command-and-control infrastructure in the August 2023 operation codenamed "Duck Hunt." Despite the takedown, security vendors have recently detected Qakbot being distributed through phishing emails targeting organizations in the hospitality sector. Current email volumes are relatively low, but an increase is expected given the persistence of the Qakbot operators.
Reports from several security vendors indicate that the takedown had only a limited effect on the actors behind Qakbot. In the months following the operation, Cisco Talos observed Qakbot-affiliated actors distributing the Remcos backdoor and Ransom Knight ransomware. This led researchers to assess that the law enforcement action may have targeted only Qakbot's command-and-control servers, leaving the group's spam-delivery infrastructure intact.
One security vendor reported 1,581 attempted Qakbot-related attacks against its customers during September 2023, and the level of activity has remained roughly steady in the months since. Qakbot continues to target organizations in the finance, manufacturing, education, and government sectors.
Qakbot's persistence suggests that the threat group behind it avoided any significant consequences from the operation. Researchers note that the group's ability to keep operating depends on economic feasibility, technical capability, and how easily new infrastructure can be stood up. As long as the ransomware model remains profitable and legal action does not target the individuals and the underlying structure of these criminal operations, fully neutralizing such malware networks remains difficult.
The resurgence of Qakbot illustrates the ongoing challenge of countering resilient and adaptable threat actors: a takedown of command-and-control servers alone disrupts operations only temporarily. Defenders should treat the return as a reason to maintain continuous monitoring and to keep adapting their controls to a threat that is known to rebuild.
Impact
- Sensitive Information Theft
- Unauthorized Access
- Follow-on Malware and Ransomware Deployment (Qakbot-affiliated actors have been observed delivering the Remcos backdoor and Ransom Knight ransomware)
Remediation
- Implement multi-factor authentication on all remote, email, and privileged logins so that credentials stolen by the malware cannot be used on their own.
- Because the current campaign is delivered through phishing emails, filter and sandbox inbound attachments and links at the email gateway, and train users to report suspicious messages rather than open them.
- Continuously monitor network and endpoint activity for unusual behavior, such as unexpected outbound connections to unfamiliar hosts, as this may indicate that an infection is underway.
- Stay vigilant and follow established security practices: keep software updated, enforce strong access controls, and deploy monitoring tools that cover endpoints as well as the network.
- Develop and rehearse a comprehensive incident response plan so the organization can respond effectively to a breach or data leakage.
- Maintain regular backups of critical data and systems, keep at least one copy offline or otherwise isolated from the production network, and test restoration, so recovery is possible if ransomware follows the initial infection.
- Apply the principle of least privilege, ensuring that users and applications have only the permissions they need; this limits what a compromised account or host can reach.
- Establish a robust patch management process so that security patches are evaluated, tested, and applied promptly.
- Conduct regular security audits and assessments to evaluate the overall security posture of systems and networks.
- Implement network segmentation to contain an infected host and limit its ability to reach critical systems.