Microsoft Squelches Trickbot Ransomware Network

Translated by 柴艺, published 2020-12-18 13:59:31
Original title: Microsoft Squelches Trickbot Ransomware Network

An outlaw online network that's been used to infect millions of computers with ransomware has been disrupted by Microsoft.

The company announced Monday that, together with telecommunications providers around the world, it was able to cut off the infrastructure used by the Trickbot botnet so it could no longer be used to initiate new infections or activate ransomware already planted on computer systems.

Microsoft Corporate Vice President for Customer Security & Trust Tom Burt noted in a company blog that the United States government and independent experts have cautioned that ransomware is one of the largest threats to the upcoming elections.

"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," Burt wrote.

"In addition to protecting election infrastructure from ransomware attacks," he added, "today's action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled."

Potential Versus Actual Threat

The takedown of the Trickbot botnet immediately and drastically reduces the ongoing harm caused by the malicious network, observed Matt Ashburn, head of strategic initiatives at Authentic8, maker of a cloud-based Web browser.

The former CIA agent and CISO of the National Security Council told TechNewsWorld, "If allowed to continue, this botnet could have indirectly affected ongoing and upcoming elections by compromising or corrupting systems used for voter registration, election coordination, and other supporting systems relied upon by state and local governments."

While the potential is there for Trickbot to disrupt the U.S. elections, the actual threat may be less serious than it's claimed to be. "We have not seen Trickbot being leveraged to threaten the U.S. elections in any way," Jean-Ian Boutin, head of threat research at Eset, an information technology security company, told TechNewsWorld.

"While we have not observed any motivation by these attackers to go after elections, the potential does exist because of the size of the botnet," added Vikram Thakur, technical director at Symantec, a division of Broadcom.

"The threat comes from Trickbot pushing ransomware down to computers that might be associated with elections," he told TechNewsWorld.

Malware as a Service

Microsoft's Burt noted Trickbot has infected more than a million computers since 2016. "While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives," he added.

"What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators' purposes through a 'malware-as-a-service' model," he explained.

"Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware," he continued.

Burt also wrote that beyond infecting end user computers, Trickbot has also infected a number of Internet of Things devices, such as routers, which has extended Trickbot's reach into households and organizations.

Malware as a Service can be a boon for less skilled hackers, maintained Jack Mannino, CEO of nVisium, an application security provider. "It reduces the difficulty in maintaining ransomware infrastructure and launching attacks, leveling the playing field for less skilled adversaries," he told TechNewsWorld.

Austin Merritt, a cyber threat intelligence analyst for Digital Shadows, a provider of digital risk protection solutions, added that Ransomware as a Service (RaaS) gives threat actors all the benefits of a regular ransomware attack without the hassle of writing their own code.

"In essence," he told TechNewsWorld, "it lowers the barrier of entry for cybercriminals in the ransomware landscape."

It also makes money for its authors. "You sell a subscription service like any other SaaS provider and you make money off it," observed Karen Walsh, the principal at Allegro Solutions, a cybersecurity marketing company.

"It's a low capital output for a high income," she told TechNewsWorld. "In 2018, cybercrime as a service earned US$1.6 billion."

A Botnet Apart

Other botnets are designed in ways similar to Trickbot, but they're not as targeted, noted John Hammond, a senior security researcher at Huntress Labs, a threat detection and intelligence company.

"It is spread by malicious spam campaigns with very sophisticated branding to impersonate trusted third parties like Microsoft and other official sources," he told TechNewsWorld.

He added that it installs persistence on the local machine so threat actors can maintain their access and continue their operations. "This allows the attackers flexibility through a command-and-control channel to deploy ransomware or wreak further havoc," Hammond explained.

Its modular design also contributes to its flexibility, allowing it to update itself and add features remotely. "This capability is one reason it is so popular among cybercriminals," said Merritt, of Digital Shadows. "It can be customized and developed further to make it more effective and profitable."
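Hammond's point about malspam dressed up as Microsoft or another trusted sender suggests a simple mailbox-side check. The following is an added example written for this page, not code from the article or from any of the vendors quoted: it parses a message's From and Reply-To headers and flags a display name, or a domain, that borrows a brand name the sending domain does not belong to. The brand-to-domain table and both sample messages are constructed for illustration and are assumptions, not data from the original article.

```python
"""Flag e-mails whose sender borrows a brand name the sending domain does not own.

Added example for this page; not code from the article or from Microsoft.
BRAND_DOMAINS and the two sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping of brand keywords to domains the brand legitimately sends from.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com", "outlook.com"),
    "docusign": ("docusign.com", "docusign.net"),
}


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _owned_by(domain: str, allowed: tuple) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def find_brand_impersonation(raw_message: str):
    """Return (header, brand, domain) findings for From/Reply-To headers whose
    display name or domain names a brand that does not own the address domain.
    Reply-To is checked too, because malspam often steers replies elsewhere."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        display, addr = parseaddr(msg.get(header, ""))
        if not addr:
            continue
        domain = _domain_of(addr)
        for brand, allowed in BRAND_DOMAINS.items():
            # Brand named in the display name, or baked into a lookalike domain
            # (e.g. "microsoft-invoices.net"), while the brand does not own the domain.
            claims_brand = brand in display.lower() or brand in domain
            if claims_brand and not _owned_by(domain, allowed):
                findings.append((header, brand, domain))
    return findings


# Constructed sample: display name claims Microsoft, domains do not belong to it.
SAMPLE_MALSPAM = (
    'From: "Microsoft Office 365 Billing" <noreply@office365-invoice-notice.com>\r\n'
    'Reply-To: "Billing" <pay@microsoft-invoices.net>\r\n'
    "Subject: Invoice #48213 overdue\r\n"
    "\r\n"
    "Please open the attached document to review your invoice.\r\n"
)

# Constructed sample: subdomain of a brand-owned domain, must not fire.
SAMPLE_LEGIT = (
    'From: "Microsoft account team" <account-security@accountprotection.microsoft.com>\r\n'
    "Subject: New sign-in to your account\r\n"
    "\r\n"
    "If this was you, no action is needed.\r\n"
)


if __name__ == "__main__":
    for label, sample in (("malspam", SAMPLE_MALSPAM), ("legit", SAMPLE_LEGIT)):
        print(label, find_brand_impersonation(sample))
```

This is a heuristic, not authentication: a subdomain of an owned domain passes, a lookalike domain with the brand name embedded does not, and an attacker who controls a domain with no brand string in it and an innocuous display name is not caught. Pair it with SPF/DKIM/DMARC results from the receiving MTA rather than relying on it alone.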

Raising Defenders' Morale

Burt noted that Microsoft took a new legal tack to shut down Trickbot.

"Our case includes copyright claims against Trickbot's malicious use of our software code," he wrote. "This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."

Mark Kedgley, CTO of New Net Technologies, a provider of IT security and compliance software, praised Microsoft's strategy. "The new tactic of using copyright law to go after threat actors is a creative way to get legal backing to take the fight to the Botnet Wranglers," he said.

"It is good to see that, so far, it appears to have been effective in shutting down the majority of the command and control network," he told TechNewsWorld.

Merritt added the strategy can be an effective way to thwart malware propagation, especially with the assistance of law enforcement. "Civil action can protect customers in many countries around the world that have copyright laws in place," he maintained.

However, he added, "It is impossible to know how TrickBot may react to this approach. TrickBot operators have fallback mechanisms that allow them to maintain the botnet and recover lost computers infected with Trickbot."

Regardless of how the Trickbot gang reacts, Microsoft's actions will raise morale among harried defenders of corporate systems.

"The recent prevalence of ransomware has left defenders struggling to keep up and wondering how these operators can be stopped," observed Katie Nickels, director of intelligence at Red Canary, a cloud-based security services provider.

"For defenders who are fighting against ransomware operators every day," she told TechNewsWorld, "it is exciting to see actions that could potentially deter some of these operators."

Author: John P. Mello Jr.

Source: https://www.technewsworld.com/story/86880.html

This article is a translation of a foreign-language original. If it infringes your rights, contact cloudcommunity@tencent.com for removal.
