The FBI Dismantled QakBot Infrastructure
QakBot — also known as Qbot, Quackbot and Pinkslipbot — is responsible for thousands of malware infections globally. QakBot has provided initial access to more than 700,000 computers around the world, access that led to ransomware attacks and the compromise of financial-sector user accounts.
On August 25, 2023, the FBI (Federal Bureau of Investigation) and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. [1]
EclecticIQ analysts assess with moderate confidence that, following the operation, a short-term decline in QakBot infection rates is almost certain. In the intermediate term, it is probable that QakBot developers will enhance their C2 communication security and resume their activities. A similar pattern followed the disruption of Emotet's infrastructure by a coordinated global law enforcement takedown in January 2021: Emotet re-emerged 10 months later and resumed its campaigns. [2]
UNC4841 Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
According to Mandiant, a China-based hacking group called UNC4841 exploited a zero-day vulnerability in Barracuda's Email Security Gateway (ESG) to target government, military, defence and aerospace, high-tech industry, and telecom sectors in the U.S. and Canada as part of a global espionage campaign. [3]
Threat actor UNC4841 exploited CVE-2023-2868 to deploy malware and to conduct post-exploitation activities. Intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistent remote access.
The latest disclosure from the FBI is urging impacted customers to replace their ESG appliances with immediate effect, citing continued risk. [4]
Exploit Released for Critical VMware SSH Auth Bypass Vulnerability
On August 29, 2023, VMware warned customers that exploit code had been released online for a critical SSH (secure shell) authentication bypass vulnerability leading to remote code execution (RCE) in the VMware Aria Operations for Logs analysis tool. [5]
The vulnerability tracked as CVE-2023-34039 was found by security analysts at ProjectDiscovery Research and patched by VMware in version 6.11. [6]
Successful exploitation enables remote attackers to bypass SSH authentication on unpatched appliances and access the tool's command line interface. Exploitation is low-complexity and requires no user interaction.
To mitigate the flaw, VMware "highly recommends" applying security patches for Aria Operations for Networks versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10 available in a support document. [7]
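The patch guidance above lists affected branches up to 6.10 with the fix in 6.11, which is exactly the range where naive string comparison of version numbers goes wrong ("6.9" sorts after "6.11" lexicographically). The following is an added triage helper, not code from EclecticIQ or VMware; the inventory records and hostnames are constructed for the example, and the only facts taken from the advisory text are the affected version list and the fixed release 6.11.

```python
from typing import Dict, List, Tuple

# Affected branches and the fixed release as stated in the advisory text on this page.
AFFECTED_BRANCHES = ["6.2", "6.3", "6.4", "6.5.1", "6.6", "6.7", "6.8", "6.9", "6.10"]
FIXED_VERSION = "6.11"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split 'major.minor[.patch]' into integers so that 6.9 < 6.10 < 6.11 compares correctly."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the appliance runs a 6.x release older than the fixed version.

    Tuple comparison handles mixed depth: (6, 5, 1) < (6, 11) and (6, 11, 0) > (6, 11).
    """
    parsed = parse_version(version)
    fixed = parse_version(FIXED_VERSION)
    return parsed[0] == fixed[0] and parsed < fixed


def naive_string_compare_is_affected(version: str) -> bool:
    """The pitfall: plain string comparison, kept only to show why it must not be used."""
    return version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into affected / patched / unknown for follow-up."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            # Unparseable version strings need a manual check rather than a silent pass.
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("vrni-01", "6.10"),
    ("vrni-02", "6.11"),
    ("vrni-03", "6.5.1"),
    ("vrni-04", "6.9"),
    ("vrni-05", "6.11.0"),
    ("vrni-06", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    # Demonstrate the string-comparison bug on a branch the advisory lists as affected.
    print("naive check flags 6.9 as affected:", naive_string_compare_is_affected("6.9"))
```

The `naive_string_compare_is_affected` branch returns `False` for "6.9", so a script built that way would report a vulnerable appliance as patched; the tuple-based check is what a vulnerability-management job should use before deciding which hosts still need the 6.11 update.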
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] “FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown,” Federal Bureau of Investigation. https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown (accessed Sep. 06, 2023).
[2] “The Emotet botnet is back, and it has some new tricks to spread malware,” ZDNET. https://www.zdnet.com/article/the-emotet-botnet-is-back-and-it-has-some-new-tricks-to-spread-malware/ (accessed Sep. 08, 2023).
[3] “Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868),” Mandiant. https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation (accessed Sep. 06, 2023).
[4] “FBI Flash Report,” Internet Crime Complaint Center (IC3). https://www.ic3.gov/Media/News/2023/230823.pdf (accessed Sep. 07, 2023).
[5] SinSinology, “CVE-2023-34039,” GitHub. https://github.com/sinsinology/CVE-2023-34039 (accessed Sep. 07, 2023).
[6] “VMSA-2023-0018,” VMware. https://www.vmware.com/content/vmware/vmware-published-sites/us/security/advisories/VMSA-2023-0018.html (accessed Sep. 06, 2023).
[7] “Addressing Security Vulnerabilities CVE-2023-34039 and CVE-2023-20890 in VMware Aria Operations for Networks (Formerly vRealize Network Insight) On-Prem installations (94152).” https://kb.vmware.com/s/article/94152 (accessed Sep. 07, 2023).