21 October 2020

Microsoft disrupts 94% of TrickBot's command and control servers


In mid-October, Microsoft announced that it had partnered with industry partners to disrupt the Trickbot botnet, widely considered one of the most prevalent malware threats. While the identities of Trickbot's operators are currently unknown, Microsoft said the botnet has been used both for individual criminal operations and for nation-state campaigns.

In a new update on the matter, the company has revealed more details on its ongoing efforts to take down Trickbot's network. Microsoft said that, together with industry partners, it has eliminated 94% of Trickbot's critical operational infrastructure, including both the command-and-control servers in use at the time of the first phase of the operation and the new infrastructure Trickbot's operators have since attempted to bring online.

“We initially identified 69 servers around the world that were core to Trickbot’s operations, and we disabled 62 of them. The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled,” Microsoft said.

“As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure. We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” the company added.

Since securing its initial court order allowing it to disable Trickbot infrastructure, Microsoft has obtained several further court orders to disrupt the newly activated infrastructure. The company said it will continue doing so until election day on November 3.

According to Microsoft, Trickbot's operators have attempted to rebuild the infrastructure to resume operations and have sought to collaborate with other criminals to deploy malicious payloads.

“This is one of many signs that suggests to us that, faced with its critical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active. While an arrangement with other actors will not enable Trickbot to equal its homegrown capabilities, it’s also a reminder that there are many threats to keeping cyberspace secure,” Microsoft said.
