Robin’s Newsletter #272

3 September 2023. Volume 6, Issue 36
FBI takes down Qakbot. Two arrested for Polish train disruption. Met Police supplier loses personal data of 47,000 officers.

This week

The FBI has taken down the Qakbot operation

  • An FBI-led operation has resulted in the complete takeover and shutdown of the ‘Qakbot’ botnet. The Qakbot malware, also known as QBot and Pinkslipbot, was one of the most prolific malware families (see Stats below), with over 700,000 infected devices connected to the botnet.
  • The malware helped facilitate over 40 ransomware attacks that generated $58 million in ransom payments over the last 18 months. The feds also seized $6.8 million in cryptocurrency as part of Operation Duck Hunt.
  • The FBI explained that they were able to obtain a warrant allowing them to secretly copy the servers used by the cybercriminals. They used this copy to extract encryption keys and understand how Qakbot controlled the infected devices.
  • On the evening of 25th August, the FBI issued a command instructing part of the network to replace the ‘super node’ modules used to control infected devices and to change the encryption key, locking the Qakbot criminals out of their own network. At the same time, they sinkholed the main command and control server. From there, a command was issued to all infected devices to download an uninstaller that removed the malicious files from affected devices.

Interesting stats

80% of early-stage malware infections so far this year are caused by just three malware families: QBot, SocGholish, and Raspberry Robin, according to ReliaQuest.

~50%~, the amount by which some UK politicians claim “overall crime” has fallen since 2010, which is a little misleading because the Crime Survey of England and Wales (CSEW) didn’t ask about or track fraud and computer misuse until 2017:

CSEW data from 2010 onwards shows a reduction in non-fraud, non-computer crime, but it’s only half the picture (source: Full Fact)

When adding the 3.7 million instances of fraud and 764,000 instances of computer misuse in the year to December 2022 to the ~4.75 million other offences, it’s pretty much on par, and shows a shift in the way that crimes are committed. H/t @PickardJE and Full Fact.

Related to those crime stats, here’s your reminder that cyber security is, at its core, a people problem, and the UN estimates (PDF) that 120,000 people in Myanmar and 100,000 people in Cambodia may be forcibly involved in online scams by organised crime gangs and people traffickers. It’s about as far from vendor fetishes for grand-sounding threat-actor names as possible. Forget ‘Voodoo Bear’ or ‘Seashell Blizzard’ or any other ludicrous names I’ll write below. (Perhaps we should start similarly naming cyber vendors? Let me know your suggestions on LinkedIn, Twitter and Mastodon 😇)

Other newsy bits / in brief

“The risk is that the treaty will not be a tool for prosecuting criminals but rather a weapon that allows for intrusive data access and surveillance instruments. The result could be an international agreement granting authoritarian states the power to suppress dissent under the guise of fighting cybercrime.” — Amy Hogan-Burney, Associate General Counsel, Cybersecurity Policy & Protection at Microsoft

And finally


  Robin's Newsletter - Volume 6

  “Federal Bureau of Investigation (FBI)” “Qakbot” “QBot” “Take-down” “Operation Duck Hunt” “Cybercrime” “Japan” “Netgear” “Okta” “Oktapus” “Juniper” “Metropolitan Police” “Malwarebytes” “National Cyber Security Centre (NCSC)” “Rail” “Russia” “Cyber Norms”