Reality check Qakbot might have been on your network. How would you find out?
Did you know that Qakbot indicates that other malware, APT, criminal, and State threat actors might still be on your network?
Yes, law enforcement sent out a command to disable Qakbot. But the reality is that your network is STILL Vulnerable!
Competent Threat Actors would use Qakbot to get into a network. They would use other tools to start moving around inside the network. Kill off Qakbot will now knock out the persistent threat actor. They would still be inside your network.
Qakbot was a tool used by many miscreant threat actors over the years. It was ONE TOOL in a TOOLBOX!
First, go to the Shadowserver Qakbot Historical Bot Infections Special Report and read through the details! Then read Qakbot Historical Bot Infections Special Report and Qakbot Botnet Disruption. All this work is a public service as part of Shadowserver’s Cyber Civil Defense activities.
Second, if you have not subscribed to the free Shadowserver Daily Reports, do that now. Everyone who is sided up to Shadowserver got the report on their network.
If you have missed a Special Report because you were NOT yet a subscriber when a report was pushed out, simply subscribe for your network now and request all recent Shadowserver Special Reports (send an email to email@example.com).
Shadowserver will regenerate specifically for your network at no cost. The Shadowserver Foundation is a non-profit focused on Cyber Civil Defense. Decades of experience are historically trusted by the world’s top law enforcement organizations.
Finally, review the report from Shadowserver, look for Qakbot infections, and start hunting. Expect other threat actors on your network if you find a past Qabot infection.
The “hunting exercise” would not be a waste of time. You might be surprised by what you find. If you need a reminder of what could happen, watch Operation Aurora | HACKING GOOGLE. Aurora was multiple organizations with the best-known defenses and threat detection architectures. And yet, an observant peer outside of Google pulled the thread, which led to a massive penetration in multiple organizations.
Pull down the Shadowserver Qakbot Special Report, find out if Qakbot was ever on your network, and then go hunting to find out what else might be on your network. Never assume your tools are foolproof.