What would you say if you answered the phone, and it was the FBI investigating a cyber attack incident?
“Hello, this is the FBI.”
“Yeah, right...”
When a call like this came into our office here at VC3, we were skeptical...but it turned out to be legit. The FBI was collaborating with Microsoft to shut down a global malware scheme, and they needed our help taking down one of the devices at a client’s site.
Before we go any further – the incident happened outside of the systems that VC3 manages, and we’re not revealing their name to preserve confidentiality. However, it’s our mission to spread the word about security and how to protect yourself and your company from cyber predators, so this is a story that everyone should hear. There’s more than one lesson to learn from it...
Malware Commandeered a Slave Computing Army
So why was the FBI contacting us here at VC3? It has to do with a type of malware called TrickBot, one of the most sophisticated pieces of malware to be let loose on the internet. TrickBot sends out phishing emails that lure the recipient to either click a link or open an attachment. That will kick off other actions that lead to the kidnapping or theft of banking information.
Over time, the malware built its own infrastructure, allowing it to increase the control and options it had for dumping payloads on infected computers. But TrickBot developers didn’t really build this infrastructure – they commandeered it.
Ever heard of a botnet?
Essentially, it’s a slave army of devices that have been exploited for their computing power. This activity is usually unseen, but in the case of TrickBot, someone noticed that the malware was using a whole bunch of domain names to create the malicious websites that were part of their scheme.
TrickBot Trail Led to Phone System Router
This is where Microsoft comes in.
Because this malware makes their products not work like they’re supposed to, Microsoft initiated a lawsuit to take over the domain names and shut them down. The lawsuit was successful, and they worked with the FBI to close the domains. That meant blocking the IP addresses behind the names.
It turned out that one of the IP addresses led to one of our clients. The FBI contacted this company, and they referred them to us as their managed IT service provider.
The investigation revealed that the IP address belonged to a router that was connected to the client’s on-premises phone system (managed by their phone service provider).
It’s unknown how long the router was a TrickBot slave, but when the Internet Service Provider blocked all outgoing traffic, the company’s phone system went down, causing a scramble to get communications back up and running.
The phone company ended up replacing the router with a modern model, but another solution would have been to update to a cloud-hosted phone system.
Security Best Practices from Phone Vendor Could Have Thwarted Router Takeover
Could this have been avoided? In this case, the phone vendor had not kept the compromised router’s software up to date. Using supported and consistently updated software is a basic cyber security practice that we know works to keep network doors locked from intruders. Because vulnerabilities are found in software all the time, we can’t say that this blocks out bad guys 100%, but it’s a must-have layer of security that you can’t skip.
Related: 17 Foundational Cyber Security Measures Southern California Businesses Need
Consider Security with All Network Devices and Vendors
If a phone router can get captured in a botnet, are other devices at risk too?
Oh yeah! Anything that you have on your network, like security cameras, environmental controls, manufacturing machines, and the like, has the potential to be exploited if there’s a vulnerability that can be discovered.
For example, if you access your security cameras from your phone without VPN, you’re creating a hole where a cyber attacker can creep in.
By now, you might be wondering if you’re unknowingly hosting a botnet. If equipment is being managed proactively and best practices are being followed to patch and update software, and you’re refreshing hardware on a regular basis, then you most likely have those network doors locked as best you can.
However, cybercriminal tactics are getting more and more sophisticated, and if you don’t have an Endpoint Detection and Response (EDR) tool, then you’re underinvested in cyber safety.
Related: Top 5 Ways Businesses Can Prevent the Most Common Cyber Security Threats
What about all of those other devices that you’re using?
Be your own advocate and ask your vendors what they’re doing to secure the devices and services they’re providing. Additionally, don’t be lulled into thinking that just because the equipment is visibly working as it should, that it doesn't need to be upgraded or replaced. You don't want to wait until a crisis, like a cyber attack or sudden equipment failure.
VC3 IT Services Delivered with Security Mindset
Here at VC3, we do everything with our eyes on security. The baseline for security has moved, and basic security is no longer enough to keep up with the increasing number of cyber risks organizations face every day.
If you’re not confident that your IT team has all the bases covered when it comes to managing cyber risks, contact us for a Security and Risk Assessment. You’ll get an objective viewpoint and actionable recommendations that will help you improve your security posture, whether or not you decide to work with us.