FBI Recommends These Immediate Actions
TrickBot may sound like an engaging name for an impish bit of cyber play, but this Trojan malware is as serious as a heart attack.
As recently as March of 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) announced that they have observed and are warning of ongoing TrickBot spearphishing campaigns in North America. This includes anticipated attacks on hospitals and healthcare systems rendered vulnerable as a result of the pandemic.
The Short and Scary History of TrickBot
According to the FBI and CISA, TrickBot is “a Trojan developed and operated by a sophisticated group of cybercrime actors.” It originally surfaced in 2016 to steal the banking credentials of unsuspecting victims.
Over four years, it has evolved into “highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.”
Its new reach targets numerous other industries, including healthcare, as well as government agencies at all levels.
Many Uses for TrickBot
TrickBot is actively being used by cybercriminals for two purposes:
- Distributing malware that steals credentials, email data, and point-of-sale data.
- Spreading file-encrypting ransomware, such as Ryuk or Conti.
Until recently, TrickBot was also being used to download Emotet, banking malware that steals sensitive financial data. However, in January 2021, authorities located and seized the Emotet infrastructure and shut it down. Score one for the good guys!
How Victims are Baited and Hooked
Phishing and spearphishing campaigns are the means of choice for cybercriminals seeking to infect systems with TrickBot. Personalized spoofed emails contain tempting bait, in the form of malicious links and/or attachments. The malware installation process is set in motion when the email recipient clicks on one bait or the other.
A popular ploy is a targeted email informing the recipient that they have been captured on camera in a traffic violation, They are cued to click on the email link or attachment to view proof of the violation. That click takes the reader to a malicious website which provides a link to the photographic proof of the traffic violation.
When the photo link on the website is clicked, a malicious JavaScript file is opened, causing the cybercriminal’s command and control server to download TrickBot into the victim’s system.
The ultimate goal, of course, is to steal sensitive individual or company information that can either be used for additional criminal purposes or sold for profit on the black market in cyberspace.
With so many cameras installed at intersections, storefronts, and elsewhere, it is not difficult to believe that you might have been caught speeding and are liable to be cited and fined. Hence the popularity of this particular ploy.
In addition to spearphishing campaigns, there are several other means of infecting systems with TrickBot. These include email spam campaigns, malvertising, and exploitation of network vulnerabilities like Server Message Block.
TrickBot’s Nasty Habits
One of TrickBot’s technical tricks is to use man-in-the-browser attacks to steal information, such as login credentials, according to the FBI/CISA Alert.
In addition, some TrickBot modules can spread the malware laterally across a network by exploiting Server Message Block (SMB) vulnerabilities.
The TrickBot toolset can exploit the entire MITRE ATT&CK framework, from collecting data to use for email targeting to manipulating, interrupting, or destroying systems and data.
TrickBot is capable of data exfiltration, crypto mining, and host enumeration, such as the reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System firmware, according to the Alert.
In short, TrickBot is no joke. Network and system administrators need to make sure their cybersecurity defenses are current and strong. This includes hardening the weakest link in the security chain by launching employee security training immediately and ensuring periodic retraining.
What Organizations Can Do To Thwart TrickBot
The FBI and CISA have provided mitigation guidance to safeguard against TrickBot, including security best practices in both the public and private sectors. As always, they caution that any configuration changes or updates should be tested prior to implementation to prevent unexpected problems.
Following are their joint recommendations.
Employee-Focused Actions
- Provide social engineering and phishing training to employees. (Note: This appears at the top of the recommendations list for a reason. See more on training in the next section.)
- Monitor web traffic. Restrict user access to exclude suspicious or risky sites.
- Require employees to report all suspicious emails to the security and/or IT departments.
- Mark external emails with a banner denoting the email are from an external source to assist users in detecting spoofed emails.
System-Focused Actions
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting, and Conformance validation system for email authentication.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications between network hoses, segments, and devices.
- Consider using application allow listing technology on all assets to ensure that only authorized software executes and that all unauthorized software is blocked from executing on assets. Ensure that such technology allows only authorized, digitally signed scripts to run on a system.
- Enforce multi-factor authentication.
- Enable a firewall on workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on workstations and servers. (Note: Use of data analytics may be helpful in identifying unneeded services and apps by analyzing usage history.)
- Implement an Intrusion Detection System to detect command and control server activity and other potentially malicious network activity.
- Maintain situational awareness of the latest threats and implement appropriate access control lists.
- Disable the use of Server Message Block version 1 (SMBv1) across the network and require at least SMBv2 to harden systems against network propagation modules used by TrickBot.
The CISA has developed a snort signature for detecting network activity associated with TrickBot, which is presented in its entirety in the FBI/CISA Alert.
For additional guidance, the FBI recommends reviewing the pages on MITRE ATT&CK Techniques as well as CISA Alert AA20-245A on malware discovery and remediation.
The Importance of Employee Training
As noted in a previous blog on e-skimming, the importance of employee training, and periodic refresher training, can never be over-stated as a means of reducing risk. Unsuspecting employees have been responsible for activating TrickBot, however innocently.
Employee training in social engineering, phishing, and other ploys is crucial. Training should include lessons in the damage that can be inflicted on company networks and data by simply clicking on links or attachments in email messages. Train employees to be suspicious and teach them why they need to be. Instead of being the weakest links in the security chain, vigilant, well-informed employees can actually enhance your front-line defenses.
Because everyone learns a little differently, for the optimum effect, your cybersecurity awareness training should include a mix of components. These may include classroom training, virtual training such as online webinars and self-paced web-based training, newsletters and blogs, and regular email reminders and security quizzes.
Summary
The TrickBot Trojan is fairly new on the cybercrime scene but has wreaked serious havoc since it was first spotted in 2016. In March of 2021, the FBI and CISA announced recent observations of TrickBot in North America and issued a joint alert with mitigation recommendations and tools.
TrickBot installs malware to steal data, login credentials, and other information assets from vulnerable networks, and can also install ransomware. TrickBot relies on unsuspecting employees to click on tempting links provided in emails and attachments in targeted phishing campaigns, known as spearphishing.
CISOs should be aware of the ongoing TrickBot threat and ensure that all employees are fully trained to recognize and report suspicious emails. Network and system administrators should act quickly to harden security in accordance with FBI recommendations.
Cybersecurity Hygiene Webinar!
On May 11th, at 2 PM Eastern Time. The Cybersecurity and Infrastructure Security Agency (CISA) co-hosted a webinar to explore how prioritizing cybersecurity hygiene can enhance your business and how understanding CISA Cyber Essentials can help. Learn more at Cybersecurity: How’s Your Hygiene? - Stay Safe Online.