The recent operation against the Qakbot (“Qbot”) botnet by the US FBI, the Department of Justice and their international partners is nothing short of commendable. By taking down this long-running botnet, they have shown what is possible when the cyber security community works together against a shared threat. We are indeed stronger together. I hope this success will be the first of many, rather than an isolated victory. However, there is some cause to temper the current wave of optimism.
More infected devices might be out there
The figure of 700,000 infected devices quoted by the FBI is based on the contacts received by the adversary’s servers once they had been taken over. That is a substantial number, and the operation might yet prove to be a killing blow to this botnet. However, even assuming that the malware removal command succeeded on every device that checked in, there may be other command-and-control servers, outside the reach of the operation, that were left untouched. Devices reporting to those servers would neither have been counted nor cleaned.
My research team at Lumu Technologies has continued to detect contacts from Qbot after the botnet was supposedly taken down.
Getting rid of Qbot is just the first step
Each of those 700,000 devices is one on which credentials were potentially stolen and may now be for sale on the dark web. Qbot can also act as a backdoor to install other malware or persistence tools, so removing Qbot itself does not mean the device is clean. Each of those devices needs to be checked for follow-on compromise.
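One way to scope that check from network telemetry, added here as a worked example and not part of the original article or of Lumu’s own tooling: the script reads constructed firewall-style log lines, matches destinations against a hypothetical indicator list (the addresses are documentation ranges, not real Qbot infrastructure), and separates hosts that kept beaconing after the takedown date (assumed here to be 29 August 2023) from hosts that went quiet but still had a Qbot infection and so still need a credential and persistence review.

```python
"""Triage hosts by their contacts with (hypothetical) Qbot C2 infrastructure.

Constructed example: the indicator list, log lines and host names are made up
for illustration and are not real Qbot indicators or real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical indicators standing in for a real C2 feed (RFC 5737 ranges).
C2_INDICATORS = {"203.0.113.10", "198.51.100.25", "c2-example.invalid"}

# Assumed takedown date (announcement of 29 August 2023). Contacts on or after
# this date should not occur if the removal command reached the device.
TAKEDOWN = datetime(2023, 8, 29, tzinfo=timezone.utc)

# Constructed log lines in the form "<ISO-8601 UTC timestamp> <src host> <dst>".
SAMPLE_LOG = """\
2023-08-27T09:12:03Z ws-finance-07 203.0.113.10
2023-08-28T14:40:51Z ws-hr-02 198.51.100.25
2023-08-30T03:05:17Z ws-finance-07 203.0.113.10
2023-08-31T11:22:09Z ws-sales-11 c2-example.invalid
2023-08-31T11:25:44Z ws-sales-11 93.184.216.34
"""


def parse_line(line):
    """Split one log line into (aware UTC timestamp, source host, destination)."""
    ts, host, dst = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, dst


def post_takedown_contacts(log_text, indicators=C2_INDICATORS, cutoff=TAKEDOWN):
    """Return {host: [timestamps]} for contacts to an indicator on/after cutoff.

    Any entry here means the removal command did not take effect on that host,
    or something else is now using the same infrastructure.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, dst = parse_line(line)
        if dst in indicators and when >= cutoff:
            hits[host].append(when)
    return dict(hits)


def classify_hosts(log_text, indicators=C2_INDICATORS, cutoff=TAKEDOWN):
    """Map every host that ever contacted an indicator to a triage label.

    'still_beaconing': contacts on/after the cutoff; treat as actively infected.
    'went_quiet':      contacts only before the cutoff; the malware may be gone,
                       but credentials were exposed and persistence may remain,
                       so the host still needs a compromise check.
    Hosts that never contacted an indicator are not returned.
    """
    seen = set()
    beaconing = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, dst = parse_line(line)
        if dst not in indicators:
            continue
        seen.add(host)
        if when >= cutoff:
            beaconing.add(host)
    return {h: ("still_beaconing" if h in beaconing else "went_quiet") for h in sorted(seen)}


if __name__ == "__main__":
    for host, label in classify_hosts(SAMPLE_LOG).items():
        print(f"{host:<16} {label}")
```

Both categories end up on the review list; the label only decides the order. A host that is still beaconing needs containment first, while a host that went quiet is where the credential reset and persistence hunt described above should start.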
Threat actors will adapt
Qbot is essentially a legacy botnet, adapted from its original purpose as a banking trojan, that has been a thorn in our side for too long. It is important to remember that Qbot is just one element in the cyber crime supply chain. It is great to see that cryptocurrency has been confiscated, but as far as we know no arrests have been made. The threat actors are still at large, and other malware is likely to take up Qbot’s position as an initial access vector and precursor to ransomware.
Botnets like Qbot and Emotet have proven resilient before, resurfacing after similar (but smaller) takedown operations, and it remains to be seen whether this was the killing blow to Qbot. The government’s operation shows the power of collective action in cyber security, reinforcing that we are stronger together. We need to remain vigilant. We might have won this battle, but the war still rages on.
Ricardo Villadiego is founder and CEO of Lumu Technologies, a threat hunting and network detection and response (NDR) specialist.