Q
Problem solve Get help with specific problems with your technologies, process and projects.

QakBot malware: How did it trigger Microsoft AD lockouts?

QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks are being carried out.

IBM X-Force researchers observed QakBot malware causing hundreds of thousands of Microsoft Active Directory (AD)...

users to be locked out of their company domains. QakBot malware typically targets businesses and their financial resources. How is QakBot able to carry out these Microsoft AD lockouts?

Malware is constantly evolving, and those that target financial institutions seem to be updated the most. Each update addresses the steps taken by financial institutions and antimalware vendors to protect their customers.

For example, one recently updated piece of malware targeting financial institutions is QakBot. Like most malware, QakBot is designed to access and control an endpoint and is distributed via exploit kits. IBM X-Force Research recently observed a wave of QakBot-induced lockouts of Microsoft AD in several incident response engagements, which is a less common aspect of malware incident response.

Malware, like ransomware, can prevent access to data, and the AD lockouts could be the result of a denial-of-service attack; in this case, the lockouts are just a function of the malware trying to brute-force attack AD servers with automated login attempts that use common usernames.

QakBot has the functionality to target financial accounts for fraud, and it also has worm-like functionality that enables it to copy itself to removable media and infect additional systems. The worm functionality tries to connect to a remote system using Windows file sharing so that it can copy the malware to the remote endpoint. It also comes with a built-in username list, but it can also try to enumerate usernames by querying enterprise AD using the access of the logged in user.

However, an authenticated user can usually query AD for usernames so that permissions can be granted to a file. Usernames are not typically sensitive information, but as these incidents have pointed out, usernames can still be misused.

This lockout also requires that AD is configured to lock out an account after a predefined number of failed logins. This is done to prevent brute-force attacks on accounts, and many enterprises configure the lockout to auto-expire after a reasonably short period of time to prevent a denial-of-service attack.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

This was last published in December 2017

Dig Deeper on Active Directory security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Does your organization use Microsoft AD? If so, how does QakBot change your view on AD?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close