IBM X-Force researchers observed QakBot malware causing hundreds of thousands of Microsoft Active Directory (AD) users to be locked out of their company domains. QakBot malware typically targets businesses and their financial resources. How is QakBot able to carry out these Microsoft AD lockouts?
Malware is constantly evolving, and the strains that target financial institutions seem to be updated most often. Each update counters the steps taken by financial institutions and antimalware vendors to protect their customers.
For example, one recently updated piece of malware targeting financial institutions is QakBot. Like most malware, QakBot is designed to access and control an endpoint and is distributed via exploit kits. IBM X-Force Research recently observed a wave of QakBot-induced lockouts of Microsoft AD in several incident response engagements, which is a less common aspect of malware incident response.
Malware such as ransomware can prevent access to data, and AD lockouts could be the result of a deliberate denial-of-service attack; in this case, however, the lockouts are simply a side effect of the malware trying to brute-force AD accounts with automated login attempts that use common usernames.
QakBot has the functionality to target financial accounts for fraud, and it also has worm-like functionality that enables it to copy itself to removable media and infect additional systems. The worm component tries to connect to remote systems over Windows file sharing so that it can copy the malware to the remote endpoint. It ships with a built-in username list, but it can also try to enumerate usernames by querying enterprise AD with the access of the logged-in user.
Querying AD this way is normal behavior: an authenticated user can usually look up usernames in AD, for example so that permissions can be granted on a file. Usernames are not typically treated as sensitive information, but as these incidents have shown, they can still be misused.
The lockouts also require that AD be configured to lock out an account after a predefined number of failed logins. This policy exists to prevent brute-force attacks on accounts, and many enterprises configure the lockout to expire automatically after a reasonably short period so that it cannot easily be turned into a denial-of-service condition.
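One way to spot this pattern in Windows Security logs, as an added example that is not part of the original Q&A or of the IBM X-Force report: the records below are constructed to resemble Event ID 4740 (account lockout) entries, and the check flags any caller computer that locks out many distinct accounts within a short window, which is what an infected host cycling through a username list produces and a user mistyping a password does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security Event ID 4740
# ("A user account was locked out"). Field names follow that event's layout;
# the host names, account names and timestamps are made up for this example.
SAMPLE_LOCKOUTS = [
    {"time": "2017-06-01T09:00:05", "account": "jsmith",        "caller": "FIN-WS-014"},
    {"time": "2017-06-01T09:00:07", "account": "administrator", "caller": "FIN-WS-014"},
    {"time": "2017-06-01T09:00:09", "account": "backup",        "caller": "FIN-WS-014"},
    {"time": "2017-06-01T09:00:11", "account": "svc_sql",       "caller": "FIN-WS-014"},
    {"time": "2017-06-01T09:00:13", "account": "mjones",        "caller": "FIN-WS-014"},
    {"time": "2017-06-01T09:00:15", "account": "hr_share",      "caller": "FIN-WS-014"},
    # a single lockout from another host: ordinary forgotten-password noise
    {"time": "2017-06-01T09:31:40", "account": "tlee",          "caller": "HR-LAPTOP-02"},
]


def find_lockout_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {caller_computer: [accounts]} for every caller that locked out at
    least `threshold` distinct accounts inside any `window`-long interval.

    Many different accounts locked out from one workstation within minutes is
    the signature of a worm spraying a username list, so the caller host, not
    the locked-out users, is what the responder needs to isolate."""
    by_caller = defaultdict(list)
    for ev in events:
        by_caller[ev["caller"]].append((datetime.fromisoformat(ev["time"]), ev["account"]))

    flagged = {}
    for caller, hits in by_caller.items():
        hits.sort()  # chronological order for the sliding window
        best = set()
        start = 0
        for end in range(len(hits)):
            # advance the window start until all hits fall within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= threshold:
            flagged[caller] = sorted(best)
    return flagged


if __name__ == "__main__":
    for host, accounts in find_lockout_sources(SAMPLE_LOCKOUTS).items():
        print(f"isolate {host}: locked out {len(accounts)} accounts -> {accounts}")
```

On real data, feed it the 4740 events exported from the domain controllers; the `caller` field maps to the event's "Caller Computer Name".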
Related Q&A from Nick Lewis