At The Identity Organisation, we're here to help!

    Or drop us a mail!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail info@tidorg.com with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038 info@tidorg.com

    New QBot Attack Only Takes 30 Minutes to Elevate Privileges and Steal Data

    New QBot Attack

    This banking trojan-turned-information-stealer has been around for nearly 15 years. But its latest iteration – seen even in the past few weeks – has stepped up in its’ ability to act quickly.

    A few months back we wrote about SnapMC – a cybercriminal group that focuses on data theft and extorting payment to not publish the data. This group is able to gain access and steal data within 30 minutes. At the time this was unheard of; the average ransomware dwell time (from initial attack to launch of the ransomware) was measured in days (and still is today).

    But now we’re hearing about more attacks that are taking less than an hour. In this latest attack using QBot, the security researchers at The DFIR Report document a speedy attack model they first saw in October of last year that they state they are continuing to see today.

    Qbot leverages a mix of HTML scripting, the Windows Task Scheduler service, reconnaissance using built-in Windows tools, and access to the Local Security Authority Server Service (LSASS) to gain control over an endpoint.

    The article is helpful enough to also provide a timeline of the actions taken:

    Qbot-Likes-to-Move-It-Move-It

    Source: DFIR Report

    The scariest part of this is noted in the article:

    Thirty minutes after initial access, Qbot was observed collecting data from the beachhead host including browser data and emails from Outlook.

    According to the DFIR Report analysts, the QBot-based attacks were delivered via phishing campaign with a malicious Excel attachment. This puts the onus on the recipient user to engage with the attachment in the first place – something Security Awareness Training would teach them not to do.

    If this keeps up 30 minutes will be the new standard for how long organization Security has to detect the threat actor. But if you can engage your users to be vigilant, the “threat timer”, as it were, will never get started.

    Free Ransomware Simulator Tool

    Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

    KnowBe4’s “RanSim” gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

    RansIm-Monitor3

    Here’s how it works:

    • 100% harmless simulation of real ransomware and cryptomining infections
    • Does not use any of your own files
    • Tests 23 types of infection scenarios
    • Just download the install and run it 
    • Results in a few minutes!
    Get RanSim!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/ransomware-simulator-tool-partner?partnerid=001a000001lWEoJAAW

    Sign Up to the TIO Intel Alerts!

    Back To Top