pixel_dreams - Fotolia

QakBot malware: How did it trigger Microsoft AD lockouts?

QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks are being carried out.

IBM X-Force researchers observed QakBot malware causing hundreds of thousands of Microsoft Active Directory (AD) users to be locked out of their company domains. QakBot malware typically targets businesses and their financial resources. How is QakBot able to carry out these Microsoft AD lockouts?

Malware is constantly evolving, and those that target financial institutions seem to be updated the most. Each update addresses the steps taken by financial institutions and antimalware vendors to protect their customers.

For example, one recently updated piece of malware targeting financial institutions is QakBot. Like most malware, QakBot is designed to access and control an endpoint and is distributed via exploit kits. IBM X-Force Research recently observed a wave of QakBot-induced lockouts of Microsoft AD in several incident response engagements, which is a less common aspect of malware incident response.

Malware, like ransomware, can prevent access to data, and the AD lockouts could be the result of a denial-of-service attack; in this case, the lockouts are just a function of the malware trying to brute-force attack AD servers with automated login attempts that use common usernames.

QakBot has the functionality to target financial accounts for fraud, and it also has worm-like functionality that enables it to copy itself to removable media and infect additional systems. The worm functionality tries to connect to a remote system using Windows file sharing so that it can copy the malware to the remote endpoint. It also comes with a built-in username list, but it can also try to enumerate usernames by querying enterprise AD using the access of the logged in user.

However, an authenticated user can usually query AD for usernames so that permissions can be granted to a file. Usernames are not typically sensitive information, but as these incidents have pointed out, usernames can still be misused.

This lockout also requires that AD is configured to lock out an account after a predefined number of failed logins. This is done to prevent brute-force attacks on accounts, and many enterprises configure the lockout to auto-expire after a reasonably short period of time to prevent a denial-of-service attack.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing