Cybersecurity Threat Advisory: Increased Qakbot Use to Bypass Endpoint Protection
Posted on May 12, 2023 by Jason Franks
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, a new critical alert requires the mission-critical community’s immediate attention.
MCP is monitoring the increased use of Qakbot, a type of malware with backdoor capabilities, to bypass endpoint protection, gain initial access, and then establish a foothold in computer environments. Specifically, Qakbot operators are leveraging compromised but trusted websites of small businesses to bypass email link-scanning services and serve the malware after phishing users via email.
What are the Recommendations?
The following Qakbot servers have been observed listening for connections on remote port 65400:
| Internet Protocol (IP) Address | Domain Name Server (DNS) |
|---|---|
Other potential mitigation tactics include the following:
- Disabling the Windows Script Host (wscript.exe) if not used by software on the machine.
- Blocking outbound communication to remote port 65400 via the firewall.
- Geoblocking via the firewall for outbound connections (however, this may interfere with some software).
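As an added illustration (not part of the MCP advisory), the following PowerShell script applies the two host-level mitigations above on a Windows endpoint and then checks whether any process already holds a connection to remote port 65400. The rule display name and the decision to block both TCP and UDP are assumptions made here; geoblocking is a perimeter-firewall setting and is not covered.

```powershell
# Added example (not from the MCP advisory): apply the advisory's host-level mitigations
# on a Windows endpoint and check for existing connections to remote port 65400.
# Run in an elevated PowerShell session. The rule display name is an assumed value.

#Requires -RunAsAdministrator

$RemotePort = 65400
$RuleName   = 'MCP Advisory - Block outbound 65400'   # assumed display name

# 1. Block outbound communication to remote port 65400 (TCP and UDP) in Windows Defender Firewall.
foreach ($proto in 'TCP', 'UDP') {
    $name = "$RuleName ($proto)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol $proto `
            -RemotePort $RemotePort -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created firewall rule: $name"
    } else {
        Write-Host "Firewall rule already present: $name"
    }
}

# 2. Disable Windows Script Host (wscript.exe / cscript.exe) machine-wide.
#    Only do this if no legitimate software on the host relies on WSH scripts.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Type DWord -Value 0
Write-Host "Windows Script Host disabled via $wshKey\Enabled = 0"

# 3. Detection check: list any live TCP connections to remote port 65400 with the owning
#    process, so a session established before the rule was added is not silently left running.
$hits = Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue
if ($hits) {
    $hits | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            RemoteAddress = $_.RemoteAddress
            State         = $_.State
            PID           = $_.OwningProcess
            Process       = $proc.ProcessName
            Path          = $proc.Path
        }
    } | Format-Table -AutoSize
    Write-Warning "Existing connections to remote port $RemotePort found; investigate the listed processes."
} else {
    Write-Host "No current TCP connections to remote port $RemotePort."
}
```

The firewall rule only prevents new connections; an already established session persists until the owning process is stopped, which is why the final check reports the process and its path.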
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.