8 September 2023

13 min read

FBI and partners disrupt infamous Qakbot botnet network | Cyber Intelligence Briefing: 8 September



Top news stories this week

  1. Shutdown. FBI and partners disrupt infamous Qakbot botnet network.

  2. Broken fence. LockBit leaks UK Ministry of Defence related data following compromise of supplier. 

  3. In the rough. Passwords exposed in separate incidents involving Callaway and LogicMonitor.

  4. RAAC or RaaS. Cyber attacks on UK schools cause disruption ahead of the new school year.

  5. Zero-days for days. Law in China requires reporting of vulnerabilities prior to patching. 

  6. Prescription for privacy. A decade of patient data possibly leaked from Melbourne pathology clinic. 

  7. Uncovered. Swedish insurer Trygg-Hansa fined USD 3 million for exposing client data. 

1. FBI takes down notorious Qakbot botnet network

International law enforcement agencies and the FBI have taken down the infamous malware platform Qakbot, which criminals used for more than a decade to commit a variety of financial crimes. Qakbot infected more than 700,000 computers and caused hundreds of millions in damages to businesses around the world.

Separately, the US and UK have sanctioned 11 individuals allegedly associated with Trickbot – a notorious group reportedly responsible for extorting at least USD 180 million from victims globally, including through ransomware attacks. 


So what?

These actions do disrupt the cybercriminal ecosystem, although the impact is often short-lived as cybercriminals quickly find new methods and techniques to achieve their objectives. Despite the crackdown, organisations should continue to invest in their cyber security defences.  


2. Data on UK Ministry of Defence sites exposed after attack on supplier

The UK Ministry of Defence has allegedly experienced a data breach following a LockBit ransomware attack on its supplier Zaun, a UK-based high-security fencing manufacturer. According to media reports, LockBit leaked documents relating to sales orders and physical installations and equipment at MOD and GCHQ sites. The hackers gained access to Zaun's systems via a legacy Windows 7 device. 


So what?

Organisations should replace vulnerable legacy systems to prevent potential data breaches and disruptions, which can have significant security implications.

3. Password data leaks at Callaway and LogicMonitor

Golf equipment supplier Callaway has informed 1.1 million customers that account information, including passwords and security questions, was exposed in an IT incident.  

Separately, the use of weak default passwords and insecure password policies by network security company LogicMonitor has led to cyber attacks on its customers. 


So what?

It is important to use unique passwords and enable multi-factor authentication to protect against account compromises.

4. RAAC vs RAAS: cyber incidents at start of term cause disruption to UK schools

Debenham High School in Suffolk, UK, had all IT systems taken offline during a recent hack and, in another incident, a ransomware attack on a school in Wokingham restricted access to teaching resources, preventing lesson planning. Separately, a North London high school has resorted to pushing back its official start date by 6 days to recover from a cyber incident.


So what?

Cyber incidents can cause significant operational downtime. To speed up recovery in the event of an attack, you must ensure that you have backups that are isolated and stored offsite or offline.

5. Concerns over new law governing software vulnerabilities in China 

A new law in China effectively forces organisations to first report all software vulnerabilities to the country’s Ministry of Industry and Information Technology before publicly releasing a patch. There are concerns that this will facilitate the exploitation of zero-day vulnerabilities by state-linked threat actors. According to a report by the US think tank Atlantic Council, there has been a marked increase in the number of zero-day exploits used by Chinese state-linked hacking teams since the law was passed. 


So what?

Zero-day vulnerabilities are incredibly difficult to defend against. While prevention is ideal, an organisation’s ability to detect and respond to intrusions is critical.

6. Patient data possibly leaked from Melbourne pathology clinic

A cyber attack on Melbourne pathology clinic TissuPath potentially exposed ten years' worth of patient data, including names, dates of birth, contact details, Medicare numbers, and private health insurance details. The attack was claimed by the ransomware gang ALPHV/BlackCat.


So what?

Organisations should sanitise and encrypt data to safeguard sensitive information. Compliance with a strict data retention policy can also mitigate the impact of a data breach.  

7. Trygg-Hansa fined USD 3 million for exposing client data 

Swedish insurer Trygg-Hansa has been fined USD 3 million by the Swedish Authority for Privacy Protection after it was found that a backend database was publicly accessible without authentication. This led to the potential exposure of sensitive data of over 650,000 clients for over two years. The exposed information included personal, health, financial, and social security data. 


So what?

Misconfigurations are a common cause of data breaches. Organisations should conduct regular penetration tests to identify potentially accessible and vulnerable systems.

Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.



Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
