Bad Rabbit Ransomware

This week, ‘Bad Rabbit’ ransomware infections have been reported in countries including Russia, Ukraine, Bulgaria, Turkey, Germany and Japan. The NCSC has not received any reports that the UK has been affected by this latest malware attack. The majority of infections have been in Russia, where media organisations were worst affected. Russia’s Interfax News Agency suffered outages to several of its services, including its news portal. Ukrainian victims included the Ministry of Infrastructure, Odessa airport and Kiev metro.

Bad Rabbit asks victims to pay 0.05 Bitcoin (currently worth approximately £210) to restore their files. A small number of transactions are reported to have been made, although these are unconfirmed, and it is currently unknown whether paying the ransom leads to decryption of files. The infection vector is believed to be certain compromised media websites in the affected regions, which prompt the visitor to download and run a fake Adobe Flash Player update; the malware runs only if the user executes it. Researchers including FireEye and CrowdStrike have identified several links between Bad Rabbit and the NotPetya ransomware, including the use of similar JavaScript code to redirect victims. While claims have been made that Bad Rabbit made use of the EternalBlue exploit leveraged by WannaCry and NotPetya, these have been widely refuted; subsequent claims have been made that the EternalRomance exploit was leveraged.

It is currently unclear who is responsible for this ransomware. NCSC technical analysis is ongoing to provide more clarity on technical indicators. There are no reported UK victims to date. Nevertheless, it should be noted that UK organisations would be vulnerable were they to visit any of the infected websites; in the case of NotPetya, for instance, a number of UK organisations were infected. The NCSC has provided mitigation advice in its public statement, highlighting the importance of patching, using up-to-date antivirus and having effective, tested backup procedures. In addition, Bad Rabbit uses a set of hard-coded username/password combinations in an attempt to spread to SMB shares on the local network. Organisations should ensure that these username/password combinations do not exist anywhere on their network, and more generally that they follow good password practices.
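The credential-list spreading described above has a recognisable footprint in Windows security logs: one host fails network logons against many different usernames in a few seconds, and then, if a pair on the list matches, logs on successfully. The following is an added example, not NCSC code, showing that detection logic over a constructed, simplified export of Windows Security events 4625 (failed logon) and 4624 (successful logon). The pipe-separated field layout, the window and threshold values, and the usernames in the sample are all assumptions of this example; the usernames are illustrative and are not the malware's actual list.

```python
"""Spot SMB credential spraying from a hard-coded username/password list.

Added example, not NCSC code. It parses a constructed, simplified export of
Windows Security log records (events 4625 = failed logon, 4624 = successful
logon) and flags any source host that fails network logons (LogonType 3, the
type an SMB session setup produces) against many distinct usernames in a short
window, then reports whether that same host subsequently logged on successfully.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Field layout is an assumption of this example:
# timestamp|EventID|LogonType|TargetUserName|IpAddress|Status
# The usernames are illustrative only, not the malware's actual list.
SAMPLE_EVENTS = """\
2017-10-24T10:15:01|4625|3|Administrator|10.0.0.23|0xC000006D
2017-10-24T10:15:01|4625|3|Guest|10.0.0.23|0xC000006D
2017-10-24T10:15:02|4625|3|root|10.0.0.23|0xC000006D
2017-10-24T10:15:02|4625|3|backup|10.0.0.23|0xC000006D
2017-10-24T10:15:03|4625|3|user|10.0.0.23|0xC000006D
2017-10-24T10:15:03|4625|3|ftpadmin|10.0.0.23|0xC000006D
2017-10-24T10:15:04|4624|3|svc_deploy|10.0.0.23|-
2017-10-24T10:20:11|4625|3|alice|10.0.0.50|0xC000006A
2017-10-24T10:21:40|4625|3|alice|10.0.0.50|0xC000006A
2017-10-24T10:21:55|4624|3|alice|10.0.0.50|-
"""

WINDOW = timedelta(seconds=60)   # how close together the failures must be
DISTINCT_USER_THRESHOLD = 5      # distinct usernames from one source to alert


def parse_events(text):
    """Turn the pipe-separated export into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src, status = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
            "status": status,
        })
    return events


def find_spraying_sources(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return {source_ip: {"users": [...], "first": ts, "last": ts}} for every
    source whose failed network logons cover >= threshold distinct usernames
    inside some sliding window of the given length (the widest such window wins)."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            users, last = set(), start["ts"]
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                users.add(e["user"].lower())   # Windows usernames are case-insensitive
                last = e["ts"]
            if len(users) >= threshold and (best is None or len(users) > len(best["users"])):
                best = {"users": sorted(users), "first": start["ts"], "last": last}
        if best is not None:
            alerts[src] = best
    return alerts


def successes_after_spray(events, alerts):
    """Successful network logons from a flagged source at or after its spray
    began: the hard-coded list found a valid pair, i.e. lateral movement worked."""
    hits = []
    for e in events:
        alert = alerts.get(e["src"])
        if alert and e["event_id"] == 4624 and e["logon_type"] == 3 and e["ts"] >= alert["first"]:
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = find_spraying_sources(evs)
    for src, a in found.items():
        print(f"{src}: {len(a['users'])} usernames between {a['first']} and {a['last']}: {a['users']}")
    for src, user in successes_after_spray(evs, found):
        print(f"{src}: later logged on successfully as {user}")
```

On the sample, 10.0.0.23 is flagged (six usernames in three seconds, then a successful logon as svc_deploy) while 10.0.0.50, a user mistyping a password twice over a minute, is not. In production the same logic runs over events collected centrally via Windows Event Forwarding or a SIEM; because the list is hard-coded, auditing local and domain accounts for those credentials directly, as the advice above says, catches the exposure before any spraying happens.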

Is Reaper the new Mirai?

In September, cyber security firms reported the discovery of a new botnet that targets vulnerable internet-connected devices and could already have infected millions of them.

The botnet (named variously ‘IoTroop’, ‘IoT_reaper’ or ‘Reaper’) has been targeting a number of known vulnerabilities in popular device brands, including internet-connected cameras and Wi-Fi routers.

Reaper is being compared to the Mirai botnet, which caused serious disruption to the DNS provider Dyn and to thousands of its customers’ websites in October 2016. Some of Reaper’s code is reportedly similar to Mirai; however, researchers believe Reaper has many more capabilities than Mirai and the potential to cause a lot more damage. The rate at which Reaper has been infecting devices is also concerning, and the attacker appears to be updating the malware regularly.

The purpose of the Reaper botnet is currently unclear, as it does not yet appear to have been used for malicious purposes. As with the Hajime botnet identified earlier this year, there may be speculation that it has been developed to stop vulnerable devices being harnessed for malicious activity, but it would be best to assume the worst until proven otherwise.

Ensuring your devices are fully patched and limiting access to them will help protect them from compromise. For further advice see our 10 Steps to Cyber Security.

Washington Cyber Conference reportedly targeted by hackers

The International Conference on Cyber Conflict (CyCon) will be held 7-8 November in Washington and will host a high-level gathering of NATO and US military cyber experts.

A recent Cisco report has highlighted that this conference has been targeted by the cyber actor known as ‘APT28’ or ‘Fancy Bear’. Cisco reports that this actor modified an existing Microsoft Word flyer publicising the conference, added reconnaissance malware to it and conducted an email campaign to infect potential victims. The modified document contains an embedded Visual Basic for Applications (VBA) macro which runs when the document is opened, if the user allows macros, and installs the malware. Running a macro in an externally produced Microsoft Word document will usually generate a warning which must be explicitly approved by the user. However, the user is more likely to override the warning and run the macro if the malware-bearing email appears to come from a legitimate contact.

Word and PDF documents are among the most common ways to spread malware, so, as a security measure, Microsoft turned off automatic execution of macros by default many years ago. Many current malware infections rely on persuading the user to turn macros back on. We assess with high confidence that cyber actors will continue to use creative and topical specialised lures to compromise targets. It is likely that this campaign has been targeting people linked to government/military cyber security.
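A macro-bearing flyer like the one described above can be spotted before it reaches a user, without opening it in Word, by inspecting the document container rather than trusting its file extension. The following is an added example, not NCSC's or Cisco's code: an Office Open XML file (.docx/.docm) is a ZIP package in which a VBA project is stored as the part word/vbaProject.bin and declared in [Content_Types].xml, so both are checked. The sample documents are constructed minimal containers, not real files, and the `triage` verdict names are this example's own. Legacy binary .doc files (OLE compound files) are only recognised, not parsed: their macros live in the 'Macros' storage and need a CFB-aware tool such as oletools' olevba.

```python
"""Triage check: does an Office document carry a VBA macro project?

Added example, not NCSC's or Cisco's code. Inspects the container format of
the raw bytes instead of trusting the file extension, since a macro-enabled
package can be delivered under any name.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy compound file header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # content type of vbaProject.bin


def inspect_document(data):
    """Return the macro indicators found in the raw bytes of an Office document."""
    result = {"container": "unknown", "vba_parts": [],
              "vba_content_type": False, "macro_enabled_main": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"   # legacy .doc/.xls: needs a CFB parser (e.g. olevba)
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result                 # a ZIP, but not an Office Open XML package
    result["container"] = "ooxml"
    # The VBA project part, wherever the producing application placed it.
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["vba_content_type"] = VBA_CONTENT_TYPE in types_xml
    # Word marks the main part of a macro-enabled document with this content type.
    result["macro_enabled_main"] = "macroEnabled.main+xml" in types_xml
    return result


def triage(data):
    """Verdict names are this example's own: no-macros, macros, needs-ole-parser, not-office."""
    r = inspect_document(data)
    if r["container"] == "ole":
        return "needs-ole-parser"
    if r["container"] != "ooxml":
        return "not-office"
    if r["vba_parts"] or r["vba_content_type"] or r["macro_enabled_main"]:
        return "macros"
    return "no-macros"


# --- Constructed samples: minimal containers for demonstration, not real documents ---
def _build_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_TYPES = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">{}</Types>'
_MAIN = '<Override PartName="/word/document.xml" ContentType="application/vnd.{}"/>'

CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": _TYPES.format(
        _MAIN.format("openxmlformats-officedocument.wordprocessingml.document.main+xml")),
    "word/document.xml": "<w:document/>",
})

# A conference "flyer" that is really a macro-enabled package, whatever its extension.
FLYER_WITH_MACRO = _build_ooxml({
    "[Content_Types].xml": _TYPES.format(
        _MAIN.format("ms-word.document.macroEnabled.main+xml")
        + f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'),
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8,   # placeholder bytes, not a real VBA project
})

LEGACY_DOC = OLE_MAGIC + b"\x00" * 504   # constructed: only the compound-file signature


if __name__ == "__main__":
    for label, blob in [("clean.docx", CLEAN_DOCX), ("flyer.doc", FLYER_WITH_MACRO),
                        ("legacy.doc", LEGACY_DOC), ("other", b"%PDF-1.4 not an office file")]:
        print(f"{label}: {triage(blob)}  {inspect_document(blob)}")
```

These indicators are cheap enough for a mail gateway or sandbox pre-filter, but they say nothing about what the macro does; for that, extract the project with olevba and look for auto-executing procedures such as AutoOpen or Document_Open, which is how a document runs code merely by being opened once the user approves the warning.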
