Russian News Agency Interfax Faces ‘Unprecedented’ Hacker Attack

Discussion in 'malware problems & news' started by ronjor, Oct 24, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    61,560
    Location:
    Texas
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    http://www.securityweek.com/bad-rabbit-ransomware-attack-hits-russia-ukraine
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    A good test of Win 10 1703+ protected mode for lsass.exe? I wouldn't hold my breath on it.
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
    "Bad Rabbit: New Petya-like Ransomware Rapidly Spreading Across Europe

    A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours...

    Dubbed "Bad Rabbit," is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems.

    According to an initial analysis provided by the Kaspersky, the ransomware was distributed via drive-by download attacks, using fake Adobe Flash players installer to lure victims' in to install malware unwittingly...

    However, security researchers at ESET have detected Bad Rabbit malware as 'Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye...

    ESET believes the new wave of ransomware attack is using EternalBlue exploit — the same leaked SMB vulnerability which was used by WannaCry and Petya ransomware to spread through networks...

    The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine..."

    https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
    "New 'Bad Rabbit' ransomware attack spreading across Europe...

    ...It's not yet clear, Kaspersky says, whether it's possible to recover the files encrypted by Bad Rabbit. However, Kaspersky says you can protect yourself by blocking execution of files "c: \ windows \ infpub.dat" and "C: \ Windows \ cscc.dat." If you are infected, experts advise against paying the ransom..."

    https://www.windowscentral.com/new-...tm_campaign=Feed: wmexperts (Windows Central)
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    If you're totally "security ignorant," you could get nailed. Or, if you have disabled UAC:rolleyes::
    https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
    "Small Amount of Bad Rabbit Ransomware Victims Detected in the USA.

    Though the USA and other western countries were not specifically targeted by this campaign, according to cybersecurity and antivirus vendor Avast, Bad Rabbit has now been detected in the USA.

    'Avast Software
    @avast_antivirus
    #BadRabbit now detected in the U.S. We expect a growing number of detections in the hours ahead.
    5:44 PM - Oct 24, 2017'...

    How did Bad Rabbit make it to the United States?

    It is important to remember that Bad Rabbit attempts to spread laterally through an organization's network via SMB. It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords.
    Theoretically, if a U.S. organization had infected partners in the targeted regions and were on the same WAN with SMB access, Bad Rabbit could have spread laterally to the computers located in the USA..."

    https://www.bleepingcomputer.com/ne...bbit-ransomware-victims-detected-in-the-usa-/
     
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
    "Bad Rabbit Linked to ExPetr/Not Petya Attacks

    A link has been confirmed between the Bad Rabbit ransomware outbreak detected yesterday in major organizations in Russia and Ukraine and this summer’s ExPetr/Not Petya attacks.

    Researchers at Kaspersky Lab said there are “clear ties” between the two attacks though one major piece of the puzzle is missing with Bad Rabbit...

    Kaspersky Lab researchers said they have found no evidence of EternalBlue—or EternalRomance, another NSA-developed attack that was publicly disclosed by the ShadowBrokers and used in the ExPetr attacks—in yesterday’s attack...

    'The hashing algorithm used in the Bad Rabbit attack is similar to the one used by ExPetr. Further, experts have found that both attacks use the same domains; and similarities in the respective source codes indicate that the new attack is linked to the creators of ExPetr,'..."


    https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    Security Firms Say Bad Rabbit Attack Carried Out by NotPetya Group
    https://www.bleepingcomputer.com/ne...-rabbit-attack-carried-out-by-notpetya-group/
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,210
    Location:
    DC Metro Area
    "Bad Rabbit used NSA “EternalRomance” exploit to spread, [Cisco] researchers say...

    Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit..."

    https://arstechnica.com/information...nalromance-exploit-to-spread-researchers-say/

    "...'This is a different implementation of the EternalRomance exploit,” said Martin Lee, technical lead of security research for Cisco’s research arm, Talos. “It’s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.'..."

    https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/
     
    Last edited: Oct 26, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    You do really have to wonder about the state of security in the Ukraine and Russia since this exploit was patched months ago.

    Also for clarification the initial exploiting is not done by EternalBlue:
    http://www.securityweek.com/bad-rabbit-ransomware-uses-nsa-exploit-spread

    Also the network propagation was not done exclusively via SMBv1 but using a number of legit Windows features:
    http://blog.talosintelligence.com/2017/10/bad-rabbit.html
     
    Last edited: Oct 26, 2017
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    In light that this attack used EternalRomance, might be good to review what security solutions block it. Eset was the only once that outright blocked EternalRomance in this ad hoc test by MRG: https://www.mrg-effitas.com/eternalromance-vs-internet-security-suites-and-nextgen-protections/

    Of note about EternalRomance:
    Hence the use of Mimikatz in this attack to gain credentials as noted in the Cisco analysis.
     
    Last edited: Oct 26, 2017
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    Now this is very interesting indeed! Appears we have entered the next NSA exploit phase where malware developers are launching their own modified versions of them:eek: What has not been answered is if the previous Windows patches deployed will work against these modified versions? And do these new versions work against Win 8/10?
    https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-also-used-nsa-exploit/
     
    Last edited: Oct 27, 2017
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    Files Encrypted by Bad Rabbit Recoverable Without Paying Ransom
    http://www.securityweek.com/files-encrypted-bad-rabbit-recoverable-without-paying-ransom
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,486
    Location:
    U.S.A.
    I did some reading on the attack yesterday and appears that although this EternalRomance exploit has been modified, the previous MS patch will stop it. Make sense since all that was patched was the SMBv1 vulnerability. If the patched has been applied, the attack with employ WMI, namely WMIC.

    Also in case you missed the prior posting, an unpatched device is not enough for EternalRomance to work by itself; credential access is required. Hence the use of Mimikatz to perform credential stealing via lsass.exe hack. The outstanding question is if this attack employed the Mimikatz enhancement to bypass lsass.exe protected mode?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    Check out this article, it shows how Endgame could stop the attack in various stages, this is the stuff that I love. Apparently, it could detect the malware sample via AI/ML (no signatures needed), but even after that it could block code injection and credential dumping. The only thing it needs to add is detection for rapid file modification, because if I understood correctly, it can't stop this, which is a bit weird.

    https://www.endgame.com/blog/technical-blog/falling-trap-how-endgame-platform-stops-badrabbit
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,311
    Endgame is clearly an Enterprise product out of most members price range. But there are other products that can accomplish the same thing.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    Yes correct, but I do believe Endgame is a bit more advanced then most consumer HIPS/AE products. And that's why I'm also a bit frustrated, would have loved to see a bit more innovation. Also, I don't think there are any AV's for consumers who can block malware with AI/ML only.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,311
    Rasheed, you don't need that expensive stuff. You can accomplish the same thing what's available to us. But you are going to have to let go of some of your preconceived ideas.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    Yes I know you can stay safe without this but I would love to see this stuff in implemented in HIPS like SpyShelter for example. It's widely known that most HIPS, both standalone and the ones integrated with AV's are not that good in blocking advanced code injection methods.
     
Loading...