Bad Rabbit Ransomware Highlights Perils of Poor Network Management

Companies in Russia and Eastern Europe have been battling a new ransomware outbreak since Tuesday that security researchers have dubbed Bad Rabbit. The malware can spread to Windows systems over local networks by using weak or stolen credentials for SMB shares and other services.

Bad Rabbit has similarities to NotPetya, the destructive ransomware attack that hit companies in June, and is distributed from compromised websites as a rogue Flash Player update. However, once it infects a computer, it scans the local network for other Windows systems and attempts to infect them using legitimate Windows services such as SVCCTL, SMBv2, SMBv1 and NTLMSSP, according to researchers from Cisco’s Talos team.

Unlike NotPetya, which infected networked computers using an SMBv1 exploit known as EternalBlue, Bad Rabbit uses brute-force attacks with a list of common username and password combinations. It also uses a custom version of the mimikatz open-source tool to extract Windows credentials from infected systems.

Even though the initial victims of this new ransomware outbreak are in Eastern European countries, the SMB spreading mechanism creates a high risk that infections could spread globally. For example, the NotPetya attacks started out in Ukraine, but because of the interconnection of corporate branches in different countries, large international companies were affected.

International shipping giant Maersk had to shut down operations at tens of port terminals around the world because of NotPetya infections and estimated in August that the attack will end up costing the company between $200 million and $300 million. FedEx also said that NotPetya’s impact on its TNT Express division will cost the company $300 million. Other large companies like pharmaceutical manufacturer Merck, consumer goods giant Reckitt Benckiser and global advertising firm WPP were also hit by the attack at the time.

“It’s probably safe to say that any significant malware-based attack we see going forward will have worm-like behavior, making the potential for damage exponentially higher,” said Mike Buckbee, a security engineer at Varonis, via email.

The Bad Rabbit attack highlights the risks of poor network and systems hygiene, where administrators are careless with their credentials, are falling behind on critical patches and are using weak passwords for network services.

After the NotPetya attack it was revealed that over 40 percent of SMB-enabled computers inside large corporate networks still support SMBv1, a decades-old and insecure version of the protocol that Microsoft has long advised companies to stop using.
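One defender-side check that follows from this spreading mechanism, as an added example that is not from the article or from the researchers it cites: a short Python script that finds hosts producing many failed network logons against many different accounts inside a short window, which is the trace a credential-list brute force leaves in the Windows Security log. The log lines, host addresses, account names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the shape of Windows Security event 4625 (failed logon).
# LogonType 3 is a network logon, which an SMB connection produces; type 2 is console.
SAMPLE_LOG = """\
2017-10-24 09:00:01 EventID=4625 LogonType=3 Account=Administrator Source=10.0.0.23
2017-10-24 09:00:02 EventID=4625 LogonType=3 Account=admin Source=10.0.0.23
2017-10-24 09:00:03 EventID=4625 LogonType=3 Account=User Source=10.0.0.23
2017-10-24 09:00:03 EventID=4625 LogonType=3 Account=root Source=10.0.0.23
2017-10-24 09:00:04 EventID=4625 LogonType=3 Account=Administrator Source=10.0.0.23
2017-10-24 09:00:04 EventID=4625 LogonType=3 Account=backup Source=10.0.0.23
2017-10-24 09:03:10 EventID=4625 LogonType=3 Account=jsmith Source=10.0.0.50
2017-10-24 09:03:25 EventID=4625 LogonType=3 Account=jsmith Source=10.0.0.50
2017-10-24 09:05:00 EventID=4625 LogonType=2 Account=jdoe Source=127.0.0.1
2017-10-24 09:05:01 EventID=4624 LogonType=3 Account=jsmith Source=10.0.0.50
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")

def parse_events(text):
    """Return time-sorted (timestamp, account, source) for failed network logons."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "4625" or m["lt"] != "3":
            continue  # keep only failed (4625) network (type 3) logons
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["acct"].lower(), m["src"]))
    return sorted(events)

def find_spraying_sources(events, window=timedelta(minutes=2),
                          min_failures=6, min_accounts=4):
    """Flag sources with many failures against many accounts inside one window:
    a typo fails a few times on one account, a worm fails across many accounts."""
    by_src = defaultdict(list)
    for ts, acct, src in events:
        by_src[src].append((ts, acct))  # stays time-ordered: events are sorted
    hits = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward in time
            span = attempts[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                hits[src] = {"failures": len(span), "accounts": sorted(accounts)}
                break
    return hits
```

The single mistyped-password host (10.0.0.50) stays below both thresholds, while the host cycling through a credential list is flagged with the accounts it tried.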

Kaspersky Admits Its AV Got NSA Malware Source Code From a PC

Antivirus company Kaspersky Lab has published the results of its internal investigation into claims that its antivirus product was used to extract cyberattack tools from the personal computer of an NSA employee.

The company acknowledged an incident from 2014 that appears to match the one recently reported in the media, and which might have led to the U.S. government’s ban on Kaspersky products and the FBI advising private companies against using them.

Earlier this month, the Washington Post and the Wall Street Journal reported that an NSA employee who was working on replacing the agency’s cyberespionage tools that had been compromised by the Snowden leaks took home some of the classified files he was working with. The staffer reportedly had Kaspersky Antivirus installed on his personal computer, and the program detected and copied the files, ultimately helping Russian intelligence services get a copy of them.

Kaspersky has repeatedly denied having inappropriate relations with any governments, aside from helping law enforcement agencies investigate and combat cybercriminal activities like most cybersecurity firms do.

In a press release Wednesday, the company revealed that in September 2014 an installation of its consumer product did detect malware associated with the Equation group—a cyberespionage group widely believed to be the NSA—on a user’s computer. The detection was triggered for a 7zip archive and the entire file was uploaded to the company’s servers for analysis because the product had the automatic sample submission feature turned on.

“The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts,” the company said. “Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware. After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

Furthermore, the company said the computer from which the archive was obtained was also infected with a backdoor program as a result of an illegal Microsoft Office activation key generator that had been installed on the machine. The antivirus maker believes the user deliberately disabled the antivirus to install the infected keygen, because otherwise its product should have blocked it.

While Kaspersky doesn’t explicitly say so, the implication is that the backdoor could have been used by third parties to steal files from the user’s computer, possibly explaining the accusations coming from the U.S. intelligence community and reported in the media.

“The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified’,” the company said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
