Friday, October 27, 2017

Bad Rabbit ransomware spread using leaked NSA EternalRomance exploit, researchers confirm

[Image: Bad Rabbit ransomware was named after the Tor payment page demanding Bitcoin. Credit: iStock]

Bad Rabbit ransomware spread using the help of a leaked NSA exploit exposed by the Shadow Brokers hacking group, security researchers have confirmed.

When the ransomware infected organisations in Russia and Ukraine on Tuesday, it was initially suggested that it was using EternalBlue - the leaked exploit which helped the spread of WannaCry - but this was quickly found not to be the case.

However, researchers at Cisco Talos have now identified that Bad Rabbit did indeed use an SMB vulnerability to propagate through networks - EternalRomance.

The vulnerability was also used to distribute NotPetya in June, although researchers note that while this version of EternalRomance is very similar to the publicly available Python implementation, it's slightly different.

For Bad Rabbit, the EternalRomance implementation is used to overwrite a kernel's session security context, allowing it to launch remote services, find other nearby systems listening for SMB connections and then spread the ransomware. Meanwhile, when EternalRomance was used by NotPetya, it was used to install the DoublePulsar backdoor.

In both instances, the actions are possible due to how EternalRomance allows the attacker to read and write arbitrary data into the kernel memory space to spread ransomware.

As a result of similarities in the code and use of the SMB exploit, Talos researchers have "high confidence" that there's a link between NotPetya and Bad Rabbit, and even suggest that the authors of the two ransomware variants could be the same.

"The evasion techniques present in the modifications to the DoublePulsar backdoor in Nyetya and EternalRomance in BadRabbit demonstrate similar, advanced, levels of understanding of the exploits involved, the network detections in place at the time of deployment, and general Windows kernel exploitation," said Nick Biasini, Threat Researcher at Talos Outreach.


Along with EternalBlue, the EternalRomance vulnerability was patched by Microsoft back in March - suggesting that those infected by this ransomware outbreak were still yet to apply the critical update, despite the impact of previous high-profile incidents.

Named Bad Rabbit after the Tor payment page for collecting ransoms, the ransomware hit targets including Russian media outlets, the Kiev metro system and the Odessa International Airport in Ukraine.

A number of organisations in Germany, South Korea and Poland were also reported as falling victim, but the total number of infections was far lower than was seen with WannaCry and Petya, with under 200 organisations affected.

It's not clear how many of those affected paid, but victims are directed to a Tor payment page which demands a payment of 0.05 Bitcoin - around $285 - for decrypting the files. They're threatened with the price rising if they don't pay within just under 48 hours - although a number of security vendors have since said the infrastructure used to collect payments is now down.

Bad Rabbit spread via drive-by downloads on hacked websites. Rather than being delivered by exploits, visitors to compromised sites - many of which had been under the control of hackers for months - were told to install a Flash update.

This malicious download subsequently installed the ransomware to what appeared to be specially selected targets - although it's unknown what the reasoning behind choosing the victims was.

What is clear is that using exploits like EternalRomance is becoming an increasingly common method of spreading ransomware.

"This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage," said Biasini.

from Latest Topic for ZDNet in... http://ift.tt/2hfgpA1
