
Bad Rabbit Ransomware Campaign

Threat Spotlight: Follow the Bad Rabbit
What you need to know:

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organisations across eastern Europe and Russia.

Ransomware is the threat of choice for both its monetary gain and its destructive nature. As long as there is money to be made or destruction to be had, these threats are going to continue.

According to Talos Intelligence, “This threat also amplifies another key area that needs to be addressed: user education. In this attack the user needs to facilitate the initial infection.”

Technical Recommendation:

Avoid the aftermath with a before strategy. Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet wherever users go.

If you are concerned about the level of security in your organisation and would like to discuss this with a security expert, please contact us. INNOVATE is a highly experienced IT solutions provider and can perform a review of your company’s IT infrastructure to prepare a Security Review and Assessment for your organisation.

We have developed a reputation as a high-quality provider of Managed Network Connectivity and Cloud solutions together with premium consultancy and support services to a broad range of organisations in both the public and private sectors.

INNOVATE is a Cisco Advanced Security Architecture Specialised Partner and can conduct a Security Review and Assessment, then outline recommendations and a security roadmap for implementation depending on the level of security you require in your organisation.

Note: This blog post discusses active research by Talos Intelligence into a new threat. This information should be considered preliminary and will be updated as research continues.

There have been several large-scale ransomware campaigns over the last several months. Bad Rabbit appears to have some similarities to Nyetya in that it is also based on Petya ransomware, although major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

As was the case in previous situations, Talos Intelligence quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. This is yet another example of how effectively ransomware can be delivered by leveraging secondary propagation methods such as SMB to proliferate. In this example the initial vector wasn’t a sophisticated supply chain attack. Instead it was a basic drive-by download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape: threats spread quickly, for a short window, to inflict maximum damage.

DISTRIBUTION

Talos assesses with high confidence that a fake Flash Player update is being delivered via a drive-by download and compromising systems. The sites that were seen redirecting to BadRabbit were a variety of sites based in Russia, Bulgaria, and Turkey.

Despite initial reports, we currently have no evidence that the EternalBlue exploit is being utilized to spread the infection. However, our research continues and we will update as we learn more.

Ransomware is the threat of choice for both its monetary gain and its destructive nature. As long as there is money to be made or destruction to be had, these threats are going to continue.

This threat also amplifies another key area that needs to be addressed: user education. In this attack the user needs to facilitate the initial infection. If a user doesn’t help the process along by installing the fake Flash update, it would be benign and not wreak the devastation it has across the region. Once a user facilitates the initial infection, the malware leverages existing methods, such as SMB, to propagate around the network without user interaction.


COVERAGE

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Email has not been identified as an attack vector at this time. The malware, if transferred across these systems on your networks, will be blocked.

Talos is Cisco’s industry-leading threat intelligence team that protects your organization’s people, data and infrastructure from active adversaries. The Talos team collects information about existing and developing threats, and provides comprehensive protection against more attacks and malware than anyone else. All Cisco Security products utilize Talos threat intelligence, providing fast and effective security solutions. Our job is protecting your network.

To find out more about how to defend your business from the threat of ransomware, download our free whitepaper on Cisco Ransomware Defense.

Contact INNOVATE to arrange a Security Review and Assessment of your organisation.