Bad Rabbit, Good Practice

We’ve been getting our heads around this latest malware — third in a series that have several things in common:

1. Worm component using SMB to spread
2. Ransomware payloads (or at least, posing as ransomware)
3. Leveraging NSA-sourced exploits that were patched earlier this year, via MS17–010.

You would think we’d be immune to the same attacks by now, but it’s still:

1. Time consuming to harden networks and Active Directory
2. Time consuming to harden Windows
3. Hard to patch

So, yes, there are still systems that will fall prey to these attacks, and as long as there are, we’ll keep seeing the same attack vectors. Still, we found some interesting insights to share.

Kyle’s Take

I think it would be a good idea to just remind users that any software installations and upgrades will always come from company staff, and users should not seek out their own software upgrades or installations without consulting with IT first. The reason being is the infection vector (fake Adobe Flash Player upgrade that’s actually a malware dropper) can be avoided altogether by coordinating all software upgrades and installs via IT. However, if not coordinated by IT, then perhaps give them a heads up about phony software that tries to trick users into installing malware, and you can use Adobe Flash as an example.

As it appears to also utilize Shadow-Brokers’ SMB exploits to traverse the network, I would coordinate an effort to ensure that MS17–010 has been applied to all systems. Because of the Mimikatz inclusion, if not already deployed, it would be worth looking into Microsoft LAPS to randomize the local admin passwords across your systems. LAPS makes lateral movement more difficult in that attackers can’t reuse the same local admin hash or password to traverse the network. I’ve written a brief guide on deployment.

Generally speaking, in regards to Bad Rabbit, it doesn’t seem like an issue that justifies a company-wide email specific to this ransomware strain, as there is no evidence it has hit US targets. However, it is still a good example of how good security training for users (being able to identify malicious/suspicious links and emails), and good security operations (maintaining configuration standards, protecting privileged access, patching where possible) will stop most malware/ransomware variants.

Adrian’s Take

I’ve been trying to get my thoughts together on this one, and strategically, I’m not sure if it’s a good or bad sign that their tactics aren’t changing much. Some of the most interesting details here:

1. They don’t delete shadow copies — perhaps that’s because behavioral-based anti-malware is looking for ‘vssadmin.exe /delete’ and using that to stop ransomware?
2. Still using SMB exploits and mimikatz — that’s either because it’s still working, or because they don’t have any other cards to play?
3. I see it as a good sign that they’re relying on social engineering victims to manually download and execute malware — that means drive-by/client-side exploits are getting more and more rare. The browsers are winning the fight. If Flash wasn’t getting kicked to the curb, it would likely have been the primary entry point for Bad Rabbit.
4. Finally, they’re reportedly using waterhole attacks to spread it, so there’s no reason it couldn’t be obtained by other criminal parties and used against US targets. Malware tends to see a LOT of reuse. Don’t look at this as a near miss, look at it as a head start.