Cage the Bad Rabbit, Fear the Reaper

Another week, another bunch of nasty stinking malwares come down the swanny to keep us on our toes.

The first and in our opinion, totally inappropriately named is ‘Bad Rabbit’. This nasty piece of work is yet another example of Ransomware very much in the WannaCry/Petya/NoPetya spirit.

Appearing to be specifically targeting Eastern European and Russian infrastructure, this new bunny on the block is delivered via a fake flash update, which a user is presented with when visiting an infected website (probably having been directed to by Phishing or via another infected website, we all know the drill by now).

Once the flash update link is clicked on – you guessed it – infection time for you and, very significantly, machines connected to the same network as you. Lateral infection is achieved using the very naughty tool mimikatz which can do a whole slew of badness such as Golden Ticket and pass the hash exploits together with an embedded list of usernames and rubbish passwords (123456, password, iamaneejut, etc).

Initial reports that the bunny uses ETERNALBLUE, have subsequently been played down by security researchers, but mimikatz itself is pretty scary.

In order to decrypt, the usual TOR website is presented – the current going rate is 1/20th of a Bitcoin ($280), this will rise over time – the website has a neat countdown timer to when this will happen, they really do think of everything these villains.

The good news is that this attack seems to be very targeted, AT THE MOMENT. The lateral traversal using a bunch of hard coded passwords and mimikatz is a bother however, since it is sure to be copied and coming your way soon. Be very aware of any internal passwords that may be the idle work of systems administrators prior (ahem)…

The infection appears to have died a natural death now, leaving us all to wonder what the original purpose was? Disruption? A test run? A vendetta, warning message or punishment?

Our advice with all of these things as you know starts with:

  • Don’t use Flash or if you do, don’t chose to upgrade flash from anything other than an Adobe source
  • Take regular backups and test them
  • Don’t pay, ever

Further advice can readily be found online, however if you want the full skinny, contact us at [email protected] or call 0207 517 3900 and we will send you our advisory, which covers more bases than the bad guy from Zero Wing (and that is all of them).

And now we come TO THE REAPER BIT (RIP Terry Pratchett). It seems that a very nasty Internet of Ting Tings vulnerability, which has been disturbingly named REAPER, is doing the rounds building a global botnet that will make Mirai look like the robots from Goldie Looking Chain or the Flight of The Conchords  taking on the Daleks.

As Enterprise professionals, it is very easy to thumb one’s nose at the tragedy of unpatched home systems. That is of course until they are used to launch Distributed Denial Of Service attacks on an unprecedented scale against critical infrastructure, like DYN. Well in the words of the song, and since we are on a cheeseygeeklinkfest, you ain’t seen nothing yet.

The tragedy about this new botnet is that most ting tings vendors have issued patches, but because automatic updates have not been mandated by vendors or as they most certainly should be, by government agencies responsible for product licencing. The best we can do is spread the word and encourage staff, friends and family to update their ting ting shizzle regularly. You can read all about REAPER here.

If you have been following our now regular Marcuswatch, we understand that Marcus Hutchins (of WannaCry fame and having no knowledge of Zeus Ransomware or who might have written or sold it) has won a small victory and will be permitted to remove his electronic tag and not be subject to strict curfew, that is if the Fed’s appeal against his recent court success does not succeed. This will enable him to concentrate on pressing matters such as catching some breaks off the California coast. Good luck Mr Hutchins.