On October 24th, infections by a ransomware called Bad Rabbit began to spread. In less than a day it had hit organizations and consumers, mostly in Russia, Ukraine, Turkey, Bulgaria and the United States.
The ransomware dropper was distributed through drive-by attacks: while the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. No exploits were used, so the victim has to manually execute the dropper, which pretends to be an Adobe Flash installer.
Once inside, however, Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in ExPetr, and the SMBv1 flaw it targets was fixed by Microsoft's MS17-010 update, so unpatched hosts with SMBv1 enabled are the ones at risk of lateral spread. It appears to have been a targeted attack against corporate networks, using methods similar to those of the ExPetr attack; code analysis showed a notable similarity between the ExPetr and Bad Rabbit binaries.
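A quick way to tell whether a Windows host still exposes the SMBv1 surface that EternalRomance targets, as an added example (it is not code from the page or from Kaspersky). It assumes a Windows 8.1 / Server 2012 R2 or later host run as Administrator; the `$disable` switch is a hypothetical knob added here so the script reports by default and only changes configuration when asked.

```powershell
# Added example, not code from the page or from Kaspersky.
# Reports whether this host still offers the SMBv1 surface that EternalRomance
# targets and, optionally, turns it off. Run as Administrator.

$disable = $false   # assumption: set to $true to actually change the configuration

# Server side: is the SMB server still willing to speak SMBv1?
$server = Get-SmbServerConfiguration
if ($server.EnableSMB1Protocol) {
    Write-Warning "$env:COMPUTERNAME: SMBv1 server protocol is ENABLED"
    if ($disable) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled"
    }
} else {
    Write-Host "$env:COMPUTERNAME: SMBv1 server protocol is disabled"
}

# On Windows 8.1 / Server 2012 R2 and later the SMB1 client and server binaries
# are also shipped as an optional feature; removing it takes the code off the box.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host "SMB1Protocol optional feature state: $($feature.State)"
    if ($disable -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Host "SMB1Protocol feature disabled (restart required)"
    }
}
```

Disabling SMBv1 removes the protocol the exploit rides on but is not a substitute for installing MS17-010; do both, and roll the change out per host group so any legacy device that still needs SMBv1 is found before it is cut off.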
According to Kaspersky's analysis of the sample, the criminals behind this malware appear to be fans of the Game of Thrones books and TV series: several strings used throughout the code are the names of characters from it. Kaspersky also found that files encrypted by Bad Rabbit can be recovered by following a specific procedure: "We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim's files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities".
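The "standard Windows mechanism" Kaspersky refers to is the Volume Shadow Copy Service. The script below is an added example, not code from the page or from Kaspersky: it checks that snapshots actually survived, picks the newest one taken before an assumed infection time, mounts it and copies a folder out. The infection time, the source path inside the volume, the destination volume and the link path are all assumptions to adjust to the incident.

```powershell
# Added example, not code from the page or from Kaspersky.
# Lists Volume Shadow Copy snapshots and copies a folder out of the newest
# snapshot taken before an assumed infection time. Run as Administrator,
# ideally after booting from clean media, and copy to a separate volume.

$infectionTime = Get-Date '2017-10-24 10:00'     # assumption: set to the real incident time
$sourceSubPath = 'Users\alice\Documents'         # assumption: path inside the volume to recover
$destination   = 'D:\recovered'                  # assumption: a clean volume, not the infected one
$linkPath      = 'C:\vss_restore'                # temporary mount point for the snapshot

# Bad Rabbit leaves existing snapshots alone, but many ransomware families
# run "vssadmin delete shadows", so confirm they are still there first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    Write-Warning 'No shadow copies present; VSS restore is not an option on this host.'
    return
}

# VolumeName is the \\?\Volume{GUID}\ form; filter on it if several volumes have snapshots.
$shadows | Sort-Object InstallDate |
    Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# Newest snapshot that predates the infection; a later one may already hold encrypted files.
$snap = $shadows | Where-Object { $_.InstallDate -lt $infectionTime } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) {
    Write-Warning 'Every snapshot was taken after the infection time; nothing safe to restore.'
    return
}

# Expose the snapshot as a directory. The trailing backslash on the device path is required.
cmd.exe /c mklink /d $linkPath "$($snap.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
    Copy-Item -Path (Join-Path $linkPath $sourceSubPath) -Destination $destination -Recurse -Force
    Write-Host "Restored '$sourceSubPath' from snapshot $($snap.ID) taken $($snap.InstallDate)"
}
finally {
    # Remove only the link; rmdir on a directory symlink never touches the snapshot contents.
    cmd.exe /c rmdir $linkPath | Out-Null
}
```

Take a forensic image of the disk before running anything like this, and keep the recovered copy off the infected volume; if Bad Rabbit's disk encryption did complete, there is no mounted volume for VSS to read and this path does not apply.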
Dutch Privacy Regulator Says Windows 10 Breaks the Law
The lack of transparency about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). To comply with the law, the DPA says that Microsoft must be clearer about what data is collected and how that data is processed and respect previously chosen settings about data collection.
The CSE of Canada Releases a Malware-fighting Tool to the Public
The Communications Security Establishment (CSE) has released one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats. Assemblyline is an open-source malware analysis tool that, according to CSE, is used to protect the Canadian government's sprawling infrastructure every day.
Rest of the Week's News
Microsoft Releases the Open Source Scanning Tool Sonar
Microsoft announced the availability of Sonar, an open source linting and website scanning tool developed by the Microsoft Edge team. Sonar analyzes a site for a wide range of issues, including coding errors, performance, accessibility, security, Progressive Web App (PWA) readiness and interoperability.
Hackers Used Backdoored MS Office Key-gen to Steal NSA Exploits
Kaspersky Lab published a detailed report on the case that explains how cyber spies could easily have stolen the software exploits from the NSA employee's Windows PC. According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on his personal computer and infected it with spyware bundled with a product key generator he ran to activate a pirated copy of Microsoft Office.
APT28 Racing to Exploit Flash Vulnerability Before Patches Are Deployed
CVE-2017-11292 is a type confusion vulnerability in Adobe Flash Player that can lead to code execution on Windows, Mac, Linux and Chrome OS systems; Adobe patched it in APSB17-32 (Flash Player 27.0.0.170). Attackers are moving quickly to exploit it while unpatched installs remain, and researchers at Proofpoint have attributed a campaign spreading trojan malware through the vulnerability to APT28.