26 October 2017

Bad Rabbit, Brother of [Ex]Petr

On October 24, reports appeared that new encryption malware dubbed Bad Rabbit was attacking corporate networks of different organizations. Victims of the ransomware included some Russian media outlets, Odessa international airport and Kiev metro.

Announcement on the Facebook page of Kiev metro

According to Kaspersky Lab research, Bad Rabbit hit almost 200 targets in Russia, Ukraine, Turkey and Germany. The malware was distributed via infected mass media websites using a fake Adobe Flash installer.

According to Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT), some of the companies attacked were industrial facilities. However, no infections of industrial automation systems have been detected.

The attack has now ceased.

Kaspersky Lab experts believe that there is a connection between the Bad Rabbit attack and the ExPetr outbreak in June 2017 – that the same threat actor is behind both attacks.

Like ExPetr, the new encryption malware can spread inside the corporate network perimeter using Windows Management Instrumentation Command-line (WMIC), hijacking local and domain accounts to access other hosts on the local network (unlike ExPetr, Bad Rabbit does not leverage EternalBlue or EternalRomance exploits).

According to Kaspersky Lab ICS CERT experts, this means that, potentially, the malware could propagate from the corporate network to the control network, possibly via ICS engineering workstations.

Although currently the ransomware is not spreading, there is no guarantee that the threat actor will not resume attacks by distributing a new modification of Bad Rabbit or other encryption malware that uses the same mechanisms to propagate across the local network.

The following measures are recommended to reduce the possible risk of industrial automation systems being infected by this or similar malware:

  • restrict access from the corporate network to the control network;
  • use unique credentials (logins and passwords) to access the control network from the corporate network;
  • avoid using Active Directory (or its copy) for authorization on the control network.

Update – Oct 27, 2017:

Kaspersky Lab confirms that the EternalRomance exploit was used in Bad Rabbit

Based on their ongoing analysis of the threat, Kaspersky Lab researchers have confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread in corporate networks. Kaspersky Lab products have been proactively detecting this vulnerability with the following verdict: Intrusion.Win.CVE-2017-0147.sa.leak (detected by IDS).

This is one of the two NSA exploits used in ExPetr attacks in June 2017.

However, according to Kaspersky Lab research, EternalBlue, the other NSA exploit used by ExPetr, has not been found in Bad Rabbit.

Since Bad Rabbit uses the EternalRomance exploit, the ExPetr mitigation recommendations previously provided by Kaspersky Lab experts are relevant in the case of Bad Rabbit.


Source: Kaspersky Lab