Making the headlines: Bad Rabbit and Reaper malware
October 27, 2017
Here’s a quick overview of both, their potential impact on business and some suggested mitigation techniques to help you and your organization.
Bad Rabbit burrowing into Europe and Russia
Bad Rabbit appears to have the capability of brute-forcing NTLM logons over SMB, probably in an attempt to spread across the rest of an internal network after an initial breach. It is being delivered as a drive-by download from compromised legitimate websites, but it still needs to be executed manually by the user and, crucially, requires administrative privileges to run.
Bad Rabbit is primarily targeting European and Russian organizations. If an end-user or employee accesses one of the sites and executes the malware, they will get infected. If this happens on an internal network where users have weak passwords, there is a real possibility that a large part of the network will be compromised.
However, the Bad Rabbit attack is remarkable only in its scale, which comes from the use of legitimate websites to spread it.
Because the infection relies heavily on social engineering, an educated user base inside your company will greatly reduce infections from this type of malware. Meanwhile, research has been published claiming to prevent the disk encryption that Bad Rabbit threatens.
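The lateral movement described above leaves a recognisable trace: a single host producing a burst of failed NTLM network logons against many different accounts, sometimes followed by a successful logon from the same host. The following is an added example (not Blueliv’s code and not part of the original post) of detection logic for that pattern, run over constructed sample records. The flattened line format, the field names and the thresholds are this example’s own assumptions; the event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security event IDs.

```python
"""Detect NTLM credential brute-forcing / password spraying in logon events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Each line is a flattened
# Windows Security event: 4625 = failed logon, 4624 = successful logon.
# type=3 is a network logon, which is what SMB authentication produces.
# The key=value layout is an assumption of this example, not Microsoft's schema.
SAMPLE_LOG = """\
2017-10-24T10:00:01 id=4625 src=10.0.0.5 user=Administrator auth=NTLM type=3
2017-10-24T10:00:01 id=4625 src=10.0.0.5 user=Admin auth=NTLM type=3
2017-10-24T10:00:02 id=4625 src=10.0.0.5 user=Guest auth=NTLM type=3
2017-10-24T10:00:02 id=4625 src=10.0.0.5 user=User auth=NTLM type=3
2017-10-24T10:00:03 id=4625 src=10.0.0.5 user=root auth=NTLM type=3
2017-10-24T10:00:03 id=4625 src=10.0.0.5 user=test auth=NTLM type=3
2017-10-24T10:00:04 id=4625 src=10.0.0.5 user=support auth=NTLM type=3
2017-10-24T10:00:04 id=4625 src=10.0.0.5 user=ftp auth=NTLM type=3
2017-10-24T10:00:05 id=4625 src=10.0.0.5 user=manager auth=NTLM type=3
2017-10-24T10:00:05 id=4625 src=10.0.0.5 user=backup auth=NTLM type=3
2017-10-24T10:00:06 id=4624 src=10.0.0.5 user=backup auth=NTLM type=3
2017-10-24T10:05:00 id=4625 src=10.0.0.9 user=alice auth=NTLM type=3
2017-10-24T10:07:00 id=4625 src=10.0.0.9 user=alice auth=NTLM type=3
2017-10-24T10:09:30 id=4624 src=10.0.0.9 user=alice auth=Kerberos type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"auth=(?P<auth>\S+) type=(?P<type>\d+)$"
)


def parse_events(text):
    """Parse the flattened log into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "src": m["src"],
            "user": m["user"],
            "auth": m["auth"],
            "type": int(m["type"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_ntlm_bruteforce(events, window=timedelta(seconds=60),
                           max_failures=8, max_accounts=5):
    """Return one alert per source host whose NTLM network-logon failures
    exceed either threshold inside a sliding window. If a successful NTLM
    logon from that host follows within the window, the alert records the
    account it used: a brute force that worked, i.e. a likely compromise."""
    recent = defaultdict(deque)   # src -> failed logons still inside the window
    alerts = {}
    for ev in events:
        if ev["auth"] != "NTLM" or ev["type"] != 3:
            continue
        q = recent[ev["src"]]
        if ev["id"] == 4625:
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()
            users = {e["user"] for e in q}
            if len(q) >= max_failures or len(users) >= max_accounts:
                a = alerts.setdefault(ev["src"], {
                    "src": ev["src"], "first_failure": q[0]["ts"],
                    "last_failure": ev["ts"], "failures": 0,
                    "accounts": set(), "success_after": None,
                })
                a["last_failure"] = ev["ts"]
                a["failures"] = max(a["failures"], len(q))
                a["accounts"] |= users
        elif ev["id"] == 4624 and ev["src"] in alerts:
            a = alerts[ev["src"]]
            if a["success_after"] is None and ev["ts"] - a["last_failure"] <= window:
                a["success_after"] = ev["user"]
    # Sets are handy while accumulating; a sorted list is nicer to report.
    return [dict(a, accounts=sorted(a["accounts"])) for a in alerts.values()]


if __name__ == "__main__":
    for alert in detect_ntlm_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, 10.0.0.5 fails ten logons against ten accounts within six seconds and then succeeds as "backup", so it is reported with the compromised account; 10.0.0.9 is a user mistyping a password twice, minutes apart, and falls out of the window before either threshold is reached. Tune the thresholds to your environment: an account lockout policy will limit the failures per account, but a sprayer that tries many accounts once each is exactly what the distinct-account threshold is there to catch.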
Fear the Reaper?
Reaper, also known as IoTroop, is a botnet that infects IoT devices. It is reported to be dormant at the moment, but the actors behind it have been infecting devices for quite some time and are moving closer to launching full-scale DDoS attacks by herding millions of devices into the botnet.
A key differentiator for this strain of malware is that it exploits multiple known device vulnerabilities to infect its targets, instead of brute-forcing default credentials the way last year’s Mirai botnet did.
Researchers at Check Point have suggested that over one million organizations have been affected so far, with the malware targeting IoT devices such as web cameras. Meanwhile, exploit scripts for vulnerabilities such as CVE-2017-8225 are already being shared on forums, which makes weaponization of vulnerable devices easy.
Depending on the exposure of your infrastructure, any number of corporate or personal devices might be affected. At the moment, the best mitigation is to update your IoT devices as frequently as possible, ensuring that all known vulnerabilities have been patched. Additionally, keeping your IoT devices inside a private network that is not reachable from the Internet will limit the security impact, and will probably prevent infection of the devices in the first place.
Blueliv’s Cyber Threat Intelligence technology can help monitor and identify infected devices in real time and compromised credentials – whether they are in the headlines or not.
Moreover, members of our community have access to our free sandbox, which can analyze suspicious files, and can exchange IOCs and information from various sources that often help mitigate the impact of potentially targeted malware.