
UNM4SK3D: Bad Rabbit, Iot Reaper, and Kaspersky


By: Olivia

October 27, 2017



Bad Rabbit ransomware, delivered as a downloaded file named 'install_flash_player.exe,' has hit approximately 200 businesses in multiple countries including the US, Russia, Ukraine, Germany and Turkey. According to researchers at Kaspersky, the outbreak is spreading through drive-by download attacks via legitimate news sites, where the compromised host sites serve a dropper in the guise of a phony Adobe Flash Player installer. While the initial infection involves no exploits, the executable requires "elevated privileges to run, and uses a Windows UAC prompt to obtain them, again with the victim's permission." After the initial discovery, further analysis led researchers to conclude that there is a definite link between this ransomware and this summer's ExPetr/NotPetya attacks. Their analysis indicated: "Like ExPetr, Bad Rabbit tries to grab credentials from the system memory and spread within the corporate network by WMIC." In addition, victims are served a ransom note similar to the ExPetr and Petya notes. The attackers are demanding 0.05 Bitcoin, or $276 USD at today's exchange rate, in exchange for the decryption key that will unlock their hard drives. Cisco has also contributed findings to Kaspersky's initial report, adding that the leaked NSA exploit EternalRomance, a remote code execution attack that exploits CVE-2017-0145, was used to spread the malware on compromised networks.
This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr/NotPetya attack. - Kaspersky researchers
Read this previous edition of 'UNM4SK3D' for more details on NotPetya.
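The infection chain described above (a fake Flash installer dropped from a browser, elevated through a UAC prompt, then spreading with WMIC) leaves a recognisable process tree on an endpoint. The following is an added detection example, not code from Kaspersky, Cisco or this blog: it runs over constructed Sysmon-style process-creation events and flags the three stages. The event field names, the sample process IDs and the payload path are assumptions made for illustration.

```python
"""Detection logic for the Bad Rabbit behaviours described in the post, run over
constructed Windows process-creation events (Sysmon event ID 1 style).
Added example, not Kaspersky's or Cisco's code; field names and sample data
are assumptions."""
import re

DROPPER_NAME = "install_flash_player.exe"          # file name reported in the post
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)  # WMIC targeting another host
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)

# Constructed sample events: pid, parent pid, image path, command line, user, integrity level.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": "firefox.exe", "user": "CORP\\alice", "integrity": "Medium"},
    # Stage 1: the fake installer launched from the browser's download folder.
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "cmd": "install_flash_player.exe", "user": "CORP\\alice", "integrity": "Medium"},
    # Stage 2: the same binary relaunches itself at High integrity once the UAC prompt is accepted.
    {"pid": 201, "ppid": 200, "image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "cmd": "install_flash_player.exe", "user": "CORP\\alice", "integrity": "High"},
    # Stage 3: WMIC used to start a process on another host (payload path is a placeholder).
    {"pid": 300, "ppid": 201, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic /node:"FILESRV01" /user:"CORP\\admin" process call create "C:\\Windows\\CONSTRUCTED_PAYLOAD.dll"',
     "user": "CORP\\alice", "integrity": "High"},
    # Benign: an admin running a local WMIC query from a console.
    {"pid": 399, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe", "user": "CORP\\admin", "integrity": "High"},
    {"pid": 400, "ppid": 399, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic os get caption", "user": "CORP\\admin", "integrity": "High"},
    # Benign but worth a look: remote WMIC process creation with no dropper in its ancestry.
    {"pid": 499, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe", "user": "CORP\\admin", "integrity": "High"},
    {"pid": 500, "ppid": 499, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic /node:"WS42" process call create "notepad.exe"', "user": "CORP\\admin", "integrity": "High"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Yield ancestor events of pid, nearest parent first, stopping at unknown pids or loops."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def detect(events):
    """Return (pid, severity, reason) alerts for the dropper, its UAC elevation and WMIC spread."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    dropper_pids = set()

    for e in events:
        # A file called install_flash_player.exe running outside Program Files is the dropper name from the post.
        if basename(e["image"]) == DROPPER_NAME and "\\program files" not in e["image"].lower():
            dropper_pids.add(e["pid"])
            parent = by_pid.get(e["ppid"])
            if e["integrity"].lower() == "high" and parent and basename(parent["image"]) == DROPPER_NAME:
                alerts.append((e["pid"], "high", "fake Flash installer relaunched at High integrity (UAC prompt accepted)"))
            else:
                alerts.append((e["pid"], "medium", "fake Flash installer name running outside Program Files"))

    for e in events:
        if basename(e["image"]) != "wmic.exe":
            continue
        if WMIC_REMOTE.search(e["cmd"]) and WMIC_CREATE.search(e["cmd"]):
            if {a["pid"] for a in ancestry(by_pid, e["pid"])} & dropper_pids:
                alerts.append((e["pid"], "high", "remote WMIC process creation descending from the fake installer (lateral movement)"))
            else:
                alerts.append((e["pid"], "low", "remote WMIC process creation without dropper ancestry (review)"))
    return alerts


if __name__ == "__main__":
    for pid, severity, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: [{severity}] {reason}")
```

The local `wmic os get caption` query never triggers, and remote process creation is only escalated to high severity when a flagged dropper sits in its ancestry; on its own it is reported at low severity so that legitimate administration is reviewed rather than silently ignored.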


IoT devices are a ticking security time bomb, and with the IoT Reaper botnet they are one step closer to exploding. Researchers at NewSky Security warn that hackers are one step closer to launching full-scale DDoS attacks using millions of IoT devices, as they appear to be "swapping scripts on forums that can scan the internet for vulnerable IoT devices and dump default or weak credentials from them." Ankit Anubhav, principal security researcher at NewSky Security, conducted an investigation in which he found a pair of hackers demonstrating a script that exploited the CVE-2017-8225 vulnerability in a China-built wireless camera resold by many vendors. This discovery builds on recent research from Check Point warning that the botnet was recruiting a global army of connected devices. The identity of the hackers is currently unknown, but researchers have issued strong warnings about the severity of this botnet. It seems that "over one million IoT devices were already infected with IoT Reaper and 60% of corporate networks contained a device vulnerable to one of several vulnerabilities exploitable by adversaries behind the malware." The researchers maintain that hackers are actively developing attack scripts. Affected IoT devices include routers and wireless IP cameras manufactured by D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, Synology and GoAhead. Perhaps most frightening is that, unlike Mirai, this botnet goes beyond exploiting default credentials to compromise devices: it exploits nearly a dozen vulnerabilities, so it has the potential to do far more damage.
A huge number of devices vulnerable via CVE-2017-8225 were simply visible in Shodan, just waiting to be attacked. Without any security or patch, they are now vulnerable to becoming part of the IoT Reaper botnet. - Ankit Anubhav
Learn the ins and outs of botnets. Read 'Understanding How Botnets Work.'
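The scripts described above sweep address ranges looking for embedded devices, and that sweep is visible to the defender as one source touching many hosts on the ports IoT management interfaces listen on. The following is an added example, not code from NewSky Security, Check Point or this blog: it reads constructed flow records (timestamp, source, destination, destination port) and reports sources that reach an unusually large number of distinct hosts on those ports inside a short window. The port list, the window, the threshold and the sample addresses are all assumptions chosen for illustration.

```python
"""Flag address sweeps against IoT-style service ports in constructed flow records.
Added example, not the researchers' code; ports, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

IOT_PORTS = {23, 80, 81, 8080, 8443}   # telnet plus common embedded web-UI ports (assumption)
WINDOW = timedelta(minutes=5)          # sliding window over which distinct targets are counted
MIN_DISTINCT_HOSTS = 20                # sources reaching this many hosts in the window are reported


def _make_flows():
    """Build constructed flow lines: 'ISO-timestamp src dst dport'."""
    base = datetime(2017, 10, 27, 10, 0, 0)
    lines = []
    # Sweep: one external source touches 30 internal addresses on port 81 within two minutes.
    for n in range(1, 31):
        t = base + timedelta(seconds=4 * n)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 192.168.1.{n} 81")
    # Benign: an internal monitoring host polling five camera web interfaces.
    for n in range(1, 6):
        t = base + timedelta(seconds=10 * n)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 192.168.1.250 192.168.1.{n} 80")
    # Benign: repeated HTTPS sessions to a single NAS, not an IoT management port in this list.
    for n in range(40):
        t = base + timedelta(seconds=3 * n)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.4 192.168.1.200 443")
    return lines


SAMPLE_FLOWS = _make_flows()


def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_sweeps(lines, min_hosts=MIN_DISTINCT_HOSTS, window=WINDOW, ports=IOT_PORTS):
    """Return {src: peak distinct hosts} for sources that reach >= min_hosts distinct
    destinations on the watched ports inside any sliding window."""
    flows = sorted(parse_flow(line) for line in lines)   # chronological order
    per_src = defaultdict(list)                           # src -> [(ts, dst), ...] on watched ports
    sweeps = {}
    for ts, src, dst, dport in flows:
        if dport not in ports:
            continue
        per_src[src].append((ts, dst))
        # Distinct destinations this source has touched within the window ending now.
        recent = {d for t, d in per_src[src] if ts - t <= window}
        if len(recent) >= min_hosts:
            sweeps[src] = max(sweeps.get(src, 0), len(recent))
    return sweeps


if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} reached {count} distinct hosts on IoT ports within {WINDOW}")
```

Counting distinct destinations rather than raw connections keeps a chatty but legitimate client (the HTTPS sessions to one NAS) below the threshold, while the window stops slow background polling from accumulating into a false alert over a whole day.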


Kaspersky isn't running or hiding after recent allegations that its software is being used to assist the Russian government with cyberespionage efforts. Now, with its 'comprehensive transparency initiative,' the company is putting it all out in the open. The initiative will allow independent third-party reviews of its source code and internal processes, an effort meant to win back the trust of customers and the infosec community who have expressed doubts about the company's affiliations. As it turns out, a story published by the New York Times claimed that "Israeli government hackers hacked into Kaspersky's network in 2015 and caught Russian hackers red-handed hacking US government with the help of Kaspersky." You may recall that back in July, the company offered to turn over its source code for the U.S. government to audit, but the U.S. Department of Homeland Security (DHS) instead banned and removed Kaspersky software from all government computers. The suspicions of both U.S. officials and cyber security experts are now out in the open, and they are the suspicions Kaspersky hopes to combat with transparency. Its plan includes independent review of source code, independent review of business practices, payment of up to $100,000 in bug bounty rewards, and the creation of three transparency centers.
Code review is absolutely meaningless. All Russian intelligence needs is access to KSN, Kaspersky's data lake, which is a treasure trove of data. Even open sourcing the entire product won't reveal or even help with revealing that. - Amit Serper, security researcher at Cybereason
For more on the removal of Kaspersky products from government computers, read the KnowBe4 blog.


The US House of Representatives passed legislation aimed at guarding U.S. ports from cyberattacks. H.R. 3101, the 'Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017,' would improve information sharing and cooperation in addressing cybersecurity risks at our nation's ports through several measures.

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.