Eastern Europe Hit by Bad Rabbit Ransomware, Kaspersky Opens Code to 3rd Party Review & APT 28 Has Massive Fail


Ukraine Called It Right – A few reports ago, we reported that Ukraine's Security Services were warning the country's government, critical infrastructure and businesses that a new wave of ransomware was about to hit. That has now happened, and it appears to be just as devastating and disruptive as the WannaCry and NotPetya campaigns that hit the country a month or so ago. Termed “Bad Rabbit”, it has so far hit government agencies and private businesses in Ukraine, Russia, Bulgaria and Turkey. It is spreading, as predicted, via fake Flash update packages, but this time the malware comes loaded with tools that let it move laterally within a network. According to the security companies ESET, Emsisoft and Fox-IT, the malware uses Mimikatz to extract credentials from the local computer’s memory and, together with a list of hard-coded credentials, tries to access servers and workstations on the same network via SMB and WebDAV. Victims of NotPetya will recognise the ransom note left behind, as it is almost identical to NotPetya's, but that is as far as the resemblance goes. The current ransom stands at 0.05 Bitcoin, with victims having 40 hours to pay before the fee goes up.
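The lateral-movement behaviour described above (one infected host trying dumped and hard-coded credentials against many neighbours over SMB and WebDAV) leaves a recognisable fan-out pattern in authentication logs. The following is an added detection example, not code from the original report or from any of the vendors named; it assumes a simple constructed log format (timestamp, source, destination, protocol, result) and counts both successful and failed attempts, since credential guessing produces failures too.

```python
"""Flag hosts that fan out over SMB/WebDAV to many peers inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for illustration only (not real telemetry).
# Format: <ISO timestamp> <src host> <dst host> <protocol> <result>
SAMPLE_EVENTS = """\
2017-10-24T13:00:01 10.0.5.12 10.0.5.20 SMB success
2017-10-24T13:00:03 10.0.5.12 10.0.5.21 SMB failure
2017-10-24T13:00:04 10.0.5.12 10.0.5.22 WebDAV failure
2017-10-24T13:00:06 10.0.5.12 10.0.5.23 SMB success
2017-10-24T13:00:08 10.0.5.12 10.0.5.24 WebDAV success
2017-10-24T13:00:09 10.0.5.12 10.0.5.25 SMB failure
2017-10-24T13:05:00 10.0.5.40 10.0.5.20 SMB success
2017-10-24T13:20:00 10.0.5.40 10.0.5.21 SMB success
"""


def parse_events(text):
    """Parse the constructed log format into (time, src, dst, proto, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, proto, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto, result))
    return events


def find_fan_out(events, window=timedelta(minutes=2), min_targets=5):
    """Return {src: sorted targets} for every source that contacts at least
    `min_targets` distinct hosts over SMB or WebDAV within any sliding
    `window`. Failed logons count: credential spraying mostly fails."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, _result in events:
        if proto in ("SMB", "WebDAV"):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break  # one alert per source is enough
    return flagged
```

With the sample above, `10.0.5.12` is flagged after reaching five distinct peers in eight seconds, while `10.0.5.40` (two hosts, fifteen minutes apart) is not.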

Kaspersky Tries to Regain Trust – In an attempt to regain some public trust in its products, Kaspersky is looking to open its software up to a trusted third-party vendor for a code review. Called the “Global Transparency Initiative”, it is about as much as the company can do to try to rebuild trust with governments, businesses and the public. Not due to begin until 2018, the initiative also has the company creating “Transparency Centres” in Europe, Asia and the US, which will allow companies and governments to access the source code review. Finally, the maximum bug bounty reward for finding faults in the company's software has been raised to £100,000. Despite all the good intentions, if you peel back what they are actually doing it doesn’t amount to fixing what was broken: a code review audit won't rule out either compromise by, or collaboration with, the intelligence services, which are the fundamental concerns customers currently have.

APT 28 Fail – Fancy Bear have apparently put their foot in it with one of the biggest fails of the year by trying to hack cyber security professionals. With a security conference organised by NATO’s Cooperative Cyber Defence Centre of Excellence and the US Army’s Cyber Institute set to start next month, APT 28 sent spear-phishing emails to the event's attendees. With these individuals being at the top of the cyber security tree in terms of expertise, you would expect the APT to use one of its more sophisticated attacks, maybe even a zero day. Instead they sent emails containing Word documents that asked the recipient to enable macros. These security researchers lecture for hours about never enabling Word macros, so the attack was spotted immediately. After exposing the emails online for what they were, the researchers uploaded and opened the attachments in sandboxes, which revealed that the document downloaded “Seduploader”, one of the group's well-known backdoor trojans used for reconnaissance operations.