The Ivanti Threat Thursday Update for October 26, 2017: A Bad Rabbit and a Grim Reaper

Greetings. Two new cybersecurity threats made lots of news this week, and at least one may have already disappeared – or not. Confused, or eager to opine, react, or suggest in response to anything you read here? Do feel free, and thanks in advance.

Bad Rabbit and Reaper: New Variants of Old Threats Demand Proven Protections

A new ransomware attack captured a lot of media attention early this week, but may have already disappeared or gone into a kind of stealth mode. Meanwhile, experts warn that new malware appears poised to launch a massive attack on the Internet via poorly secured connected devices.

  • On Tuesday, multiple media reported that ransomware code-named “Bad Rabbit” was infecting networks at hundreds of organizations, primarily in Russia and Ukraine. As Motherboard reported, “The hackers behind Bad Rabbit—who at this point are unknown—compromised a series of media and news websites to push a prompt to install a fake Adobe Flash update. Once the victim fell for the trick, the malware was served from servers under the control of the hackers.”
  • One day later, according to the same report, several cybersecurity researchers noted that those servers had apparently ceased delivering malware and were unreachable. However, at least one researcher said he and his colleagues were still seeing victimized systems attempting to look up the addresses of the hackers’ servers. The researcher opined that the malware “is still out there attempting to propagate from other infected sites.” And Motherboard later issued a correction, saying that while earlier tests indicated the dark web site the hackers created for ransom payment collection was down, it later appeared to be up again.
  • Several media reports linked Bad Rabbit to the high-profile NotPetya weaponized malware attack of a few months ago. (See “Petya and Weaponized Malware: Is Ransomware the New DDoS Attack?” and “Webinar Q&A: Petya and Weaponized Malware.”)

Meanwhile, on Monday, Krebs on Security reported that multiple “experts are sounding the alarm” about new “attack malware” known variously as “Reaper” and “IoTroop.” This malware “spreads via security holes in IoT [Internet of Things] software and hardware. And there are indications that over a million organizations may be affected already.”

  • Although the malware hasn’t launched any attacks yet, it is reportedly similar to Mirai. That was the malware behind the 2016 distributed denial-of-service (DDoS) attacks on Internet infrastructure provider Dyn, French hosting firm OVH, and the Krebs on Security site itself. However, researchers quoted in the report say this new malware “partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviors.”
  • One key difference: “an evolution that allows Reaper to more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious activity on the local network.” Other researchers said “this new IoT malware strain is ‘evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.’”
  • “Unlike Mirai — which wriggles into vulnerable IoT devices using factory-default or hard-coded usernames and passwords — this newest IoT threat leverages at least nine known security vulnerabilities across nearly a dozen different device makers.” (The Krebs on Security report includes links to additional information about affected devices and available software patches and updates.)

What We Say: There may be a new list of scary names, but your response to the latest round of cybersecurity threats should be the same. Your enterprise needs multi-layered cybersecurity protections, effective remediation solutions and practices, and committed user education efforts. As Ivanti Security Evangelist Amber Boehm says in a recent SC Magazine UK article, “Patching won’t protect you against everything but it’s still the most important step in your cyber-security defence plan. But if you can’t patch—because you’re running legacy systems, for example, or you have concerns that patching will break something in your environment—you need to block the applications that don’t get patched with tools like application whitelisting and privilege management.” (See “The Equifax Breach, Patch Management, and Your Cybersecurity” and “User Education for Cybersecurity: Yes, It’s Worth It.”)

From Patch to Privilege Management and Beyond, Ivanti Can Help Improve Your Cybersecurity

Discover and inventory what’s in your environment completely and accurately. Get and keep your client and server system patches up to date. Gain and maintain control over your users’ applications, devices, and admin rights. Fight and remediate malware and other attacks rapidly and effectively. Achieve and deliver detailed, actionable reporting and analysis of the actions, behaviors, events, and trends that affect your environment and its security.

Ivanti has the solutions, experience, expertise, and ecosystem of partners that can help you succeed with any and all of the above critical elements of an effective cybersecurity strategy. Get in touch with us, and let’s start improving cybersecurity at your enterprise together. (And please continue to read, share, and react to our Patch Tuesday and Threat Thursday updates!)