Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 

2017-10-28_ITT.PNG

Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by NotPetya (or Nyeta) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.

2017-10-28_ITTGroups

Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-10-28_ITTNew

Cyber Risk Trends From the Past Week

2017-10-28_RiskScoresThe offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s