Tag: Bad Rabbit

Weekly Cyber Risk Roundup: Bad Rabbit’s Parallel Attack, Paradise Papers Fallout

October’s Bad Rabbit ransomware attacks were back in the news this week due to a report that a series of phishing attacks occurred at the same time as the Bad Rabbit outbreak, and the parallel attacks may have been carried out by the same group.

2017-11-10_ITT

The discovery also suggests that Ukraine may have been a key target of the attacks, despite Russian victims being more heavily targeted by Bad Rabbit.

The phishing attacks targeted users of Russian-designed 1C software with emails that appeared to be from the developer, the head of the Ukrainian state cyber police told Reuters. 1C products, including accounting software, are widely used in Ukraine.

The official said that 15 companies reported they were compromised by the attack, and it is possible that more people or organizations may have been affected due to 1C software’s wide use. The official also said the main theory is that both the Bad Rabbit and 1C phishing attacks were carried out by the same perpetrators with the goal of getting remote and undetected access in order to steal financial and confidential information. 1C’s developers did not respond to Reuters’ requests for comment about the phishing attacks, but a Ukrainian distributor confirmed that its users were targeted and that it warned them to take extra precautions.

Some researchers have suggested that the Bad Rabbit attacks were carried out by the same group behind June’s NotPetya outbreak. The NotPetya attack leveraged a back door that had been inserted into the M.E.Doc accounting software, which Reuters reported is used by 80 percent of Ukrainian companies. The use of popular Ukrainian accounting software during both NotPetya and attacks potentially linked to Bad Rabbit is yet another shared connection between the two events.

2017-11-10_ITTGroups

Other trending cybercrime events from the week include:

  • Data breach announcements: Verticalscope, which manages popular Web discussion forums, confirmed that it discovered an intrusion that provided access to the individual website files of six websites. Tween Brands is notifying customers that their personal information may have been compromised due the discovery of unauthorized access to a server. HumanGood is notifying customers that their personal information may have been compromised due to unauthorized access at a third-party benefits coordination vendor. North American Title Company is notifying customers that their personal information may have compromised due to an employee’s email account being accessed by an unauthorized third party. Wilbraham, Lawler & Buba and the East Central Kansas Area Agency on Aging announced ransomware attacks that could have also compromised personal information.
  • Data exposed: WikiLeaks released the source code for an alleged CIA hacking tool called “Hive,” and the release is just the first in a new series, dubbed “Vault 8,” that is intended to publish the source code from the variety of hacking tools described in the series of “Vault 7” publications earlier this year. A flaw in the website of the Australian Securities and Investments Commission (ASIC) exposes the search records and purchased documents of users such as investigative journalists and finance industry professionals. The website of the Scottish Appropriate Adult Network, which works with mentally impaired individuals that need help with the justice system, was shut down after it was found to be exposing the personal information of about 50 people. Klinger Moving Company is notifying employees that their personal information was briefly exposed due to a file that was stored on a company server being browsable via search engines.
  • Other notable incidents: NIC Asia Bank said that malicious actors initiated $4.4 million worth of fraudulent money transfers via the SWIFT messaging system last month; however, the bank was able to recover all but $580,000 of the funds. The anime streaming service Crunchyroll said that intruders planted a fake homepage that pushed a malicious “CrunchyViewer” program to its viewers for several hours. Approximately 800 school websites hosted by SchoolDesk displayed a pro-ISIS video after the company was hacked and a file was injected that redirected those websites to the video. Valley Family Medicine said that two now-former employees printed a mailing list of 8,450 patient names and addresses and used the list to make postcards informing them of a new practice.
  • Legal actions: A Pennsylvania man has been indicted for illegal trading via more than 50 hacked online brokerage accounts, which caused the firms servicing the accounts to lose more than $2 million. A former Minnesota resident has been charged with purchasing a year’s worth of DDoS attacks against his former employer Washburn Computer Group, as well as the networks of the Minnesota Judicial Branch, Hennepin County, and several banks. The UK’s Information Commissioner’s Office is warning employees to obey strict privacy laws on the heels of a charity worker at Rochdale Connections Trust being prosecuted for sending spreadsheets containing the personal information of 183 people to his personal email address.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-11-10_ITTNew

Cyber Risk Trends From the Past Week

2017-11-10_RiskScoresThe hack of a large cache of sensitive documents from the offshore law firm Appleby, which was first reported several weeks ago, has already begun to have potentially wide-reaching ramifications.

The International Consortium of Investigative Journalists (ICIJ), which also drove the reporting around the 2016 “Panama Papers” leak, has dubbed the new leak the “Paradise Papers.”

The Guardian reported that the now-exposed Appleby documents contain information related to numerous prominent individuals and organizations, such as Donald Trump’s commerce secretary Wilbur Ross, Queen Elizabeth II and Prince Charles, associates of Canadian Prime Minister Justin Trudeau, social media platforms Twitter and Facebook, corporations Apple and Nike, a variety of wealthy private individuals, and hundreds more.

Appleby reiterated this week that the theft of its data was not a leak by an insider, but “a serious criminal act” carried out “by an intruder who deployed the tactics of a professional hacker.” The company has previously stated that it had “thoroughly and vigorously investigated the allegations” from the ICIJ and was “satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.”

The BBC reported that although the 2016 Panama Papers were larger is size, the way the Paradise Papers “lifts the lid on sophisticated, upper-end offshore dealings” is unprecedented. For example, Gabriel Zucman, a professor of economics at the University of California, Berkeley, wrote in The New York Times that $70 billion, or close to 20 percent of all U.S. corporate tax revenue, is lost every year due to shifting corporate profits to tax havens.

The ICIJ and nearly 100 media groups are continuing to dig through the 13.4 million documents spanning seven decades that make up the Paradise Papers. The BBC said the papers include 6.8 million documents related to the Appleby breach, 6 million documents from corporate registries in mostly Caribbean jurisdictions, and a smaller amount from the Singapore-based international trust and corporate services provider Asiaciti Trust.

Dozens more stories related to the Paradise Papers will likely be published in the near future, although it remains to be seen what political, economic, or reputational fallout will accompany the organizations and individuals impacted by the leak.

Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 

2017-10-28_ITT.PNG

Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by NotPetya (or Nyeta) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.

2017-10-28_ITTGroups

Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-10-28_ITTNew

Cyber Risk Trends From the Past Week

2017-10-28_RiskScoresThe offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.