Bad Rabbit Ransomeware [CVE-2017-0145]

Vulnerability Overview:

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.

Details:

Media companies have been affected by a new ransomware called Bad Rabbit ransomware. The malware utilizes fake Flash installer as its payload that leverages SMB protocol to check hardcoded credentials. This ransomware gets delivered through "drive-by attacks" compromising insecure web applications. While the target visits such website, the malware gets downloaded from the attacker’s infrastructure. The malware has been known to be Adobe Flash installer. When the installers get installed, it encrypts files and invokes user to pay ransom. Its all starts with social engineering!

The ransomware gets delivered through drive-by attack from insecure web applications. The file “install_flash_player.exe” provided by the website, has to be downloaded and installed by the user to execute it. Bad rabbit is a bootkit-based ransomware which affects MBR (Master Boot Record). Once installed, files on the target machines gets encrypted, it then installs its own bootloader in MBR and schedules a restart.

Once the computer gets infected, Using the list of usernames and passwords provided in malware, it tries to extend in the network. The credentials provided are gathered from bad/disclosed password list available in internet.

Unlike EternalBlue vulnerability, EternalRomance RCE exploits the flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), which is used to transfer data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

There are facts that EternalRomance vulnerability was patched by Microsoft this March with the release of a security bulletin (MS17-010). Computers that are not updated with recent patches gets affected with ransomware.

Who is impacted?

Media Firm which needs updated flash services.Some of the Russian media firms like Fontanka and Interfax were among the companies affected by the Bad Rabbit ransomware. The Ukrainian computer emergency agency CERT-UA has issued an alert that Odessa airport and Kiev subway were also affected

What is impacted?
As already mentioned this ransomware is delivered as a drive-by attack from compromised websites. File named “install_flash_player.exe” is send by the website and the user needs to manually execute it. It is a bootkit based ransomware like Petya/NotPetya. Upon execution of the installer file, it encrypts the files on the target machine and installs its own bootloader in MBR and schedules a reboot. The OS does not boots but after the system reboots it displays the ransom note to the user. Upon execution, the file tries to gain privilege via the standard UAC prompt. After acquiring the privileges, it creates a file under “C:\Windows\infpub.dat “. This file is executed using rundll32, and infpub.dat drops dispci.exe under C:\Windows. This executable is responsible for encrypting the files and modifies the boot-loader.

Detection
The following are some of the files, if found to be present on the system, gets infected
– %windir%\infpub.dat
– %windir%\dispci.exe
– %windir%\cscc.dat

Recommended Solution:

Mitigation steps:
- If possible, disable Windows Management Instrumentation(WMI) service.

- Try to block the execution of files C:\windows\infpub.dat and C:\Windows\cscc.dat (using GPO or other method)

- A fake file like C:\windows\infpub.dat and c:\windows\cscc.dat (the dropper looks for the presence of these files, if any exist, it does not infect the machine) can be created.

- Take precaution before opening any documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

- Take regular backups and store the copies in a protected environment.

- Make sure to have an anti-virus which receives updates for latest threats and provided adequate alert mechanism and counter mechanism automatically.

System Affected/Related OS and Version:

This issue affects
ft:server_message_block:1.0

Appendix:
External Source:BID
http://www.securityfocus.com/bid/96705
External Source:CONFIRM
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...

Threat Category: