Wednesday, October 25, 2017

Research on BadRabbit Ransomware

From Eskenzi PR:

"Nozomi Networks has taken a look into the BadRabbit Ransomware that hit Russia and Ukraine yesterday affecting systems at three Russian websites, transport systems in Ukraine, including an airport and an underground railway in Kiev.

"Moreno Carullo, Co-Founder and Chief Technical Officer for Nozomi Networks says, “Our research shows that the group behind Bad Rabbit have spent considerable time creating their ‘infection-network,’ going back at least to July, with the majority of sites relating to media and news.When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer/update. Given that the attackers are targeting media and news sites, that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion – but it should! If the user follows the redirection the attack begins and the ransomware dropper (distributed from: hxxp://1dnscontrol[.]com/flash_install.php) downloads.”

"Moreno explains,“As soon as the victim executes the dropper, for which admin privilege is needed, a malicious DLL named infpub.dat is saved and is then run using the usual utility rundll32. Our experience executing the infpub.dat file is that it then seems to try to brute-force NTLM [NT LAN Manager] login credentials and download an executable dispci.exe, which appears to be derived from the well-known utility DiskCryptor code - a disk encryption module. The execution of the last file downloaded begins the encryption phase and the replacement of the bootloader as already seen in previous NotPetya attacks.

"According to Moreno, “Prevention is always better than cure as, if infected, it is never advisable to pay the ransom as it is not guaranteed that the criminals will honor the agreement and restore systems/data. Organizations need tools that will help them immediately identify when something ambiguous is happening within the infrastructure. Applying artificial intelligence and machine learning for real-time detection and response, organizations can monitor for malware to rapidly discover and act to remove malicious code and the risks posed before harm is done.”

"Michael Patterson, CEO of Plixer says, “Many times ransomware infections go unreported. Employees who make the mistake and click on something they shouldn’t are usually very embarrassed about the infection. Security teams need to be aware of all infections in order to grasp the scale of the intrusion. Unreported infections can often be discovered using network traffic analytics.  By profiling the Bad Rabbit communication behavior other machines reaching out to the Internet with similar behaviors can be identified.”"

Thursday, October 19, 2017

EU-U.S. Data Transfer Pact Passes First Annual Review

Reuter's reports that the EU-U.S. data transfer pact passes its first annual review.

EU data privacy protection rules are getting tougher all the time and they're not shy about imposing fines for violations.

Are you responsible for data privacy in your organization? Do you conduct business in Europe? If either answer is "yes," you should read Paul Lambert's The Data Protection Officer: Profession, Rules, and Role  and  Understanding the New European Data Protection Rules.

Wednesday, October 11, 2017

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets

According to the New York Times, "What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool -- antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

I seems I warned of this in 2012 in this post: Kaspersky, ex-KGB, Is Tool of Putin.