hacker7 (Author) Posted October 27, 2017

Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread
Thursday, October 26, 2017

A new widespread ransomware worm, known as "Bad Rabbit," that hit over 200 major organisations, primarily in Russia and Ukraine, this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks.

Earlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use the EternalRomance exploit.

NotPetya ransomware (also known as ExPetr and Nyetya), which infected tens of thousands of systems back in June, also leveraged the EternalRomance exploit, along with another leaked NSA Windows hacking exploit, EternalBlue, which was used in the WannaCry ransomware outbreak.

Bad Rabbit Uses EternalRomance SMB RCE Exploit

Bad Rabbit does not use EternalBlue but does leverage the EternalRomance RCE exploit to spread across victims' networks. Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.

EternalRomance is one of many hacking tools allegedly belonging to the NSA's elite hacking team, called Equation Group, that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.

EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).

Bad Rabbit was reportedly distributed via drive-by download attacks through compromised Russian media sites, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly, and demanding 0.05 bitcoin (~$285) from victims to unlock their systems.

How Bad Rabbit Ransomware Spreads In a Network

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco's Talos, Bad Rabbit also carries code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.

"We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel's session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor," Talos researchers wrote. "Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space."

Is the Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya use the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" that the attackers behind both ransomware outbreaks are the same.

"It is highly likely that the same group of hackers was behind the BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017," Russian security firm Group IB noted. "Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has the same functions for computing hashes, network distribution logic and logs removal process, etc."

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced by the above assumptions.

How to Protect Yourself from Ransomware Attacks?

In order to protect yourself from Bad Rabbit, users are advised to disable the WMI service to prevent the malware from spreading over your network.

Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.

Since most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution before falling for any of these.

Most importantly, to always have a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn't always connected to your PC.

Source
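As an added example (not part of the article or this thread), here is a small Python detection sketch for the two lateral-movement behaviours the post describes: one host fanning out to many SMB ports while scanning for open shares, and one host producing failed logons for many different accounts as a hardcoded credential list is tried. The flow and failed-logon log formats are constructed for the example and are not any vendor's real format.

```python
# Added detection example: the log lines below are constructed, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records "time src dst dport": 10.0.0.5 fans out to six SMB hosts.
FLOWS = """\
2017-10-24T10:00:01 10.0.0.5 10.0.0.10 445
2017-10-24T10:00:02 10.0.0.5 10.0.0.11 445
2017-10-24T10:00:02 10.0.0.5 10.0.0.12 445
2017-10-24T10:00:03 10.0.0.5 10.0.0.13 445
2017-10-24T10:00:03 10.0.0.5 10.0.0.14 445
2017-10-24T10:00:04 10.0.0.5 10.0.0.15 445
2017-10-24T10:00:09 10.0.0.7 10.0.0.20 445
2017-10-24T10:05:00 10.0.0.7 10.0.0.21 445
2017-10-24T10:00:10 10.0.0.9 10.0.0.30 443
"""

# Constructed failed-logon (event 4625) summaries "time workstation target_user".
FAILED_LOGONS = """\
2017-10-24T10:00:05 10.0.0.5 Administrator
2017-10-24T10:00:05 10.0.0.5 admin
2017-10-24T10:00:06 10.0.0.5 backup
2017-10-24T10:00:06 10.0.0.5 guest
2017-10-24T10:00:07 10.0.0.5 root
2017-10-24T10:01:00 10.0.0.7 alice
"""

def _parse(text):
    # Yield (timestamp, source, value, remaining fields) for each record.
    for line in text.splitlines():
        ts, src, value, *rest = line.split()
        yield datetime.fromisoformat(ts), src, value, rest

def _sweep(events, window, threshold):
    # Sliding window per source: report the distinct-value count of the first window that reaches the threshold.
    hits = {}
    for src, items in events.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {v for t, v in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[src] = len(seen)
                break
    return hits

def smb_fanout(flows=FLOWS, window=timedelta(seconds=60), min_hosts=5):
    # Sources reaching >= min_hosts distinct hosts on TCP 445 within the window.
    events = defaultdict(list)
    for ts, src, dst, rest in _parse(flows):
        if rest and rest[0] == "445":
            events[src].append((ts, dst))
    return _sweep(events, window, min_hosts)

def password_spray(logons=FAILED_LOGONS, window=timedelta(seconds=60), min_users=4):
    # Workstations failing logons for >= min_users distinct accounts within the window.
    events = defaultdict(list)
    for ts, src, user, _ in _parse(logons):
        events[src].append((ts, user))
    return _sweep(events, window, min_users)
```

Credentials harvested with Mimikatz produce successful logons rather than 4625 events, so against that part of the spread only the SMB fan-out rule still fires; tune the thresholds to what your own subnets normally show.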
knowledge-Spammer Posted October 27, 2017

And people say Kaspersky are the bad ones? This is the same thing Kaspersky flags, but it is bad of Kaspersky for stopping things like this? Crazy people.

Quote: NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced by the above assumptions.

So now Kaspersky is stopping their own hackers? Seems funny. Are they hackers or not?

https://www.kaspersky.co.uk/resource-center/threats/blackenergy

NSA exploit, not Russia. Russia did not make the exploits, the USA did.
hacker7 (Author) Posted October 27, 2017

9 hours ago, knowledge said: NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced by the above assumptions.

Is the Same Hacking Group Behind Bad Rabbit and NotPetya? Since both Bad Rabbit and NotPetya use the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" that the attackers behind both ransomware outbreaks are the same.

Quote: https://www.kaspersky.co.uk/resource-center/threats/blackenergy

Good article, but when u read it they make u believe that Kasper is the only solution.
knowledge-Spammer Posted October 27, 2017

Quote: https://www.kaspersky.co.uk/resource-center/threats/blackenergy Good article, but when u read it they make u believe that Kasper is the only solution.

It's not what I mean. I mean the USA says Kaspersky used hackers to get NSA files, but why does Kaspersky show what the so-called Russian hackers are doing and how? So now Kaspersky is stopping their own hackers? OK, if people say so it must be right, lol. But they say it was part of the NSA exploit, so NSA again.
hacker7 (Author) Posted October 27, 2017

Quote: But they say it was part of the NSA exploit, so NSA again.

They only use the leaked 'EternalRomance' NSA exploit to spread. And even though it's targeting Russia amongst others, it's hard to believe the NSA is smarter than using its own leaked Eternal exploit to specially attack Russia. And the Kasper thing already had a discussion about before, but it is still unclear in many ways.
hacker7 (Author) Posted October 27, 2017

9 hours ago, 0bin said: [spoiler, content hidden]

???
hacker7 (Author) Posted October 27, 2017

It may be unknown, yes! But it's obvious at the same time.
knowledge-Spammer Posted October 27, 2017

This must be the hackers everyone talks about, the Russian hackers.
knowledge-Spammer Posted October 27, 2017

7 minutes ago, 0bin said: I think that the election wasn't hacked. Instead people made their choice. Now many people don't like Trump and give responsibility to hackers, which is not right.

No, u are wrong. The Russians hacked it all and Putin did it all.
hacker7 (Author) Posted October 27, 2017

Quote: No, u are wrong. The Russians hacked it all and Putin did it all.

Quote: I doubt it, the only interest of Putin is keeping peace, in an already on-the-war-edge world. He is one of the more rational country leaders I know, and would never do that.

I don't believe that they hacked the election literally, but for sure they did manipulate the media! Read about ''UK and fb*
knowledge-Spammer Posted October 27, 2017

If u don't like the videos u are dead inside. It's the best real proof u have that Putin did it all, he is so good, like James Bond.
hacker7 (Author) Posted October 27, 2017

9 hours ago, 0bin said: The social media manipulate people, you have a right example on this site with the Like button or the Ugly face button or the smile button. People think good, bad, or are happy or sad because of a face. I doubt it is Russian, instead I think it is an inside-country job.

Yes, there is some truth in ur words cuz the big head banks wanted Trump to win as well, but they were not enough! And there is WHERE the RUSSIAN PART of the mission CAME IN!
knowledge-Spammer Posted October 27, 2017

1 minute ago, 0bin said: If you can prove to me that Russian hackers did it, I will believe you, and you must prove also that they were sponsored actors of the Kremlin. I doubt you will be able to prove anything, and I suggest it is better to avoid digging too much, sometimes there is the WhiteRabbit at the end of the tunnel.

Following the White Rabbit will take u to a good place for sure.
knowledge-Spammer Posted October 27, 2017

2 minutes ago, 0bin said: Not sure? Sometimes it is better to mind your own business. I think following the white rabbit takes me UnderGround, in a specific way.

No, following the white rabbit will take u to the real truth, not made-up things.
hacker7 (Author) Posted October 27, 2017

9 hours ago, 0bin said: The truth only the people who created this climate and their commissioner know.

Then maybe there is no need for discussion or news or anything at all! Maybe we just follow their unknown truth instead?
hacker7 (Author) Posted October 27, 2017

9 hours ago, 0bin said: Use the scientific method, and don't trust anyone; those are the best tools you have. No need to listen to anyone.

I don't believe all that I listen to or read!

Quote: It is what I would want, if I created fake news.

So you are saying all news is fake? Are u the new Trump in here?
straycat19 Posted October 28, 2017

Slow down guys, you are filling the XKS drives up with your drivel.
hacker7 (Author) Posted October 28, 2017

9 hours ago, straycat19 said: Slow down guys, you are filling the XKS drives up with your drivel.

lol, I believe they call that passion. To hell with XKS.
steven36 Posted October 28, 2017

Hop on, Average Rabbit: Latest extortionware menace flopped
The buck stops… somewhere in Ukraine, Turkey, Japan?

As the dust settles from Tuesday's Bad Rabbit ransomware outbreak, it's already clear that it is far less severe than the WannaCrypt and NotPetya infections from earlier this year.

Bad Rabbit claimed notable victims including the media agency Interfax and was largely contained in Russia and Ukraine, as previously reported. According to ESET, 65 per cent of the victims are in Russia, 12.2 per cent in Ukraine. The nasty also hit some other Eastern European countries as well as Turkey and Japan.

Bad Rabbit spread from a network of compromised websites set up by the hackers in preparation for the attack. The dropper, which posed as a Flash Player installer, was downloaded by users when they visited infected websites through a drive-by download (a common hacker tactic). Carrier websites included argumentiru[.]com, which covers current affairs, news and celebrity gossip in Russia and its neighbours, among several others.

Bad Rabbit also attempted to spread to other machines on the same network using worm-like functionality. Like NotPetya, Bad Rabbit made use of a custom version of the Mimikatz password recovery tool as well as SMB network shares to spread across machines on the same network.

Security experts found that Bad Rabbit did not use EternalBlue – the stolen and leaked NSA-created exploit previously abused by both NotPetya and WannaCry – to spread. Instead it relies on local password dumps, as well as a list of common passwords, in attempts to hop from an infected machine to other Windows PCs.

Once executed, the malicious code acted like traditional ransomware, encrypting files before demanding a ransom to decrypt them – a relatively modest 0.05 BTC (around $280).

Infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com, the dropper delivery site, and sites containing the rogue code – were taken offline around six hours after the ransomware began spreading, according to a count by researchers at Cisco Talos. Since Russia was the origin of the attack, by the time the US had woken up it had already been blocked by signature-based antivirus and identified by products that relied on generic or behaviour-based malware detection.

CrowdStrike's analysis found that the Bad Rabbit and NotPetya DLLs (Dynamic Link Libraries) share 67 per cent of the same code, prompting speculation that the same group might be behind both attacks. This attribution is sketchy, at best.

Bad Rabbit is similar to NotPetya in that it is also based on the earlier Petya ransomware. Major portions of the code appear to have been rewritten. Recovery of infected machines might be difficult but not impossible.

Some experts reason that the intent may have been disruption rather than the profit-making cybercrime associated with ransomware strains such as Locky. "Bad Rabbit appears to be a disruption campaign designed to look like a ransomware campaign, similar to NotPetya and WannaCry," commented Allan Liska, senior solutions architect at threat intel outfit Recorded Future.

Bootnote

The hackers behind the ransomware seem to be fans of Game of Thrones, as the source code contains references to dragons from the popular TV series (Drogon, Rhaegal and Viserion). The as-yet unidentified crooks also allude to a human character, "GrayWorm", as the product name for the .exe file.

http://gearsofbiz.com/hop-on-average-rabbit-latest-extortionware-menace-flopped/157252
knowledge-Spammer Posted October 28, 2017

Quote: According to ESET, 65 per cent of the victims are in Russia, 12.2 per cent in Ukraine. The nasty also hit some other Eastern European countries as well as Turkey and Japan.

So it was not Russia doing this.
hacker7 (Author) Posted October 28, 2017

Quote: Security experts found that Bad Rabbit did not use EternalBlue – the stolen and leaked NSA-created exploit previously abused by both NotPetya and WannaCry – to spread. Instead it relies on local password dumps, as well as a list of common passwords, in attempts to hop from an infected machine to other Windows PCs.

So the news on the first page wasn't correct and the NSA exploit had nothing to do with it?

Quote: CrowdStrike's analysis found that the Bad Rabbit and NotPetya DLLs (Dynamic Link Libraries) share 67 per cent of the same code, prompting speculation that the same group might be behind both attacks. This attribution is sketchy, at best. Bad Rabbit is similar to NotPetya in that it is also based on the earlier Petya ransomware. Major portions of the code appear to have been rewritten.

And it was indeed the same Russian GROUP.

Quote: Since Russia was the origin of the attack, by the time the US had woken up it had already been blocked by signature-based antivirus and identified by products that relied on generic or behaviour-based malware detection.

Seems suspicious, this part. @steven36
steven36 Posted October 28, 2017

17 minutes ago, hacker7 said: And it was indeed the same Russian GROUP.

Unless there is any proof of this, it is totally speculation.

17 minutes ago, hacker7 said: Seems suspicious, this part.

The same thing happened with WannaCry: hardly anyone in the USA got infected. Ransomware and malware outbreaks happen all the time in the USA, most of which are for profit. It just depends on where the hacker attacks first, where the most get infected, and how fast vendors get the signatures. Stop trying to make malware topics about politics and conspiracy theories; there is enough of this in the news already.
knowledge-Spammer Posted October 28, 2017

CrowdStrike lies all the time, and there is proof they lied about Russian hacking before.
steven36 Posted October 28, 2017

9 minutes ago, knowledge said: CrowdStrike lies all the time, and there is proof they lied about Russian hacking before.

Security firms always try to blame it on somebody, but in this day and age, where they use TOR and VPNs, they can never confirm these hackers' real location. If they could get their real IP they would stop them, but they hardly catch any hackers. A group like this is just doing this for shits and giggles to stir up crap, the old skool way and not for profit, and would try to make people think they are from some place they are not.
hacker7 (Author) Posted October 28, 2017

9 hours ago, steven36 said: Unless there is any proof of this, it is totally speculation. The same thing happened with WannaCry: hardly anyone in the USA got infected. Ransomware and malware outbreaks happen all the time in the USA, most of which are for profit. It just depends on where the hacker attacks first, where the most get infected, and how fast vendors get the signatures.

So if you would or had to speculate? Is it hard to believe that it's the same Russian hacker group attacking their own country and others too?

Quote: Stop trying to make malware topics about politics and conspiracy theories; there is enough of this in the news already.