Activity Summary – Week Ending October 27, 2017

This week a ransomware family called “Bad Rabbit” was spotted for the first time. It initially hit users in Russia and Ukraine, and has since been seen spreading to other countries.

Its spread has been far more contained than that of the other recent ransomware outbreaks, WannaCry and Petya/NotPetya, mainly because the initial infection is a watering hole attack: a victim has to download and execute a malicious file themselves, rather than being compromised remotely through a specific vulnerability as in those attacks. For more on this ransomware, scroll down to the Malware Activity section and the Threat Research & Insights section.

In other news, a vulnerability called DUHK (Don’t Use Hard-coded Keys) was announced this week. It affects implementations of the ANSI X9.31 pseudorandom number generator that ship with a hard-coded seed key: because the generator’s output then depends only on that key and a guessable date/time input, an attacker who knows the key and can observe one block of generator output (for example a handshake nonce) can recover the generator’s internal state, reproduce the random values used to derive TLS/IPsec session keys, and decrypt the captured traffic. A number of security and VPN gateway products used this construction several years ago. The flaw affects some older Fortinet products that were designated End of Support over a year ago. We released a blog post addressing this issue, with details on how organizations still running those outdated FortiGate devices can update them using a patch released last November. You can find it in the Threat Research & Insights section below.
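As an added illustration (not code from Fortinet or from the DUHK researchers) of why a hard-coded X9.31 key is fatal, the following Python implements the X9.31 generator and the attacker’s side of the recovery. Everything in it is constructed for the example: an 8-byte toy Feistel cipher stands in for AES/3DES, the date/time input is assumed to be the Unix time in seconds and shared by all blocks generated within one handshake, the attacker is assumed to know that time to within a minute, and the two observed blocks play the role of public nonce material while the third plays the role of secret key material.

```python
"""ANSI X9.31 PRNG with a hard-coded key, and the state-recovery attack
behind DUHK.  Added example, not Fortinet's or the DUHK authors' code.
The 8-byte Feistel 'cipher' is a toy stand-in for AES/3DES so the script
runs on the standard library alone; the attack uses E_K only in the
forward direction, so the choice of cipher changes nothing."""
import hashlib
import hmac

BLOCK = 8  # toy cipher block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel permutation standing in for E_K."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right


def timestamp_block(t: int) -> bytes:
    """Assumed: the generator's date/time input is the Unix time in seconds."""
    return t.to_bytes(BLOCK, "big")


class X931PRNG:
    """I = E_K(T); R = E_K(I ^ V); V' = E_K(R ^ I).  The standard assumes K is
    secret per device; the vulnerable products fixed K in firmware."""

    def __init__(self, key: bytes, seed: bytes):
        self.key, self.v = key, seed

    def next_block(self, t: int) -> bytes:
        i = encrypt_block(self.key, timestamp_block(t))
        r = encrypt_block(self.key, xor(i, self.v))
        self.v = encrypt_block(self.key, xor(r, i))
        return r


def recover_next_output(key: bytes, r0: bytes, r1: bytes, t_lo: int, t_hi: int):
    """Attacker side.  Needs only the hard-coded key, two consecutive public
    output blocks and a rough idea of when they were produced.  Each guessed
    timestamp is checked by re-deriving r1 from r0; a guess that fits yields
    the state after r1 and therefore the next (secret) output.  The original
    seed V is never needed."""
    hits = []
    for t in range(t_lo, t_hi + 1):
        i = encrypt_block(key, timestamp_block(t))
        v1 = encrypt_block(key, xor(r0, i))          # state after r0 was emitted
        if encrypt_block(key, xor(i, v1)) != r1:     # wrong timestamp guess
            continue
        v2 = encrypt_block(key, xor(r1, i))          # state after r1
        hits.append((t, encrypt_block(key, xor(i, v2))))
    return hits


def demo():
    """Constructed scenario: the gateway emits two nonce blocks (public) and
    one key block (secret) within the same second."""
    firmware_key = bytes.fromhex("0123456789abcdef")               # hard-coded in the product
    seed = hashlib.sha256(b"per-device entropy").digest()[:BLOCK]  # unknown to the attacker
    prng = X931PRNG(firmware_key, seed)
    t = 1509062400                                                 # 2017-10-27 00:00:00 UTC
    nonce = [prng.next_block(t), prng.next_block(t)]               # observed on the wire
    secret = prng.next_block(t)                                    # never sent
    hits = recover_next_output(firmware_key, nonce[0], nonce[1], t - 60, t + 60)
    return hits, secret


if __name__ == "__main__":
    hits, secret = demo()
    for t, guess in hits:
        print(f"t={t} predicted={guess.hex()} actual={secret.hex()} match={guess == secret}")
```

The point to take from the demo is that the per-device seed never matters: once K is public, one observed block plus a short brute force over the timestamp hands the attacker the generator’s state, and every later output (including key material) follows from it.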

Malware Activity

Bad Rabbit Ransomware breaks out – Bad Rabbit is a new ransomware family that has been wreaking limited havoc, primarily in Russia and Ukraine, with a small number of infections reported in other Eastern European countries. It now appears to be spreading slowly to other regions, affecting government agencies and private businesses alike.

Bad Rabbit’s profile is similar to the WannaCry and NotPetya outbreaks of May and June this year. It does not use the EternalBlue exploit or the DoublePulsar backdoor that those attacks relied on, but it still spreads over the Microsoft SMB (Server Message Block) protocol, using the credentials it harvests from an infected host. The initial infection vector appears to be a fake Adobe Flash Player installer (or other trojanized software) downloaded from compromised websites. Victims are tricked into running the downloaded .exe, which launches the ransomware. The malware then attempts to steal Windows user credentials cached on the machine (usernames and passwords) and encrypts the user’s files. Unlike many other ransomware families, it does not rename the files it encrypts, so an unchanged file name or extension is no indication that a file is intact.

Like Petya and NotPetya, Bad Rabbit is a disk coder. After encrypting files on the user’s computer it installs the legitimate open-source DiskCryptor driver, replaces the MBR (Master Boot Record), reboots the machine and displays a custom ransom note from its own boot loader. This note is almost identical to the one NotPetya used in the June outbreak.

FortiGuard Labs has been monitoring this malware closely since it was first discovered. Fortinet’s antivirus engine detects all known versions through the W32/Diskcoder.D!tr.ransom signature, and Fortinet Web Filtering and DNS engines block the known C&C (command and control) servers. We will continue to track this family and share our findings with readers as new details come to light.

Application Vulnerabilities / IPS

Struct-ural damage – Apache Struts is an open source web application framework used to develop Java EE web applications, and it has been plagued by a series of serious vulnerabilities. This week FortiGuard Labs observed a significant increase in exploit attempts against one of them, CVE-2017-5638. The flaw is in the error handling of the Jakarta multipart parser: when a request carries a malformed “Content-Type” (or “Content-Disposition”) header, the header value is copied into the error message, which is then evaluated as an OGNL expression. A single crafted, unauthenticated request therefore lets an attacker execute arbitrary code in the context of the application. This attack triggers the Apache.Struts.Jakarta.Parser.Code.Execution signature.

FortiGuard Labs recommends that all users of Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 upgrade to the patched releases from Apache (2.3.32 or 2.5.10.1) or later.
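The following Python is an added example, not FortiGuard’s IPS logic, of the header-side check a detector for this bug performs: parse the request headers, including obsolete folded continuation lines, and flag any Content-Type, Content-Disposition or Content-Length value that carries an OGNL expression marker. The three sample requests are constructed; the “malicious” Content-Type is a deliberately incomplete stand-in for an S2-045 payload, just enough to exercise the detector.

```python
"""Header-side detection for CVE-2017-5638 (S2-045).  Added example, not
FortiGuard's IPS signature.  The vulnerable Jakarta multipart parser puts an
unparseable Content-Type value into an error message that is then evaluated
as OGNL, so the tell-tale is an OGNL expression marker inside a header that
should only ever hold a media type, a disposition or a length."""
import re

# OGNL expressions are introduced with %{...} or ${...}; neither sequence is
# legal in a genuine Content-Type, Content-Disposition or Content-Length value.
OGNL_MARKER = re.compile(r"[%$]\{")
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")


def parse_request_headers(raw: bytes) -> dict:
    """Minimal HTTP/1.x header parser: lower-cased name -> list of values.
    Obsolete folded continuation lines are joined onto the previous header so
    a payload split across lines is not missed."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers, current = {}, None
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and current:
            headers[current][-1] += " " + line.strip()
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def struts_ognl_findings(raw: bytes) -> list:
    """Return (header, value) pairs that look like S2-045 injection attempts."""
    findings = []
    for name, values in parse_request_headers(raw).items():
        if name not in SUSPECT_HEADERS:
            continue
        findings.extend((name, v) for v in values if OGNL_MARKER.search(v))
    return findings


# Constructed sample requests.  The 'malicious' Content-Type is a deliberately
# incomplete stand-in for an S2-045 payload, enough to exercise the detector.
BENIGN = (b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Type: multipart/form-data; boundary=----b0undary\r\n"
          b"Content-Length: 0\r\n\r\n")
MALICIOUS = (b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Type: %{(#_='multipart/form-data').(#probe='s2-045')}\r\n"
             b"Content-Length: 0\r\n\r\n")
FOLDED = (b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Type: multipart/form-data;\r\n"
          b"\t%{(#_='multipart/form-data').(#probe='folded')}\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS), ("folded", FOLDED)):
        print(label, struts_ognl_findings(req))
```

This covers the header vector only. The later S2-046 variant of the same CVE places the expression in the Content-Disposition filename inside the multipart body, so a production signature has to inspect the body parts as well.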

Web Filtering

Thelashgroup dot ca – FortiGuard Labs recently discovered malspam pushing Word documents that abuse Microsoft’s Dynamic Data Exchange (DDE) feature to run commands without any macros. Victims must click through several warnings before the document runs its payload, so the infection still depends on user interaction. FortiGuard has blacklisted all the domains involved.
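As an added example (not Fortinet’s detection logic), the Python below scans a .docx for DDE and DDEAUTO field codes. Word stores a field either as a single fldSimple element or as a complex field whose code is spread over several instrText runs, and malicious documents split the code across runs or nest QUOTE fields so that a plain string search for “DDEAUTO” fails; the scanner reassembles each field code before matching. The two sample documents are constructed in memory, and the DDE command in the sample is a harmless echo.

```python
"""Scanner for DDE/DDEAUTO field codes in .docx files.  Added example, not
Fortinet's detection logic.  Field codes are reassembled from fldSimple
attributes and from instrText runs between fldChar begin/end markers, with
nested fields flattened, so split-run and QUOTE obfuscation do not hide
the DDE keyword."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(docx_bytes: bytes) -> list:
    """Return every field code in the Word parts of the document, whitespace
    collapsed, with nested fields flattened into their outermost field."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            for fs in root.iter(W + "fldSimple"):
                codes.append(fs.get(W + "instr", ""))
            depth, buf = 0, []
            for el in root.iter():                  # document order
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        depth += 1
                    elif kind == "end" and depth:
                        depth -= 1
                        if depth == 0:
                            codes.append("".join(buf))
                            buf = []
                elif el.tag == W + "instrText" and depth:
                    buf.append(el.text or "")
    return [" ".join(c.split()) for c in codes]


def find_dde(docx_bytes: bytes) -> list:
    """Field codes that invoke DDE; any hit is reason to quarantine the file."""
    return [c for c in field_codes(docx_bytes) if DDE_RE.search(c)]


def build_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx: just enough parts for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
# Constructed benign document: a simple DATE field.
BENIGN_XML = (f'<w:document {_NS}><w:body><w:p>'
              '<w:fldSimple w:instr=" DATE \\@ &quot;yyyy-MM-dd&quot; "><w:r><w:t>2017-10-27</w:t></w:r></w:fldSimple>'
              '</w:p></w:body></w:document>')
# Constructed sample of the split-run trick: no single run contains "DDEAUTO".
DDE_XML = (f'<w:document {_NS}><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
           '<w:r><w:instrText xml:space="preserve">EAUTO "C:\\Windows\\System32\\cmd.exe" "/c echo dde" </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>Loading...</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')

if __name__ == "__main__":
    print("benign:", find_dde(build_docx(BENIGN_XML)))
    print("dde   :", find_dde(build_docx(DDE_XML)))
```

Headers, footers and footnotes live in other word/*.xml parts, which is why the scanner walks every XML part under word/ rather than document.xml alone.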

Systembootupdatexxxvirusfound dot info – FortiGuard Labs has identified this domain as a tech support scam page. Reverse WHOIS shows that the registrant, shubham dot micrsoft at gmail dot com, also owns two other phishing domains created for the same purpose. All of these domains have been added to our blacklist.

Threat Research & Insights

A new Ransomware on the block – A new ransomware campaign dubbed “Bad Rabbit” has hit a number of high profile targets in Russia and Eastern Europe. Read More

DUHK vulnerability – A vulnerability called “DUHK”, affecting older End-Of-Support Fortinet products, made the news this week. Read More