<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1626328370711236&amp;ev=PageView&amp;noscript=1">
banner-blog.jpg

blog

Blog-Hero.jpg

You Are a Bad Rabbit!

iStock-484428001 600x300.jpg

It’s another day and another cyber attack headline in the media. This time it’s another ransomware-style attack; this one is called “Bad Rabbit”. According to media reports, it has impacted organizations in Russia and Ukraine mostly, with reports of some businesses in Turkey and Germany (and possibly in Poland and Japan) also being affected (that we know of so far).

Various vendors have reports on the infection mechanisms used. The consistent information in these is that various popular Russian and Ukrainian (and possibly Bulgarian) websites were the source of the initial stage of the attack. The attack is initiated by a dropper in the form of a fake Adobe Flash update being downloaded onto the visitors’ PC which is then executed. McAfee has provided a detailed write-up on the attack here. The Cylance blog highlighted 5 components featured in the ‘Bad Rabbit’ code:

  • Two versions of Mimikatz used for credential theft
  • Two versions of a signed driver used for physical access to boot sector and full disk encryption
  • One module that infects the MBR and produces the ransomeware message

Once again, the attack is initiated by a web browser going to a trusted media website that was infected. Just two weeks ago, we saw a malvertising campaign against Pornhub via a third-party advertising provider.

Most businesses continue to rely on anti-virus and URL categorisation as their sole defences against website security issues. These controls are inadequate when trusted websites and trusted advertising networks are compromised (which they are on a regular basis). When the JavaScript injected in your desktop browser is no longer good but bad, the reality is that your existing security controls don’t know about it until it’s too late.

No doubt we will see recommendations over the coming hours and days on how to mitigate ‘Bad Rabbit’. My guesses are we should expect experts to suggest:

  • Removing Flash off your browsers (Adobe Flash patched another 0 day just last week used by the BlackOasis APT group)
  • Using a browser extension such as Adblocker and/or NOscript
  • Ensuring your browsers are patched and up to date
  • Training your users not to click on suspicious links
  • Making regular backups
  • And so on.

My opinion: all of these things will help, but they won’t stop the next website attack. Your browser remains an open hole to the Internet as long as it allows JavaScript to execute client-side. This risk has to be removed to eliminate the infection, but critically, employees still need to do their job. Businesses need to allow employees to do their jobs and accept the risk that comes with it. The risk outweighs the technology for most businesses today, which means they are rolling the dice with inadequate web security controls. 

The risk of fetching, downloading and executing JavaScript and other active code client-side remains a major threat to users on the web. Ransomware is just the latest threat that rides on the basic design weakness of web browsers that the security industry needs to address. Organisations need to embrace new security capabilities such as Isolation that enable browsers to be more resistant and hardened to attacks, and that prevent infections from occurring but enable employees to do their job securely.

Learn more about Menlo’s approach to solving the web browser risk via Isolation here.

Tags: ransomware, credential theft, cyber threats, web isolation, isolation technology, javascript, bad rabbit

Connect with us

Lists by Topic

see all

Recent Posts