Earlier this week a new wave of ransomware attacks was spotted locking computers in Russia, Europe, Turkey, and United States. Initial reports had suggested that unlike some previous ransomware strains Bad Rabbit did not include EternalBlue, the now-infamous NSA exploit that was leaked by The Shadow Brokers earlier this year. However, turns out it was indeed an NSA exploit that helped attackers move Bad Rabbit laterally through networks infecting everything in its wake.
The latest report highlights how the failure of government intelligence agencies (who, by the way, continue to demand weakening encryption in the name of national security) to keep their treasure troves of malware and spyware safe from leaking through their own contractors continue to wreak havoc for small businesses and end users.
EternalRomance, another NSA exploit powering ransomware attacks
Contrary to initial reports, the latest breed of ransomware did in fact leverage an NSA exploit called EternalRomance. This exploit takes advantage of an issue in SMB - protocol for transferring data between connected computers - to propagate from one infected machine to others. Security researchers at Cisco Talos confirmed the presence of this leaked NSA exploit in Bad Rabbit.
We identified the usage of the EternalRomance exploit to propagate in the network. This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin.
Researchers believe the Bad Rabbit is probably started by the same group responsible for NotPetya ransomware that had also used EternalRomance, and focused on energy and infrastructure companies at first in Ukraine and then elsewhere too. "It is very similar to the publicly available Python implementation of the EternalRomance exploit that is also exploited by [NotPetya]," Talos researchers said. "However, the BadRabbit exploit implementation is different than the one in [NotPetya], although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak."
Notably, the vulnerability that EternalRomance exploits was patched up by Microsoft earlier this year in March. However, millions of computers remain at continued risk. The Redmond software maker had fixed the flaw (along with EternalBlue and several other Eternal- vulnerabilities) right ahead of the leak by Shadow Brokers in April, a group that claimed to have stolen these exploits from NSA. At the time, it was reported that NSA knew about the upcoming leak and had informed Microsoft that had then released the patches.
While Microsoft may have patched up the flaw before they were sold to criminals and/or publicly dumped, the security vulnerabilities that the United States' National Security Agency likely sat on for years continue to prove devastating. So far a number of major ransomware epidemics have been powered by these SMB-focused flaws leaked from NSA, including WannaCry - one of the most disastrous attacks that crippled entire networks of major hospitals.
