Monthly Archives: October 2017

BadRabbit

BadRabbit has munched through cyber-defences, sowing ransomware far and wide. So how does it work? And can you protect your customers against it?

“Run rabbit, run”, goes the song – and ransomware attack BadRabbit has certainly done some running over the past few days!

It has got its teeth into Russia, Ukraine and many other Eastern European countries besides, with some sources also reporting cases in Germany, Turkey, and the US. It seems only a matter of time before it spreads further afield.

So what is BadRabbit – and is there any defence that can protect your customers against it?

What’s up, Doc? What BadRabbit does and how

BadRabbit Screenshot
What users see when BadRabbit bounces into view

BadRabbit is cryptolocker ransomware – it encrypts Windows users’ files using a private key that is known only to the hackers’ own servers. The user must pay for access to this key, in order to decrypt and recover their files (a Bitcoin wallet appears on screen to enable this transaction to take place).

Technically, according to this specialist cyber-security website, BadRabbit is closely related to the recent NotPetya attack, using much of the same code.

However, it executes in a different way, using hacked websites to display a fake Adobe Flash update that, if clicked on, triggers the attack (it drives users to these sites using malicious links.)

Additionally, according to this threat alert website, BadRabbit can move laterally across a network and propagate or spread without user interaction!

Can security vendors stop the naughty bunny?

In short, it seems some of them can.

Bitdefender, for example, states on its website that if your customers are “running a Bitdefender antimalware product for either home or business, you don’t need to worry, as our solutions detect this threat…”

machine-learning
Bitdefender’s inbuilt machine-learning recognises the signs of ransomware and stops it before it can execute

Enabling machine-learning in Trend Micro’s solutions also appears to detect BadRabbit, according to the former’s website, whilst Malwarebytes states that “Users of Malwarebytes for Windows, Malwarebytes Endpoint Protection, and Malwarebytes Endpoint Security are protected from BadRabbit.”

An interesting take on keeping the cunning coney at bay, however, comes from Heimdal, who point out in this very comprehensive ransomware resource that some 85% of ransomware attacks target vulnerabilities in existing applications.

By this logic, updates to software (and not just security software) are, in themselves, a key anti-ransomware security layer.

Damage caused by Ransomware graphic
The consequences of ransomware. Source: Heimdal Security

What other steps can you take to protect customers against BadRabbit?

For systems admin and IT people, of course, quick technical fixes in the form of ‘kill switches’ or similar are indispensable, and it turns out that BadRabbit, like NotPetya and Goldeneye before it, can be tamed by changing the properties of certain files (scroll down to the bottom of this article to find them).

But fundamentally, ransomware works by holding your customers’ data hostage. If this data is backed up and easily accessible, as we discussed in this recent post, ransomware, by definition, loses pretty much all of its bite.

It’s important, therefore, that you advise your customers well on how to choose an appropriate data backup and recovery solution.

For a comprehensive list of all the other steps your customers need to take to protect themselves against ransomware, this recent article from the Carnegie-Mellon Software Engineering Institute offers some thorough advice.

BadRabbit is on the loose. So share what we’ve told you above with your customers and they’ll be all ears.

Failing to correctly configure your security solutions is one of the biggest risks to you and your customers. Security health checks can prevent it.

So, you’ve got your customers’ security covered from all angles, right?

Layered protection that shares security intelligence across applications. Endpoint security that spots malware traditional anti-virus solutions miss. Machine-learning that gets better and better at understanding threats. Belt and braces.

But then you fail to configure it all correctly and your customers get hit anyway!

Sceptical? Look at Amazon’s AWS solution, which has suffered a number of critical security and other misconfigurations, resulting in compromised user data.

Read Gartner, who say that in 2017 misconfiguration will be the most common source of breaches in mobile applications.

And take heed of the Infosec Institute, who place security misconfiguration right in the middle of the top ten cyber-risks in 2017.

Whichever way you slice it, the evidence shows that even the cleverest solutions can be useless if they’re not set up correctly – but how do you go about making sure the security solutions you deliver don’t fall into this trap?

Health checks: an MOT for your security solutions

The answer isn’t rocket science, but it is common sense.

You get your car checked out regularly to ensure it’s running as it should, and to inform you of any action you need to take to keep it fit for purpose. Essentially, it’s a health check for your motor – and you can do exactly the same for the security solutions and services you deliver.

But the even better news is that the security healthcheck is often far less disruptive and time-consuming than taking your car to the local garage.This is because the health check can often be performed by an engineer remotely, using the same web consoles you use to deliver and manage your security offerings every day.

As the engineer finds configuration faults or errors, they document these in a report that includes recommendations for the actions you need to take to fix them.

Who delivers security health checks, and what do they cover?

Where and how you get your security health checks often depends on the support and services arrangements you have with the vendors of the security solutions you sell – although this is not the only way to access them.

You could, for example, go through a specialist security software distributor who has vendor-accredited technical expertise in-house. This means you get vendor-quality product knowledge but through an organisation that is typically smaller, more agile and delivers a more personal service.

Typically, a product security health check delivered in this way will cover the full spectrum of security configuration points (it could be 60 or more) that can become an issue if not properly attended to, including (amongst others):

  • Unresolved malware
  • Patching and security updates
  • Licence status
  • Choice of deployed modules and scan engines
  • Policy and protection compliance
  • Impending end-of-life, end of support, and other OS-related issues
  • Settings (e.g. threat sensitivity); options enabled and disenabled
  • Identification and authentication

Security health checks; who fixes what’s not working?

If you have technically proficient people in your organisation, they can of course take the recommendations of the health check report and act on them.

But how does it work if you haven’t got the necessary technical resources?

Again, think of your car: you have no hesitation in handing over your keys to a trusted specialist to carry out work you couldn’t. Depending on who you get your security health check services from, the same model is potentially available – hands-on, on-site corrective work, billed according to an agreed estimate of the time it takes to complete the job.

(But no expensive mechanical components to cause the sucking in of air between the teeth, of course!)

Insights: safer than consequences

“Prevention is better than cure”, runs the old adage – but when there’s no cure available, the need for prevention becomes even more urgent.

Sadly, you can’t “cure” breach and theft of your customers’ data, for example – once the data’s been taken, it’s an irreversible action.

And if it occurs because a solution you provide wasn’t set up correctly or hadn’t been kept up to date, the legal, reputational and financial consequences for your organisation – particularly under the imminent GDPR regulations – would be severe.

But regular insight into the status of your security solutions and how they have (or haven’t) been applied can wrongfoot the risk before it trips you up.

A healthier situation all round.