The lateral movement techniques used by NotPetya and Bad Rabbit are not new, particularly to those of us who have to clean up the mess following breaches perpetrated by “sophisticated actors”. Those techniques, in fact, are a pretty common feature in many targeted attacks. Until recently, however, they have been carried out by a person, or team, sitting at a keyboard, meaning the damage of a single campaign was more or less contained to a single organization, usually with the intention of surreptitiously stealing data, rather than wanton destruction. Many such breaches likely either go unnoticed or unreported.
NotPetya and Bad Rabbit are changing the economics of these techniques. What was the domain of “sophisticated actors” targeting a specific entity has now been largely automated in manner that can target an arbitrary number of victims simultaneously. The move to wide-spread system and data destruction rather than targeted exfiltration means that organizations generally can’t hide the fact that they’ve been compromised.
NotPetya was seeded into victim organizations through a tainted auto-update to relatively obscure tax software used by some Ukrainian organizations, and yet had dramatic impacts around the world. Bad Rabbit was seeded into victim organizations through compromised web servers pushing fake Flash updates. While both NotPetya and Bad Rabbit are alleged to have come from the same actor, it’s not a far leap to expect to see copy cats using use all manner of entry techniques like exploit kits, trojaned downloads, and USBs in the parking lot, to deliver malware that drops RATs, garden variety ransomware, data stealers, and so on that uses these automated lateral movement techniques to broadly infect victim systems.
As the apology letters of most breached organizations state, they take security very seriously. Likely those letters really mean they take security seriously after the breach. Most people in IT security can relate to this: it’s tough to get management to invest in mitigating a risk until after a loss is realized from that risk. NotPetya and Bad Rabbit style attacks have a potential to change that dynamic, though. These attacks are HIGHLY visible in the media, and for once, the victims weren’t “missing a patch” that “caused” the breach, and damages publicly reported by victims are significant. The perception of “vulnerability” is also dramatically different in these instances: traditional threats generally impacted only a single employee system, and maybe the data that employee had access to*. (*remember, the no one thinks the “sophisticated actor” is coming after them)
This type of attack also highlights one of the challenges with relying on the “human” firewall. Exceptional organizations are able to get their rate of falling for phishing attacks down from the 30-40% average range to the low single digits. In an organization of any size though, that means at least a few people are likely to fall for any given campaign. If the attack is one that moves laterally such as Bad Rabbit, the 98% of people that do not fall for the attack don’t change the outcome. It only took one person to bring the house down. This is likely true in many other types of targeted attacks on organizations, but that is a post for another day.
The challenge, as always, is figuring out what to do. Fortunately or unfortunately depending on your perspective, robust architecture design and solid operational processes are an effective mitigant to the types of attacks we have seen thus far. Security is hard, and remains so. Possibly NotPetya and Bad Rabbit, and the inevitable next volley that follow in their foot steps, begins to raise interest in making the fundamental improvements necessary to avoid being another statistic in these attacks.