The Bad Rabbit ransomware was detected targeting businesses mainly in Russia and Ukraine. In addition, security researchers at Cisco provided information about the connection between the leaked NSA exploit EternalRomance and the ransomware. It turns out that the attackers used EternalRomance to spread the malware across compromised networks.
This announcement contradicts earlier reports stating that neither EternalRomance nor EternalBlue was used in the ransomware attacks.
The security firm also provided information and analysis of Bad Rabbit, indicating that the implementation of the exploit used in the attacks had been modified.
Martin Lee, a technical lead of security research at Cisco Talos, wrote: “This is a different implementation of the EternalRomance exploit. It’s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.”
EternalRomance is one of the Windows exploits leaked in April by the unidentified group known as the Shadow Brokers, which is known to have been leaking Equation Group exploits for over a year. Microsoft security bulletin MS17-010 (rated Critical) introduced patches for the vulnerabilities in the SMBv1 protocol that mitigate these attacks.
It is worth mentioning that many of the attacked companies had SMBv1 exposed to the Internet, which allowed NotPetya and WannaCry to reach out over the Internet and impact devices outside the infected network.
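The two conditions the article ties to the spread of these worms, SMBv1 still enabled and TCP 445 reachable from untrusted networks, can be audited on a Windows host with the script below. It is an added example, not code from the article, Cisco or Microsoft; it assumes the SmbShare and NetSecurity cmdlets (Windows 8 / Server 2012 and later), an elevated session, and the operator supplying the MS17-010 KB IDs that apply to the host's build (the `$Ms17010Kb` parameter is a placeholder).

```powershell
<#
Added example (not from the article or from Cisco/Microsoft): audit a Windows host for
SMBv1 being enabled, TCP 445 being allowed inbound on the Public firewall profile, and
(optionally) the MS17-010 update being present. Run elevated; -Remediate disables SMBv1.
#>
param(
    [switch]$Remediate,
    # Placeholder: fill with the MS17-010 KB IDs for this OS build, taken from the bulletin.
    [string[]]$Ms17010Kb = @()
)

$findings = @()

# 1. Is the SMBv1 server protocol enabled? (Get-SmbServerConfiguration: Windows 8/2012+)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional feature too, so SMBv1 cannot be switched back on silently.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 2. Is TCP 445 listening, and does an enabled inbound Allow rule cover the Public profile?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $rules = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq 445 } |
             Get-NetFirewallRule |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                            $_.Action -eq 'Allow' -and $_.Profile -match 'Public|Any' }
    if ($rules) {
        $findings += "TCP 445 is listening and allowed inbound on the Public profile by: $($rules.DisplayName -join ', ')"
    }
}

# 3. MS17-010 presence, only when KB IDs were supplied. Later cumulative updates supersede
#    the original KBs, so 'not found' means 'verify against the current rollup', not 'vulnerable'.
if ($Ms17010Kb.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
    if (-not $installed) {
        $findings += "None of the supplied MS17-010 KB IDs ($($Ms17010Kb -join ', ')) is installed"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { Write-Output 'No SMBv1 exposure findings on this host' }
```

Host-side checks cannot tell whether port 445 is actually reachable from the Internet; pair this with a review of the perimeter firewall or an external exposure inventory.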
Microsoft published the analysis of the NSA leaked EternalRomance exploit which included:
This exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker-offset-controlled arbitrary heap write. As with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed.
So what Cisco found by looking at Bad Rabbit was a similarity to EternalRomance:
We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor. Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.
The DoublePulsar payload works on both x86 and 64-bit systems and enables the attacker to execute any raw shellcode payload. According to Sean Dillon, a senior security analyst at RiskSense, DoublePulsar can provide full control over the system, and attackers can do whatever they want with it.