Nov 20, 2017 - 4:29 p.m.

Double Whammy: When One Attack Masks Another Attack

2017-11-20 16:29:06
Trend Micro
blog.trendmicro.com

What happens when one attack hides other, damaging malicious activity?

In some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.

In cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today’s hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn’t work, a hacker will keep trying until they’re able to successfully breach the system.

Recently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar, providing a path for additional infections or for making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach will be seen increasingly frequently into 2018.

But what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security instance of this kind hits their systems? Let’s take a closer look at what happens when one attack masks another:

Bad Rabbit hides spear phishing

A recent example of one attack masking another, more damaging hacker activity involves Bad Rabbit. This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the infection of more than 200 organizations in Russia and Ukraine, The Hacker News reported. Bad Rabbit utilized an NSA exploit stolen by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread across victims’ networks.

Other well-known samples have recently leveraged EternalBlue, like the NotPetya ransomware, which we’ll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its malicious activity. This exploit targets a Microsoft Windows Server Message Block (SMB) flaw identified as CVE-2017-0145. The vulnerability impacts the transfer of data between Windows endpoints, and enables hackers to bypass security protocols to support remote code execution.

When the attacks first emerged, researchers found that the infection began with a drive-by download stemming from infected Russian media sites, which utilized a fake Flash player to install the malware.

From the successful infections, though, researchers quickly discovered that Bad Rabbit wasn’t just a run-of-the-mill ransomware infection: The sample also hid a powerful spear phishing campaign.

“[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,” KnowBe4 contributor Stu Sjouwerman wrote. “Those campaigns intended to compromise financial information and other sensitive data.”

In this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances “hybrid attacks,” and noted that the first attack garners much of the attention, enabling the second attack to succeed with “devastating results.”

Don’t be fooled: Bad Rabbit initially appeared to leverage a Windows vulnerability, but it actually masked a powerful spear phishing attack.

NotPetya aims to destroy

NotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims’ systems.

The first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged an infected email to breach victims, and then moved on to encrypting individual files, including .exe files.

Then, in June 2017, NotPetya emerged, and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart.

Fruhlinger pointed out that while Petya used an infected email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to spur infection, including a forced backdoor that doesn’t require human interaction for a successful breach. NotPetya is also capable of encrypting more files, to the point that the hard drive is inoperable.

Finally, as Fruhlinger noted, NotPetya isn’t actually ransomware. Its process of infection and encryption is used to mask its true intentions: destruction.

“It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,” Fruhlinger explained. “For Petya, this screen includes an identifying code that they’re supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.”

Surprisingly, NotPetya’s aim isn’t to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims’ systems, whether or not they pay the ransom.

Guarding against hybrid attacks

As hacking becomes more complex and sophisticated and attackers continually flex their skills, it’s imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even if suspicious activity is detected in one area, victims aren’t distracted to the point that it allows for a secondary, damaging attack.
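
One way to keep a loud incident from burying quieter activity, shown as an added example that is not part of the original post or any Trend Micro product: find bursts of the high-visibility alert category, then surface every other alert that overlaps that window, with hosts the loud attack never touched listed first. The alert tuple layout, the category names and the thresholds are assumptions made for illustration, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts for illustration: (time, host, category, severity).
SAMPLE_ALERTS = [
    ("2024-01-15T09:12:00", "fin-003", "phishing_link_click", "low"),
    ("2024-01-15T10:00:05", "ws-014", "ransomware", "critical"),
    ("2024-01-15T10:01:40", "ws-022", "ransomware", "critical"),
    ("2024-01-15T10:03:10", "ws-031", "ransomware", "critical"),
    ("2024-01-15T10:04:30", "fin-003", "credential_form_post", "medium"),
    ("2024-01-15T10:09:00", "ws-014", "smb_lateral_movement", "high"),
    ("2024-01-15T10:20:00", "fin-007", "large_outbound_transfer", "medium"),
    ("2024-01-15T15:45:00", "hr-002", "phishing_link_click", "low"),
]

def loud_bursts(alerts, loud_category, min_alerts, max_gap):
    """Cluster loud-category alerts whose consecutive gaps are <= max_gap."""
    times = sorted(t for t, _, c, _ in alerts if c == loud_category)
    bursts, current = [], []
    for t in times:
        if current and t - current[-1] > max_gap:
            if len(current) >= min_alerts:
                bursts.append((current[0], current[-1]))
            current = []
        current.append(t)
    if len(current) >= min_alerts:
        bursts.append((current[0], current[-1]))
    return bursts

def masked_alerts(raw, loud_category="ransomware", min_alerts=3,
                  max_gap=timedelta(minutes=10), pad=timedelta(hours=1)):
    """Return quieter alerts that overlap a loud burst, unaffected hosts first."""
    alerts = [(datetime.fromisoformat(t), h, c, s) for t, h, c, s in raw]
    bursts = loud_bursts(alerts, loud_category, min_alerts, max_gap)
    loud_hosts = {h for _, h, c, _ in alerts if c == loud_category}
    hits = [a for a in alerts if a[2] != loud_category
            and any(s - pad <= a[0] <= e + pad for s, e in bursts)]
    # Hosts untouched by the loud attack sort first: they suggest a separate path.
    hits.sort(key=lambda a: (a[1] in loud_hosts, a[0]))
    return [(h, c) for _, h, c, _ in hits]

if __name__ == "__main__":
    for host, category in masked_alerts(SAMPLE_ALERTS):
        print(host, category)
```

The low and medium severity alerts on the finance hosts are the ones a team focused on the ransomware outbreak would most likely defer, which is why they are ranked ahead of follow-on activity on already-encrypted machines.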

Precautions including end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack, and provide granular visibility across the network. Trend Micro’s Deep Discovery and Connected Threat Defense can help ensure that your organization has all-encompassing security.

To find out more about how Deep Discovery and Connected Threat Defense can benefit your company’s security posture, contact Trend Micro today.