Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.castanet.net/news/Business/200925/Charges-over-cyber-attack
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Last edited: Jul 4, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I don't know if this realization has occurred to others, but it has to me. With the multiple backdoor findings attributed to M.E. Doc and its widespread use (80%) in the Ukraine, we are witnessing the first country-wide malware apocalypse. It is definitely a "wake up call" to commercial concerns worldwide that no third-party software can be absolutely trusted and that internal policies be developed for vetting such software prior to distribution to their network devices.
     
    Last edited: Jul 4, 2017
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  6. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    Any software can be sabotaged. Intellect Service in Kiev were an ideal mark for such an enterprise.

    I do not consider the owners of the company to be criminals. They were negligent (allegedly) and some very nasty predators took advantage. The cost to businesses, state and individuals has been extremely high. The owners will probably lose their govt. software accreditation, their reputation and their company. The perpetrators will disappear back into the shadows.

    I do hope that it is a lesson learned to all software companies. However, I'd hazard a guess that it will probably be fleeting.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
In the U.S. it would be a civil proceeding versus a criminal one, as noted below. Overwhelmingly, recklessness has to be proven for a criminal action. Recklessness in this case would be too hard to prove.
    http://www.nolo.com/legal-encyclopedia/what-criminal-negligence.html

-EDIT- Additionally, if M.E. Doc did hire an outside security firm to perform an audit on its systems after the May ransomware incident, which is somewhat implied by its public statements, and complied with its recommendations -or- no issues were found, it could be absolved of all legal claims since this would show they performed "due diligence."
     
    Last edited: Jul 4, 2017
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine

    While the (cyber-)world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed.

    So far, all theories regarding the spread of ExPetr/Petya point into two directions:

    Distribution via trojanized updates to MeDoc users
    Distribution via waterhole attacks in Ukrainian news websites (one case known)

    While there is little doubt that MeDoc users were infected via malicious updates with ExPetr, it appears that ExPetr was not the only malware they received. Our telemetry confirms that MeDoc users received at least one other malicious program at the same time...

    The malware, which unsurprisingly, is also ransomware, is written in .NET and includes a “WNCRY” string,..."

    https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Yes indeed, the Eset analysis posted today shows a backdoor was set on each update recipient's device. Do hope that does not go unnoticed by any affected parties. The backdoor, if still in existence, would allow any additional malware to be downloaded and executed at the time of its choosing.

    The Eset analysis stated that the backdoor was not using any external C&C server in the initial attacks since it was not needed; the M.E. Doc update server served that purpose. However, it would be presumptuous to assume that backdoor code does not exist to employ an external C&C server.

-EDIT- Re-read the Eset article and the backdoor was M.E. Doc update specific. That is, the next subsequent M.E. Doc update would overlay the previous update's backdoor code, in effect removing all traces of it.
     
    Last edited: Jul 4, 2017
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Who Let The Dogs Out [In] !?!?

    M.E. Doc, M.E. Doc, M.E. Doc

    Who Let The Dogs Out [In] !?!?

    M.E. Doc, M.E. Doc, M.E. Doc
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Analogous to the stories of the arsonist who started a fire to destroy a single house but ended up burning down an entire city block is:
    https://www.infosecurity-magazine.com/news/ukraine-blames-petya-russia/

    Without a doubt "the heat is being felt" by the perpetrators of this incident.

    -EDIT- My new saying, "If you play with worms, your entire family will get slimed.":eek:
     
    Last edited: Jul 4, 2017
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,095
    Location:
    U.S.A.
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Ukraine software firm says computers compromised after cyber attack

    A Ukrainian software firm at the centre of a cyber attack that spread around the world last week said on Wednesday that computers which use its accounting software are compromised by a so-called "backdoor" installed by hackers during the attack.

    The backdoor has been installed in every computer that wasn't offline during the cyber attack, said Olesya Bilousova, the chief executive of Intellect Service, which developed M.E.Doc, Ukraine's most popular accounting software..."

    http://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I noted this in my reply #259.

-UPDATE- Forgot to mention that Eset previously created a signature for the backdoor. As a result of its analysis, all the major AV vendors listed on VirusTotal now have signatures for the backdoor except: Microsoft, Avira, Sophos, VIPRE, Panda, and Webroot.

    Of note is that none of the NextGen/AI solutions listed on VT can detect the backdoor.

However, as the Eset analysis noted below shows, the backdoor should be removed by a subsequent M.E. Doc update. So the solution is for the Ukrainian authorities to allow this to happen under close supervision while at the same time preserving existing server software for forensic analysis. However, this is the Ukraine ...........
-EDIT-
Assuming the backdoor used in the June 22 incident is the same as the one used in the May 15 incident, which I suspect is the case, one way for Ukraine M.E. Doc users to remove the backdoor is to apply from backup the May 17 M.E. Doc update, which removes the backdoor. Unfortunately this option does not exist for downstream users infected with the backdoor.
     
    Last edited: Jul 5, 2017
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
I wish the News Media would also concentrate on HOW an update for a legitimate application could have been compromised. There is malware in the wild whose sole purpose is to steal FTP credentials (the granddaddy of these is probably Gumblar from 2009).

Once the credentials are stolen, a malicious "update" file can be easily substituted for a legit one. Then all one has to do is to make this change sometime during an update cycle (preferably during off-hours), infect a number of clients, then delete the malicious update and re-insert the legit one, thereby covering one's tracks.

    Although stuff like this is a Clear and Present Danger and in no way new, it is as usual being ignored.
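The substitution scenario described in this post, and the call in post #4 for vetting third-party software before it reaches the network, both come down to one question: what does the update client compare the downloaded file against? The following is an added example written for this thread, not code from any poster, from M.E.Doc or from Intellect Service. It models a toy update host whose package and hash file can both be rewritten by whoever holds the host's credentials, a client that checks only the in-band hash file, and a client that checks against a value pinned out of band. The package bytes, the manifest layout and the `PINNED` value are constructed for the example; in a real deployment the pin would be a vendor code-signing signature verified with a key the client already holds, not a bare hash. An install log records the digest of whatever was actually applied, so an audit after the server has been quietly restored still shows what the weak client installed.

```python
"""Toy model of an update-substitution attack against two kinds of update client.

Constructed example (not any vendor's real update format or code).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class UpdateServer:
    """An update host as seen by a client. Anyone with write access to the
    host (e.g. stolen FTP credentials) can rewrite BOTH fields."""
    package: bytes
    hash_file: str  # in-band digest published next to the package


@dataclass
class Client:
    name: str
    install_log: List[Dict[str, object]] = field(default_factory=list)

    def install(self, server: UpdateServer, pinned_hash: Optional[str]) -> bool:
        """Gate the install and record the digest of what was actually fetched.

        pinned_hash=None models the weak client that trusts the server's own
        hash file; otherwise the digest must match a value obtained out of band.
        """
        fetched = sha256_hex(server.package)
        if pinned_hash is None:
            ok = hmac.compare_digest(fetched, server.hash_file)  # weak: same host
        else:
            ok = hmac.compare_digest(fetched, pinned_hash)       # strong: out of band
        self.install_log.append({"fetched_sha256": fetched, "installed": ok})
        return ok


def audit(client: Client, pinned_hash: str) -> List[str]:
    """Digests of packages this client installed that do not match the pin.

    Works from the client's own log, so it does not depend on what the server
    hosts at audit time (the attacker may already have restored the legit file).
    """
    return [
        str(entry["fetched_sha256"])
        for entry in client.install_log
        if entry["installed"]
        and not hmac.compare_digest(str(entry["fetched_sha256"]), pinned_hash)
    ]


# Constructed sample payloads; the pin stands for a value the customer received
# through a channel the update host cannot influence.
LEGIT = b"example-accounting-update (constructed legitimate package bytes)"
TROJANIZED = b"example-accounting-update (constructed package with added dropper)"
PINNED = sha256_hex(LEGIT)


def run_scenario() -> Dict[str, object]:
    clean = UpdateServer(LEGIT, sha256_hex(LEGIT))
    # Off-hours window: the attacker swaps the package AND regenerates the hash file.
    swapped = UpdateServer(TROJANIZED, sha256_hex(TROJANIZED))

    weak = Client("in-band-hash-client")
    strong = Client("pinned-client")
    weak_installed = weak.install(swapped, None)
    strong_installed = strong.install(swapped, PINNED)

    # Attacker restores the legitimate files; the server now looks clean.
    server_clean_after = hmac.compare_digest(sha256_hex(clean.package), PINNED)

    return {
        "weak_installed": weak_installed,        # True: the forged hash file matched
        "strong_installed": strong_installed,    # False: substitution rejected
        "server_clean_after": server_clean_after,
        "weak_audit": audit(weak, PINNED),       # exposes the trojanized digest
        "strong_audit": audit(strong, PINNED),   # nothing to report
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point a defender takes from the run is that the in-band hash check passes on the trojanized package, because the attacker who can replace the file can replace its hash file too, while the pinned check fails at install time and the install log lets the substitution be found later even though the server has been restored.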
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have my own theory on this. Take a page from the NSA and CIA "playbooks."

M.E. Doc appears to be a small software development concern. It is common practice for concerns like this, and also large corporations, to hire outside contractors/consultants to assist in major software upgrades and the like. My strong suspicion is one of the contractors/consultants installed the backdoor code in the updates and then immediately removed it after each ransomware incident.

    Additionally, anyone with the necessary skills that had access to the M.E. Doc internal network could have done the same. Note that they would need credentials to access the network and then perform a code update either directly via compilation or code replacement.

    At this point, it appears to me that M.E. Doc was targeted and an internal hack occurred.
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "...
"...On Wednesday morning they [Ukrainian Police] advised every computer using M.E.Doc software to be switched off. M.E.Doc is installed in around 1 million computers in Ukraine, Bilousova [CEO of Intellect Services] said...

    'As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by the attack). The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.' "

    https://www.voanews.com/a/ukraine-s...rs-compromised-after-cyberattack/3928965.html
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    ITMan- Agreed. An inside job is always the easiest as bribery always goes a long way (Blackmail is more efficient, but by necessity more time-consuming to implement).

    The thing is no one ever wants to think that they were compromised externally, so it is always good for giggles to see an organization vet everyone who works there and their cat looking for a guilty party when none actually exists.
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
"...[NotPetya] Group asks 100 Bitcoin [$250,000 USD] for NotPetya [user-mode-encrypted] decryption key

[The NotPetya Group] posted two messages online, on PasteBin and DeepPost.

    Both messages featured the same text, reading: 'Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks).'...

Researchers have already proven that NotPetya bungles the MFT encryption process, but even if they repair their hard drives' MFT and MBR sectors, they still have encrypted files on disk.

    The "petya" user has told Bleeping Computer they are selling the private key that will decrypt the files encrypted via the user-mode component only. ...

    In addition, according to the supposed NotPetya representative to whom Bleeping Computer spoke, they are willing to provide a demo of the private key to anyone interested in buying the product. The "petya" user also says they already received offers for the private key, albeit it is unclear from who..."

    https://www.bleepingcomputer.com/ne...ir-bitcoin-posts-proposition-on-the-dark-web/
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Yes. Anyone previously infected by the ransomware, or not infected but who had file shares accessible from any Ukrainian concern with M.E. Docs software, could have the backdoor installed. Additionally, once the outside concerns are infected, they in turn could infect anyone whom they have file sharing with. Etc., etc.

    Maybe people will start listening to what I have been saying about backdoors.
     
    Last edited: Jul 5, 2017
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "KIEV, Ukraine (AP) —July 5, 2017 10:27 am - Ukrainian Interior Minister Arsen Avakov says that authorities have avoided a second cyberattack.

    The announcement suggests that the effort to wreak electronic havoc across Ukraine is ongoing...

    Avakov said in a statement posted to his Facebook page that what he described as the second stage of that malware attack had been timed to hit its peak at 4 p.m. Ukraine time on Tuesday...

    Avakov said that, like the first attack, Tuesday’s originated from the Ukrainian tax firm M.E. Doc..."

    http://talkingpointsmemo.com/world-news/ukraine-avoided-second-cyberattack
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Very confusing reporting.

    Appears the authorities kept the M.E. Doc servers running but blocked any outbound network update activity. So either this latest hacked update was triggered externally - highly unlikely, or most likely - the servers have embedded malware that syncs with a M.E. Docs update cycle.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Last edited: Jul 5, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    One thing I can emphatically state about this attack is "Sometimes you are your worst enemy."

If the worm in this attack had been confined to M.E. Doc customers within the Ukraine, it wouldn't have gathered the attention of the worldwide security community, as evidenced by the attention given to the like May attack. It is also fair to assume that concerns in the Ukraine would still be struggling to directly link the attack to M.E. Doc. The moral of this story is: as clever a malware perpetrator as you think you are, the odds are you will do something to mess up that will "unleash the hounds worldwide" to flush you out.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Of note in this attack was the use of another utility from the SysInternals (Microsoft) toolbox:
    http://www.securityweek.com/fake-wannacry-ransomware-uses-notpetyas-distribution-system
     