Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Ukraine scrambles to contain new cyber threat after 'NotPetya' attack...

    ...Security experts from U.S.-based Cisco Systems Inc. said they had examined Intellect's machines at its invitation and determined that an attacker had used a password stolen from an employee to log in on company computer...

    After escalating the access rights of that user, the attacker rewrote configuration files, directing customers seeking updates to tampered versions stored elsewhere,...

    ...[T]he big worry is what else might have been pushed out by earlier tainted updates, Williams said. With Intellect's servers disabled for now, it cannot push out 'clean' updates to fix what customers have installed."

    http://uk.reuters.com/article/uk-cyber-attack-ukraine-backdoor-idUKKBN19Q14J
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Still doesn't add up for me.

Remote log-on to the production server containing the production code should have been prohibited. This means someone had to have physical access to internal M.E. Doc computer facilities to perform the noted activities. Additionally, why a normal employee's log-on credentials would even be allowed access to the production update server in any form, let alone escalate access privileges, is unlikely. Even if the stolen logon was for a software developer, he should not have had any direct access rights to the production server containing the update code. The only ones allowed access to the production update server would be personnel in computer operations.

    But since this is the Ukraine, who knows.:rolleyes:
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Petya attackers expected to return via new vector...

    [Cisco's] Talos believes the attackers could return through some other attack vector.

    'In short, the actor has given up the ability to deliver arbitrary code to the 80 percent of UA businesses that use MEDoc as their accounting software, along with any multinational corporations that leveraged the software,' the researchers wrote.

    'This is a significant loss in operational capability, and ... it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.'...

    With administrator access to much of MEDoc's networked systems, the attackers were able to release at least three software updates containing backdoors..."

    https://www.itnews.com.au/news/pety...urce=feed&utm_medium=rss&utm_campaign=iTnews
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
Keep in mind we are looking at a company that uses a single 18", non-high-velocity, home pedestal fan to cool a room full of server racks.

    https://www.wilderssecurity.com/thr...bal-cyber-attacks.395036/page-11#post-2690085

Also, given Ukraine's widely accepted rankings on the corruption scale (society and government), an "inside job" motivated by blackmail, greed, or political leanings cannot be ruled out.
     
    Last edited: Jul 5, 2017
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Only if the existing backdoor code contained remote C&C capability. The Eset analysis of the backdoor stated it did not; only access to the M.E. Doc update server. It would hinge on what other malware was installed on the M.E. Doc customer devices besides the #NotPetya ransomware. Again, the Eset analysis did not indicate any additional malware.

The funny part about this attack was that the backdoor wasn't permanent. It could very well have been left in place after the initial April attack. The next subsequent update after each attack removed the backdoor. It appears the attacker was afraid of its discovery, which would "tip off" its recipients to its origin - the M.E. Doc update server.
     
    Last edited: Jul 5, 2017
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    hawki will leave that one for Talos and ESET to argue about.
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak...

    Researchers from antivirus provider Eset, in a blog post published Tuesday, said...

'As our analysis shows, this is a thoroughly well-planned and well-executed operation,' Anton Cherepanov, senior malware researcher for Eset, wrote. 'We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors.'..."

    https://arstechnica.com/security/20...any-that-seeded-last-weeks-notpetya-outbreak/
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I am now ready to offer my hypothesis on how this attack occurred.

First, there is a "subtlety" in the Eset analysis of the backdoor existing on the M.E. Doc user device prior to the actual malicious download from the M.E. Doc server. How did it get there?

    Next, review the prior posted NH-ISAC article in reference to the backdoor they found on the M.E. Doc web site. This backdoor would enable the attacker to remotely monitor all activity from the web site.

I assume the M.E. Doc application works similarly to, let's say, Thunderbird e-mail. The user logs on to the M.E. Doc web site and receives all documents, etc. waiting for him. The web site then informs the user an update is available and he clicks on the yes button. The attacker is monitoring for this activity, intercepts it, and then downloads his backdoor instead. The backdoor then connects to the M.E. Doc update server and proceeds to download the previously "planted" ransomware instead, installing it using a downloaded hijacked M.E. Doc updater.

    All I can say is this is ingenious. This also explains how the client based backdoor "disappeared" on the next subsequent valid M.E. Doc update. It was simply deleted/overlaid in the update process.
     
    Last edited: Jul 5, 2017
  9. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    If your hypothesis is right could they have done this without any insider help? A mole or possibly a mule in the mix.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. Someone would need internal access to the update server, assuming the web server was not accessible remotely, to plant the malware and ensure the incoming backdoor connection could access it. Additionally, that same someone could have planted the web site backdoor although an external hack to the web site could have done the same but would be more discoverable.

    -EDIT- There is another possibility. There is no update server! The same server for uploading/downloading documents is used for updating. Oh, my .................
     
    Last edited: Jul 5, 2017
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Below is a screen shot of how the M.E. Doc server was hacked. Basically its configuration files were modified to establish a proxy connection to the attacker's server in Latvia, from which the malicious ransomware was downloaded. At least this part of the mystery is solved:

    ~ Removed Copyrighted Image - Image is Included in the Article Link Below ~

    Ref.: https://www.bleepingcomputer.com/ne...imes-servers-left-without-updates-since-2013/

    -EDIT- OVH server is located in France. No need to mention what its reputation is.
     
    Last edited by a moderator: Jul 6, 2017
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I am also "sticking to my guns" that the backdoor was delivered via M.E. Doc's infected web site connection.

This is a much more likely scenario than that a similar code modification to an M.E. Doc update would have gone unnoticed in M.E. Doc's internal QC production installation of updates. But who knows, from a vendor that is using an 18" floor fan to assist the cooling of its servers.
     
    Last edited: Jul 6, 2017
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Cisco Talos has a full detailed analysis of the incident here: http://blog.talosintelligence.com/2017/07/the-medoc-connection.html

    It confirms first that the M.E. Docs web site was compromised:
    And that the backdoor was delivered via web site access:
    And finally that the web site coding had been modified to facilitate the backdoor delivery.

No statement was made on how all the above was done, but at this point it looks internal.

There is also this advisory for anyone having systems interfacing with anything in the Ukraine:
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Special Communications Agency warns Ukraine of threat of another cyberattack...

    'Network owners who were hit by Petya.A Ransomware may become potential targets of another cyberattack, even after recovering their computers,' the report says.

    It is reported that the CERT-UA team has developed updated recommendations to reduce the risks of being repeatedly affected and minimize (avoid) the consequences of hacking..."

    https://www.unian.info/society/2015...ukraine-of-threat-of-another-cyberattack.html
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Germany says cyber threat greater than expected, more firms affected

    HAMBURG (Reuters) - Germany's BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.

    Analyses by computer experts showed that waves of attacks had been launched via software updates of the M.E.Doc accounting software since April, the BSI said in a statement.

    That meant that companies that used the software might have been infected by the malicious software, even if there were no obvious signs of a breach, BSI said. Data backups carried out after April 13 should also be viewed as compromised..."

    http://in.reuters.com/article/us-cyber-attack-ukraine-germany-idINKBN19S1EU
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    And very likely earlier than that since I believe the Eset analysis of the backdoor did not "look back" for any backdoor deployment prior to that time.

    And as I have mentioned in previous postings, the problem with a backdoor is you really have no way of knowing how it has been used in the past and what may have been installed using it.
     
    Last edited: Jul 7, 2017
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.infosecurity-magazine.com/news/nurofen-maker-admits-petya-attack/
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "The Petya Plague Exposes the Threat of Evil Software Updates..."

    https://www.wired.com/story/petya-plague-automatic-software-updates/
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also of note in the article is software update hacking is increasingly being used to bypass the increased use of whitelisting as a mitigation. To quote an old truism, "The mouse will always figure out a way to defeat the mouse trap."
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
"PR - May 1, 2016 - MyWayOnTheHiWay, Inc. Releases XTD1 Extreme Radar Detector - Detects X Band Speed Detectors - MSP $225"

    "PR - June 1, 2016 - HiWayPatrol, Inc. Announces that its XY Band Speed Detectors Now In Use by 35 State Highway Patrols"

    "PR - Nov 1, 2016 - MyWayOnTheHiWay, Inc. Releases XTD ExtremePlus Radar Detector - Detects XY Band Speed Detectors - MSP $250"

    "PR - yad-ah, yad-ah, yad-ah..."

    "The Road Goes on Forever and The Party Never Ends"

Robert Earl Keen, 1989
     
    Last edited: Jul 7, 2017
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
In regards to cruelsister's comments, there is a way to prevent software update hijacking, both external and internal, if properly executed. It is something we're all familiar with called "two-factor authorization." Also, some application software already employs it. And it's not "rocket science" either.

Whenever an application receives an update, it suspends execution of it. The app then connects to a "validation server" to verify the integrity of the update by hash value, etc. An encrypted key based on update software characteristics would be ideal. Only after validation approval has been received is the update allowed to proceed.

For this to be an effective mitigation, the validation server is not directly accessible by the application vendor and is maintained by a third party. Any communication of update validation data is done off-line and by vendor security personnel or management who have no involvement with the software development process.

    Barring a hack of the client site application software in regards to the validation process code, this technique should prevent most if not all update hijacking. If the validation process involved an encrypted key, hijacking the connection to the validation server would be futile.
     
    Last edited: Jul 7, 2017
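The validation-server flow described in the post above, as an added worked example (not code from the thread, from M.E. Doc, or from any named vendor). It assumes a constructed release blob, a constructed shared key, and uses an HMAC in place of the "encrypted key" the post mentions; that is a stdlib-only simplification, and a real deployment should use a digital signature (private key at the independent validator, public key pinned in the client) so that no client could forge a record. The three scenarios exercised are the ones the thread discusses: a clean update, an update swapped on the vendor's server, and a validation record an attacker tries to forge for the swapped bytes.

```python
import hashlib
import hmac

# Constructed demo key. It stands in for a secret held only by the independent
# validator (and, in this simplified shared-key form, by clients). In practice a
# digital signature (validator-held private key, client-pinned public key) should
# replace the HMAC so that no client can forge validation records.
VALIDATION_KEY = b"constructed-demo-validator-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validator_register(update_id: str, update_bytes: bytes, key: bytes = VALIDATION_KEY) -> dict:
    """Out-of-band step at the independent validator: vendor security staff (not
    developers) hand over the release; the validator records its digest and
    authenticates the record with a MAC the vendor's update server never holds."""
    digest = sha256_hex(update_bytes)
    record = f"{update_id}:{digest}".encode()
    tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    return {"update_id": update_id, "sha256": digest, "tag": tag}


def client_verify_update(update_id: str, update_bytes: bytes, validation_record: dict,
                         key: bytes = VALIDATION_KEY) -> tuple:
    """Client side. The application has downloaded an update and suspended it.
    It fetches the validation record for that release and proceeds only if
    (1) the record itself is authentic and (2) the downloaded bytes hash to the
    digest the validator recorded. Returns (allowed, reason)."""
    if validation_record.get("update_id") != update_id:
        return False, "validation record is for a different release"
    record = f"{update_id}:{validation_record.get('sha256', '')}".encode()
    expected_tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    # Constant-time comparison: the record may arrive over a hijacked connection.
    if not hmac.compare_digest(expected_tag, str(validation_record.get("tag", ""))):
        return False, "validation record failed authentication"
    if not hmac.compare_digest(sha256_hex(update_bytes), validation_record["sha256"]):
        return False, "downloaded update does not match the validated digest"
    return True, "update validated"


# Constructed sample release and a constructed tampered copy of it.
GENUINE_UPDATE = b"accounting-app-update-v1.0.42: legitimate code"
TAMPERED_UPDATE = GENUINE_UPDATE + b"\x00injected backdoor"


def run_scenarios() -> dict:
    """Exercise the three cases the post discusses and return allow/block per case."""
    good_record = validator_register("v1.0.42", GENUINE_UPDATE)
    results = {}
    # Clean update: bytes match the digest the validator recorded.
    results["genuine"] = client_verify_update("v1.0.42", GENUINE_UPDATE, good_record)[0]
    # Update rewritten on the vendor's server; the validator's record is untouched.
    results["tampered_update"] = client_verify_update("v1.0.42", TAMPERED_UPDATE, good_record)[0]
    # Attacker also hands the client a record covering the tampered bytes, reusing
    # the genuine tag; without the validator's key the tag cannot match.
    forged = {"update_id": "v1.0.42", "sha256": sha256_hex(TAMPERED_UPDATE), "tag": good_record["tag"]}
    results["forged_record"] = client_verify_update("v1.0.42", TAMPERED_UPDATE, forged)[0]
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:>15}: {'ALLOW' if allowed else 'BLOCK'}")
```

The point of the separation is that the attacker in the thread controlled the vendor's update server and its configuration; here that only lets them change the bytes, not the record the client checks them against, because the record is produced by a party the vendor's server cannot reach and is authenticated independently of the download channel.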
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Ukraine Official: Worm Likely Hit 1 in 10 State, Company PCs...

    Ukrainian government official [Dmytro Shymkiv, the deputy head of Ukraine's presidential administration and a former director of Microsoft Ukraine] estimates that as many as one in 10 personal computers at companies and government offices across the country may have been compromised in the cyberattack that erupted on June 27....

'Ten percent of PC install base (in gov and commerce segment) in Ukraine were compromised, half of which become bricks,' he wrote in an email, adding that the assessment was both approximate and personal. 'Some critical infrastructure organizations were also impacted, but primarily businesses.'...

    ...officials have yet to provide a comprehensive assessment of what happened.

    However, an outline of the worm's furious spread is beginning to emerge. On Wednesday, the firm behind the rogue tax software told reporters that its program had been present on 1 million machines. The same day, National Bank of Ukraine official Anton Kudin told a workshop that a third of the nation's banks had been affected,..."

    http://www.data-storage-today.com/article/index.php?story_id=0130019LO1RM
     
    Last edited: Jul 7, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I came across a U.S. based document management app that I believe is similar to M.E. Doc. Its web site is: http://www.doc-it.com/

In the specification .pdf for a small practice given here: http://www.doc-it.com/wp-content/uploads/2016/04/2016_DocIt_SystemRequirementsOverview.pdf , the use of a web portal is noted, which is common for these apps. The web portal allows clients of the concern on which the document management software is installed to log on via Internet connection to the portal and upload/download documents. So now you have a good idea of how this ransomware worm spread like wildfire.
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    ITMan- Sadly in the Enterprise space one must differentiate between what can be done from what will be done.

    Far too often those who should know better live in Wolkenkuckucksheim where they cannot conceive of any scenario where their defenses can be breached, even though they get undeniable evidence that they were just owned by some pre-pubescent Script Kiddie.
     