Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak

LASER_oneXM

...some quotes from the article:

Operation that hit thousands was “thoroughly well-planned and well-executed.”


The third-party software updater used to seed last week's NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that's widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a "stealthy and cunning backdoor" used to spread the worm probably required access to the M.E.Doc source code. What's more, Eset said the underlying backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.

"As our analysis shows, this is a thoroughly well-planned and well-executed operation," Anton Cherepanov, senior malware researcher for Eset, wrote. "We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors."



Researchers have said NotPetya is unable to decrypt the hard drives it encrypts. The shortcoming, many researchers say, means NotPetya isn't financially motivated ransomware. Instead, it is the equivalent of a disk wiper with the objective of permanently destroying data. On Wednesday, researchers at antivirus-provider Kaspersky Lab added to the intrigue by saying that the M.E.Doc backdoor that spread NotPetya was used to distribute at least one other malicious program at the same time.
 

LASER_oneXM

In this article I found some details about the attack:

M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013

Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months.

The information comes from several security researchers that have analyzed the servers, but also from Ukrainian authorities, who on Tuesday, two days ago, seized the company's servers.

NotPetya group ... ... .... had infiltrated the company's infrastructure by gaining access to an employee's credentials. Cisco says the NotPetya gang used these credentials to embed a backdoor in the M.E.Doc software package, but also place a PHP webshell on the company's web server.

The M.E.Doc software backdoor was hidden in a file named "ZvitPublishedObjects.dll," part of the M.E.Doc software installation/update package. ESET has an in-depth report on how this backdoor works.
The backdoor in the code allowed attackers to execute code on computers where M.E.Doc was installed, which is how they sent the NotPetya ransomware to users and companies that installed these booby-trapped updates.

...
...

Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, told Reuters yesterday that Intellect Service had not installed any updates on the affected servers since February 2013.

The lack of a properly secured server allowed the TeleBots crew to install a PHP file named medoc_online.php, which received or sent commands from/to the backdoor inserted in the M.E.Doc software client.

 
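The two posts above describe the delivery chain: a backdoored ZvitPublishedObjects.dll pushed through M.E.Doc's own update module from a server the attackers controlled. The check that defeats that chain is an update client that only loads files covered by a manifest signed with a vendor key which never lives on the update server. The following Go program is an added illustration of that check; it is not code from the article, from ESET, or from M.E.Doc, and it assumes a hypothetical JSON manifest format, an Ed25519 key pair derived from a fixed seed, and constructed stand-in bytes for the DLL.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in an update package with its SHA-256 digest (assumed format).
type Manifest struct {
	Version string
	Files   map[string]string // file name -> hex SHA-256 of its contents
}

// Encode is canonical: encoding/json sorts map keys, so signer and verifier hash the same bytes.
func (m Manifest) Encode() []byte {
	b, _ := json.Marshal(m) // cannot fail for this struct
	return b
}

// ParseManifest reverses Encode and rejects a manifest without a version or file list.
func ParseManifest(data []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return Manifest{}, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Version == "" || m.Files == nil {
		return Manifest{}, errors.New("manifest missing version or file list")
	}
	return m, nil
}

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor's release step: hash every file in the package.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, content := range files {
		m.Files[name] = digest(content)
	}
	return m
}

// Sign uses the vendor's offline release key, never a key kept on the update server.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the check the client's update module must pass before loading anything.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	m, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	for name, want := range m.Files {
		content, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from package", name)
		}
		if got := digest(content); got != want {
			return fmt.Errorf("%s: digest mismatch, manifest %s but package %s", name, want, got)
		}
	}
	for name := range files { // files the signed manifest never mentioned are rejected too
		if _, ok := m.Files[name]; !ok {
			return fmt.Errorf("%s: not covered by the signed manifest", name)
		}
	}
	return nil
}

// DemoKeys derives a fixed Ed25519 pair from a constant seed (constructed, demo only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	clean := map[string][]byte{"ZvitPublishedObjects.dll": []byte("clean module (constructed)")}
	m := BuildManifest("demo-1.0", clean)
	manifest, sig := m.Encode(), Sign(priv, m)
	fmt.Println("genuine package:", VerifyUpdate(pub, manifest, sig, clean))
	// A compromised update server swaps the DLL but cannot re-sign the manifest.
	swapped := map[string][]byte{"ZvitPublishedObjects.dll": []byte("backdoored module (constructed)")}
	fmt.Println("swapped DLL:", VerifyUpdate(pub, manifest, sig, swapped))
	forged := BuildManifest("demo-1.0", swapped) // matching manifest, but not signed by the vendor
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged.Encode(), sig, swapped))
}
```

The three runs in main show what the client gains: the genuine package verifies, a DLL swapped on the server fails the digest check, and a manifest rewritten to match the swapped DLL fails the signature check because the attacker holds the server but not the offline signing key. This does not protect against an attacker who already controls the vendor's build and signing pipeline, which is why the ESET remark about source-code access matters; it removes the cheaper path of simply planting files on a poorly patched update server.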

soccer97

So, at the end of the day all of this resulted from the update mechanism of a single piece of software being compromised? That is still one of the most surprising things. Hopefully they lock things down in the future. Not even speculating who is at fault.

Yikes, I may want to check whether any software that I use has an auto-update mechanism and consider turning it off (and manually applying updates if necessary).
 

AtlBo

The less stuff you install on your computer, the better off you are. Try to be a minimalist.

Well said @shmu26. LOL, except of course known safe security software. I have very few apps other than security. On this computer, I use LibreOffice portable and about 10 others from PortableApps (a great source for portables in my experience, even some good games). When I back up, it's more or less the security setup and a few files. That's about all. Backup drives are the best! :)
 
