Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread

LASER_oneXM

Feb 4, 2016
...some quotes from the article:

M.E.Doc servers initially spread NotPetya
While Intellect Service denied any wrongdoing, Microsoft, Bitdefender, Kaspersky, Cisco, and ESET have gone on record saying the M.E.Doc update servers were responsible for the initial NotPetya infections.

Ukrainian police saw the same thing, as well as independent researchers.

Evidence suggests that the servers were compromised many times in the past. Security researchers have seen M.E.Doc's servers spewing ransomware as early as May, and so did M.E.Doc's own users, who complained about infections on the company's forum. Ukrainian press also reported on incidents of compromised M.E.Doc servers in May, a month before NotPetya.

Bleeping Computer has reported on three ransomware campaigns that spread through the M.E.Doc servers: XData, NotPetya, and an unnamed WannaCry clone. All of these were configured to target Ukraine, and Ukraine alone.


Real problem: M.E.Doc servers had poor security
Despite some wild conspiracy theories, there is tons of tangible evidence that M.E.Doc's servers were behind the infection, including internal telemetry data from both Microsoft and Bitdefender.
An ESET report released today even includes visual evidence, an image of a PHP backdoor (medoc_online.php) found on the company's update server during past incidents.
...
Furthermore, an analysis of the server during the NotPetya outbreak revealed glaring security vulnerabilities.
For example, the update server was running proftpd v1.3.4c, an older version for which publicly known remote code execution exploits exist, along with step-by-step tutorials, easily discoverable via a Google search.
On top of this, M.E.Doc's server also ran outdated versions of Nginx and OpenSSH, information that at one point was shared by Ukraine's cyber police Twitter account in the midst of the NotPetya outbreak, before being deleted.

Intellect Service can claim it did not intentionally participate in NotPetya's distribution, but that doesn't excuse its poor efforts in securing its update server, or for that matter the M.E.Doc software update mechanism, which didn't use HTTPS or cryptographically-signed binaries.
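The last paragraph names the missing control: update binaries were not cryptographically signed, so a compromised update server could hand out whatever it liked. As an added illustration (not code from the article, Bleeping Computer, or Intellect Service), the following Go program shows the minimal client-side check that closes that gap: the vendor signs each update with an offline Ed25519 key, and the client accepts an update only if the signature verifies under a public key pinned in the client, so a tampered binary or one signed with a different key is rejected regardless of how the download server was reached. The `SignUpdate`/`VerifyUpdate` helpers and the update payload are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a vendor update package: the binary
// plus a detached Ed25519 signature over its SHA-256 digest.
type Update struct {
	Binary    []byte
	Signature []byte
}

// SignUpdate models the vendor's build pipeline signing a release with the
// offline private key (hypothetical helper, not M.E.Doc's real mechanism).
func SignUpdate(priv ed25519.PrivateKey, binary []byte) Update {
	digest := sha256.Sum256(binary)
	return Update{Binary: binary, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check that was missing: the update is
// installed only if its signature verifies under the public key pinned in
// the client, independent of which server delivered the bytes.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Binary)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice the private half never leaves the build system.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(priv, []byte("constructed update binary v1"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine))

	// Simulate a compromised update server swapping in a modified binary.
	tampered := Update{Binary: []byte("constructed update binary v1 + backdoor"), Signature: genuine.Signature}
	fmt.Println("tampered update:", VerifyUpdate(pub, tampered))
}
```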
 
