The group behind last week’s destructive NotPetya attack was able to access M.E.Doc’s update server and use it for their nefarious purposes courtesy of stolen credentials, Cisco has discovered.
Last week, multiple security companies determined that the tax software company’s update server was used as the initial attack vector. Although M.E.Doc denied possible compromise several times during the first days of the outbreak, it eventually agreed to allow a security firm to perform forensic analysis of the server.
Earlier this week, Ukraine police seized the M.E.Doc servers believed to have been used in the incident, to prevent any subsequent attacks from happening. The local authorities suggested the threat group might use the server for further attacks, and not without reason, it seems: a fake WannaCry ransomware family was distributed in the shadow of NotPetya using the same vector.
Cisco was the security company M.E.Doc provided with access to its server, and the company now confirms not only that the server was compromised, but also that the attack was destructive in nature, and that a backdoored module was pushed to M.E.Doc clients several times over the past months.
RSA Webinar – July 13 at 1PM ET: Evolution from Two-Factor Authentication to Identity Assurance
Disguised as ransomware, the NotPetya wiper (which Cisco refers to as Nyetya), was designed to overwrite the infected system’s Master Boot Record (MBR) to prevent access to the operating system. The malware also encrypts specific file types, but the process wasn’t meant to allow file decryption, the security researchers suggested.
In a new report presenting the findings of their analysis of the M.E.Doc server, Cisco confirms that the attack was destructive in nature and that all malware installations came through the M.E.Doc update system.
The investigators discovered a web shell at http://www.me-doc[.]com[.]ua/TESTUpdate/medoc_online.php and found it to be a slightly modified version of the open source PHP web shell PAS. Stored in an encrypted form, the web shell requires a passphrase to decrypt.
Using stolen admin credentials, the malicious actor logged into the M.E.Doc server, acquired root privileges, and started modifying the configuration file for the NGINX web server so that “any traffic to upd.me-doc.com.ua would be proxied through the update server and to a host in the OVH IP space with an IP of 176.31.182.167.”
The actor restored the original server configuration several hours later. They also wiped the OVH server to erase evidence.
Further analysis confirms the ESET report claiming that a backdoor had been inserted into the M.E.Doc software on multiple occasions: on April 14, May 15, and June 22. The malicious actor behind this activity was TeleBots, also known as BlackEnergy and Sandworm, ESET revealed.
“The .net code in ZvitPublishedObjects.dll had been modified on multiple occasions to allow for a malicious actor to gather data and download and execute arbitrary code,” Cisco notes.
The backdoor, the security company confirms, was used to retrieve the EDRPOU and name of M.E.Doc clients, as well as to steal sensitive information (SMTP hosts, usernames, passwords, and email addresses) and download and execute payloads. All traffic was masqueraded as requests to the legitimate M.E.Doc server.
According to Cisco, the concerning matter is that the actor behind NotPetya “burned a significant capability in this attack” by compromising both “the backdoor in the M.E.Doc software and their ability to manipulate the server configuration in the update server.” The actor was able to “deliver arbitrary code to the 80% of UA businesses that use M.E.Doc,” as well as to any other multinational corporation using the software.
“This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor,” Cisco continues.
The company also advises organizations with ties to Ukraine software like M.E.Doc and with systems in Ukraine to take extra caution, given that these resources have been shown to be targeted by advanced threat actors. The security firm advises companies to use separate network architectures and increased monitoring, as well as to patch their systems for any known vulnerabilities, and even upgrade to more secure platform versions.
“Talos places this attack in the supply-chain category. Rather than targeting organizations directly, an actor compromises trusted hardware and software vendors to deliver compromised assets to a high-priority environment. We believe that these types of malicious capabilities are highly desired by sophisticated actors. All vendors, regardless of size or geographic region, must be increasingly vigilant,” the company concludes.
Related: Researchers Dissect Stealthy Backdoor Used by NotPetya Operators
Related: NotPetya Connected to BlackEnergy/KillDisk: Researchers
