Archives for: advanced persistent threat

ESET Security Researchers Dissect the Backdoor Used by NotPetya Operators

What was first considered a ransomware attack turned into a much more complicated situation when researchers at the Slovakian security software firm ESET found a backdoor written into several software updates of the Ukrainian accounting package M.E.Doc, the main source of the infection outbreak unleashed last week in Ukraine.

According to a post by Security Week, ESET researchers performed an exhaustive analysis of the infected software and found that the malware identified as NotPetya was intended to destroy data, not to hold it encrypted for money. Reuters had reported earlier, but could not confirm, an announcement allegedly from the people behind the attack demanding $256,000 in bitcoin in return for decryption of all infected devices.

However, researchers linked the attack to TeleBots, a persistent threat group previously known as BlackEnergy and Sandworm. The cybercriminals in question had made several attempts to compromise Ukrainian establishments before. Their choice of M.E.Doc is rather interesting: the tax accounting software is used by 80 percent of Ukrainian companies and is installed on around 1 million computers across the country.

Researchers confirmed that, had the attackers not had access to the source code, installing the backdoor in the software would not have been possible. They estimated that the attackers had held the source code since the beginning of the year. Backdoored updates were distributed at least three times: on April 14th, apparently as a test; on May 15th, to drop the XData ransomware, which served as a smokescreen to distract attention; and on June 22nd, to drop NotPetya.

These updates went out without alarming the M.E.Doc developers, as several other clean updates were released during the same period.

The 5 MB backdoor, written for the .NET Framework, was injected into one of the application's modules and then pushed as an update. The methods of the backdoor class, called MeCom, are invoked by the update-check routine that the legitimate code calls periodically. This let the attackers send the harvested information out in cookies without generating conspicuous amounts of network traffic.

The backdoor also features code that gives the cybercriminals the ability to control infected machines through a binary blob which, on analysis, turned out to be “an XML file that could contain several commands at once.”

The commands include but are not limited to: RunCmd, DumpData, MinInfo, GetFile, Payload and AutoPayload.

According to ESET, this makes the backdoor a “fully-featured cyberespionage and cybersabotage platform at the same time,” since these commands allow the attackers to run shell commands, gather system and user information such as proxies, emails and passwords, collect files and execute payloads.

The backdoor also lets the attackers know exactly which organisations were infected by collecting the EDRPOU, a unique legal-entity identifier that every company in Ukraine has, and thus target specific companies with customised strategies.

The backdoor stored the harvested data awaiting exfiltration in the Windows registry under the HKEY_CURRENT_USER\SOFTWARE\WC key. According to ESET, this allows investigators to identify compromised machines. However, malware fingerprints were also found on network-connected devices that did not even have the infected software installed, which means that the full extent of the attack is still unknown and other backdoors are probably still out there waiting for a signal.
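The registry key above is the one artifact the article gives defenders to work with, so here is a host sweep built around it. This is an added example, not ESET's or the article's code, and it assumes an elevated PowerShell session on the machine being checked. It looks for `SOFTWARE\WC` in every user hive currently loaded under HKEY_USERS (HKEY_CURRENT_USER alone only reflects the account running the script) and then temporarily mounts NTUSER.DAT for profiles that are not logged on, so a user who ran M.E.Doc last week but is not at the keyboard now is still covered. The function names and the `IR_` temporary hive prefix are my own choices; the key path is the one named in the article.

```powershell
# Added example: sweep all user hives on this host for the M.E.Doc backdoor's
# staging key (HKCU\SOFTWARE\WC per the article). Run elevated.

function Test-HiveForKey {
    param([string]$HiveName, [string]$RelativeKey, [string]$Source)
    # Look under HKEY_USERS\<hive> rather than HKCU so any account can be checked.
    $keyPath = "Registry::HKEY_USERS\$HiveName\$RelativeKey"
    if (-not (Test-Path -Path $keyPath)) { return @() }
    $key = Get-Item -Path $keyPath
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Source       = $Source           # 'loaded' or 'offline:<SID>'
        KeyPath      = $keyPath
        ValueCount   = $key.ValueCount   # staged data shows up as values here
        ValueNames   = ($key.GetValueNames() -join ', ')
    }
}

function Find-MeDocStagingKey {
    param([string]$RelativeKey = 'SOFTWARE\WC')   # path from the article
    $findings = @()

    # 1. Hives already loaded: logged-on users, service accounts, .DEFAULT.
    #    *_Classes hives are COM registration shadows and never hold this key.
    $loaded = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $loaded) {
        $findings += Test-HiveForKey -HiveName $hive.PSChildName -RelativeKey $RelativeKey -Source 'loaded'
    }

    # 2. Profiles whose hive is not loaded: mount NTUSER.DAT read-only-ish under a
    #    temporary name, check it, and unload it again.
    $loadedSids = @($loaded | ForEach-Object { $_.PSChildName })
    $profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' `
        -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $sid = $p.PSChildName
        if ($loadedSids -contains $sid) { continue }
        $ntuser = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }

        $tempName = "IR_$($sid -replace '[^A-Za-z0-9]', '_')"   # assumed prefix
        & reg.exe load "HKU\$tempName" $ntuser *> $null
        if ($LASTEXITCODE -ne 0) { continue }   # hive in use or access denied
        try {
            $findings += Test-HiveForKey -HiveName $tempName -RelativeKey $RelativeKey -Source "offline:$sid"
        } finally {
            [gc]::Collect()                     # drop handles so unload succeeds
            & reg.exe unload "HKU\$tempName" *> $null
        }
    }
    return $findings
}

$hits = Find-MeDocStagingKey
if ($hits) {
    $hits | Format-Table -AutoSize
    # Non-zero exit so a fleet-wide Invoke-Command run can flag this host.
    exit 1
} else {
    Write-Output "No SOFTWARE\WC key found in any user hive on $env:COMPUTERNAME."
}
```

Treat a hit as evidence to preserve, not to clean: export the key (`reg.exe export`) before any remediation, since the staged values are exactly what an investigator needs to see what the backdoor collected.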

For security reasons, the M.E.Doc servers were seized by the police, so outside experts could not perform a forensic analysis. ESET researchers are nevertheless confident that the servers were compromised.

As the servers remain offline, further updates to remove the backdoor are still not possible, and many unanswered questions will keep everyone working on the matter awake at night until they know for sure how long the backdoor had been active and whether or not it was used to distribute other malware.

What we might view as worthy discoveries, the Ukrainian police view as a national security threat, since major companies across Ukraine were compromised. The M.E.Doc servers were seized by the police pending investigation, the Russian government was initially accused of the attack, and Ukraine's security service is now teaming up with NATO to better deal with future cyber threats.

The preparation and patience the attackers behind NotPetya demonstrated are both admirable and disturbing; many researchers agree that we have not yet seen the end of this well-planned attack. Hopefully, any other backdoors will be detected and contained before the attackers’ next move.


Credentials of 13 million users breached from 000Webhost, a free webhosting company

The Lithuanian 000Webhost is one of the most popular free webhosting services and has over 13.5 million users. It ranks among the top search results in Google and is quite popular for its services. However, according to a report from Forbes, the login credentials of these users, that includes their usernames, passwords, email addresses, last […]

Thousands of medical systems are exposed to widespread cyber-attacks – Derbycon

Recent reports presented by Scott Erven and Mark Collao at Derbycon have revealed that thousands of medical systems are exposed to widespread cyber-attacks. The researchers reported that a giant U.S. medical organization with 12,000 staff and 3,000 physicians has over 68,000 systems that are vulnerable. The researchers indicate that this is just the tip of […]

50 million users impacted by WinRAR bug

On 28th September 2015, a vulnerability was detected in WinRAR SFX v5.21. It is the latest version of WinRAR, a commonly used file compression tool. Attackers can exploit the vulnerability and compromise a computer with WinRAR installed on it. The bug is in the “text and icon function” under the module “Text to display in […]

Smartphone browsers can deliver powerful DDoS attack with 4.5 billion requests causing Flood Attack

One of the most damaging attacks that can be launched on a website is flooding it with more requests than it can handle, otherwise known as a DDoS. According to internet security researchers, this nightmare may have recently become a reality after one site was targeted in such a manner with the aim of overwhelming […]

U.S. Government OPM Breach: 5.6 million fingerprints of Federal workers were stolen

The Office of Personnel Management and the Department of Defense are analyzing a data breach which resulted in the theft of around 5.6 million fingerprint records of federal workers. Initial reports put the number at 4.5 million; however, the latest report, released on Wednesday 23rd September, suggests that the number is as high as 5.6 […]

SUCEFUL – A new Malware capable of copying data from ATM cards

A new kind of malware named SUCEFUL, capable of stealing information from ATM cards and of retaining them inside the ATM, has been detected by FireEye Labs. The malware was uploaded to VirusTotal and the researchers at FireEye Labs track it as Backdoor.ATM.Suceful. It seems that the name of the virus is […]

Blue Termite – An APT with a sophisticated cyber espionage campaign targeting Japan

An Advanced Persistent Threat dubbed Blue Termite has targeted several Japanese companies since November 2013. Antivirus major Kaspersky Lab started working on the APT in October 2014. Although the instance is not unprecedented, it is the first time that an APT has targeted Japanese companies that have their Client to Server (C2S) […]