I came across this write up by boozallen yesterday, and found it had some very interesting thoughts and insight to how and what happened.
1. Four VirusTotal users uploaded the compiled VBS backdoors along with other malicious files, including the
TeleBots telegram-based backdoor, PowerShell post-exploitation scripts, Mimikatz, and other tools. For each
user, these uploads occurred within the same one- to two-day time period.
2. In most cases, these files were uploaded several months prior to the 27 June Petya incident.
3. Booz Allen Cyber4Sight also determined that in several cases, these submitters also uploaded files
associated with the MEDoc update utility to VirusTotal. This shows that these submitters were also likely
users of the MEDoc software, and the inclusion of these files with the files identified in number 1 (above)
demonstrates that MEDoc-related processes may have facilitated the installation vector for this software.
These past few months have been quite interesting. The scale and ease of WannaCry and the more recent Petya/Non Petya attacks, have created a greater awareness for individuals outside of the security world. Major news outlets are interested in these events as they transpire and this can only be a good thing. I still believe we are many years away from individuals and business truly changing their mindsets and realise that just reacting to these events is not enough, and more time and effort is spent on how these applications are designed and how we approach security. We need to try harder to make applications and hardware secure by design and not rely on 3rd party products afterwards to make the product “secure”.
We are going to have several more large scale events like this until the mindset changes, humans are stubborn and we do not like to change – however this is something we must do.
I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week. This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.
This demonstrates how devastating these types of compromises can be and as a defender can make it very difficult to identify and stop this type of attack from happening, if you happen to be the target of said attack.
I suggest you read this very good article!
Analysis of TeleBots’ cunning backdoor
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C(aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
Another good write up by bleeping computer that contains more information.
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).
An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”