Slashdot Mirror


Petya Ransomware Outbreak Originated In Ukraine Via Tainted Accounting Software (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software package delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, it issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.
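The summary describes the defining property of this incident: the vendor's update server was compromised, so whatever it handed to clients was installed. The added Go example below (editor's illustration, not M.E.Doc's or Bleeping Computer's code, and not a description of how M.E.Doc's updater actually works) shows the standard mitigation, in which a client only applies an update whose manifest is signed by a vendor key pinned in the installed product, with the package hash bound into that manifest and a version counter against rollback. The product name, version numbers, payload bytes and manifest schema are all constructed for the example; in a real deployment the signing key would live on an offline host, never on the update server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs. Binding the product name and the
// package digest into the signed bytes means a genuine signature cannot be
// reused for a different package or a different product. (Constructed schema.)
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// UpdateBundle is what the update server hands to the client. Only the
// manifest is signed; the package is checked through its digest.
type UpdateBundle struct {
	ManifestJSON []byte
	Signature    []byte
	Package      []byte
}

// SignUpdate models the vendor's offline signing step. The private key never
// touches the update server, so compromising that server yields no valid signature.
func SignUpdate(priv ed25519.PrivateKey, product string, version int, pkg []byte) (UpdateBundle, error) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return UpdateBundle{}, err
	}
	return UpdateBundle{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Package: pkg}, nil
}

// VerifyUpdate is the client-side gate. pinnedPub ships inside the installed
// product; installedVersion rejects replays of older, validly signed releases.
func VerifyUpdate(pinnedPub ed25519.PublicKey, product string, installedVersion int, b UpdateBundle) (Manifest, error) {
	var m Manifest
	// 1. The manifest must carry a signature from the pinned vendor key.
	if !ed25519.Verify(pinnedPub, b.ManifestJSON, b.Signature) {
		return m, errors.New("manifest signature invalid: update source not trusted")
	}
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return m, err
	}
	// 2. The signed metadata must be for this product and a newer version.
	if m.Product != product {
		return m, fmt.Errorf("manifest is for %q, not %q", m.Product, product)
	}
	if m.Version <= installedVersion {
		return m, errors.New("rollback or replay rejected")
	}
	// 3. The delivered package must hash to the digest the vendor signed.
	sum := sha256.Sum256(b.Package)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return m, errors.New("package digest does not match signed manifest")
	}
	return m, nil
}

// RunScenarios exercises the client gate against a genuine update and several
// tampered deliveries, returning whether each one was accepted.
func RunScenarios() (map[string]bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // key held by whoever controls the server
	if err != nil {
		return nil, err
	}
	const product = "example-accounting" // constructed product name
	genuine := []byte("update payload v2 (constructed)")
	bundle, err := SignUpdate(vendorPriv, product, 2, genuine)
	if err != nil {
		return nil, err
	}
	results := map[string]bool{}
	try := func(name string, b UpdateBundle, installed int) {
		_, err := VerifyUpdate(vendorPub, product, installed, b)
		results[name] = err == nil
	}
	try("genuine", bundle, 1)
	// Compromised server swaps the package but leaves the signed manifest alone.
	swapped := bundle
	swapped.Package = []byte("trojanized payload (constructed)")
	try("swapped-package", swapped, 1)
	// Compromised server re-signs a matching manifest with its own key.
	forged, _ := SignUpdate(attackerPriv, product, 2, swapped.Package)
	try("attacker-signed", forged, 1)
	// A genuine but not-newer release replayed to a client already on version 2.
	try("rollback", bundle, 2)
	// A genuine manifest for a different product replayed to this one.
	other, _ := SignUpdate(vendorPriv, "other-product", 2, genuine)
	try("wrong-product", other, 1)
	return results, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range r {
		fmt.Printf("%-16s accepted=%v\n", name, ok)
	}
}
```

Only the "genuine" scenario is accepted; the swapped package fails the digest check, the attacker-signed bundle fails the pinned-key check, and the rollback and wrong-product bundles fail the signed-metadata checks. The design choice worth noting is that the hash alone would not help here, since a server that can replace the package can also replace an unsigned hash; the signature over the manifest is what moves trust off the update server and onto a key the attacker does not hold.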

23 comments

  1. Re:Putin will find and punish those responsible by CaptainDork · · Score: 1, Offtopic

    Trump doesn't know bullshit from wild honey about any of this shit.

    --
    It little behooves the best of us to comment on the rest of us.
  2. Rewarmed malware finds some networks? by AHuxley · · Score: 1

    How people wanted something more interesting to comment on?
    https://it.slashdot.org/story/...

    It's just ransomware, not some national cyber drama.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: Rewarmed malware finds some networks? by Anonymous Coward · · Score: 0

      You support the Russian line too often and too obviously, AHuxley. I also find your use of that name offensive.

    2. Re: Rewarmed malware finds some networks? by AHuxley · · Score: 1

      AC, most skilled nations don't just lose control of a well defined cyber operation. Or get detected in the wild.
      That's why they have experts to do cyber things.
      They have skills so their own interests are fully protected and any cyber effort is totally undetected.
      Random malware just spreads around lots of random nations as expected and that anyone in the private sector can track in the wild.
      If the malware has a name, the private sector is/can track it, it's spreading like malware in really random nations?
      It's just malware and a slow news day.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: Rewarmed malware finds some networks? by Zontar+The+Mindless · · Score: 1

      If you really think this is random, I've got some beachfront property in Kiruna I'm prepared to let you have at a really great price.

      But I suspect that the AC's right, and you do really know better.

      --
      Il n'y a pas de Planet B.
    4. Re: Rewarmed malware finds some networks? by AHuxley · · Score: 2

      Let's consider some real nation backed code found in the wild over the years and read about what the reaction was? By experts, the security services and AV vendors.
      The Inside Story of How British Spies Hacked Belgium’s Largest Telco (December 13 2014)
      https://theintercept.com/2014/...
      ".. The hack would remain undetected for two years, until the spring of 2013."
      When a nation does it the method works, stays in place and is undetected. Not an in the wild, random malware effort that's detected by AV.
      What happens when something really interesting is detected? All over the news? Global experts?
      Let's keep reading to find out what happened later. Same wide in public discussion like now?
      " ... never got a chance to study the routers."
      The story of Stuxnet https://en.wikipedia.org/wiki/... ?
      The story of Equation Group https://en.wikipedia.org/wiki/...
      "been active since at least 2001, with more than 60 actors"
      Some history of Longhorn https://www.symantec.com/conne...

      When nations do their cyber things, they do it to a good standard, the code really works and not many people get to read about it in the news in real time.
      Nations also really, really try not to risk their own domestic systems.
      Nations don't talk much about what they find or let their staff talk about results in real time.
      Very different to the average gov reaction to malware that spreads randomly and does malware things. People talk, the news is told details. Sites talk about the news. AV vendors talk.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re: Rewarmed malware finds some networks? by Zontar+The+Mindless · · Score: 1
      --
      Il n'y a pas de Planet B.
  3. Microsoft needs to update by Anonymous Coward · · Score: 5, Funny

    Where's your "Total Cost of Ownership" now, Redmond?

    1. Re:Microsoft needs to update by Anonymous Coward · · Score: 3, Informative

      The same place as "I'm a stupid moron who can't manage to install automatic security updates". They tend to congregate at the "I'm a stupid moron who can't correctly configure my OS and network infrastructure".
      Frankly I am still amazed that the ass hats running the extortion ring think Bitcoins cannot be traced. All it takes is doing something that catches the attention of the various intelligence agencies causing them to expend a little of their considerable resources to track down and eliminate these criminals. The minute someone describes these types of attacks as a threat to National Security the perpetrators are basically fucked.

      And seeing how Russia got hammered in this attack I doubt they will be extending asylum to anyone fleeing in their general direction. If the US gets their hands on the perpetrators first maybe Russia would be open to making an exchange with the US. Russia must have access to someone the US really wants and after all Trump is a deal maker.

      Hell at the very least killing the main and secondary players of these schemes should serve as an adequate deterrent to others thinking of doing the same thing. It may even make an impression on the idiots who think crimes committed using only their computer and the Internet are not really "real world" crimes worthy of any punishment. Pirating music and movies are not crimes because it is not like breaking in to the Amazon warehouse and loading CD's and DVD's into the trunk of the car.

    2. Re:Microsoft needs to update by Anonymous Coward · · Score: 0

      This really isn't Microsoft's fault. Businesses need to update to Windows 10. Those of you on Windows 10 were not affected, yes?

    3. Re:Microsoft needs to update by Anonymous Coward · · Score: 0

      Windows 10 prior to KB4013429 is/was vulnerable to this since the original exploit was discovered in 2016.

    4. Re:Microsoft needs to update by Anonymous Coward · · Score: 2, Informative

      Incorrect, people running Windows 10 Enterprise, fully patched, still got infected.

    5. Re: Microsoft needs to update by Zero__Kelvin · · Score: 1

      Hey dumbshit. There is no way to install (just) security updates with Windows. You have to swallow the whole, possibly rotten, enchilada.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Microsoft needs to update by Anonymous Coward · · Score: 0

      If you are going to do something illegal to get money and intend to compromise accounting software, why not just have the money transferred directly by accounting instead of messing with the RansomWare? Then you do not need to worry about people who have reasonable backups simply ignoring you.

  4. Title by Anonymous Coward · · Score: 0

    The ransomware attack in Ukraine is called NotPetya exactly because it's NOT the Petya strain, as initially thought.

  5. Automatic unrefusable update are such a good idea by Anonymous Coward · · Score: 0

    If you're a ransomware criminal, good jorb Silicon Valley, your helpful contribution to the downfall of civilization will not be remembered in the post technological society that rises after the failure of techno utopia and the total non existence of the singularity.

  6. Evil Daemon? by mentil · · Score: 1

    Let me guess, M.E.Doc opens a port that expects a certain protocol handshake, upon which an unsigned blob is downloaded then executed? An attacker could connect to any computer with the program installed, and send a malware payload.
    Either that or their GitHub equivalent was compromised (although given it's happened before, I'd bet on the former.)

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  7. Knock knock by bestweasel · · Score: 1

    "Back in May, the company's software update mechanism also helped spread the XData ransomware."

    Pardon me M.E.Doc but I think you left your backdoor open.

    1. Re:Knock knock by rtb61 · · Score: 1

      Far more likely to be an insider job. Ukraine is in economic meltdown, which puts enormous pressure on its already corrupt workforce, all sorts of insider shenanigans will occur and basically any Ukraine digital source should be kept way outside the security loop. It will get much worse. Great examples were provided out of China, Russia and the US, the more economic impact felt by the digital class, the far more likely they will corrupt their own systems for money. Never to forget, as budgets tighten, so system security spending collapses and successful attacks become inevitable. When countries' economies go bad, so they become a much higher cyber risk and should be avoided, else you will be saving pennies to spend pounds.

      --
      Chaos - everything, everywhere, everywhen
  8. Haha by Anonymous Coward · · Score: 0

    You said "taint"

    Anyway, the fucking Nazis that took over in Kiev RUINED Ukraine, and now their software firms can't even patch properly.