Petya, M.E.Doc and the problem of trust. I’ve already mentioned in “Petya the Great and why *they* don’t patch vulnerabilities“ that the NotPetya ransomware seems trivial from a Vulnerability Management point of view. It uses known Windows vulnerabilities that Microsoft patched a long time ago.
Despite this, I was really interested in the role of M.E.Doc (its servers were confiscated by the Ukrainian police and its website is not operational) in the initial phase of the malware spreading. In my opinion, we have a pretty interesting example of an attack vector that will be very hard to detect and mitigate. Moreover, it shows once again that a protected perimeter is no longer a panacea.
M.E.Doc is a document circulation system that is very popular in Ukraine. It makes it possible to send reports to government authorities in electronic form. It can be used in any organization, and I can even imagine situations where the use of this kind of software is mandatory. Now the researchers [Eset, Dr.Web] say that M.E.Doc servers sent updates with backdoors to the customers.
This backdoor has the following abilities:
- Collecting data for accessing mail servers
- Executing arbitrary commands on the infected system
- Running any executables
- Downloading arbitrary files to the infected computer
- Uploading arbitrary files to a remote server
- Identifying the exact organization using its EDRPOU number
I don’t really care about the technical details of this backdoor. For me it’s enough that malicious code was on the official server of the vendor and was spread to legitimate customers. Boom!
What could be the reason?
- Maybe the update servers were compromised
- Maybe the server with the source code was compromised
- Maybe an insider did this
- Maybe the vendor added this backdoor intentionally
It doesn’t really matter.
You purchased some software, installed official updates from the official server and got a backdoor. And it becomes the starting point of a ransomware attack inside your infrastructure. How can you even detect that something bad happened if the update servers were compromised? You see some traffic between legitimate software and its update server. Who knows what information it sends? Are you worried about what information Windows sends to Microsoft servers? Maybe we all should be. =)
Earlier we heard this only in stories about foreign cyber aggression and import substitution: that all foreign products have implants that will be activated at the right time, and so you need to use only our domestic products. 🙂 Well, I haven’t seen real proof that there were backdoors in, for example, Cisco products that were installed by the vendor itself. And now we all see a local domestic product vendor (for Ukrainians) that installed real backdoors on its customers’ hosts. Apparently because this vendor didn’t pay enough attention to information security issues.
So what is the real threat: malicious functionality in the products of foreign vendors, or local products/vendors that are not safe enough, even if they have all the necessary certificates? And should we now think not only about our own security, but also about the security of the vendor’s infrastructure?
Well, everything is possible, and all risks should be considered. But, first of all, the end user should understand that:
- Any computer in your internal network can be infected at any time. It’s comfortable to think that we are protected by some perimeter, but actually it isn’t true
- The internal processes of a security vendor should be taken into consideration when you are choosing a product
- Theoretically, a backdoor or malware can be installed on your system with the update of any product, including Windows, CentOS, SAP, etc.
Of course, in real life the last one would be a global disaster. =)
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; I now write there first.