A series of powerful cyberattacks using Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, and the United States. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%. On 28 June 2017, the Ukrainian Government stated that the attack was halted.
Security experts believe the attack originated from an update of a Ukrainian tax accounting package called MeDoc (M.E.Doc). MeDoc is widely used among tax accountants in Ukraine, and the software is the main accounting option for other Ukrainian businesses, according to Mikko Hyppönen, a security expert at F-Secure. MeDoc provides periodic updates to its program through an update server. On the day of the attack, 27 June 2017, an update for MeDoc was pushed out by the update server, after which the ransomware attack began to appear. British malware expert Marcus Hutchins claimed "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." The company that produces MeDoc claimed it had no intentional involvement in the ransomware attack, as its own offices were also affected, and that it is cooperating with law enforcement to track down the origin. A similar attack via the MeDoc software had been carried out on 18 May 2017 with the XData ransomware; hundreds of accounting departments in Ukraine were affected.
It was shown that the domain used for updating the MeDoc software was served by a single host located at the Internet provider WNet. Previously, on 1 June, the Ukrainian security agency SBU had raided WNet's offices, claiming that it had handed its technical facilities to a firm controlled by the Russian intelligence agency FSB. Since the domain was configured with a very short TTL of 60 seconds, the provider could easily redirect all update traffic to a fake host serving malware disguised as the MeDoc updater within a short period of time.
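The short TTL matters because a client that trusts whatever host the update domain currently resolves to will install whatever that host serves. The following added example (not code from the article or from the MeDoc vendor) models an update client that pins the expected digest of each release out of band, so a redirected download is rejected even when resolution has been changed underneath it. The hostnames, version string, payload bytes and the resolver dictionaries are constructed for the example.

```python
"""Toy update client that verifies downloads against a pinned digest
instead of trusting the DNS path to its update server.  All names,
payloads and addresses here are constructed for illustration."""
import hashlib

# Constructed genuine release payload (a real client receives this from the
# vendor; here it is inline so the example runs offline).
GENUINE_UPDATE = b"ACCOUNTING-UPDATE v1.2.3 (constructed sample payload)"

# Pinned manifest: version -> SHA-256 hex.  In practice this is shipped with
# the installer or signed by the vendor's release key; it is never fetched
# from the same mutable DNS name as the update itself.
PINNED_MANIFEST = {
    "1.2.3": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}

# Constructed model of "what answers for the update domain".  The second
# entry stands in for a host that a redirected DNS record could point at;
# it serves a payload that differs from the genuine release.
UPDATE_HOSTS = {
    "update.vendor.invalid": GENUINE_UPDATE,
    "198.51.100.7": b"ACCOUNTING-UPDATE v1.2.3 " + b"\x90" * 16,  # tampered
}

def resolve(domain, resolver):
    """Model DNS resolution: the resolver decides which host answers now."""
    return resolver[domain]

def fetch_update(host):
    """Model the HTTP download from whichever host resolution returned."""
    return UPDATE_HOSTS[host]

def verify_update(blob, version):
    """True only if the download matches the pinned digest for `version`."""
    expected = PINNED_MANIFEST.get(version)
    if expected is None:
        return False  # unknown version: never install
    return hashlib.sha256(blob).hexdigest() == expected

def apply_update(domain, version, resolver):
    """Return ("applied", host) or ("rejected", host); never runs a
    payload that fails verification, whatever host served it."""
    host = resolve(domain, resolver)
    blob = fetch_update(host)
    if not verify_update(blob, version):
        return ("rejected", host)
    return ("applied", host)
```

The check is host-independent: flipping the resolver entry to the other address changes where the bytes come from but not whether they are installed.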
The cyberattack was based on a modified version of the Petya ransomware. Like the WannaCry ransomware attack in May 2017, Petya uses the EternalBlue exploit previously discovered in older versions of the Microsoft Windows operating system. When Petya is executed, it encrypts the Master File Table of the hard drive and forces the computer to restart. It then displays a message to the user, telling them their files are now encrypted and to send US$300 in bitcoin to one of three wallets to receive instructions to decrypt their computer. At the same time, the software exploits the Server Message Block protocol in Windows to infect local computers on the same network, and any remote computers it can find.
The EternalBlue exploit had been previously identified, and Microsoft issued patches in March 2017 to shut down the exploit for the latest versions of Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. However, the WannaCry attack progressed through many computer systems that still used older Windows operating systems or previous releases of the newer ones, which still contained the vulnerability, or on which users had not installed the patches. Microsoft issued new patches for Windows XP and Windows Server 2003, as well as for previous versions of the other operating systems, the day after the WannaCry attack.
Security experts found that the version of Petya used in the Ukraine cyberattacks had been modified: it encrypted all of the files on the infected computers, not just the Master File Table, and in some cases the computer's files were completely wiped or rewritten in a manner that could not be undone through decryption. No "kill switch" has yet been discovered, as there was with the WannaCry software, that would immediately stop its spread.