Ukraine Police Trace Petya Attack Source

Uploaded on 2017-07-05 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A vulnerability within an obscure piece of Ukrainian accounting software is the root cause of the massive Petya cyberattack that  broke out last week, according to the Ukrainian law enforcement. 

The attack hit Ukrainian utilities and airline services, US based pharmaceutical company Merck, Russian oil giant Rosneft and even forced operators at the Chernobyl nuclear power plant to switch to manual radiation monitoring of the site. 

The software is called Me.DOC, it’s basically an application for tax reporting and filing for companies that do business in Ukraine. At about 10:30 a.m. GMT Tuesday 27th June. Me.Doc ran an automatic update on the software, a routine event and that connected every version of Me.Doc on every computer on which it had been installed (so long as it was online) to this address: 92.60.184.55.

That by itself is not unusual.
As the Ukrainian police’s cyber division explained in a Facebook post, updates from Me.doc are usually rather small, about 300 bytes. This update ran 333 kilobytes, orders of magnitude larger. Once host computers download the update, becoming infected, the malware creates a new file called Rundll32.exe. Next it contacts a different network. It then starts running new commands, taking advantage of a particular Windows vulnerability, the same Microsoft vulnerability, called EternalBlue SMB, targeted by WannaCry. 

The US National Security Agency detected the vulnerability and it was contained in a group of stolen documents that made their way onto the Web via a group called the Shadowbrokers. However, the NSA did disclose the vulnerability to Microsoft, which issued a patch, long before the WannaCry virus spread. 

Defense One verified the Ukrainian police’s post with a second researcher who had direct knowledge of the attack and the malware in question. Other cyber security researchers with Russia-based Kaspersky Labs also began pointing to Me.DOC  as the likely point of spread.

At this point, no one has claimed responsibility for the attack and authorities have yet to make a hard determination about attribution. 

Actors backed by the Russian government have been targeting portions of Ukrainian infrastructure since 2015 when a massive attack by a group knocked out power to more than 225,000 people in Ukraine. But WannaCry has been linked to actors outside of Russia, namely North Korea. It’s a finding that some researchers dispute. 

DefenseOne

You Might Also Read:

How A Nation Became Russia's Cyberwar Experiment:

 

« Cyberwar: A New Front For US Military
Cybersecurity Is Too Important To Leave To IT »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

Phirelight Security Solutions

Phirelight Security Solutions

Phirelight empowers an enterprise to easily understand how their networks behave, while at the same time assessing and managing cyber threats in real time.

SIGA

SIGA

SIGA provides cyber security solutions for Industrial Control Systems SCADA systems used in critical infrastructures and industrial processes.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

Exein

Exein

Exein are on a mission to build the world’s first ecosystem for firmware security so that all different types of firmware are secure around the world.

Steganos

Steganos

Steganos offers highly secure and easy to use software tools that protect and secure on and offline data.

Lepide

Lepide

LepideAuditor is a powerful Data Security Platform that enables you to reduce risk, prevent data breaches and prove regulatory compliance.

European Healthcare Fraud & Corruption Network (EHFCN)

European Healthcare Fraud & Corruption Network (EHFCN)

EHFCN is the only organisation dedicated to combating fraud, corruption and waste in the healthcare sector across Europe.

CUJO AI

CUJO AI

CUJO AI is the global leader in the development and application of artificial intelligence to improve the security, control and privacy of connected devices in homes and businesses.

Liquid Intelligent Technologies

Liquid Intelligent Technologies

Liquid Intelligent Technologies is a leading communications solutions provider across Africa, providing reliable connectivity, hosting, co-location, and digital services including cyber security.

GovernmentCIO

GovernmentCIO

GovernmentCIO was founded with a single purpose: to transform government IT. We are thought leaders in data analytics, machine learning, cybersecurity and IT transformation.

Auvik Networks

Auvik Networks

Auvik is easy-to-use cloud-based networking management and monitoring software - true network visibility and control without the hassle.

LGMS - LE Global Services

LGMS - LE Global Services

LGMS is a leading cyber security penetration testing and assessment firm in the Asia Pacific region.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

ASRC Federal

ASRC Federal

ASRC Federal’s mission is to help federal civilian, intelligence and defense agencies achieve successful outcomes and elevate their mission performance.