NotPetya Fallout: Server Attacks, Backdoors, and Security Oversights

July 6, 2017 | Eva Hanscom

The world is still reeling from the NotPetya ransomware campaign from late June. Ukraine was especially affected by the attacks, where the nation’s central bank, Kiev's Boryspil Airport and multiple government agencies were seriously impacted. Out of a sense of caution, officials even switched the radiation monitoring systems at the Chernobyl nuclear plant to manual.

In response, Ukrainian law enforcement officials seized the servers of Intellect Service, the maker of the M.E.Doc accounting software whose update mechanism was abused to distribute the ransomware. Researchers have since analyzed the Intellect Service servers and found the machines to be insecure.

According to reporter Mathew Schwartz: “Researchers at Slovakian security firm ESET… found that ‘a very stealthy and cunning backdoor’ had been added to the source code of at least three versions of M.E. Doc that were then automatically distributed via Intellect Service's update server to its 400,000 customers. Malware researcher Anton Cherepanov at ESET said attackers were able to access the backdoor and push malware to PCs, including NotPetya.”

The backdoor in the M.E.Doc application was able to collect sensitive email settings, usernames, passwords and more. “[The backdoor] also collect[ed] EDRPOU numbers, or unique legal entity identifiers for companies doing business in Ukraine,” writes reporter Kelly Sheridan. “Attackers could use the EDRPOU numbers to pinpoint the exact organizations using the backdoored M.E.Doc, and use this data to target specific business networks.”

Obviously, the revelations surrounding Intellect Service have alarmed officials in Ukraine. According to Reuters, M.E.Doc is used by 80% of Ukrainian companies and is installed on about 1 million computers in the country. The prevalence of the software has been crucial to the success of these attacks: a single compromised update channel reached a large share of the country's businesses at once. Interior Minister Arsen Avakov said police had blocked a second cyber attack by seizing the servers hosting the software.

This latest ransomware campaign represents a new and destructive future for businesses across the world. “We’re heading into the next level of sophistication for cyber attacks, one where networks of machines can be weaponized by sophisticated cyber criminals,” says Kevin Bocek, chief security strategist for Venafi. “Attackers are directly targeting machines – from IoT devices to business software. It’s quite possible that armies of machines will be forced to self-destruct, and obey commands for malicious purposes.”

According to Bocek, Intellect Service's machine identities were left unprotected in three distinct ways, each of which helped the NotPetya attack succeed:

Oversight #1: Every machine did not have a unique identity. “M.E.Doc failed the basic security test: don’t allow machines to be spoofed,” says Bocek. “The software did not use digital certificates to identify web servers. This allowed anyone to easily redirect or proxy traffic from one place to another with complete freedom.”

Oversight #2: M.E. Doc software was not code signed. “Without code signing, M.E.Doc software could easily be manipulated,” explains Bocek. “Every software developer – whether inside an enterprise or an ISV – must use code signing to make sure the software is not tampered with and the source of software is always clear.”

Oversight #3: Machine credentials were poorly defended. “The theft of administrator credentials was critical to the siege of M.E.Doc,” concludes Bocek. “These credentials use SSH keys and are vital for secure machine-to-machine communication. Unfortunately, SSH keys provide sensitive access to critical systems and authorize communication through encrypted tunnels, but the security connected with them is often overlooked. Every SSH key must be carefully managed and changed regularly – or wide-open backdoors can persist for years.”

Like other aspects of the NotPetya attack, revelations surrounding the security of Intellect Service’s M.E.Doc software are still developing. However, this story confirms that machine identities are valuable targets for attackers.

Are you protecting your organization’s machine identities against similar backdoor attacks?

About the author

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.