The world is still reeling from the NotPetya ransomware campaign from late June. Ukraine was especially affected by the attacks, where the nation’s central bank, Kiev's Boryspil Airport and multiple government agencies were seriously impacted. Out of a sense of caution, officials even switched the radiation monitoring systems at the Chernobyl nuclear plant to manual.
In response, Ukrainian law enforcement officials seized the servers of Intellect Service, the maker of the M.E.Doc accounting software that was used to deliver the malware during the ransomware campaign. Researchers have since analyzed the servers used by Intellect Service and found the machines to be insecure.
According to reporter Mathew Schwartz: “Researchers at Slovakian security firm ESET… found that ‘a very stealthy and cunning backdoor’ had been added to the source code of at least three versions of M.E. Doc that were then automatically distributed via Intellect Service's update server to its 400,000 customers. Malware researcher Anton Cherepanov at ESET said attackers were able to access the backdoor and push malware to PCs, including NotPetya.”
The backdoor in the M.E.Doc application was able to collect sensitive email settings, usernames, passwords and more. “[The backdoor] also collect[ed] EDRPOU numbers, or unique legal entity identifiers for companies doing business in Ukraine,” writes reporter Kelly Sheridan. “Attackers could use the EDRPOU numbers to pinpoint the exact organizations using the backdoored M.E.Doc, and use this data to target specific business networks.”
Obviously, the revelations surrounding Intellect Service have alarmed officials in Ukraine. According to Reuters, M.E.Doc is used by 80% of Ukrainian companies and installed on about 1 million computers in the country. The prevalence of the software has been crucial to the success of these attacks. Interior Minister Arsen Avakov said police had blocked a second cyber attack by seizing the servers hosting the software.
This latest ransomware campaign represents a new and destructive future for businesses across the world. “We’re heading into the next level of sophistication for cyber attacks, one where networks of machines can be weaponized by sophisticated cyber criminals,” says Kevin Bocek, chief security strategist for Venafi. “Attackers are directly targeting machines – from IoT devices to business software. It’s quite possible that armies of machines will be forced to self-destruct, and obey commands for malicious purposes.”
According to Bocek, Intellect Service failed to protect its machine identities in three distinct ways, each of which helped the NotPetya attacks succeed:
Oversight #1: Not every machine had a unique identity. “M.E.Doc failed the basic security test: don’t allow machines to be spoofed,” says Bocek. “The software did not use digital certificates to identify web servers. This allowed anyone to easily redirect or proxy traffic from one place to another with complete freedom.”
Oversight #2: M.E.Doc software was not code signed. “Without code signing, M.E.Doc software could easily be manipulated,” explains Bocek. “Every software developer – whether inside an enterprise or an ISV – must use code signing to make sure the software is not tampered with and the source of software is always clear.”
Oversight #3: Machine credentials were poorly defended. “The theft of administrator credentials was critical to the siege of M.E.Doc,” concludes Bocek. “These credentials use SSH keys and are vital for secure machine-to-machine communication. Unfortunately, SSH keys provide sensitive access to critical systems and authorize communication through encrypted tunnels, but the security connected with them is often overlooked. Every SSH key must be carefully managed and changed regularly – or wide-open backdoors can persist for years.”
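As an added illustration of Oversights #1 and #2 (example code written for this post, not code from Venafi, ESET or Intellect Service), the following update client pins the vendor's Ed25519 release key and refuses any package whose detached signature fails to verify, so a backdoored update is rejected no matter which server delivered it. The version label, payload bytes and key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for what an update client fetches: the
// package bytes plus a detached signature made with the vendor's release key.
type Update struct {
	Version   string
	Package   []byte
	Signature []byte
}

// digest binds version and package so neither can be swapped alone (zero-byte separator).
func digest(version string, pkg []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(pkg)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step, done once at release time with a key
// that belongs offline or in an HSM, never on the update server.
func SignUpdate(priv ed25519.PrivateKey, version string, pkg []byte) Update {
	return Update{Version: version, Package: pkg, Signature: ed25519.Sign(priv, digest(version, pkg))}
}

// VerifyUpdate is the client-side check: the pinned vendor public key must
// validate the signature before anything in the package is written or run.
// A modified package, a relabelled version or another key's signature fails.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Package), u.Signature) {
		return errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(priv, "1.2.3", []byte("constructed update payload"))
	fmt.Println("genuine:", VerifyUpdate(pub, genuine))
	backdoored := Update{Version: genuine.Version, Package: []byte("altered payload"), Signature: genuine.Signature}
	fmt.Println("backdoored:", VerifyUpdate(pub, backdoored))
}
```

Pinning the public key in the client is what makes the check independent of the update server: a compromised or impersonated server can still push bytes, but not bytes that verify.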
Like other aspects of the Petya attack, revelations surrounding the security of Intellect Service’s M.E.Doc software are still developing. However, this story confirms that machine identities are valuable targets for attackers.
Are you protecting your organization's machine identities against similar backdoor attacks?