Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak

Enlarge (credit: National Police of Ukraine)
The third-party software updater used to seed last week’s NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack…

Enlarge (credit: National Police of Ukraine)

The third-party software updater used to seed last week's NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that's widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a "stealthy and cunning backdoor" used to spread the worm probably required access the M.E.Doc source code. What's more, Eset said the underlying backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.

"As our analysis shows, this is a thoroughly well-planned and well-executed operation," Anton Cherepanov, senior malware researcher for Eset, wrote. "We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors."

Read 6 remaining paragraphs | Comments

NotPetya developers may have obtained NSA exploits weeks before their public leak

Enlarge / A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)
Update:This post was revised throughout to reflect changes F-Secure made to Thursday’s blog post. The company n…

Enlarge / A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)

Update:This post was revised throughout to reflect changes F-Secure made to Thursday's blog post. The company now says that the NotPetya component completed in February didn't have any definitive bearing on when the NSA exploits were obtained. F-Secure Security Advisor Sean Sullivan tells Ars that the component weaves in the NSA exploits so well that it's likely the developers had access to the NSA code. "It strongly hints at this possibility," he said. "We feel strongly that this is the best theory to debunk." This post is being revised to make clear the early access is currently an unproven theory.

The people behind Tuesday's massive malware outbreak might have had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to evidence unearthed by researchers from antivirus F-Secure.

EternalBlue and EternalRomance, as the two exploits were codenamed, were two of more than a dozen hacking tools leaked on April 14 by an as-yet unknown group calling itself the Shadow Brokers. Almost immediately, blackhat and grayhat hackers used EternalBlue to compromise large numbers of computers running out-of-date versions of Microsoft Windows. Within a week or two, blackhats started using EternalBlue to install cryptomining malware. No one really noticed until the outbreak of the WCry ransomware worm on May 12, which infected an estimated 727,000 computers in 90 countries.

Read 10 remaining paragraphs | Comments

Tuesday’s massive ransomware outbreak was, in fact, something much worse

Enlarge / Code in Tuesday’s attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)
Tuesday’s massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransom…

Enlarge / Code in Tuesday's attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying hard drives.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.

In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently destroy as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.

Read 8 remaining paragraphs | Comments

NotPetya Ransomeware Wreaking Havoc

The latest splash has been made by the Petya or NotPetya Ransomware that exploded in Ukraine and is infecting companies all over the World. It’s getting some people in deep trouble as there’s no way to recover the files once encrypted. The malware …

The latest splash has been made by the Petya or NotPetya Ransomware that exploded in Ukraine and is infecting companies all over the World. It’s getting some people in deep trouble as there’s no way to recover the files once encrypted. The malware seems to be trying to hide it’s intent as it doesn’t really […] The post NotPetya Ransomeware...

Read the full post at darknet.org.uk