Cyber Threats, Backdoors and More: Three Lessons from NotPetya -- How can organizations protect their software from exploits and backdoors similar to the ones involved in the NotPetya ransomware attack?
In late June 2017, organizations across the globe were hit by the NotPetya ransomware campaign. Ukraine was hit hardest: Kiev's Boryspil Airport, the nation's central bank and multiple government agencies were significantly compromised, and as a precaution officials even switched the radiation monitoring systems at the Chernobyl nuclear plant to manual.
In response to the attack, Ukrainian law enforcement seized the servers of Intellect Service, maker of the M.E.Doc accounting software whose update mechanism was used to distribute the malware. Researchers who have since analyzed those servers found them poorly secured. Reuters reports that M.E.Doc is used by 80% of Ukrainian companies and is installed on about 1 million computers in the country.
As reporter Mathew Schwartz writes: "Researchers at Slovakian security firm ESET… found that 'a very stealthy and cunning backdoor' had been added to the source code of at least three versions of M.E. Doc that were then automatically distributed via Intellect Service's update server to its 400,000 customers. Malware researcher Anton Cherepanov at ESET said attackers were able to access the backdoor and push malware to PCs, including NotPetya."
NotPetya was much more than a ransomware attack: the backdoor in the M.E.Doc application was able to collect usernames, passwords, machine identities, and other uniquely identifiable data. According to reporter Kelly Sheridan: "[The backdoor] also collect[ed] EDRPOU numbers, or unique legal entity identifiers for companies doing business in Ukraine. Attackers could use the EDRPOU numbers to pinpoint the exact organizations using the backdoored M.E.Doc, and use this data to target specific business networks."
The attack was made easier by the poorly secured machine identities that should have authenticated M.E.Doc's distribution servers and made its software tamper-evident. Historical forensics from Venafi indicates that M.E.Doc did not use digital certificates to serve its web servers and download sites over authenticated, encrypted HTTPS.
Public malware analysis has also shown that the M.E.Doc software was not code-signed, so clients had no way to detect that a package had been altered. As a result, attackers could make malicious changes to M.E.Doc software, including redirecting traffic and software downloads, without being detected.
Given the risks to businesses beyond the ransomware itself, Ukrainian police have advised all organizations to change their passwords and machine identities: TLS keys and digital certificates, SSH keys, and code-signing keys and certificates.
The backdoor in Intellect Service's software is a preview of a destructive future for businesses across the world, one made easier by poor security practices such as serving software without HTTPS and digital certificates and shipping it without code signing. Organizations should anticipate a new level of sophistication from cyber attacks, one where criminals weaponize entire networks of machines. Attackers are now targeting machines directly, from IoT devices to business software, and it is quite possible that armies of machines will be made to obey malicious commands or even to destroy themselves.
So how can organizations protect their software from exploits and backdoors like the one that infected M.E.Doc? There are three distinct lessons to learn from the fallout at Intellect Service.
Lesson #1: Every machine must have a unique identity.
M.E.Doc failed the most basic security test: don't let your machines be spoofed. Intellect Service did not use digital certificates to identify its web servers with even basic HTTPS authentication and encryption, so attackers could redirect traffic and downloads wherever they liked. The certificate only helps when the client actually validates it: an updater that fetches over plain HTTP, or over HTTPS with certificate checking switched off, is just as easy to redirect.
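As an added illustration, not code from this post, from Venafi or from Intellect Service, here is an update client written the way Lesson #1 demands, in Go. It stands up two loopback HTTPS servers (a "vendor" host and a rogue host an attacker has redirected traffic to, each with its own freshly generated self-signed certificate), then shows that a client which pins the vendor's certificate gets the genuine update, refuses the rogue host at the handshake, and refuses a plain `http://` URL outright, while a client with verification disabled happily swallows whatever the rogue host serves. The host names, the update strings and the single-certificate pinning are this example's own assumptions; a production client would more commonly hold a CA bundle in `RootCAs`, and the same verification applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newTLSServer starts a loopback HTTPS server answering every request with body, using a
// freshly generated self-signed certificate. It stands in for the vendor's update host or
// for an attacker's look-alike; which one the client trusts is the whole point.
func newTLSServer(name, body string) (*httptest.Server, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, body)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, cert
}

// PinnedClient trusts exactly one certificate, the vendor's: a server at any other address
// the traffic has been redirected to fails the handshake before a single byte is downloaded.
func PinnedClient(vendor *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(vendor)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// UnverifiedClient is the weak setting: encrypted to whoever answers, authenticating nobody.
func UnverifiedClient() *http.Client {
	cfg := &tls.Config{InsecureSkipVerify: true}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// FetchUpdate downloads an update descriptor. A plain http:// URL is refused before any
// connection is made; for https:// the client's TLS configuration decides who is trusted.
func FetchUpdate(c *http.Client, url string) (string, error) {
	if !strings.HasPrefix(url, "https://") {
		return "", errors.New("refusing non-HTTPS update URL: " + url)
	}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// RunScenario stands up the genuine host and a rogue host and runs both clients against
// them. It returns: what the pinned client fetched from the vendor, the pinned client's
// error for the rogue host, its error for an http:// URL, and what the unverified client
// accepted from the rogue host.
func RunScenario() (pinnedFromVendor string, pinnedRogueErr, plaintextErr error, unverifiedRogue string) {
	vendor, vendorCert := newTLSServer("updates.vendor.example", "update-1.0")
	defer vendor.Close()
	rogue, _ := newTLSServer("updates.vendor.example", "update-1.0-backdoored")
	defer rogue.Close()

	pinned := PinnedClient(vendorCert)
	pinnedFromVendor, _ = FetchUpdate(pinned, vendor.URL+"/update")
	_, pinnedRogueErr = FetchUpdate(pinned, rogue.URL+"/update")
	_, plaintextErr = FetchUpdate(pinned, "http://"+strings.TrimPrefix(vendor.URL, "https://")+"/update")
	unverifiedRogue, _ = FetchUpdate(UnverifiedClient(), rogue.URL+"/update")
	return
}
```

Call `RunScenario()` to exercise it: the rogue host presents a perfectly valid-looking TLS certificate for the same name, and the only thing that stops the pinned client is that the certificate is not the one it was told to trust. The rogue server will log the rejected handshake on its side, which is exactly the signal a real update host would never see from a client that skips verification.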
Lesson #2: Make sure your software is code-signed.
Without code signing, the M.E.Doc software could be altered at will. Every software developer, whether inside an enterprise or at an ISV, must sign released software so that tampering is detectable and the publisher is unambiguous, and the updater must verify that signature before installing anything; a signature that is never checked protects nobody. The signing key then becomes the crown jewel: keep it off the update server, and be ready to rotate and revoke it.
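The following is an added example of the verification gate Lesson #2 calls for, not code from this post or from M.E.Doc. It goes a little beyond the lesson's text: besides checking an Ed25519 signature over the package, the client holds a keyring so the vendor can rotate keys and revoke a compromised one, and it refuses any build that is not newer than the one installed, so a captured old but validly signed package cannot be replayed. The key IDs, build numbers and package bytes are constructed for the example; the signing scheme (Ed25519 over a SHA-256 digest that binds the version to the bytes) is this example's choice, not anything M.E.Doc used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the update server hands out. Nothing in it is trusted until the client
// has checked Sig against a vendor public key it already holds.
type Update struct {
	Version uint32 // monotonically increasing build number
	KeyID   string // which vendor signing key produced Sig
	Payload []byte // the package bytes themselves
	Sig     []byte // Ed25519 signature over digest(Version, Payload)
}

// Keyring is compiled into the client: the vendor's public keys by ID, plus the IDs of
// keys that have been retired or compromised and must never verify anything again.
type Keyring struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// digest binds the version number to the bytes, so a signed package cannot be re-labelled.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign runs on the vendor's release system, never on the update server, so that taking
// over the server (as happened to M.E.Doc) does not yield the ability to sign.
func Sign(priv ed25519.PrivateKey, keyID string, version uint32, payload []byte) Update {
	sig := ed25519.Sign(priv, digest(version, payload))
	return Update{Version: version, KeyID: keyID, Payload: payload, Sig: sig}
}

// Verify is the gate every client passes an update through before installing it.
// installed is the build currently running; anything not newer is refused so that a
// captured old, validly signed package cannot be replayed to roll the client back.
func Verify(kr Keyring, installed uint32, u Update) error {
	if kr.Revoked[u.KeyID] {
		return fmt.Errorf("signing key %q has been revoked", u.KeyID)
	}
	pub, ok := kr.Trusted[u.KeyID]
	if !ok {
		return fmt.Errorf("signing key %q is not a trusted vendor key", u.KeyID)
	}
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Sig) {
		return errors.New("signature does not verify: package or version was altered after signing")
	}
	if u.Version <= installed {
		return fmt.Errorf("build %d is not newer than installed build %d: possible rollback", u.Version, installed)
	}
	return nil
}

// RunScenario creates a current vendor key, a retired vendor key and an attacker key, then
// feeds the client the kinds of update an attacker with update-server access can produce.
// The returned map holds Verify's decision for each; only "genuine" should be nil.
func RunScenario() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{
		Trusted: map[string]ed25519.PublicKey{"vendor-key-2": vendorPub, "vendor-key-1": oldPub},
		Revoked: map[string]bool{"vendor-key-1": true},
	}
	const installed = 41
	pkg := []byte("constructed update package bytes") // stands in for the real installer

	good := Sign(vendorPriv, "vendor-key-2", 42, pkg)

	tampered := good // same signature, one payload byte changed after signing
	tampered.Payload = append([]byte(nil), pkg...)
	tampered.Payload[0] ^= 0x01

	forged := Sign(attackerPriv, "vendor-key-2", 42, pkg) // attacker's key under the vendor's ID
	revoked := Sign(oldPriv, "vendor-key-1", 42, pkg)     // genuine but retired key
	replayed := Sign(vendorPriv, "vendor-key-2", 40, pkg) // valid signature on an older build

	return map[string]error{
		"genuine":  Verify(kr, installed, good),
		"tampered": Verify(kr, installed, tampered),
		"forged":   Verify(kr, installed, forged),
		"revoked":  Verify(kr, installed, revoked),
		"replayed": Verify(kr, installed, replayed),
	}
}
```

Call `RunScenario()` and print the map: the genuine build passes and each of the other four is refused with a reason. Note the order of checks in `Verify`: key status first, then the signature, then the version, so a revoked key is rejected even when its signature is mathematically valid.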
Lesson #3: Machine credentials must be expertly defended.
The theft of administrator credentials was critical to the siege of M.E.Doc, and these attacks likely used SSH keys. SSH keys are vital for secure, authenticated machine-to-machine communication: they grant access to critical systems and authorize encrypted tunnels between them, yet the security around them is often overlooked. Every SSH key must be carefully protected, inventoried and changed regularly, or wide-open backdoors can persist for years.
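The first step in defending SSH keys is knowing what each `authorized_keys` file actually grants. As an added example, not code from this post or any product it mentions, here is a small Go auditor that parses that file format (including the options field, whose quoted values may contain spaces), decodes each key blob, and flags what a key-rotation review should act on: RSA keys under 2048 bits, DSA keys (which OpenSSH has refused by default since 7.0), blobs that do not match their declared type, and keys without `from=` or `command=` restrictions. The restriction policy is this example's assumption, and the sample file is constructed in code; its RSA moduli are placeholder numbers of the right length, not real keys.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

type Finding struct {
	Line    int
	Type    string
	Comment string
	Issues  []string // empty means the key passed every check
}

// sshField reads one length-prefixed "string" of the SSH wire format (RFC 4251).
func sshField(b []byte) (field, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// splitLine separates an optional options field (e.g. command="scp -t /tmp") from type, blob and comment.
func splitLine(line string) (options, keyType, blob, comment string) {
	if !strings.HasPrefix(line, "ssh-") && !strings.HasPrefix(line, "ecdsa-") && !strings.HasPrefix(line, "sk-") {
		inQuote := false // options run up to the first space outside double quotes
		for i, r := range line {
			if r == '"' {
				inQuote = !inQuote
			} else if r == ' ' && !inQuote {
				options, line = line[:i], line[i+1:]
				break
			}
		}
	}
	f := append(strings.Fields(line), "", "") // pad so type and blob always index safely
	return options, f[0], f[1], strings.TrimSpace(strings.Join(f[2:], " "))
}

// Audit parses authorized_keys text and reports, per key, what a rotation review should act on.
// The restriction checks encode an assumed policy: server keys are machine credentials and
// should be pinned to a source address and a single command.
func Audit(authorizedKeys string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		opts, typ, blob, comment := splitLine(line)
		f := Finding{Line: n, Type: typ, Comment: comment}
		raw, err := base64.StdEncoding.DecodeString(blob)
		blobType, rest, ok := sshField(raw)
		switch {
		case err != nil || !ok || string(blobType) != typ:
			f.Issues = append(f.Issues, "key blob is malformed or does not match the declared type")
		case typ == "ssh-rsa": // blob is: string "ssh-rsa", mpint e, mpint n
			_, rest, _ = sshField(rest)
			nBytes, _, _ := sshField(rest)
			if bits := new(big.Int).SetBytes(nBytes).BitLen(); bits < 2048 {
				f.Issues = append(f.Issues, fmt.Sprintf("RSA modulus is %d bits, below 2048", bits))
			}
		case typ == "ssh-dss":
			f.Issues = append(f.Issues, "DSA key: OpenSSH has refused ssh-dss by default since 7.0")
		}
		for _, opt := range []string{"from=", "command="} {
			if !strings.Contains(opts, opt) {
				f.Issues = append(f.Issues, "no "+opt+" restriction: usable from anywhere or for any command")
			}
		}
		out = append(out, f)
	}
	return out
}

// sshBlob base64-encodes wire-format fields the way ssh-keygen writes a public key.
func sshBlob(fields ...[]byte) string {
	var b []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b = append(append(b, n[:]...), f...)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// SampleAuthorizedKeys is a constructed file, not taken from any real host. The RSA
// moduli are placeholder mpints of the right bit length, which is all a length audit reads.
func SampleAuthorizedKeys() string {
	e := []byte{1, 0, 1}                                   // 65537
	n1024 := append([]byte{0, 0x80}, make([]byte, 127)...) // 2^1023: 1024 bits, sign byte first
	n3072 := append([]byte{0, 0x80}, make([]byte, 383)...) // 2^3071: 3072 bits
	return strings.Join([]string{
		"ssh-rsa " + sshBlob([]byte("ssh-rsa"), e, n1024) + " deploy@build-2014",
		`from="10.0.0.5",command="/usr/local/bin/backup --push" ssh-ed25519 ` + sshBlob([]byte("ssh-ed25519"), make([]byte, 32)) + " backup@nas",
		"ssh-dss " + sshBlob([]byte("ssh-dss"), e, e, e, e) + " legacy@oldbox",
		"ssh-rsa " + sshBlob([]byte("ssh-rsa"), e, n3072) + " admin@laptop",
	}, "\n")
}
```

Run `Audit(SampleAuthorizedKeys())` (or feed it the contents of a real file) and print each `Finding`: the 1024-bit deploy key and the DSA key are flagged for replacement, the unrestricted admin key is flagged for scoping, and only the restricted backup key comes back clean. The comment field is kept because in practice it is the only hint of who owns a key, and the keys nobody can account for are the ones to rotate first.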
Like other aspects of the NotPetya attack, revelations about the security of Intellect Service's M.E.Doc software are still developing. Machines and their identities are valuable targets for attackers. If our machines are properly protected, cyber attacks are much harder to execute and can be detected before damage is done.
It's imperative that organizations use this story as a learning opportunity, because we should all expect more attacks like it in the very near future.
About the author: Kevin Bocek is Chief Security Strategist for Venafi