Earlier this week, Ukrainian police seized servers belonging to accounting software provider Intellect Service as part of an investigation into last month's massive NotPetya ransomware attack, which hit the country's government, transport systems, banks and power utilities.
Intellect Service's M.E.Doc accounting software is used by about 80 percent of companies in the Ukraine, according to Reuters.
Intelligence officials and security companies have traced the initial infections to an M.E.Doc software update -- Reuters reports that investigators say the attack was planned months in advance by skilled hackers who had planted a vulnerability in M.E.Doc's software.
"During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc's legitimate modules," ESET malware researcher Anton Cherepanov wrote in an analysis of the attack. "It seems very unlikely that attackers could do this without access to M.E.Doc's source code."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Crucially, Cherepanov noted, NotPetya wasn't typical ransomware -- it was masquerading as ransomware in order to disguise its actual intention. "In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely," he wrote.
Closing the Back Door
Despite earlier denials that a back door had been inserted into its software, Intellect Service chief executive Olesya Bilousova told Reuters on Wednesday, "Yes, there was. And the fact is that this back door needs to be closed."
Bilousova said any computer on the same network as one using M.E.Doc is now vulnerable. "We need to pay the most attention to those computers which weren't affected by [the NotPetya attack]," she said. "The virus is on them waiting for a signal. There are fingerprints on computers which didn't even use our product."
Dmytro Shymkiv, deputy head of the Presidential Administration of Ukraine, told Reuters that Intellect Services' servers hadn't been updated since 2013. "Worrying is a very light word for this," he said. "How many back doors are still open? We don't know."
In a separate post, ESET's Cherepanov identified the attackers responsible for NotPetya as members of the TeleBots group, which was responsible for a series of similar attacks in Ukraine, and has connections with the BlackEnergy group that was behind power outages in western Ukraine in December of 2015.
Last weekend, Ukranian intelligence officials claimed that Russian security services were responsible for the attack.
A Need for Risk Management
CyberGRX CEO Fred Kneip told eSecurity Planet that understanding which third parties pose a threat to your organization is one of the most pressing challenges security teams now face. "M.E.Doc is likely just one of hundreds or thousands of third parties that most organizations impacted by this breach were tasked with tracking," he said.
"While even the most thorough risk assessment can't guarantee there's no malware inside a vendor's network, it can uncover red flags pointing to weak security controls that leave it vulnerable," Kneip added. "This would allow organizations to work with a vendor like M.E.Doc to mitigate potential vulnerabilities before they are exploited."
As the number and complexity of cyber attacks expand, the need for cybersecurity risk management continues to grow. Still, a recent NetWrix survey of 723 IT professionals found that 87 percent of organizations don't use any software for information security governance or risk management.
Just 25 percent of respondents at large enterprises and 26 percent of those at SMBs said they feel prepared to beat cyber risks. "Even though large organizations are believed to have significant resources for maintaining security, they are no less vulnerable than SMBs when it comes to actual IT risks," Netwrix CEO and co-founder Michael Fimin said in a statement.