NotPetya Hits the Soft Underbelly of the Patching Process

Among the Internet’s many talents is its seemingly inexhaustible capacity for reminding us how much we still have to learn about technology, about security, and most of all, about human nature.

Sometimes these reminders are subtle, but more and more these days they’re incredibly painful. The current kick in the teeth is the outbreak of a ransomware worm this week that has hit a slew of high-profile companies in Europe and the United States. The worm shares a lot of code and capabilities with the Petya ransomware, but security researchers said it is a separate strain, one that already has caused a tremendous amount of trouble. Among the victims of the worm, known as ExPetr or NotPetya, are Maersk, the massive global shipping company, a Ukrainian power company, a Ukrainian bank, Merck, the huge pharmaceutical company, and many smaller organizations.

Like the WannaCry ransomware worm before it, this variant uses the EternalBlue exploit for a vulnerability in the SMBv1 implementation in Windows (the flaw Microsoft patched in MS17-010) to spread once it’s on a network, and it also moves laterally with stolen credentials and built-in Windows administration tools, so a fully patched machine on the same network is not out of reach. The main initial infection vector is still a little fuzzy, but one of the methods appears to be a hacked update server for M.E.Doc, a tax accounting software package from Ukraine. The compromised server was pushing updates that included the ExPetr ransomware files, and researchers say there also are watering hole attacks installing the malware.

“Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense,” Microsoft researchers said.

This is not the typical ransomware infection chain, which usually involves spam messages with infected attachments that install the malware once opened. The ExPetr ransomware avoids that method, perhaps because it depends on users opening the attachment. While spamming out millions of infected messages can be effective, it’s also inefficient. Hacking an update server can be a much more efficient method for spreading ransomware or any other kind of malicious code, and it’s a technique that some security researchers have been warning about for several years.

Users have been trained for more than 15 years now to install updates when they’re available in order to keep their systems safe. Microsoft, Apple, Google, and the other major software makers have rightly stressed the importance of installing patches and have created trusted channels through which users can obtain them. Those channels are among the more well-defended assets those companies have, as they represent highly attractive targets for attackers, both financially motivated ones and nation-states.

But it’s not just the big vendors that are at risk for this kind of operation, as this latest ransomware campaign shows. Smaller third-party software makers are easier pickings for attackers, as they might lack the tight defenses that Microsoft or Google have while still offering the opportunity to get malware onto a large number of machines in one fell swoop.
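What a “trusted channel” has to do, at minimum, is let the client decide for itself whether an update really came from the publisher, so that a compromised distribution server cannot simply swap the payload. The following is an added example written for this page, not code from M.E.Doc, Microsoft, or any vendor the article names: a publisher signs a manifest (product, version, SHA-256 of the payload) with an Ed25519 key held offline, and the client verifies it against a public key pinned in the installed software rather than fetched from the server. The product name, payload bytes, and the three attack cases are constructed for illustration; Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The publisher signs its JSON encoding on
// an offline host; the update server only distributes the result.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// SignedManifest is what the update server hands to clients.
type SignedManifest struct {
	Manifest  []byte // the exact JSON bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
}

// Sign runs on the publisher's signing host, never on the update server.
func Sign(priv ed25519.PrivateKey, product, version string, payload []byte) (SignedManifest, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned publisher key")
	ErrHashMismatch = errors.New("payload hash does not match signed manifest")
	ErrWrongProduct = errors.New("manifest is for a different product")
)

// Verify is the client-side check. pinned ships with the installed client and
// is not obtained from the server. Only when the signature and the payload
// hash both check out may the payload be executed.
func Verify(pinned ed25519.PublicKey, product string, sm SignedManifest, payload []byte) (Manifest, error) {
	var m Manifest
	// Check the signature before parsing anything the server sent.
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, ErrWrongProduct
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}

// Scenario plays out the compromised-update-server case from the article on
// constructed sample data and returns the client's verdict for each attempt.
func Scenario() (genuine, swapped, resigned error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed)
	payload := []byte("constructed sample: benign updater binary v2.1")
	sm, _ := Sign(priv, "hypothetical-accounting-app", "2.1", payload)

	// 1. Untouched release: signature and hash both verify.
	_, genuine = Verify(pub, "hypothetical-accounting-app", sm, payload)

	// 2. Attacker on the update server swaps the payload, leaves the manifest.
	malicious := []byte("constructed sample: trojanised updater")
	_, swapped = Verify(pub, "hypothetical-accounting-app", sm, malicious)

	// 3. Attacker rewrites the manifest to match and signs with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Sign(attackerPriv, "hypothetical-accounting-app", "2.2", malicious)
	_, resigned = Verify(pub, "hypothetical-accounting-app", forged, malicious)
	return
}

func main() {
	g, s, r := Scenario()
	fmt.Println("genuine release:", g)
	fmt.Println("swapped payload:", s)
	fmt.Println("re-signed by attacker:", r)
}
```

The check defeats a server that only controls distribution, which is the vector the article describes. It does nothing against an attacker who reaches the publisher’s build or signing host, so the private key must stay off the distribution path and, ideally, in a hardware token; it also does not help clients that have already installed a trojanised update, which is why the worm’s lateral movement still has to be handled separately.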

Telling users to patch and avoid opening attachments from unknown sources isn’t enough at this point. High-level attackers are intimately familiar with corporate defenses, security policies, and user behavior, and they know where the soft spots are. The ExPetr ransomware attackers found one of those spots and exploited it. This wasn’t the first attack to use this vector, just the loudest to date, and it could have been far worse had it hit a more popular software package. But now that the effectiveness of the technique has been demonstrated for all to see, there will likely be many more to come.

NotPetya infection screen image via Krebs on Security.
Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.