A deep-level investigation by Cisco Talos on the NotPetya ransomware attack that kicked off one week ago reveals that the agent behind the attack infiltrated the malware host MeDoc six weeks prior to the attack and most likely retains the ability to launch a similar attack in the future.
Cisco analysts, which worked with MeDoc to mitigate the disaster, found the malicious actors gained entry to MeDoc servers using a stolen admin credential, placed a backdoor into versions of the accounting software being pushed out by its update server, and then inserted the ransomware through that opening starting at about 9 a.m. UTC on June 27.
What leads the Talos team to believe the malicious actors retain the ability to pull off another similar attack is the fact that in launching NotPetya, they exhausted a very valuable resource: the backdoors that allowed them to weaponize MeDoc's accounting software product and attack the huge number of business that use this software.
“This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor,” the report states.
Craig Williams, senior technical leader and global outreach manager for Cisco Talos, told SC Media that he believes this attack was not a test run and was meant to cause as much damage as possible. Talos also described the NotPetya event as an intentional effort to cause damage disguised as a ransomware attack.
The team was also able to permanently dismiss early reports that NotPetya was being delivered via email. What caused this initial confusion regarding the attack vector is many of the NotPetya-infected end points were simultaneously hit with a Loki Bot variant that was delivered via email.
In its report, Talos explains that the cyberattackers gained entry to MeDoc by stealing the credentials of one of its corporate administrators. Using this information they logged onto the server, acquired root privileges and gained the ability to reconfigure the system's NGINX update server. This included being able to redirect any incoming traffic to another server owned by thcservers.com that had been previously compromised by the attackers.
Talos also learned that the cyberattackers had been in control of the upgrade server for at least six weeks prior to the attack. It found versions of MeDoc released on three different occasions, April 14, May 15 and June 22, all containing the backdoor.
With this prior legwork completed, the attack itself took place over a compressed time period. The timeline looked like this:
- On June 27 8:59:14 UTC the malicious actor used the stolen credentials and Unix command “su” to obtain root privileges on the update server.
- Between 9:11:59 UTC and 9:14:58 UTC the attacker modifies the web server configuration to proxy to the thcserver.com unit.
- The last proxy connection the thcserver.com server is noted.
“The initial log message was at 9:11:59 UTC and the last message was seen at 12:31:12 UTC. In our telemetry we see no new organizations infected outside of this timeframe,” Talos wrote.
At the end of this period, the NGINX server was returned to its original configuration and MeDoc confirmed to Cisco that the proxy server at tchserver.com has no connection with the company.
The only piece of evidence discovered that indicated a potential point of origin is a Latvian IP address disconnected from the system at 11:07 PM UTC, and MeDoc confirmed that address has no connection to the company or its software.