Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months.
The information comes from several security researchers that have analyzed the servers, but also from Ukrainian authorities, who on Tuesday, two days ago, seized the company's servers.
One of the most credible sources for this information is Cisco, who sent on-the-ground experts to analyze the M.E.Doc servers, the origin point of the NotPetya ransomware outbreak.
In a report released last night, Cisco experts say that the NotPetya group — suspected to be a cyber-espionage group named TeleBots — had infiltrated the company's infrastructure by gaining access to an employee's credentials.
Cisco says the NotPetya gang used these credentials to embed a backdoor in the M.E.Doc software package, but also place a PHP webshell on the company's web server.
The M.E.Doc software backdoor was hidden in a file named "ZvitPublishedObjects.dll," part of the M.E.Doc software installation/update package. ESET has an in-depth report on how this backdoor works.
Both ESET and Cisco confirmed that the TeleBots crew shipped this backdoor part of three M.E.Doc software updates, on three separate occasions.
The backdoor in the code allowed attackers to execute code on computers where M.E.Doc was installed, which is how they sent the NotPetya ransomware to users and companies that installed these boobytrapped updates.
The first of these tainted M.E.Doc software updates appear to have been a test, while the second and third were used to push the XData and NotPetya ransomware.
According to ESET researcher Anton Cherepanov, the backdoor is very sophisticated and used a few ingenious tricks. For example, the backdoor didn't communicate with an external command-and-control server.
The TeleBots (NotPetya) group hosted their C&C server right on Intellect Service's M.E.Doc update server at upd.me-doc.com[.]ua. Furthermore, all communications with these servers were disguised as regular cookies.
This allowed the group to hide any malicious operations as legitimate traffic that would have never caught the eye of any researcher.
This was possible because the M.E.Doc software update mechanism ran on a woefully insecure server. A blog post from Fujitsu' UK team lists a series of vulnerable systems that ran on the server, such as old OpenSSH, web server, and FTP software.
Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, told Reuters yesterday that Intellect Service had not installed any updates on the affected servers since February 2013.
The lack of a properly secured server allowed the TeleBots crew to install a PHP file named medoc_online.php, which received or sent commands from/to the backdoor inserted in the M.E.Doc software client.
Furthermore, attackers also altered the server's nginx.conf file to redirect any local traffic to an OVH server controlled remotely from a Latvian IP.
Connections to the OVH server began and ended in the same timeframe as the NotPetya ransomware outbreak, and is believed that attackers used the Latvian host to start, control, and end the spread of the NotPetya ransomware payload. Below is an infographic provided by Cisco detailing the events.
According to ESET, the TeleBots (NotPetya) crew burned a valuable resource (M.E.Doc infrastructure) when they carried out the NotPetya ransomware outbreak.
The backdoor module inserted in the tainted M.E.Doc software had the ability to collect a unique ID that each company entered in their M.E.Doc software settings panel. This ID is a financial code unique for each Ukrainian business. This means that the TeleBots/NotPetya crew could have used this backdoor module to target any Ukrainian business that used M.E.Doc to manage their finances.
All this ended when Ukrainian police stormed in force on Tuesday and seized M.E.Doc server equipment.
Initially, Intellect Service had offered to help authorities with the investigation, but on Tuesday, Ukrainian officials told The Associated Press they detected another cyber-attack coming from M.E.Doc's infrastructure.
Below is a YouTube video published by Ukrainian police documenting the Intellect Service raid.
With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.
Because of the way the software is currently shared between some usrs, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.
Image credits: Ukrainian Cyber Police, ESET, Cisco Talos, Bleeping Computer
Article updated on July 7 to reflect the fact that the M.E.Doc Nginx server was used to redirect connections too the OVH host, not the PHP webshell.