M.E.Doc servers seized by police

Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months.

The information comes from several security researchers that have analyzed the servers, but also from Ukrainian authorities, who on Tuesday, two days ago, seized the company's servers.

Attackers gained access to M.E.Doc via employee login

One of the most credible sources for this information is Cisco, who sent on-the-ground experts to analyze the M.E.Doc servers, the origin point of the NotPetya ransomware outbreak.

In a report released last night, Cisco experts say that the NotPetya group — suspected to be a cyber-espionage group named TeleBots — had infiltrated the company's infrastructure by gaining access to an employee's credentials.

Cisco says the NotPetya gang used these credentials to embed a backdoor in the M.E.Doc software package, but also place a PHP webshell on the company's web server.

NotPetya group inserts backdoor in M.E.Doc software

The M.E.Doc software backdoor was hidden in a file named "ZvitPublishedObjects.dll," part of the M.E.Doc software installation/update package. ESET has an in-depth report on how this backdoor works.

Both ESET and Cisco confirmed that the TeleBots crew shipped this backdoor part of three M.E.Doc software updates, on three separate occasions.

  • M.E.Doc version 01.175-10.01.176, released on 14th of April 2017
  • M.E.Doc version 01.180-10.01.181, released on 15th of May 2017
  • M.E.Doc version 01.188-10.01.189, released on 22nd of June 2017

The backdoor in the code allowed attackers to execute code on computers where M.E.Doc was installed, which is how they sent the NotPetya ransomware to users and companies that installed these boobytrapped updates.

The first of these tainted M.E.Doc software updates appear to have been a test, while the second and third were used to push the XData and NotPetya ransomware.

Backdoor was very sophisticated, incredibly stealthy

According to ESET researcher Anton Cherepanov, the backdoor is very sophisticated and used a few ingenious tricks. For example, the backdoor didn't communicate with an external command-and-control server.

The TeleBots (NotPetya) group hosted their C&C server right on Intellect Service's M.E.Doc update server at upd.me-doc.com[.]ua. Furthermore, all communications with these servers were disguised as regular cookies.

This allowed the group to hide any malicious operations as legitimate traffic that would have never caught the eye of any researcher.

M.E.Doc server last updated in February 2013

This was possible because the M.E.Doc software update mechanism ran on a woefully insecure server. A blog post from Fujitsu' UK team lists a series of vulnerable systems that ran on the server, such as old OpenSSH, web server, and FTP software.

Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, told Reuters yesterday that Intellect Service had not installed any updates on the affected servers since February 2013.

The lack of a properly secured server allowed the TeleBots crew to install a PHP file named medoc_online.php, which received or sent commands from/to the backdoor inserted in the M.E.Doc software client.

PHP webshell on M.E.Doc update server
PHP webshell on M.E.Doc update server

Furthermore, attackers also altered the server's nginx.conf file to redirect any local traffic to an OVH server controlled remotely from a Latvian IP.

Connections to the OVH server began and ended in the same timeframe as the NotPetya ransomware outbreak, and is believed that attackers used the Latvian host to start, control, and end the spread of the NotPetya ransomware payload. Below is an infographic provided by Cisco detailing the events.

Timeline of M.E.Doc server activity and NotPetya attacks

According to ESET, the TeleBots (NotPetya) crew burned a valuable resource (M.E.Doc infrastructure) when they carried out the NotPetya ransomware outbreak.

The backdoor module inserted in the tainted M.E.Doc software had the ability to collect a unique ID that each company entered in their M.E.Doc software settings panel. This ID is a financial code unique for each Ukrainian business. This means that the TeleBots/NotPetya crew could have used this backdoor module to target any Ukrainian business that used M.E.Doc to manage their finances.

Police raid stopped another wave of cyber-attacks

All this ended when Ukrainian police stormed in force on Tuesday and seized M.E.Doc server equipment.

Initially, Intellect Service had offered to help authorities with the investigation, but on Tuesday, Ukrainian officials told The Associated Press they detected another cyber-attack coming from M.E.Doc's infrastructure.

This second attack was reported on Facebook by Ukraine's Interior Minister Arsen Avakov and was also seen by independent security researchers.

Below is a YouTube video published by Ukrainian police documenting the Intellect Service raid.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.

Because of the way the software is currently shared between some usrs, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.

M.E.Doc software uploaded on Google Drive

Image credits: Ukrainian Cyber Police, ESET, Cisco Talos, Bleeping Computer

Article updated on July 7 to reflect the fact that the M.E.Doc Nginx server was used to redirect connections too the OVH host, not the PHP webshell.