NotPetya Patient Zero: Ukrainian Accounting Software Vendor

Backdoored Software Facilitated Malware Attack, ESET Finds

Want to launch a targeted attack designed to infect large numbers of PCs in a specific country? Then target a specific software application used by 80 percent of all businesses in the nation.

To wit: There’s increasing evidence that the outbreak of NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – that began June 27 was facilitated by attackers gaining access to the source code of a widely used accountancy and bookkeeping package called M.E. Doc, which counts 400,000 clients.

In addition, a backdoor in the same software may have also been used in May to distribute a strain of apparent ransomware called XData, aka AESNI.C.

That’s according to an analysis published Tuesday by Slovakian security firm ESET, which has been reviewing software updates released by M.E. Doc.

Ukrainian police and multiple security firms – including Cisco Talos, Microsoft and Symantec – have also traced the NotPetya outbreak to M.E. Doc, although it had been unclear whether the attack was distributed directly via the software vendor’s update servers. In addition, the M.E. Doc software provides messaging capabilities, which in theory could have been used to facilitate phishing attacks. But there are no reports of such attacks.
