NotPetya: The Exploit That Would Lead to Many Attacks, Part 1

In Light of Covid19

Before I start our newest series I wanted to write a quick note in regards to what is happening all around us.

It probably feels like your world has gone upside-down. Either you have nothing to do, or you are busier than ever!

During this crazy time, you need to watch out for one more thing: Scam emails.

Most cybercriminals are amoral and asocial opportunists.

Check out some of the latest COVID-19 scams they’re running to try and kick us while we’re down.

Stay healthy. Stay strong. Stay on-guard, everyone!

-Kip

The Breakdown of NotPetya

I would like to start a new series of posts about a piece of malware called NotPetya, and how it crippled shipping companies and many other businesses around the world by breaching security in inconspicuous ways. This story starts, oddly enough, with the NSA. The NSA developed an exploit for a flaw in Microsoft's SMBv1 file-sharing protocol and kept it in a catalog of similar exploits used for surveillance and other monitoring activities. The NSA called this exploit EternalBlue, a codename with no particular meaning. The name took on meaning once the exploit was weaponized by others, as I will discuss shortly.

There is a fundamental problem with organizations such as the NSA stockpiling digital weapons: they can ultimately be leaked, either one by one or all at once. This is exactly what happened with EternalBlue when it was stolen by a group we know only as the Shadow Brokers (although we suspect we know who they are). The Shadow Brokers released the exploit to the public on April 14, 2017. Curiously, the NSA seemed to anticipate this: Microsoft's MS17-010 update, which patched the hole, was released on March 14, 2017, a month before the leak. So, shouldn't everyone have been protected? In theory, yes, but not everyone installs updates when Microsoft prompts them to, and many organizations deliberately delay patching. Within weeks, EternalBlue was built into self-spreading malware. NotPetya, as we know it, used the exploit as one of its ways of moving from machine to machine, so any unpatched computer reachable on the same network was at risk. It could also reach patched machines by stealing credentials and reusing legitimate Windows administration tools, which is why installing the update alone was not a complete defense.
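The check a defender would want after reading the paragraph above is whether a host still exposes the SMBv1 service that EternalBlue targets, and whether it has seen a security update since the March 2017 patch. The following PowerShell script is an added example, not code from the original post; it assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare module and Get-WindowsOptionalFeature exist) and an elevated session. The cutoff date is a heuristic, not a substitute for checking the specific MS17-010 package for your Windows version.

```powershell
# Added example (not from the original post): audit a Windows host for the
# exposure that NotPetya's EternalBlue component abused (SMBv1 enabled on the
# server side, and no security updates since the March 2017 fix), then turn
# SMBv1 off. Assumes an elevated PowerShell on Windows 8.1 / 2012 R2 or later.

$Ms17010ReleaseDate = Get-Date '2017-03-14'   # date MS17-010 shipped

function Get-Smb1Exposure {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $newest  = Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'Unknown' }
        Smb2Enabled        = $server.EnableSMB2Protocol
        NewestHotfix       = if ($newest) { $newest.HotFixID } else { 'None' }
        NewestHotfixDate   = if ($newest) { $newest.InstalledOn } else { $null }
        # Heuristic only: no hotfix at all since MS17-010 shipped means the
        # host almost certainly never received the SMBv1 fix.
        PatchedSinceMs17010 = ($newest -and $newest.InstalledOn -ge $Ms17010ReleaseDate)
    }
}

function Disable-Smb1 {
    # Stop the SMBv1 server immediately (no reboot), then remove the optional
    # component so a later configuration change cannot quietly re-enable it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$before = Get-Smb1Exposure
$before | Format-List

if (-not $before.PatchedSinceMs17010) {
    Write-Warning "$($before.ComputerName): no security updates recorded since MS17-010 shipped; verify the MS17-010 package for this OS is installed."
}

if ($before.Smb1ServerEnabled) {
    Write-Warning "$($before.ComputerName): SMBv1 server is enabled; disabling it."
    Disable-Smb1
    Get-Smb1Exposure | Format-List
}
```

Disabling SMBv1 closes the door EternalBlue walked through, but it does not address the credential-theft path, so treat it as one control among several rather than the whole fix.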
The first victim of NotPetya, and its delivery vehicle, was a Ukrainian accounting and tax software called M.E.Doc, roughly comparable to American products like QuickBooks, Quicken, or TurboTax. An update for the software was pushed to its users, but it had been tampered with, and everyone who installed it inadvertently let a cyberweapon into their network. When M.E.Doc's servers were analyzed, it was easy to see how the update had been compromised. As a company, they had what I would call terrible cyber hygiene. They had not been applying security updates since 2013, growing more vulnerable to attack over time. There was evidence that employee accounts had been hacked and that there was a Russian presence on M.E.Doc's servers.
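The lesson on the customer side of a tampered update is to refuse installers that are not signed by the publisher you expect. The script below is an added example, not code from the original post and not anything M.E.Doc shipped; the file path and publisher subject are placeholders. The caveat matters: a valid signature proves the file was signed with the vendor's key, not that the vendor's build pipeline was clean, so a backdoor signed with a stolen or misused vendor key would pass this check.

```powershell
# Added example (not from the original post, not M.E.Doc's code): gate an
# update installer on a valid Authenticode signature from the expected publisher.
# $installer and $publisher below are placeholders, not real values.

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path : file not found; not installing."
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the chain builds to a trusted root and the hash matches.
    # 'NotSigned', 'HashMismatch' and 'UnknownError' all mean do not run it.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is '$($sig.Status)'; not installing."
        return $false
    }

    # Any validly signed binary from any publisher is not good enough; pin the
    # signer's subject so a signed-but-foreign file is still rejected.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedPublisher) {
        Write-Warning "$Path : signed by '$subject', expected '$ExpectedPublisher'; not installing."
        return $false
    }

    return $true
}

$installer = 'C:\Updates\vendor-update.exe'                          # placeholder path
$publisher = 'CN=Example Vendor, O=Example Vendor, L=Kyiv, C=UA'     # placeholder subject

if (Test-UpdateSignature -Path $installer -ExpectedPublisher $publisher) {
    Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait   # '/quiet' is a placeholder switch
} else {
    Write-Warning 'Update rejected; raise it with the vendor before installing.'
}
```

Where the vendor publishes hashes through a second channel, compare those as well; the two checks fail independently, which is the point.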

This is just a prelude to the devastating damage NotPetya caused to companies around the world. In my next post, I'll get into the details of the attack itself, which was launched on June 27, 2017.
