[uanog] New virus attack

Oleg Cherevko olwi at icyb.kiev.ua
Wed Jun 28 11:33:25 EEST 2017


Microsoft: 
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

Quote:
...
Initial infection appears to involve a software supply-chain threat 
involving the Ukrainian company M.E.Doc, which develops tax accounting 
software, MEDoc. Although this vector was speculated at length by news 
media and security researchers—including Ukraine’s own Cyber 
Police—there was only circumstantial evidence for this vector.  
Microsoft now has evidence that a few active infections of the 
ransomware initially started from the legitimate MEDoc updater process. 
As we highlighted previously, software supply chain attacks 
<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/> 
are a recent dangerous trend with attackers which requires advanced 
defense.

We observed telemetry showing the MEDoc software updater process 
(EzVit.exe) executing a malicious command-line matching this exact 
attack pattern on Tuesday, June 27 around 10:30 GMT.

...

On 28.06.2017 1:03, Виталий Туровец wrote:
> Checked the latest MEDoc update with VirusTotal today; screenshot attached.
> A couple of hours later the build was re-uploaded, this time without the
> malware, and likewise without any notice along the lines of "We are
> assholes, and from our so fucking much trusted repository of our crappy
> shit-code a piece of shit crawled into your network that will eat a lot
> of your time/money resources." Assholes, in short.
>
> On 27 June 2017 at 23:30, Vasiliy P. Melnik <basil at vpm.net.ua> wrote:
>
>     2.5 bitcoins is nothing for an operation of this scale, but as I
>     understand it the admins are still investigating and waiting for
>     information.
>
>     2017-06-27 22:43 GMT+03:00 Oleg Cherevko <olwi at icyb.kiev.ua>:
>
>         On 27.06.2017 22:19, Oleg Cherevko wrote:
>
>             On the ransomware.
>             Collection of the known information:
>             https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
>             Brief analysis:
>             https://www.youtube.com/watch?v=vtDgA_aasfc
>
>
>         More: https://securelist.com/schroedingers-petya/78870/
>
>         -- 
>         Olwi
>
>         _______________________________________________
>         uanog mailing list
>         uanog at uanog.kiev.ua
>         http://mailman.uanog.kiev.ua/mailman/listinfo/uanog
>
>
> -- 
> ~~~
> WBR,
> Vitalii Turovets
> Software Engineer
> VITU-RIPE
>


-- 
Olwi
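The Microsoft telemetry quoted above hinges on one observation: the MEDoc updater process (EzVit.exe) executed a command line it had no business executing. The excerpt does not quote that command line itself, so a hunting rule has to key on the parent process rather than on a payload string. Below is a minimal way to run such a rule over endpoint process-creation logs, as an added example that is not code from the Microsoft post or from anyone in this thread; the log line format, the install path C:\MEDoc, the baseline of "expected" children and every sample line are constructed for the example.

```python
"""Hunt for the MEDoc updater (EzVit.exe) spawning unexpected processes.

Added example, not code from the Microsoft post or from the uanog thread.
The line format, the install path used in the samples, the baseline of
expected children and all sample lines are constructed for the example.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

UPDATER_IMAGE = "ezvit.exe"        # the MEDoc updater named in the Microsoft post
EXPECTED_CHILDREN = {"ezvit.exe"}  # hypothetical baseline: the updater re-spawning itself

# Constructed process-creation events (Sysmon Event ID 1 style, one per line).
SAMPLE_EVENTS = r"""
2017-06-27T10:30:12Z | ParentImage=C:\MEDoc\EzVit.exe | Image=C:\MEDoc\ezvit.exe | CommandLine="C:\MEDoc\ezvit.exe" /update
2017-06-27T10:30:41Z | ParentImage=C:\MEDoc\EzVit.exe | Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c whoami
2017-06-27T10:32:05Z | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c whoami
this line is not a process-creation event and must be skipped
"""


@dataclass
class Event:
    time: str
    parent: str   # ParentImage: full path of the process that did the spawning
    image: str    # Image: full path of the new process
    cmdline: str  # CommandLine: what the new process was started with


EVENT_RE = re.compile(
    r"^(?P<time>\S+) \| ParentImage=(?P<parent>[^|]+?) \| "
    r"Image=(?P<image>[^|]+?) \| CommandLine=(?P<cmdline>.*)$"
)


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for anything that is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["time"], m["parent"].strip(), m["image"].strip(), m["cmdline"].strip())


def image_name(path: str) -> str:
    """Case-folded file name, so differently cased or located copies compare equal."""
    return ntpath.basename(path).lower()


def is_suspicious(ev: Event) -> bool:
    """The updater is the parent and the child is outside the expected baseline."""
    return image_name(ev.parent) == UPDATER_IMAGE and image_name(ev.image) not in EXPECTED_CHILDREN


def scan(log_text: str) -> List[Event]:
    """Return every event in log_text that the rule flags."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"{ev.time} {ev.parent} -> {ev.image}: {ev.cmdline}")
```

On the constructed input only the second line is flagged: the updater launching cmd.exe. The first line (the updater re-spawning itself) and the third (cmd.exe started by explorer.exe) pass, and the malformed fourth line is skipped rather than crashing the scan. The baseline of expected children is the part that has to come from your own telemetry of clean MEDoc updates; an allowlist guessed at the keyboard will either miss the attack or drown you in false positives.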
