<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Microsoft:
      <a class="moz-txt-link-freetext"
href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/">https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/</a><br>
      <br>
      Quote: <br>
      ...<br>
      Initial infection appears to involve a software supply-chain
      threat involving the Ukrainian company M.E.Doc, which develops tax
      accounting software, MEDoc. Although this vector was speculated at
      length by news media and security researchers—including Ukraine’s
      own Cyber Police—there was only circumstantial evidence for this
      vector.  Microsoft now has evidence that a few active infections
      of the ransomware initially started from the legitimate MEDoc
      updater process. As we highlighted previously, <a target="_blank"
href="https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/">software
        supply chain attacks</a> are a recent dangerous trend with
      attackers which requires advanced defense.
      <p>We observed telemetry showing the MEDoc software updater
        process (EzVit.exe) executing a malicious command-line matching
        this exact attack pattern on Tuesday, June 27 around 10:30 GMT.<br>
      </p>
      ...<br>
      <br>
      On 28.06.2017 1:03, Виталий Туровец wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAKB6gViNiMpg4dY0ZLrj0fBBzURxFhuHkooWbxvzEx-TG114gw@mail.gmail.com">
      <div dir="ltr">I checked the latest MEDoc update with VirusTotal
        today; screenshot attached.
        <div>A couple of hours later the build was re-uploaded, this time
          without the malware, and equally without any notice along the
          lines of "We are assholes, and out of our so fucking much
          trusted repository of our shitty crap code some filth crawled
          into your network that will burn a great deal of your
          time/money resources". Assholes, in short.</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 27 June 2017, 23:30, Vasiliy P.
          Melnik <span dir="ltr">&lt;<a
              href="mailto:basil@vpm.net.ua" target="_blank"
              moz-do-not-send="true">basil@vpm.net.ua</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">2.5 bitcoins is nothing for something of this
              scale, but as I understand it the admins are still sorting
              things out and waiting for information.</div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">2017-06-27 22:43 GMT+03:00
                    Oleg Cherevko <span dir="ltr">&lt;<a
                        href="mailto:olwi@icyb.kiev.ua" target="_blank"
                        moz-do-not-send="true">olwi@icyb.kiev.ua</a>&gt;</span>:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">On
                      27.06.2017 22:19, Oleg Cherevko wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        Regarding the ransomware.<br>
                        A collection of known information: <a
href="https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759"
                          rel="noreferrer" target="_blank"
                          moz-do-not-send="true">https://gist.github.com/vulner<wbr>sCom/65fe44d27d29d7a5de4c176ba<wbr>ba45759</a><br>
                        Brief analysis: <a
                          href="https://www.youtube.com/watch?v=vtDgA_aasfc"
                          rel="noreferrer" target="_blank"
                          moz-do-not-send="true">https://www.youtube.com/watch?<wbr>v=vtDgA_aasfc</a><br>
                      </blockquote>
                      <br>
                      Also: <a
                        href="https://securelist.com/schroedingers-petya/78870/"
                        rel="noreferrer" target="_blank"
                        moz-do-not-send="true">https://securelist.com/schroed<wbr>ingers-petya/78870/</a><span
                        class="m_8287849405397727446HOEnZb"><font
                          color="#888888"><br>
                          <br>
                          -- <br>
                          Olwi<br>
                          <br>
                          ______________________________<wbr>_________________<br>
                          uanog mailing list<br>
                          <a href="mailto:uanog@uanog.kiev.ua"
                            target="_blank" moz-do-not-send="true">uanog@uanog.kiev.ua</a><br>
                          <a
                            href="http://mailman.uanog.kiev.ua/mailman/listinfo/uanog"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true">http://mailman.uanog.kiev.ua/m<wbr>ailman/listinfo/uanog</a></font></span></blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr"><br>
                            <br>
                            <br>
                            <br>
                            ~~~<br>
                            WBR,<br>
                            Vitalii Turovets<br>
                            <div>Software Engineer<br>
                              VITU-RIPE<br>
                              <br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <p><br>
    </p>
    <pre class="moz-signature" cols="72">-- 
Olwi
</pre>
  </body>
</html>