The Cybereason Intelligence Team has created a flowchart mapping out the intrusion vectors and methods the malware might have taken to infect up to 12,000 endpoints, the majority of which in Ukraine. Intrusion vectors are the ways by which the NotPetya files might have gotten onto the compromised networks and computers.
There are a few possible vectors the malware might have taken. Out of the three, the only one we have the most amount of information on is the MeDoc Update Server method (illustrated by vector A).
MeDoc is a Ukrainian software provider whose servers have been compromised prior to the attack. The attackers leveraged their access they gained to add the NotPetya files to the servers that deliver automatic updates to the users of MeDoc’s software. In this way NotPetya was able to spread by disguising itself as a legitimate update to MeDoc’s software. Users had very little reason to suspect that this most recent update was out of the ordinary.
Luckily, this is a relatively uncommon intrusion vector, but not unheard of- the Monju power station in Japan, for example, was compromised via an update to a video playback program.
Some are pointing towards a phishing campaign as the intrusion vector (vector B), primarily the Ukrainian Computer Emergency Response Team, that was asked to assist in the early hours of the infection.
In their inspection, they report finding phishing emails containing a malicious program called Myguy. It is believed that perhaps the Myguy malware, once it infected a computer, downloaded the NotPetya malware as well. This hypothesis has not yet been fully confirmed.
While most evidence currently point towards vectors A and B, we cannot rule out for sure the existence of any alternative infection vectors, such as purchasing access to a computer already compromised, or infecting a computer with a relatively benign malware first, and later having it download the NotPetya malware. Due to NotPetya’s robust array of lateral movement tools, it is able to spread from one computer to the entire network in a short amount of time.
Movement between computers in a computer network, also known as lateral movement, is accomplished in several ways:
Eliad Kimhy is on the Cybereason Marketing team, leading production of the Malicious Life podcast.
Disruptions to the world’s internet cables happen more often than you think: Whether it be ship anchors or animals or saboteurs, cut a few wires in the right places and at nearly the speed of light you can disrupt or shut off the internet for broad populations of people at a time. It is an immense power that runs through these lines -- a power that can be sabotaged or, in the right hands, weaponized. – check it out...
Smart TVs - equipped with microphones, cameras, and an internet connection - are the weakest link in smart home security. So, is a person's smart home still their castle? Check it out...
