Police seize servers of Ukrainian software firm after cyber attack



Quote

Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said.


The head of Ukraine's Cyber Police, Serhiy Demedyuk, told Reuters the servers of M.E.Doc - Ukraine's most popular accounting software - had been seized as part of an investigation into the attack.


Though they are still trying to establish who was behind last week's attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, charges the company's owners deny.


The owners were not immediately available for comment on Tuesday.

Premium Service, which says it is an official dealer of M.E.Doc's software, wrote a post on M.E.Doc's Facebook page saying masked men were searching M.E.Doc's offices and that the software firm's servers and services were down.


Premium Service could not be reached for further comment.

Cyber Police spokeswoman Yulia Kvitko said investigative actions were continuing at M.E.Doc's offices, adding that further comment would be made on Wednesday.


/snip

Full article at Reuters


This also comes after a Microsoft blog regarding the Petya malware and it spreading (at least in small part) by the MEDoc updater process.

Quote

Delivery and installation


Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense.


We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.


/snip


Full Blog at Technet
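The Microsoft excerpt above says the telltale sign was the legitimate updater process (EzVit.exe) executing a command line it has no business running. The point for a defender is that a signed, trusted updater is still a process whose children can be watched. The following is an added detection example, written for this post and not code from Reuters, Microsoft or M.E.Doc: it reads process-creation events (one JSON object per line, a constructed sample, with field names `ts`, `parent_image`, `image` and `cmdline` chosen for the example) and flags any child of the updater whose image is not on an expected-children allowlist. The allowlist and the install path are placeholders assumed for illustration, not taken from M.E.Doc documentation, and the sample command line is a harmless constructed string, not the actual attack pattern.

```python
"""Flag unexpected child processes of the M.E.Doc updater (EzVit.exe).

Added example for this thread; not code from the original post, Reuters,
Microsoft or M.E.Doc. Event field names, install paths and the allowlist
below are assumptions made for the example.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# The updater image named in the Microsoft blog excerpt.
UPDATER_IMAGE = "ezvit.exe"

# Hypothetical allowlist: what the updater is assumed to legitimately launch.
# A real deployment would derive this from observed baseline behaviour.
EXPECTED_CHILDREN = {"ezvit.exe", "medoc.exe"}


@dataclass
class ProcessEvent:
    ts: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> List[ProcessEvent]:
    """Parse JSON-lines process-creation records into ProcessEvent objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(ProcessEvent(rec["ts"], rec["parent_image"],
                                   rec["image"], rec["cmdline"]))
    return events


def suspicious_updater_children(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return events where EzVit.exe spawned something outside the allowlist."""
    hits = []
    for ev in events:
        if basename(ev.parent_image) != UPDATER_IMAGE:
            continue                      # not a child of the updater
        if basename(ev.image) in EXPECTED_CHILDREN:
            continue                      # an expected helper/installer
        hits.append(ev)
    return hits


def describe(hits: Iterable[ProcessEvent]) -> List[str]:
    """Render hits as one-line alert strings for a SIEM or console."""
    return [f"{h.ts} {basename(h.parent_image)} -> {basename(h.image)}: {h.cmdline}"
            for h in hits]


# Constructed sample log: three events, one of which is an updater spawning a
# shell. The command line is a placeholder, not the real malicious one.
SAMPLE_LOG = r"""
{"ts":"2017-06-27T10:29:50Z","parent_image":"C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe","image":"C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe","cmdline":"ezvit.exe /update"}
{"ts":"2017-06-27T10:30:12Z","parent_image":"C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c echo constructed-sample"}
{"ts":"2017-06-27T10:31:03Z","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
"""

if __name__ == "__main__":
    for alert in describe(suspicious_updater_children(parse_events(SAMPLE_LOG.splitlines()))):
        print("ALERT", alert)
```

Run against real telemetry (Sysmon event ID 1 or an EDR's process-creation stream) the same logic applies; the only parts to adapt are the field names and the allowlist, which should come from a baseline of what the updater normally launches rather than from guesswork.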
