Ukrainian company that spread Petya could face criminal charges for vulnerability


Last week’s globe-spanning ransomware outbreak may have started with a remarkably simple attack. This morning, independent security analyst Jonathan Nichols discovered an alarming vulnerability in the update servers for Ukrainian software company MeDoc, one of the companies at the center of the attack.

Researchers believe that many of the initial Petya infections were the result of a poisoned update from MeDoc, which sent out malware disguised as a software update. But according to Nichols’ research, sending out that poisoned update may have been a relatively simple task, thanks to underlying weaknesses in the company’s security.


Scanning the company’s infrastructure, Nichols found that MeDoc’s central update servers were running outdated FTP software with an outstanding vulnerability that is easily exploited by publicly available software. It’s a serious security issue, and could have let nearly anyone spread poisoned updates through the system. It’s unclear if that particular vulnerability was used by the Petya attackers — or if it was exploitable at all — but the presence of such outdated software indicates there may have been several ways into the system.

“It’s very possible that anyone could have done it,” Nichols said, although he acknowledged he hadn’t tried to exploit the vulnerability for fear of committing a crime. “One would have to hack the server to be 100 percent confident.”