Wordfence posted an interesting article about the ransomware attack that has been happening lately; it was written by Mark Maunder.
Author’s notes:
This is a technical blog post which I’m hoping server administrators and web hosting providers will find helpful. It also includes malware history and video footage which I hope you enjoy. ~Mark Maunder
How and Why the Attacker Used NGINX Reverse Proxying to Control Infected Machines
M.E.Doc is a company in Ukraine that makes accounting software. They have many clients, and they distribute their software directly to their customers. Around April this year, their network was compromised because an attacker managed to acquire stolen credentials belonging to an administrator. Using these credentials, the attacker was able to log in and start modifying server configurations and software.
The attacker modified the nginx.conf config file on an M.E.Doc update server to reverse proxy requests to a server hosted at OVH. The server was being used by a hosting reseller called THCServers.com. This server had been compromised by the attacker prior to launching the attack on M.E.Doc.
How the Attacker Distributed Ransomware
Once the attacker controlled a large enough number of machines using the above technique, they simply ran a command that caused the controlled machines to fetch ransomware and install it. It was that simple. The rest is the story of the Petya/Nyetya/NotPetya ransomware infection you’ve read about in the news recently.
Takeaways for Web Hosting Providers and Server Admins
As I mentioned at the start of this post, the hackers in this attack were able to compromise the M.E.Doc network using stolen credentials. If you are a hosting provider or server admin, consider using two-factor authentication for any server access, including SSH. Assuming the attacker did not have access to the credential owner’s other devices, two-factor authentication would have stopped this attack, or at least made it significantly harder for the attacker to gain access.
Better configuration management might have helped alert a system administrator to a change in an nginx.conf file. This might have also caught the malicious change in the M.E.Doc software when the file hashes changed.
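As an added example (not code from the Wordfence article or this post), the following Python script applies both takeaways to an nginx.conf: it compares the file's SHA-256 against a known-good baseline and flags any proxy_pass upstream that is not on an allowlist, which is the kind of check that would have surfaced the reverse-proxy change described above. The config fragments, hostnames and the 203.0.113.10 address are constructed sample values, and the allowlist is an assumption.

```python
import hashlib
import re

# Constructed sample: a known-good nginx.conf fragment serving updates locally,
# and a modified copy in which a proxy_pass now sends update traffic elsewhere.
BASELINE_CONF = """
server {
    listen 80;
    server_name updates.example.test;
    location / {
        root /var/www/updates;
    }
}
"""

MODIFIED_CONF = """
server {
    listen 80;
    server_name updates.example.test;
    location / {
        proxy_pass http://203.0.113.10/;
    }
}
"""

# Assumed allowlist: hosts this server may legitimately proxy to.
ALLOWED_UPSTREAMS = {"127.0.0.1", "upstream.internal.example.test"}

PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\S+?)\s*;")


def sha256_text(text):
    """Hash the config text so it can be compared against a stored baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def proxy_targets(conf):
    """Return the host part of every proxy_pass directive in the config text."""
    hosts = []
    for target in PROXY_PASS_RE.findall(conf):
        m = re.match(r"(?:https?://)?([^/:]+)", target)
        if m:
            hosts.append(m.group(1))
    return hosts


def audit_config(conf, baseline_hash):
    """Report drift from the baseline hash and any proxy_pass host not on the allowlist."""
    return {
        "hash_changed": sha256_text(conf) != baseline_hash,
        "unexpected_upstreams": [h for h in proxy_targets(conf) if h not in ALLOWED_UPSTREAMS],
    }
```

In practice the baseline hash would be stored out of band (in configuration management or a file-integrity monitor) and the audit run on every change, so a drifted hash or an unlisted upstream raises an alert rather than being discovered after the fact.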
Source:
NGINX and PHP Malware Used in Petya/Nyetya Ransomware Attack