Websites being compromised to serve malicious content is common, and it appears that CFM's website was abused in the same way. Such a compromise is typically achieved by exploiting known vulnerabilities in server-side software (the CMS, its plugins, or the web server itself) or by brute-forcing weak credentials, either of which can give attackers remote administrative access to the host. What drew attention in this case was that the victim is an accounting software company in Ukraine, and the timing of the attack.

CFM isn't the first Ukrainian accounting software company to suffer a compromise in recent history, after all. In June 2017, researchers discovered that MeDoc, a small Ukrainian financial technology company which also makes accounting software, had been hacked and that the attackers had gained access to its update servers. They then used those servers to push out a software update carrying NotPetya. That wiper malware spread to other machines in part by using EternalBlue, an exploit for the same Microsoft SMB vulnerability (MS17-010) that WannaCry ransomware had exploited less than two months earlier.

Unlike in the MeDoc case, the attackers did not compromise CFM's update servers. They used the firm's website only as a hosting location: malware downloaders distributed through an email spam campaign retrieved their payload from it. The accounting software company's website was just one of several domains used to host that payload.
As we saw repeatedly throughout 2017, attackers are increasingly abusing the trust relationship between organizations and their software vendors as a means of obtaining a foothold in the environments they are targeting. As organizations deploy more effective security controls to protect their networks, attackers continue to refine their methods.

To learn how Tripwire can help your organization use foundational controls to defend against digital attackers, click here.