The Ukrainian company MeDoc, widely believed to be the source of the NotPetya/ExPetr outbreak, may have been using outdated software.
The discovery was made by independent security analyst Jonathan Nichols, who, after analysing MeDoc’s security setup, found that the firm was running outdated FTP software on its central update servers.
“Notably, this ProFTPD software (version 1.3.4c) is vulnerable to CVE-2015-3306 which allows for trivial exploitation to read and write files to the hard drive,” Nichols wrote in a blog post.
The researcher says that further investigation is required to determine whether this vulnerability was indeed the attack vector, but if it was, “any hacker with rudimentary capabilities” could have written malicious files to the update server.
So why is Nichols bringing this to light? Quite simply – damage control.
Since the ransomware spread, there has been talk that the attack was perpetrated by a nation state. Following those theories, a NATO researcher has said that the attack could warrant countermeasures.
Nichols says that while it is not beyond the realm of possibility that the attack was commissioned by a nation state, there is simply not enough evidence to make that claim with any sort of confidence.
As he points out, the faceless black hat hackers of the internet can very easily make themselves look like sophisticated organisations, but nation states can just as easily make themselves look like Mickey Mouse organisations. The point is that we do not know, and an urge to lash out at suspected actors won’t help anybody.
“We should urge moderation and accuracy in our analysis. I, for one, have a distaste for wars started on faulty premises,” Nichols concludes in his blog post and we can’t help but agree.