{"id":332536,"date":"2017-06-28T16:23:01","date_gmt":"2017-06-28T16:23:01","guid":{"rendered":"http:\/\/citifmonline.com\/?p=332536"},"modified":"2017-06-28T16:23:01","modified_gmt":"2017-06-28T16:23:01","slug":"tax-software-blamed-for-cyber-attack-spread","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/2017\/06\/tax-software-blamed-for-cyber-attack-spread\/","title":{"rendered":"Tax software blamed for cyber-attack spread"},"content":{"rendered":"

A global cyber-attack that affected companies around the world may have started via corrupted updates on a piece of accountancy software.

Fingers are increasingly pointing to a piece of Ukrainian tax-filing software, MEDoc, as the source of the infection, although the company denies it.

Malware generally infiltrates networks via email attachments that users click on in error.

Microsoft described the method as “a recent dangerous trend”.

The cyber-attack has caused disruption around the world and infected companies in 64 countries, including banks in Ukraine, Russian oil giant Rosneft, British advertising company WPP and US law firm DLA Piper.

Automatic updates

Shipping giant Maersk said it was unable to process new orders and was expecting delays to consignments, while one of Europe’s largest port operators in Rotterdam said that it had to use manual processes, and Dutch global parcel service TNT said it was operating with restrictions.

A Cadbury’s factory on the island state of Tasmania ground to a halt when computer systems went down, according to Australian Manufacturing and Workers Union state secretary John Short.

Ukraine was hit hardest, suggesting the attack might be politically motivated.

According to anti-virus vendor ESET, 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.

A growing number of security experts, including the British malware expert Marcus Hutchins – credited with ending the WannaCry ransomware outbreak – claim to have logs that reveal MEDoc as the source.

In email correspondence with the BBC, Mr Hutchins said: “It looks like the software’s automatic update system was compromised and used to download and run malware rather than updates for the software.”

It was not yet clear how it had been compromised, he added.

MEDoc has denied the claims, in a Facebook post – but in a blog post analysing how the infection had taken hold on Windows machines, Microsoft also points the finger at the accounting software.

“Active infections of the ransomware initially started from the legitimate MEDoc update process,” it writes.

Possible channel

Alan Woodward, a computer scientist from the University of Surrey, said: “The ironic thing about this situation (if it proves to be the case) is that we always advise users to keep their software up to date, ideally using automated updates.

“However, it assumes hackers can’t take over the update process and misuse it.

“This process is normally a very tightly controlled process, so this is unusual.

“I can imagine many vendors are now triple-checking to make sure they don’t end up being an attack vector.”

He said that it showed “hackers will probe every possible channel” to find a route into systems.

“As users there isn’t a lot we can do as we are in the hands of the software vendors.”