What was it all about?


Thursday, July 19, 2018

Doctor Web’s 2017 report that a vulnerability was present on Russia’s civil service website made headlines in online media outlets around the world.

  • Dr.Web discovered malicious code on the civil service portal. "Gosuslugi.ru": The threat is not severe
  • Doctor Web reports malicious code found on civil service portal
  • Dr.Web discovered unknown malware on the Russian civil service portal. The anti-virus developer Dr.Web discovered an unknown virus on the civil service portal. According to its security researchers, the malicious code could at any moment infect the computers of the site’s 50 million registered visitors.
  • Dr.Web: Civil service portal compromised by dangerous malware
  • Doctor Web: gosuslugi.ru may steal user data at any moment
  • Doctor Web: Russian Federation's civil service portal hosts malicious code
  • Dr.Web reports civil service portal infected by personal-data-stealing malware
  • Doctor Web: Malware infecting civil service site poses severe threat to users
  • Was the civil service site really compromised? Expert opinion
  • ...

Those were typical news headlines at the time.

Meanwhile, the text of our announcement contained no references to viruses or malware being present on the portal.

Doctor Web: Russian Federation Government Services Portal (gosuslugi.ru) compromised and could start infecting visitors and stealing information at any time

Doctor Web specialists have detected potentially malicious injected code of an unknown source in the Government Services Portal of the Russian Federation (gosuslugi.ru).

https://news.drweb.ru/show/?c=5&i=11373&lng=ru
https://habrahabr.ru/company/drweb/blog/333008

What actually happened? And how dangerous was the incident?

To understand the situation, let's compare it with the MeDoc breach in Ukraine. At first glance, the incidents aren’t comparable: on the one hand, we have just an announcement with no infected computers, and on the other hand, we have a real outbreak with a large number of infections. But that's only at first glance.

In reality, the incidents have a great deal in common:

  • A backdoor that threat actors could exploit to deploy or remove malicious code (on the site or in the product update releases).
  • The attackers remained inactive for quite some time after they deployed their backdoor.

So, the vulnerability that Doctor Web discovered back then was a backdoor that could potentially be used by threat actors to carry out their activities. The discovered code was not a Trojan or a virus, but it could perform malicious tasks whenever criminals needed it to. The Ukrainian company's infrastructure was infected in a similar fashion.

What did the attackers try to accomplish by deploying the code? Did they really want to use the backdoor to target multiple computers? We'll probably never know. But it could have happened at any moment.

#vulnerability #security

The Anti-virus Times recommends

  1. Vulnerability scanners can't solve all security problems, and they won't warn you about dangers they know nothing about, since they can only detect vulnerabilities that have already been discovered.
  2. Statistics show that 80% of websites are vulnerable.
  3. A threat may lurk on each one of them.
  4. Doctor Web discovered just ONE piece of malicious code on ONE site. No one knows how many backdoors of this kind are scattered across the World Wide Web.
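Because a scanner only recognises vulnerabilities that are already catalogued, the practical way to notice an injected loader of the kind described in this incident is to baseline what a page actually serves and alert on any difference. The example below is an added illustration, not code from Doctor Web or from the portal in question: it records the external script sources and the SHA-256 hashes of the inline scripts from a known-good copy of a page, then audits a later copy against that baseline. The HTML documents and the host `cdn.example.invalid` are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # src attribute of every external script tag
        self.inline = []      # body text of every inline script tag
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers the raw contents of <script> through handle_data
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def _collect(html: str) -> _ScriptCollector:
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(html: str) -> dict:
    """Record the script sources and inline-script hashes of a known-good copy of the page."""
    p = _collect(html)
    return {
        "srcs": set(p.srcs),
        "inline_hashes": {_sha256_hex(body) for body in p.inline},
    }


def audit_page(html: str, baseline: dict) -> dict:
    """Compare a freshly fetched copy against the baseline.

    Returns the external script sources that were not in the baseline and the
    hashes of inline scripts whose content differs from every baselined script.
    An injected loader shows up in one of these two lists regardless of
    whether any scanner has a signature for it.
    """
    p = _collect(html)
    unknown_srcs = [s for s in p.srcs if s not in baseline["srcs"]]
    unknown_inline = [
        h for h in (_sha256_hex(body) for body in p.inline)
        if h not in baseline["inline_hashes"]
    ]
    return {"unknown_srcs": unknown_srcs, "unknown_inline": unknown_inline}


# Constructed sample pages (not taken from any real site).
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {lang: "ru"};</script>
</head><body><p>portal</p></body></html>"""

# Same page later: one extra third-party script and a changed inline script.
OBSERVED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.invalid/loader.js"></script>
<script>window.appConfig = {lang: "ru", extra: 1};</script>
</head><body><p>portal</p></body></html>"""


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HTML)
    print(audit_page(OBSERVED_HTML, baseline))
```

In practice the baseline is rebuilt whenever a deployment legitimately changes the page, and the audit is run on copies fetched from outside the hosting network, so that a change made on the server itself is still seen by an independent observer.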

