SoftServe ransomware victim

Ukrainian software company and IT service provider SoftServe was attacked by ransomware on September 1, which may have led to the theft of their customers' source code.

With more than 8,000 employees and 50 offices worldwide, SoftServe is one of the largest companies in Ukraine offering software development and IT consulting services.

News of a cyberattack on SoftServe first began circulating on the "DС8044 Kyiv Info" channel, where an alleged message sent by the company to its employees was shared.

"Today at 1 p.m. SoftServe was attacked. The hackers have access to the company's infrastructure and managed to start ransomware encryption along with some other malware."

In a later statement to a Ukrainian technology news site, SoftServe confirmed that an attack had taken place, prompting the company to cut its connections with customers to prevent the attack from spreading.

"Yes, there was an attack today. The most significant consequences of the attack are the temporary loss of functionality of part of the mail system and the shutdown of some of the auxiliary test environments. As far as we can estimate, this is the biggest impact of the attack, and the other systems or customers were not affected."

"In order to prevent the spread of the attack, we have isolated certain parts of our network and restricted communication with customer networks. We are preparing a message to our customers about the situation. At the same time as resuming services, we are investigating the incident itself, so we are not prepared to comment on who exactly did it," said Adrian Pavlicevic, Senior Vice President of Informatics at SoftServe.

According to details of the SoftServe incident, the attackers exploited a DLL hijacking vulnerability in the legitimate application Rainmeter to deploy their ransomware.

Rainmeter is a legitimate Windows customization tool that loads a Rainmeter.dll at startup.

During the attack, the hackers replaced the legitimate Rainmeter.dll with a malicious one compiled from the source code of the application.

According to VirusTotal scans, this Rainmeter.dll is detected as Win32/PyXie.A.

According to a 2019 BlackBerry report, PyXie is a Python remote access trojan (RAT) known to exploit vulnerabilities in other software, such as LogMeIn and Update, using malicious DLLs.

BlackBerry researchers say they have seen evidence that this RAT has been used in ransomware attacks.
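A defensive check for the DLL replacement described above, as an added example that is not from the original article: it records SHA-256 hashes of an application's DLLs from a trusted install and later reports any DLL whose name is unchanged but whose contents differ. The directory layout, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(install_dir: Path) -> dict:
    """Map lower-cased relative DLL path -> SHA-256, taken from a trusted install."""
    return {
        p.relative_to(install_dir).as_posix().lower(): sha256_file(p)
        for p in sorted(install_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def audit(install_dir: Path, manifest: dict) -> dict:
    """Compare the DLLs currently on disk with the trusted manifest."""
    current = build_manifest(install_dir)
    return {
        # Same name, different bytes: a library swapped in place.
        "replaced": sorted(n for n in current if n in manifest and current[n] != manifest[n]),
        "unexpected": sorted(n for n in current if n not in manifest),
        "missing": sorted(n for n in manifest if n not in current),
    }


def demo() -> dict:
    """Constructed data: a fake install directory whose Rainmeter.dll changes after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Plugins").mkdir()
        (root / "Rainmeter.dll").write_bytes(b"constructed known-good library bytes")
        (root / "Plugins" / "Sample.dll").write_bytes(b"constructed plugin bytes")
        baseline = build_manifest(root)  # taken while the install is trusted
        (root / "Rainmeter.dll").write_bytes(b"constructed replacement bytes")
        (root / "Extra.dll").write_bytes(b"constructed extra library")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored somewhere the endpoint itself cannot modify, and it has to be rebuilt after every legitimate application update.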


Written by Anastasis Vasileiadis
