Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/21/2017
04:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

CCleaner Malware Targeted Tech Giants Cisco, Google, Microsoft

The backdoor discovered in Avast's CCleaner targeted top tech companies including Google, Microsoft, Samsung, Sony, VMware, and Cisco.

When Cisco Talos and Morphisec discovered a version of Avast CCleaner had been compromised to deliver malware, it was bad enough to learn millions of endpoints were threatened. Now, security experts say the attackers had espionage in mind.

Earlier this week, both firms published research detailing the compromise of CCleaner version 5.33, which was available for download from August 15, 2017 until the release of v5.34 on September 12. The binary included in v5.33 contained a multi-stage malware payload to collect information including a list of running processes and all software installed on the machine.

Further analysis on the attack, published by Talos on Sept. 20, unearthed some concerning details.

Researchers acquired an archive of files stored on the attackers' command and control (C2) server, which contained code listing major organizations targeted with a second-stage loader. If a machine from one of those networks connected, it would be hit with a secondary payload.

"What happened is the attacker was using this giant net," says Craig Williams, senior technical lead at Cisco Talos. "In the four days the command and control server had data for, 700,000 victims connected with it … but [the attackers] only wanted a tiny fraction of them."

Analysis of the C2 tracking database, which spanned four days in September, revealed at least 20 victim machines hit with specialized secondary payloads. Targeted organizations included Microsoft, Google, HTC, Sony, Samsung, D-Link, Akamai, VMware, Linksys, and Cisco itself.

During that timeframe, the malware regularly contacted the C2 server to send information about infected systems. This included IP addresses, online time, hostname, domain name, process listings, and other data. Researchers believe attackers likely used this to determine which machines they should target during the campaign's final stages.

"This is pretty much exactly what we expected," says Williams. "It quite literally fits the definition of an APT."

Because Cisco Talos was only able to analyze four days of activity during the time CCleaner v5.33 was available for download, he continues, they have no idea how often this list of corporations was altered. They believe the target list was changed during the period the C2 server was active in order to compromise different businesses.

"When you hear two million machines were infected, it implies a commodity criminal," says John Bambenek, manager of threat systems at Fidelis Cybersecurity. "Now we're talking corporate environments, and it's hard to see that as anything other than an espionage attack."

Williams says the recommendations stay the same for affected businesses: systems should be wiped, restored from backup, or reinstalled. This is an example of why users need to have reliable backups amid the rise of supply-chain attacks.

"From the advent of this discovery, we had been warning users to recover from backups," he emphasizes. "We had been telling people, nobody knows what happened so you have to recover from backups."

Who did it?

Both Bambenek and Williams say the attack is well-made and likely the work of a sophisticated actor, though it's still unclear who it might be.

The contents of the Web directory taken from the C2 server included PHP files responsible for controlling communications with infected machines. One of these files, which contains core variables and operations used, specifies the People's Republic of China (PRC) as the time zone.

Williams says this does not mean Chinese actors are responsible. In fact, he believes the opposite. This is especially well-crafted malware, made with a significant amount of development time and complex database. If it really was China, why leave the timestamp?

"I suspect it's a false flag," he proposes, though it's hard to say for certain.

Interestingly, Bambenek points out, CCleaner was a curious choice for this victim pool.

"My first thought was, I'm not entirely sure how many of these enterprises would have used CCleaner," says Fidelis' Bambenek. "This is casting a broad net for an app you probably wouldn't find in enterprise environments."

While he says this may not be a particularly successful attack in terms of the hackers' true objectives, it shows threat actors are willing to think outside the box to achieve their goals.

"Two million infected computers is nothing to shake a fist at," he notes. "It shows they're willing to try new things and experiment. The adversary doesn't have complete visibility into what's typically used in enterprises. They need to make guesses."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...