CCleaner Malware Targeted Tech Giants Cisco, Google, Microsoft

Razer g2s at riseup.net
Thu Sep 21 19:06:12 PDT 2017 

Links on page:
https://www.darkreading.com/endpoint/ccleaner-malware-targeted-tech-giants-cisco-google-microsoft/d/d-id/1329949

CCleaner Malware Targeted Tech Giants Cisco, Google, Microsoft
Kelly Sheridan

The backdoor discovered in Avast's CCleaner targeted top tech companies
including Google, Microsoft, Samsung, Sony, VMware, and Cisco.

When Cisco Talos and Morphisec discovered a version of Avast CCleaner
had been compromised to deliver malware, it was bad enough to learn
millions of endpoints were threatened. Now, security experts say the
attackers had espionage in mind.

Earlier this week, both firms published research detailing the
compromise of CCleaner version 5.33, which was available for download
from August 15, 2017 until the release of v5.34 on September 12. The
binary included in v5.33 contained a multi-stage malware payload to
collect information including a list of running processes and all
software installed on the machine.

Further analysis on the attack, published by Talos on Sept. 20,
unearthed some concerning details.

Researchers acquired an archive of files stored on the attackers'
command and control (C2) server, which contained code listing major
organizations targeted with a second-stage loader. If a machine from one
of those networks connected, it would be hit with a secondary payload.

"What happened is the attacker was using this giant net," says Craig
Williams, senior technical lead at Cisco Talos. "In the four days the
command and control server had data for, 700,000 victims connected with
it … but [the attackers] only wanted a tiny fraction of them."

Analysis of the C2 tracking database, which spanned four days in
September, revealed at least 20 victim machines hit with specialized
secondary payloads. Targeted organizations included Microsoft, Google,
HTC, Sony, Samsung, D-Link, Akamai, VMware, Linksys, and Cisco itself.

During that timeframe, the malware regularly contacted the C2 server to
send information about infected systems. This included IP addresses,
online time, hostname, domain name, process listings, and other data.
Researchers believe attackers likely used this to determine which
machines they should target during the campaign's final stages.

"This is pretty much exactly what we expected," says Williams. "It quite
literally fits the definition of an APT."

Because Cisco Talos was only able to analyze four days of activity
during the time CCleaner v5.33 was available for download, he continues,
they have no idea how often this list of corporations was altered. They
believe the target list was changed during the period the C2 server was
active in order to compromise different businesses.

"When you hear two million machines were infected, it implies a
commodity criminal," says John Bambenek, manager of threat systems at
Fidelis Cybersecurity. "Now we're talking corporate environments, and
it's hard to see that as anything other than an espionage attack."

Williams says the recommendations stay the same for affected businesses:
systems should be wiped, restored from backup, or reinstalled. This is
an example of why users need to have reliable backups amid the rise of
supply-chain attacks.

"From the advent of this discovery, we had been warning users to recover
from backups," he emphasizes. "We had been telling people, nobody knows
what happened so you have to recover from backups."

Who did it?

Both Bambenek and Williams say the attack is well-made and likely the
work of a sophisticated actor, though it's still unclear who it might be.

The contents of the Web directory taken from the C2 server included PHP
files responsible for controlling communications with infected machines.
One of these files, which contains core variables and operations used,
specifies the People's Republic of China (PRC) as the time zone.

Williams says this does not mean Chinese actors are responsible. In
fact, he believes the opposite. This is especially well-crafted malware,
made with a significant amount of development time and complex database.
If it really was China, why leave the timestamp?

"I suspect it's a false flag," he proposes, though it's hard to say for
certain.

Interestingly, Bambenek points out, CCleaner was a curious choice for
this victim pool.

"My first thought was, I'm not entirely sure how many of these
enterprises would have used CCleaner," says Fidelis' Bambenek. "This is
casting a broad net for an app you probably wouldn't find in enterprise
environments."

While he says this may not be a particularly successful attack in terms
of the hackers' true objectives, it shows threat actors are willing to
think outside the box to achieve their goals.

"Two million infected computers is nothing to shake a fist at," he
notes. "It shows they're willing to try new things and experiment. The
adversary doesn't have complete visibility into what's typically used in
enterprises. They need to make guesses."

--30--

More information about the cypherpunks mailing list