CCleaner attack targeted large technology and communication companies

Shawn Knight

Posts: 12,179   +120
Staff member

Security researchers in the days following the CCleaner malware disclosure have made an alarming, albeit not entirely surprising, discovery.

According to Cisco Talos and Avast, this wasn't your run-of-the-mill hack but rather a sophisticated, targeted attack aimed at nearly two dozen large technology and telecommunication companies in the US, Germany, Japan, Taiwan and the UK.

Analysis of the attackers' command-and-control server shows that this was an APT (Advanced Persistent Threat) operation designed to deliver a second-stage payload only to selected victims. Server logs indicate that at least 20 machines across eight organizations were indeed served the secondary payload, although, as Avast notes, the logs cover a period of only about four days.

Avast estimates that the actual number of systems that received the secondary payload is likely in the hundreds.

High-profile targets included Intel, Microsoft, Sony, Akamai, Epson, MSI, Cisco, Linksys, Samsung and HTC, among others. According to Talos, the specific targets point to a "very focused" attacker seeking valuable intellectual property.

It was disclosed earlier this week that a validly signed version of CCleaner, a staple in the toolbox of many PC repair technicians and IT professionals, had been leveraged to deliver malware to unsuspecting victims. At the time, it looked like an indiscriminate mass infection; we now know it was a supply chain attack, with a trojanised build of a trusted vendor's installer used as the first stage of a targeted operation.

Talos recommends that, where possible, affected users restore from a backup that predates the compromised install or reimage their systems to ensure the threat is fully removed.
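A quick host triage for that recommendation, added here as an example and not code from TechSpot, Talos or Avast. It assumes CCleaner sits in its default install directory, and the one indicator it checks beyond the version string, the HKLM\SOFTWARE\Piriform\Agomo registry key, comes from Talos's public write-up of the stage-1 implant rather than from this article. The point the script makes is that the Authenticode check comes back Valid on the trojanised build too, so signature status alone cannot clear a machine.

```powershell
# Added triage example: not code from TechSpot, Talos or Avast.
# Assumptions (labelled): CCleaner lives in its default install directory, and the
# stage-1 indicator checked here is the registry key HKLM\SOFTWARE\Piriform\Agomo,
# which Talos's public write-up reports the implant creating and which a clean
# CCleaner install does not create.

$agomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'

# Look in both Program Files trees; the 32-bit build (the one reported as trojanised)
# lands under Program Files (x86) on a 64-bit Windows host.
$candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'CCleaner\CCleaner.exe' } |
    Where-Object { Test-Path $_ }

$report = [ordered]@{
    Host            = $env:COMPUTERNAME
    AgomoKeyPresent = Test-Path $agomoKey
    Binaries        = @()
}

foreach ($exe in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $info = (Get-Item $exe).VersionInfo
    $report.Binaries += [pscustomobject]@{
        Path        = $exe
        FileVersion = $info.FileVersion
        # The trojanised build carried a valid Piriform signature, so 'Valid' here
        # rules nothing out; it only says the file was not altered after signing.
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Record the hash so it can be compared against vendor/Talos published values.
        Sha256      = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    }
}

[pscustomobject]$report | Format-List
$report.Binaries | Format-Table -AutoSize

if ($report.AgomoKeyPresent) {
    Write-Warning "Stage-1 CCleaner implant indicator found on $($env:COMPUTERNAME): isolate the host and reimage, or restore from a backup that predates the compromised install, as Talos advises."
}
```

Run it from an elevated PowerShell prompt so the HKLM key and both Program Files trees are readable. A host with the registry key present should be treated as compromised regardless of what the signature and hash columns say; a host without it but with the affected version installed still warrants the reimage, since the logs Avast analysed only cover a few days and cannot prove the second stage was never delivered.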


 

Uncle Al

Posts: 6,920   +5,204
Considering all the "ho-hum" things that it does, I find it really hard to believe all these cutting edge companies would ever use or allow it to be used ..... If it is true, it serves them right!
 

Kenrick

Posts: 631   +401
The fact that the installer's signature was compromised and hosted in their own server is alarming.
 

seeprime

Posts: 453   +491
The fact that the installer's signature was compromised and hosted in their own server is alarming.
Send Avast a thank you letter for letting this happen in, what I believe was, the first version released under their watch. Did they fire the QA department?
 

misor

Posts: 1,397   +303
From other websites reporting the 'attack', it seems only the 32-bit installer of CCleaner 3.33 is affected and not the 64-bit one. They were recommending upgrading to version 3.34 (3.35 as of yesterday, local time, Philippines).
 

captaincranky

Posts: 16,043   +4,834
I hate to be the grammar police, but wouldn't this be a better syntactic solution, "(CCleaner), had been leveraged to facilitate the delivery of malware" ?
I fixed that for ya!(y) But, who knows if staff will take the hint. They have deadlines, I don't.
 

fadingfool

Posts: 144   +145
Unfortunately the installer contains both binaries, though I believe the malware is only installed with the 32-bit version. I had the 64-bit installed and MSE (or Defender or whatever it is now called) did recognise the installer as a risk, though only after the event. Whilst I may not be at immediate risk, a nice Win10 reset clears out the cobwebs.
 

captaincranky

Posts: 16,043   +4,834
This has Chinese state hackers written all over it.
Well, it also says that "this was more than likely an inside job." Given the highly charged, sensitive, and public environment of business hiring practices in this day and age, you're liable to pick up a 'discrimination' lawsuit for turning someone of obvious Asian descent away. What's a poor multi-billion dollar company to do? :D
 

roberthi

Posts: 454   +139
Coming on the heels of an embargo and other restrictions upon North Korea, what are the chances they might be stealing something?