CCleaner attack targeted large technology and communication companies

By Shawn Knight · 12 replies
Sep 21, 2017
  1. Security researchers in the days following the CCleaner malware disclosure have made an alarming, albeit not entirely surprising, discovery.

    According to Cisco Talos and Avast, this wasn't your run-of-the-mill hack but rather a seemingly sophisticated attack that targeted nearly two dozen large technology and telecommunication companies in the US, Germany, Japan, Taiwan and the UK.

    Analysis of the attackers' command-and-control server shows the operation had the hallmarks of an APT (Advanced Persistent Threat): it was built to deliver a second-stage payload only to selected machines. Server logs indicate that at least 20 machines across eight organizations were indeed served the secondary payload, although, as Avast notes, the logs only cover a period of about four days.

    The actual number of systems that received the secondary payload is likely in the order of hundreds, Avast indicates.

    High-profile targets included Intel, Microsoft, Sony, Akamai, Epson, MSI, Cisco, Linksys, Samsung and HTC, among others. According to Talos, the specific targets indicate a "very focused" attacker seeking valuable intellectual property.

    It was disclosed earlier this week that a signed version of CCleaner, a staple in the toolbox of many PC repair technicians and IT professionals, had been leveraged to deliver malware to unsuspecting victims. At the time, it seemed no different than any other malware attack, but we now know it was a supply-chain attack: the malicious build carried a valid signature and was distributed through the vendor's own download channel.

    Talos also recommends that, where possible, impacted users restore from a backup taken before the compromise or reimage the system, rather than simply removing the binary, to ensure the threat, including any second-stage payload, is removed.
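    The practical lesson of the paragraphs above is that a valid Authenticode signature, even from the vendor's own certificate, does not prove an installer is clean. The check below is an added example, not code from the article, Piriform or Avast: it layers a signature check, a pinned signing-certificate thumbprint and an out-of-band SHA-256 pin, and reports which layer a file fails. The installer name `ccsetup.exe`, the `$knownGood` hashes and the `$pinned` thumbprints are placeholders you must replace with values obtained independently of the download (a vendor advisory, your own golden image); they are not real values from this incident.

```powershell
# Added example, not the article's or the vendor's code.
# Assumptions: $KnownGood maps installer file names to SHA-256 hashes obtained out of band,
# $TrustedThumbprints lists signing-certificate thumbprints you have pinned. Placeholder values below.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $KnownGood,
        [Parameter(Mandatory)] [string[]]  $TrustedThumbprints
    )
    $result = [ordered]@{ Path = $Path; SignatureValid = $false; SignerPinned = $false; HashPinned = $false }

    # Layer 1: Authenticode chain validation. Catches unsigned or tampered binaries,
    # but NOT a binary signed with the vendor's own (misused or stolen) certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.Signer       = $sig.SignerCertificate.Subject
        # Layer 2: pin the expected signer thumbprint; blocks binaries signed by an unrelated cert.
        $result.SignerPinned = $TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint
    }

    # Layer 3: hash pin, independent of the PKI. This is the only layer that rejects
    # a correctly signed build that was nevertheless backdoored before signing.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.SHA256 = $hash
    $name = Split-Path -Leaf $Path
    $result.HashPinned = ($KnownGood.ContainsKey($name) -and ($KnownGood[$name] -eq $hash))  # -eq is case-insensitive

    $result.Verdict = if ($result.SignatureValid -and $result.SignerPinned -and $result.HashPinned) { 'TRUSTED' }
                      elseif ($result.SignatureValid) { 'SIGNED-BUT-UNPINNED' }
                      else { 'REJECT' }
    [pscustomobject]$result
}

# Usage with placeholder values (replace with hashes and thumbprints obtained out of band):
$knownGood = @{ 'ccsetup.exe' = '0000000000000000000000000000000000000000000000000000000000000000' }
$pinned    = @('0000000000000000000000000000000000000000')
Test-InstallerTrust -Path 'C:\Downloads\ccsetup.exe' -KnownGood $knownGood -TrustedThumbprints $pinned | Format-List
```

    Treat `SIGNED-BUT-UNPINNED` as a block, not a warning: in the incident described here the first two layers would have passed, and only the hash pin (or, after the fact, a hash blocklist published by the vendor) distinguishes the trojanised build from a clean one.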


  2. Uncle Al

    Uncle Al TS Evangelist Posts: 3,995   +2,477

    Considering all the "ho-hum" things that it does, I find it really hard to believe all these cutting edge companies would ever use or allow it to be used ..... If it is true, it serves them right!
  3. EClyde

    EClyde TS Evangelist Posts: 1,458   +508

    Your data is safe with us
  4. OutlawCecil

    OutlawCecil TS Maniac Posts: 398   +245

    I hate to be the grammar police but... "had been leveraged to delivery malware" ?
  5. Kenrick

    Kenrick TS Evangelist Posts: 627   +402

    The fact that the installer's signature was compromised and hosted in their own server is alarming.
  6. seeprime

    seeprime TS Maniac Posts: 211   +174

    Send Avast a thank you letter for letting this happen in, what I believe was, the first version released under their watch. Did they fire the QA department?
  7. misor

    misor TS Evangelist Posts: 1,305   +254

    From other websites reporting the 'attack', it seems only the 32-bit installer of ccleaner 3.33 is affected and not the 64-bit one. They were recommending upgrading to version 3.34 (3.35 as of yesterday, local time, Philippines).
  8. captaincranky

    captaincranky TechSpot Addict Posts: 13,646   +3,107

    I fixed that for ya!(y) But, who knows if staff will take the hint. They have deadlines, I don't.
  9. fadingfool

    fadingfool TS Booster Posts: 62   +71

    Unfortunately the installer contains both binaries, though I believe the malware is only installed on the 32-bit version. I had the 64-bit installed and MSE (or Defender or whatever it is now called) did recognise the installer as a risk, though only after the event. Whilst I may not be at immediate risk, a nice win10 reset clears out the cobwebs.
  10. R00sT3R

    R00sT3R TS Booster Posts: 48   +59

    This has Chinese state hackers written all over it.
  11. captaincranky

    captaincranky TechSpot Addict Posts: 13,646   +3,107

    Well it also says that "this was more than likely an inside job." Given the highly charged, sensitive, and public environment of business hiring practices in this day and age, you're liable to pick up a 'discrimination' lawsuit for turning someone of obvious Asian descent away. What's a poor multi-billion dollar company to do? :oops:
    Last edited: Sep 22, 2017
  12. roberthi

    roberthi TS Addict Posts: 291   +70

    Coming on the heels of an embargo and other restrictions upon North Korea. What are the chances they might be stealing something?
  13. gcarter

    gcarter TS Enthusiast Posts: 89   +25

    Meh! It gives the jobsworth ITSEC teams something to justify their petty existence!
