Back in September last year, it was reported that popular system-cleaning tool CCleaner had been compromised by attackers for over a month. Some details of the incident were unclear at the time, but Avast, which acquired maker Piriform last July, has now revealed more information about what happened.
The attack saw hackers modify a CCleaner update to include a backdoor. It was known that the tainted installer had been downloaded 2.27 million times worldwide, but how the attackers had managed it was not explained at the time.
The security firm's chief technology officer, Ondrej Vlcek, writes that the threat actors first accessed Piriform's network on March 11, 2017, four months before the company was taken over by Avast. Whoever was responsible used stolen credentials to log into a TeamViewer remote desktop account on a developer workstation.
"While we don't know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilized for another service, which may have been leaked, to access the TeamViewer account," he said.
The attackers installed the ShadowPad malware on two of the company's machines, then used its keylogging capability to harvest further credentials and extend their access to Piriform's systems. It wasn't until August 2 that the first contaminated download of CCleaner appeared.
"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded [on] a computer, observing a money transfer," explained Vlcek.
Of the 2.27 million downloads of the affected program, a second-stage payload was delivered to just 40 PCs, all of which belonged to technology and telecommunications companies. ShadowPad would have been a third stage beyond that. "We don't have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs," Vlcek said.
Vlcek said that for Avast, there are two key takeaways from the attack. "First, M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process."
“Second, the supply chain hasn’t been a key priority for businesses, but this needs to change. Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure.”