CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

from the good-luck-out-there dept

At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

Cisco's researchers say they obtained a copy of the hackers' command-and-control server from an unnamed source. That server contained detailed logs of the 700,000 or so computers that had "phoned home" to the hackers earlier this month. Subsequent investigation has concluded that the hackers didn't really care about most of the infected customers, and that this may have been a sophisticated state-sponsored attack specifically designed to access and copy internal information and trade secrets from major tech firms:

"That target list presents a new wrinkle in the unfolding analysis of the CCleaner attack, one that shifts it from what might have otherwise been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015."

One configuration file on the attackers' server was also set for China's time zone, though of course neither of these is solid enough evidence to definitively conclude state-sponsored involvement... yet. In an updated post to its website, Avast has been forced to concede that its initial claim that the second, multi-stage payload was never delivered was false, and that the total number of compromised machines at these targeted companies is "at least in the order of hundreds":

"First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered."

Cisco also warned impacted tech companies that deleting the software from infected PCs is no guarantee that the threat has been mitigated, since the delivered payload may have installed a further payload on their networks with its own, still-active command-and-control server. As with previous attacks of this type, the reported scope of the attack is likely to only grow as researchers dig deeper.

As several outlets were quick to correctly note, the attack on CCleaner highlights a supply-side security problem at a growing number of software companies, like the Ukrainian accounting software maker MeDoc and the South Korea-based firm Netsarang, which both passed on malware to trusting clients in the last few months. Traditionally we've comforted ourselves by insisting we're safe if we just avoid untrusted app stores, dubious attachments, or questionable links -- but this attack further up the software supply chain erodes public trust, which could deter users from using or updating essential protection.


Reader Comments



  • PlagueSD (profile), 21 Sep 2017 @ 3:51pm

    This is why ad blockers are important. Just another layer of protection from compromised sites.

  • MyNameHere (profile), 21 Sep 2017 @ 5:38pm

    Yup, because we know there is no such thing as cyber warfare, right?

    • Anonymous Coward, 21 Sep 2017 @ 9:18pm

      Re:

      And your solution is to trust the NSA?

    • Anonymous Coward, 22 Sep 2017 @ 6:19am

      Re:

      You can have cyber espionage and cyber sabotage as components of full-spectrum warfare, but you cannot fight a war between nations strictly online. At a certain point, war includes physical contact, which is not possible in cyberspace. You can pwn a server, but whoever has physical access to that still wins that battle.

      The role of espionage and sabotage as aspects of non-combat, non-diplomatic conflict are mostly understood in international law; just because it happened online doesn't mean it is something completely new.

      While both detection and attribution become more difficult online, this situation is not far removed from the US placing cameras in the copy machines sold to the Soviet government.

  • Anonymous Coward, 21 Sep 2017 @ 5:47pm

    I feel somewhat comforted that this attack was focused on high profile targets and that most of us were probably totally off the hackers' radar.

    However, I still got rid of CCleaner and did what I was told on r/techsupport to properly remove most malware. Even though I'm 99% sure I had the 64-bit version installed and possibly not even the infected version number (I forgot to check, I uninstalled it so fast), I'm still feeling particularly paranoid. Is there anything to do short of reformatting the hard drive that would make me close to as safe as just buying a new computer?

    • Anonymous Coward, 21 Sep 2017 @ 5:50pm

      Re:

      Install Gentoo.

    • Anonymous Coward, 21 Sep 2017 @ 6:13pm

      Re:

      Save any data files you've recently created or edited, and then roll back to a saved version of your system prior to August 15, 2017.

      • Anonymous Coward, 22 Sep 2017 @ 10:29am

        Re: Re:

        "Roll back" meaning what? Any built-in rollback facility could be compromised, which would require a full reinstall at minimum; if we're talking about important computers at Cisco, they'll want to verify the BIOS chip too. And make sure those "data files you've recently created or edited" aren't going to re-infect the new system when you put them back.

  • Anonymous Coward, 21 Sep 2017 @ 9:24pm

    State sponsored or not, it looks very poorly targeted. Looking at the first three companies mentioned: Intel, Google, Microsoft. Intel have their own security software. Google don't use Windows and do security research. Microsoft have their own security software and should understand their OS better than any other.

    While I can see some of these companies using Avast for benchmarking or comparison, I can't see a valid reason for any of them using CCleaner for general use. Looks more like a spray and pray approach, hoping that someone would download and use CCleaner so as to gain a foothold.

    • Ninja (profile), 22 Sep 2017 @ 6:11am

      Re:

      And it worked. I don't know what would be the value of having access to the inner works of Google. I mean, they have no data on billions of people at all!

    • Anonymous Coward, 22 Sep 2017 @ 10:33am

      Re:

      Google don't use Windows

      They do. They release software that's meant to run on Windows, which means they have Windows (somewhere) to test it on.

      Microsoft have their own security software and should understand their OS better than any other.

      "should", yes, but the history of software security flaws shows otherwise. (If a software author fully understood their software, it would be bug-free.)

      And keep in mind these C&C logs showed the computers that were compromised, not those they wished to compromise.

  • Eldakka (profile), 21 Sep 2017 @ 10:50pm

    Traditionally we've comforted ourselves by insisting we're safe if we just avoid untrusted app stores, dubious attachments, or questionable links -- but this attack further up the software supply chain erodes public trust, which could deter users from using or updating essential protection.

    I've never believed this, but then again I work in IT so perhaps am more skeptical of the claims made by the industry.

    I've always believed the greatest risk to security are the auto-update mechanisms in applications - browsers, the operating system itself (e.g. Windows) and so on. An attacker just needs to compromise one system, as in this case, and millions can be infected using a program they've used for years, if not decades.

    • Ninja (profile), 22 Sep 2017 @ 6:10am

      Re:

      While I do agree with you, it's easier to keep these update systems in good security shape with all the latest security patches than leaving millions of not so savvy users to update by themselves. Pro-tip: they won't update. Auto-update is still the best approach.

      I would argue for a decentralized system in some sort of blockchain configuration to distribute updates, which could be used by smaller players, for instance. The update would only be delivered after the developer authenticated the new hashes, files and certificates with each part of the network. Of course I'm speculating here, so there might be safer, better ways, but we do need better solutions.

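
      The update-verification idea in the two comments above (a developer publishes hashes and a signature, and the client refuses any update that does not check out), written out as an added example; this is not code from Techdirt or from any commenter, and it is not Avast's or Piriform's update mechanism. It assumes a release is a set of files plus a JSON manifest of SHA-256 digests, signed with the publisher's Ed25519 key, whose public key the client already has pinned; the file names, file contents, version string and manifest format are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in a release with its hex SHA-256 digest.
// Constructed format for this example, not any vendor's real one.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignManifest runs on the publisher's side. encoding/json writes map keys
// in sorted order, so publisher and client sign and verify identical bytes.
func SignManifest(m Manifest, priv ed25519.PrivateKey) ([]byte, error) {
	doc, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, doc), nil
}

// VerifyRelease runs on the client before anything is executed: signature
// over the manifest first, then every downloaded file against its digest,
// then a check that nothing arrived which the manifest does not list.
func VerifyRelease(m Manifest, sig []byte, pub ed25519.PublicKey, files map[string][]byte) error {
	doc, err := json.Marshal(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, doc, sig) {
		return errors.New("manifest signature invalid")
	}
	for name, want := range m.Files {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not downloaded", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: digest mismatch", name)
		}
	}
	for name := range files {
		if _, ok := m.Files[name]; !ok {
			return fmt.Errorf("%s: downloaded but not in manifest", name)
		}
	}
	return nil
}

// Demo runs three cases: the clean release (accepted); an installer swapped
// on the download server after signing (rejected on digest); and a manifest
// edited to match the swapped installer (rejected on signature, since the
// attacker holds no signing key). Returns whether each case behaved as expected.
func Demo() (cleanOK, swapRejected, editRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed release contents standing in for real installer bytes.
	files := map[string][]byte{
		"installer.exe": []byte("example installer bytes"),
		"README.txt":    []byte("example readme"),
	}
	m := Manifest{Version: "1.0-example", Files: map[string]string{}}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	sig, err := SignManifest(m, priv)
	if err != nil {
		panic(err)
	}
	cleanOK = VerifyRelease(m, sig, pub, files) == nil

	swapped := map[string][]byte{
		"installer.exe": []byte("example installer bytes plus implant"),
		"README.txt":    files["README.txt"],
	}
	swapRejected = VerifyRelease(m, sig, pub, swapped) != nil

	edited := Manifest{Version: m.Version, Files: map[string]string{}}
	for k, v := range m.Files {
		edited.Files[k] = v
	}
	sum := sha256.Sum256(swapped["installer.exe"])
	edited.Files["installer.exe"] = hex.EncodeToString(sum[:])
	editRejected = VerifyRelease(edited, sig, pub, swapped) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

      Running `main` prints `true true true`. The caveat the article itself supplies is where this check stops: it protects the path from publisher to user, but in the CCleaner case the intruder was on the vendor's own servers and the payload was embedded in the build, so a publisher whose signing key sits on the compromised machine signs the tainted files. The key therefore has to live off the build and download servers, and the comment's suggestion of having several independent parties attest the hashes is one way to make a single compromised system insufficient.
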

  • Anonymous Coward, 22 Sep 2017 @ 5:32am

    Proprietary software...

    • Ninja (profile), 22 Sep 2017 @ 6:05am

      Re:

      It has happened on open source before. To the best of my knowledge, the only full auditing conducted on any software out there was on Truecrypt once the original team shut things down. Sure, it's easier to find this stuff, but there isn't much comprehensive auditing going on out there that I'm aware of.

      • Anonymous Coward, 22 Sep 2017 @ 10:36am

        Re: Re:

        To the best of my knowledge, the only full auditing conducted on any software out there was on Truecrypt once the original team shut things down.

        That was a good audit but hardly "full". Similar audits, and better audits, have been done on other open-source software. seL4 was formally proven correct, for example (under certain assumptions, if the model was correctly specified).

  • Anonymous Coward, 22 Sep 2017 @ 7:06am

    linksys

    linksys was one of the domains they went after.

    IIRC, linksys is the default domain you get when you are connected to a linksys router.

    I'm thinking they were going after everything they thought was valuable or knew they could compromise. I think it's a stretch to say those companies were specifically targeted. More like the hackers were hoping to get lucky.

  • Anonymous Coward, 22 Sep 2017 @ 7:27am

    Funny how Apple is not on the list of targets?

  • orbitalinsertion (profile), 22 Sep 2017 @ 2:56pm

    In other news, I had no idea that Avast had bought Piriform just a few months ago. Interesting.
