CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

from the good-luck-out-there dept

At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

Cisco's researchers say they obtained a copy of the hackers' command-and-control server from an unnamed source. That server contained detailed logs of the 700,000 or so computers that had "phoned home" to the hackers earlier this month. Subsequent investigation has concluded that the hackers didn't really care about most of the infected customers, and that this may have been a sophisticated state-sponsored attack specifically designed access and copy internal information and trade secrets from major tech firms:

"That target list presents a new wrinkle in the unfolding analysis of the CCleaner attack, one that shifts it from what might have otherwise been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015."

One configuration file on the attackers' server was also set for China's time zone, though of course neither of these are enough solid evidence to definitively conclude state-sponsored involvement... yet. In an updated post to its website, Avast has been forced to concede that their initial claim that the second, multi-staged payload was never delivered was false, and that the total number of compromised machines at these targeted companies is "at least in the order of hundreds":

"First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered."

Cisco also warned impacted tech companies that deleting the software itself off of infected PCs is no guarantee that the threat has been mitigated, since the payload may have installed a second payload on their networks with its own, still-active command and control server. Like previous attacks of this type, the reported scope of the sophisticated attack is likely to only grow as researchers dig deeper.

As several outlets were quick to correctly note the attack on CCleaner highlights a supply-side security problem at a growing number of software companies like Ukrainian accounting software MeDoc and South Korea-based firm Netsarang, which both passed on malware to trusting clients in the last few months. Traditionally we've comforted ourselves by insisting we're safe if we just avoid untrusted app stores, dubious attachments, or questionable links -- but this attack further up the software supply chain erodes public trust, which could deter users from using or updating essential protection.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ccleaner, corporate espionage, espionage, hacks, malware, piggybacking
Companies: avast, cisco

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Rob, 22 Sep 2017 @ 9:20am

    Re: Re: Re: Re:

    The server that was compromised was the build server, not the update server.

    The only thing your proposal would've changed is that the bad update would've been presented by several sources.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.