Top Tech Vendors Targeted by CCleaner Malware

Exterminator
Community Manager, thread author
A cyber-attack revealed this week which spread via popular performance optimization tool CCleaner was designed to target several major technology firms, it has emerged.

Updates from both Cisco Talos and Avast – the company which now owns CCleaner developer Piriform – explained that, contrary to initial impressions, a second stage payload was delivered from the C&C server.

Server logs indicate eight tech and telecoms firms received the payload, with potentially hundreds of machines infected – although only 20 were spotted during the three days logs were collected for, according to an update from Avast CEO, Vince Steckler and CTO Ondrej Vlcek.

The initial attack affected 2.27 million CCleaner customers, meaning the collateral damage was huge.

“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” said the duo.

Avast refused to name the targets publicly. However, a screenshot provided by Cisco Talos showed a number of domains that the attackers were looking to compromise, including ones linked to Sony, Microsoft, VMware, Vodafone, O2, Singtel, Linksys, Gmail, D-Link, Intel, Samsung, HTC and Cisco itself.

Cisco suggested this evidence reveals “a very focused actor after valuable intellectual property.”

The complex second-stage payload comes in two parts: the first contains the main business logic and is heavily obfuscated, using anti-debugging and anti-emulation techniques to stay hidden from security tools.

“Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on Wordpress, and 3) a DNS record of a domain get.adxxxxxx.net (name modified here),” explained Steckler and Vlcek.

“The second part of the payload is responsible for persistence… Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs.”

Affected users were urged not merely to remove CCleaner or update to the latest version, but to restore from backups or re-image systems to ensure that they completely remove both the backdoored CCleaner version and any other malware that may be on the system.
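The Avast write-up quoted above says the second stage located its next C&C through a GitHub account, a WordPress account and a DNS record. The script below is an added example, not code from the article, Avast or Cisco Talos: it hunts Sysmon DNS-query events for processes that are not expected resolvers looking up those public services. It assumes Sysmon is installed with DnsQuery logging enabled (Event ID 22); the direct-DNS domain is redacted in the source, so it is not matched here, and the list of expected processes is an assumption to be tuned per environment.

```powershell
# Added example, not from the article, Avast or Cisco Talos. Hunts Sysmon DNS-query
# events (Event ID 22) for processes other than expected resolvers looking up the public
# services the second-stage payload used to locate its C&C (GitHub, WordPress).
# Assumptions: Sysmon is installed with DnsQuery logging enabled; the third mechanism,
# the direct DNS record, is redacted in the write-up, so it is not matched here.

$Patterns = @('github.com', 'wordpress.com')
# Processes expected to resolve these hosts legitimately; tune for the environment.
$Expected = @('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe', 'git.exe', 'code.exe')

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = (Get-Date).AddDays(-3)   # Avast's server-log window was about three days
} -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $data.Image -or -not $data.QueryName) { continue }
    $proc = [System.IO.Path]::GetFileName($data.Image).ToLowerInvariant()
    if ($Expected -contains $proc) { continue }
    foreach ($p in $Patterns) {
        if ($data.QueryName -like "*$p") {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Process = $data.Image
                Query   = $data.QueryName
                Answer  = $data.QueryResults   # resolved addresses, useful for pivoting in proxy logs
            }
        }
    }
}

if ($Hits) { $Hits | Sort-Object Time | Format-Table -AutoSize }
else       { 'No unexpected lookups of the watched hosts in the window.' }
```

Any hit is a lead, not a verdict: package managers, IDE plugins and updaters also talk to GitHub, so the next step is to check the process path and its parent against what the host is supposed to be running.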
 

ForgottenSeer 58943

Where in that did you see consumers? It was targeted against specific enterprises.

Maybe re-read what I said and you will understand. Basically, early on, most people seemed to think it was a consumer issue. I pointed out, explicitly, that it was most likely an enterprise/corporate issue more than anything, although consumers would be collateral damage. I work in IT Security, I see APTs pretty regularly. There is no way someone went to this trouble so they could find out more about Aunt Sue's network. Although Aunt Sue might be collateral damage. :cry:

Get this crap off your systems IMO. Avast would be wise to discontinue CCleaner after this IMO. Maybe rebrand it later or integrate it into their suite.

$100 bet the time frame involved here is much greater than stated as well.
 

Peter2150

I see what you mean, but disagree with your advice. I think you are still running Microsoft, and based on stuff they've done should take the same advice. But not realistic.
 

ForgottenSeer 58943

IMO this is a classic example of threat surface reduction being of huge importance.

The fewer processes, applications and services running on a system, the more secure it is. The less network activity traversing the WAN, the more secure your network is. Generally speaking. As @Umbra noted he runs CCleaner portable, with precautions. His threat surface is much lower than someone using an installed CCleaner and FAR FAR lower than someone running the cloud version of CCleaner.

My server engineers here at work go insane if they find third party tools and other installs on servers. 'You installed WHAT on my server!'.. LOL. The reason is threat surface and risk reduction. I suggest folks should focus on keeping what they don't absolutely need off of their systems and reducing the telemetry/activity of what they do need installed. This is often ignored by security neophytes that install endless programs, tools and applications on systems not realizing their exposure and risk increases with each one.

Sure, I run Windows. I've been increasingly moving to more obscure OS and File Systems as time permits. But for Windows, I Pi-Hole all of the tracking/telemetry IP/Domains so I am not overly exposed. I have cameras at home, those cameras have UPnP disabled and are blocked from WAN traversal, they can only talk to my security server, which can only reach the internet via my VPN (Appliance, not consumer grade vpn service).

Seriously, do you REALLY need a cleaning program installed, running and updating itself 24/7? Do you really need Java installed? How about .NET? Does Steam need to really launch with Windows or only when you play a game? Does your AV really need to be cloud based and sending insane telemetry out?
 
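The post above argues for keeping unneeded software, auto-starts and outbound chatter off a system. The script below is an added example, not something from the thread or from any poster: it inventories what auto-starts, which auto-start services run from outside the Windows directory, which non-Microsoft scheduled tasks are enabled, and which processes currently hold connections to non-private addresses, so the "do you really need this?" question can be answered from data. It assumes Windows 8 / Server 2012 or later, where Get-ScheduledTask and Get-NetTCPConnection exist, and an elevated session for full process paths.

```powershell
# Added example, not from the thread. Inventories auto-starts, third-party auto services,
# enabled non-Microsoft scheduled tasks and processes with outbound connections.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks and NetTCPIP modules).

function Get-AttackSurfaceReport {
    $report = [ordered]@{}

    # Run keys and Startup folders, as Windows itself enumerates them
    $report.Startup = Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User

    # Auto-start services whose binary lives outside the Windows directory
    $report.ThirdPartyServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "*$env:SystemRoot*" } |
        Select-Object Name, State, PathName

    # Enabled scheduled tasks outside the \Microsoft\ tree (updaters, telemetry, launchers)
    $report.Tasks = Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath,
            @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object Execute) -join '; ' } }

    # Established TCP connections to non-private addresses, mapped to the owning process
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
    $report.Outbound = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $p.ProcessName
                Path    = $p.Path          # null for protected processes without elevation
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            }
        } | Sort-Object Process, Remote -Unique

    [pscustomobject]$report
}

$r = Get-AttackSurfaceReport
foreach ($section in $r.PSObject.Properties) {
    "`n== $($section.Name) =="
    $section.Value | Format-Table -AutoSize | Out-String -Width 200
}
```

Run it once to get a baseline, save the output, and diff against it after each new install; anything that shows up in Startup, Tasks or Outbound that the user did not consciously ask for is a candidate for removal or for a firewall/Pi-hole rule.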

Peter2150

Don't disagree on a lot of this. CCleaner runs on demand only, and only updates when I want it to. Don't have Java. Unfortunately can't escape .NET, although I have some of it neutered. I have Steam but only on demand, and my AV is EAM. Not cloud based.
 

ForgottenSeer 58943

The MSP I am an engineer at has 33K endpoints/servers.

I've just ordered a blacklist of Piriform/CCleaner products. I had the blacklist command issued and a script for global quiet uninstall of their products. We don't support or authorize Piriform products and never have, however people still have the capability to install stuff. So this is a precaution as we've seen systems with it installed.
 
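The MSP post above describes a blacklist plus a script for global quiet uninstall of Piriform products, and the opening post carries Avast's guidance that uninstalling alone is not remediation for a host that ran the backdoored build. The script below is an added example, not the MSP's own script: it enumerates Piriform/CCleaner entries from the Add/Remove Programs registry keys (64-bit, 32-bit and per-user), reports them, and only uninstalls when explicitly called, supporting -WhatIf. It assumes that where no QuietUninstallString is registered, the uninstaller accepts the NSIS-style /S silent switch, which is an assumption about CCleaner's historical installer rather than something the thread states.

```powershell
# Added example, not the MSP's script. Finds Piriform/CCleaner products in the
# Uninstall registry keys and, only when Remove-PiriformProduct is called, runs their
# quiet uninstallers. Assumption: uninstallers without a registered QuietUninstallString
# accept the NSIS-style /S switch.

function Get-PiriformProduct {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like 'Piriform*' -or $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation,
                      UninstallString, QuietUninstallString, PSPath
}

function Remove-PiriformProduct {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in Get-PiriformProduct) {
        # Prefer the vendor's quiet string; otherwise append /S (assumption, see above).
        $cmd = if ($p.QuietUninstallString) { $p.QuietUninstallString }
               elseif ($p.UninstallString)  { "$($p.UninstallString) /S" }
               else                         { $null }
        if (-not $cmd) { Write-Warning "No uninstall string for $($p.DisplayName)"; continue }
        if ($PSCmdlet.ShouldProcess($p.DisplayName, "Run: $cmd")) {
            # cmd /c handles the quoted path plus switch; wait so the RMM job gets a clean exit
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$cmd`"" -Wait -NoNewWindow
        }
    }
}

# Default run is report-only; preview with Remove-PiriformProduct -WhatIf before removing.
Get-PiriformProduct | Format-Table DisplayName, DisplayVersion, Publisher, InstallLocation -AutoSize
```

Keep the report output per host: the DisplayVersion and InstallLocation are what you need to decide which machines ran a backdoored build and therefore go to the restore-from-backup or re-image queue rather than just the uninstall queue.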
