
Malware hidden in CCleaner targeted tech firms

Major tech firms were targeted by malware hidden in Avast’s Piriform CCleaner software, researchers have found, leading to speculation that it may have been a state-sponsored espionage attack

Several major technology companies were targeted by malicious code injected into Avast-owned Piriform CCleaner software prior to release in a supply chain compromise.

Earlier this week, Piriform said only the 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been affected.

The company said it had resolved the problem quickly and believed no harm was done to any of its users because the command and control (CC) server had been shut down and there was no indication the malicious code had been executed, but researchers have since found otherwise.

According to researchers at Avast and Cisco Talos, the malware was delivered successfully to 20 select targets among the 700,000 computers that appear to have been infected.

“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” Avast researchers said.

However, they said that because the CC log data has been recovered for only 3 of the 31 days the CCleaner backdoor was active, the total number of infected computers is “likely at least in the order of hundreds”.

Cisco Talos CC server data shows that targeted organisations included Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

Another four domains belonging to “two more companies” were also targeted, according to the latest Avast blog post, but researchers said they did not want to disclose the names of these companies as they were potentially subjected to the attack.

All companies believed to have been exposed to the malware payload have been notified, the Avast researchers said.

Although the Avast researchers have not named the attackers, their investigations so far have identified similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese advanced persistent threat (APT) group in 2014 and 2015.

“Some of the functions are almost identical, while other functions have a partial match, but the structure is overall very similar,” the Avast researchers said.

They also noted that while the list of targeted companies included several Asian companies, there were none from China, and the time zone in the PHP scripts feeding the database was set to the People’s Republic of China (PRC).


However, even with all these clues, the researchers said: “It is impossible at this stage to claim which country the attack originated from, simply because all the data points could easily be forged to hide the true location of the perpetrator.”

The investigation into the supply chain attack and hunt for the perpetrators continues, according to Avast researchers.

“In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with good security software, to ensure no other threats are lurking on their PC,” they said.

The Cisco Talos research team is advising all those who downloaded the compromised versions of CCleaner to wipe their computers.

“Because the malware remains present, even after users update the CCleaner software, affected users should remove and reinstall everything on the machine and restore files and data from a backup made before 15 August,” they said.

The Cisco Talos researchers believe it is critical to remove the compromised version of the CCleaner software and associated malware, because its structure means it has the ability to hide on the user’s system and call out to check for new malware updates for up to a year.
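The two pieces of guidance above (Piriform's list of affected builds and Cisco Talos's advice to reimage and restore from a backup made before 15 August) translate into a simple inventory triage an incident responder can run over an endpoint-management export. The following is an added example written for this article, not code from Avast, Piriform or Cisco Talos; the inventory records and the later version string "5.40.0000" are constructed for illustration. Because the Talos team notes the malware persists after CCleaner is updated, the check looks at every version a host has ever reported, not just the one currently installed.

```python
"""Triage a software inventory for the CCleaner builds named as compromised.

Added example for illustration; not code from Avast, Piriform or Cisco Talos.
Inventory records below are constructed. In practice they would come from an
endpoint-management or asset-inventory export with version history per host.
"""
from dataclasses import dataclass, field
from datetime import date

# Affected builds as stated by Piriform: (product, version tuple, architecture).
AFFECTED = {
    ("CCleaner", (5, 33, 6162), "x86"),
    ("CCleaner Cloud", (1, 7, 3191), "x86"),
}

# Cisco Talos advice: restore data only from a backup taken before this date.
BACKUP_CUTOFF = date(2017, 8, 15)


@dataclass
class HostRecord:
    host: str
    product: str
    arch: str                       # "x86" or "x64"
    versions_seen: list             # every version this host has ever reported
    last_clean_backup: date         # most recent backup available for the host


def parse_version(v: str) -> tuple:
    """'1.07.3191' -> (1, 7, 3191); leading zeros are not significant."""
    return tuple(int(part) for part in v.split("."))


def triage(rec: HostRecord) -> dict:
    """Decide whether a host was ever exposed and what to do about it."""
    exposed = any(
        (rec.product, parse_version(v), rec.arch) in AFFECTED
        for v in rec.versions_seen
    )
    if not exposed:
        return {"host": rec.host, "affected": False, "action": "none"}

    # Updating CCleaner alone does not remove the dropped malware, so the
    # host is rebuilt regardless of which version it currently reports.
    if rec.last_clean_backup < BACKUP_CUTOFF:
        action = "reimage; restore from backup dated " + rec.last_clean_backup.isoformat()
    else:
        action = "reimage; no pre-cutoff backup, restore data only after review"
    return {"host": rec.host, "affected": True, "action": action}


# Constructed sample inventory (hostnames, dates and the 5.40.0000 build are made up).
INVENTORY = [
    HostRecord("ws-01", "CCleaner", "x86", ["5.33.6162"], date(2017, 8, 10)),
    HostRecord("ws-02", "CCleaner", "x64", ["5.33.6162"], date(2017, 8, 10)),   # 64-bit build not affected
    HostRecord("ws-03", "CCleaner Cloud", "x86", ["1.07.3191"], date(2017, 9, 1)),
    HostRecord("ws-04", "CCleaner", "x86", ["5.40.0000"], date(2017, 8, 10)),   # never ran the bad build
    HostRecord("ws-05", "CCleaner", "x86", ["5.33.6162", "5.40.0000"], date(2017, 8, 1)),  # updated, still exposed
]


def triage_all(records=INVENTORY) -> list:
    return [triage(r) for r in records]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The version-history check is the important design choice: a point-in-time inventory that only shows the current version would clear ws-05, which updated after installing the compromised build and, per the Talos finding, may still carry the backdoor.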

The CCleaner compromise has once again highlighted the security problem of supply chain compromise.

“Supply chain attacks are a very effective way to distribute malicious software into target organisations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer,” the Cisco Talos research team said in a blog post.

In June 2017, Microsoft confirmed that, in some cases, NotPetya hijacked the auto update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit.
