CCleaner supply chain malware targeted tech giants

Malware that piggybacked on CCleaner, a popular free software tool for optimizing system performance on PCs, appears to have specifically targeted high profile technology companies and may have been an effort to harvest IP — perhaps for commercial or state-level surveillance.

In an update on its investigation into the malware, which was revealed to have infected 2.27M users of CCleaner earlier this week, Avast, the security company which owns the London-based developer of the software, said the attack was an APT (advanced persistent threat) program that specifically targeted large technology and telecoms companies.

So while the malware infected an overall total of 2.27M PCs between August 12-15, 2017 and September 12-15, 2017 — using CCleaner version 5.33.6162 as its distribution vehicle — the attackers behind it appear to have been interested in only a specific subset of PC users working for tech companies.

Avast hasn’t published the names of specific companies targeted by the malware for, it says, “privacy reasons” — but says companies in Japan, Taiwan, the UK, Germany and the US were targeted.

Technology companies specifically targeted

Meanwhile security researchers at Cisco Talos, who are also analyzing the CCleaner malware (using a digital copy of the attackers’ server passed to them by an unnamed source, and which it says it has verified to its own satisfaction), and publishing rather more detail as they do so — have revealed the below list of company domains which were apparently specifically targeted for delivery of the malware’s second-stage payload.


The list apparently includes mobile makers Samsung, HTC and Sony, as well as telcos Singtel, Vodafone and O2, plus technology companies Cisco, Intel, VMware, Google and Microsoft. Also listed are: Linksys, Epson, MSI, Dlink and Akamai.

There’s also, rather chillingly, a distributor of security solutions, such as CCTV, alarm and door access systems.

One domain in the list not obviously targeting a technology business, per se, belongs to gambling company Gauselmann.


Cisco Talos’ researchers take the view that the targeting of “high-profile technology companies” suggests “a very focused actor after valuable intellectual property”.

They sum up their analysis as follows: “[A] fairly sophisticated attacker developed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks.”

In its assessment of the second stage payload — i.e. the part intended for the select tech targets — Avast describes the malware as a “relatively complex piece of code”, noting it is “heavily obfuscated and uses a number of anti-debugging and anti-emulation tricks”.

One part of the malicious code connects to an external server controlled by the attackers, while Avast notes that the structure of another component allows it to piggyback on other vendors’ code by “injecting the malicious functionality into legitimate DLLs” — describing such techniques as further evidence of the attacker’s “high level of sophistication”.


According to Cisco Talos’ analysis, the malware collected system information from infected machines — including OS version information, architecture information, whether the user has administrative rights, as well as the hostname and domain name associated with the systems — and used this intel to determine how to handle those hosts.

They also describe this system profiling as “rather aggressive”, noting that it also included “specific information such as a list of software installed on the machine and all current running processes on the machine”.

“During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It’s quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign,” they add, further noting compromised machines would share a list of installed programs, and a process list.

“When combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetected and stable on a given system,” they conclude.

They also make a point of demonstrating that the hackers could have used the same supply chain malware attack to target other types of companies and organizations, noting that an analysis of the server database shows 540 infected systems attached to a domain containing “.gov” while 51 infected systems came from domains containing the string “bank”, and adding: “This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further illustrates the severity and potential impact of this attack.”


Avast is still recommending that consumer users of CCleaner upgrade to the latest version (“now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33”) — and use a “quality antivirus product”.

But for corporate users it concedes “the decision may be different and will likely depend on corporate IT policies”.

“At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted,” it adds.

However Cisco Talos says that, in its view, those impacted by the attack “should not simply remove the affected version of CCleaner or update to the latest version but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system”.
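A first step toward acting on that advice is knowing which hosts actually carry the backdoored build. The following triage script is an added example (not from the article, Avast or Cisco Talos); it assumes CCleaner sits in its default install folder and that the version numbers the article names (5.33.6162 backdoored, 5.35 first clean release) are what the binary reports.

```powershell
# Added example: classify a Windows host's CCleaner install against the
# versions named in the article. Install paths are assumed defaults.
$CandidatePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Get-CCleanerTriage {
    param([string[]]$Paths = $CandidatePaths)
    $results = foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi  = (Get-Item -LiteralPath $p).VersionInfo
        # Assumption: the build number 6162 may sit in either the build or
        # the private part of the PE version resource, so check both.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $isBackdoored = ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33 -and
                         ($vi.FileBuildPart -eq 6162 -or $vi.FilePrivatePart -eq 6162))
        $verdict = if ($isBackdoored) { 'BACKDOORED-5.33.6162' }
                   elseif ($ver -lt [version]'5.35') { 'BELOW-FIXED-VERSION' }
                   else { 'OK' }
        # Secondary signal: the certificate that signed 5.33 was revoked, so
        # the Authenticode status and signer subject are worth recording.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Path      = $p
            Version   = $ver.ToString()
            Verdict   = $verdict
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
    if (-not $results) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Path = $null; Version = $null
                                  Verdict = 'NOT-INSTALLED'; SigStatus = $null; Signer = $null }
    }
    $results
}

# One row per binary found; BACKDOORED hosts are reimage candidates, not
# merely upgrade candidates, per the Cisco Talos guidance above.
Get-CCleanerTriage | Format-Table -AutoSize
```

Run it under a fleet management tool or via Invoke-Command and collect the objects centrally so the BACKDOORED and BELOW-FIXED-VERSION verdicts can be tracked to closure.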
