The threat actors behind the malware embedded in CCleaner have targeted large technology firms for their intellectual property.
According to the security team at Cisco Systems, Cisco was only one of many companies the attackers attempted to compromise; Microsoft, Samsung, HTC, Sony, and Intel, among others, were also potentially at risk.
The CCleaner breach, disclosed earlier this week, involved attackers inserting malware into an official build of the software, so that the tainted installer carried a valid Piriform code-signing certificate and was distributed through the vendor’s normal download channels. It is estimated that the tainted version of the popular Windows and Android system-cleaning utility was downloaded roughly 2.27 million times, or by up to three percent of its users.
Piriform, the maker of CCleaner, was snapped up by Avast in July this year. Avast believes the compromise of Piriform’s build began before the buyout was complete.
The affected releases are CCleaner 5.33.6162, the 32-bit Windows build released on 15 August, and CCleaner Cloud 1.07.3191, released on 24 August.
“The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack,” Avast said earlier this week. “In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome.”
The malware’s command-and-control (C&C) server was taken down once the threat was detected; however, Cisco said late on Wednesday that this is not the end of the story.
According to the Cisco Talos security team, the C&C server’s records include a payload deployment list naming the organizations “specifically targeted through delivery of a second-stage loader.”
Based on a review of the C&C’s tracking database, which covers only four days in September, at least 20 victim machines at these companies were queued to receive the secondary payload.
“This would suggest a very focused actor after valuable intellectual property,” the team says. “These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor.”
The C&C server hosted PHP files that handled communication between infected PCs and the operators. The server ran a series of checks intended to frustrate analysis by security researchers, and it collected information from each infected system, including the OS version, the architecture, and whether the user held administrative rights. This information was stored in a SQL database.
If a system met the operators’ criteria, the second-stage payload was delivered to install a backdoor, giving the attackers a foothold from which to steal information and spy on the targeted companies.
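To make the second-stage selection concrete, the following is an added example written for this article; it is not code from Cisco, Avast or the attackers. The real tracking-database schema is not described here, so the table layout, the match on the victim machine’s domain suffix, and the requirement for administrative rights are assumptions, and the beacon rows are constructed. The script loads a tiny stand-in for the recovered C&C database into SQLite and reproduces the kind of review Talos describes: which beaconing hosts fall inside the targeted organizations and would have been queued for the second-stage loader.

```python
import sqlite3
from collections import Counter

# Constructed sample of what a recovered C&C tracking database might hold.
# Columns are assumed: (host, domain, os_version, arch, is_admin).
SAMPLE_BEACONS = [
    ("ws-0412", "corp.example-tech.test", "6.1", "x86", 1),
    ("ws-0977", "corp.example-tech.test", "10.0", "x64", 0),
    ("home-pc", "WORKGROUP", "10.0", "x64", 1),
    ("dev-03", "eng.example-chipmaker.test", "6.3", "x64", 1),
    ("lab-17", "lab.example-chipmaker.test", "10.0", "x86", 1),
    ("kiosk-1", "notexample-tech.test", "10.0", "x64", 1),  # lookalike, must NOT match
    ("laptop", "WORKGROUP", "6.1", "x86", 1),
]

# Constructed stand-in for the operators' list of organizations of interest.
TARGET_DOMAINS = ["example-tech.test", "example-chipmaker.test"]


def load_tracking_db(rows=SAMPLE_BEACONS):
    """Build an in-memory SQLite copy of the (assumed) beacon table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE beacons ("
        "host TEXT, domain TEXT, os_version TEXT, arch TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO beacons VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def in_target_org(domain, target_domains):
    """Return the matching target domain, or None.

    Matching is done on a label boundary (exact match or '.' + suffix), so a
    lookalike such as 'notexample-tech.test' does not match 'example-tech.test'.
    """
    d = domain.lower().rstrip(".")
    for t in target_domains:
        t = t.lower()
        if d == t or d.endswith("." + t):
            return t
    return None


def second_stage_candidates(conn, target_domains=TARGET_DOMAINS, require_admin=True):
    """List beaconing hosts that meet the (assumed) second-stage criteria."""
    cur = conn.execute("SELECT host, domain, os_version, arch, is_admin FROM beacons")
    candidates = []
    for host, domain, os_version, arch, is_admin in cur:
        org = in_target_org(domain, target_domains)
        if org is None:
            continue  # not in a targeted organization: left at stage one
        if require_admin and not is_admin:
            continue  # assumed requirement: second stage only on admin sessions
        candidates.append(
            {"host": host, "org": org, "os_version": os_version, "arch": arch}
        )
    return candidates


def summarize_by_org(candidates):
    """Count queued machines per targeted organization."""
    return dict(Counter(c["org"] for c in candidates))


if __name__ == "__main__":
    conn = load_tracking_db()
    queued = second_stage_candidates(conn)
    for c in queued:
        print(f"{c['host']:8} {c['org']:24} {c['os_version']:5} {c['arch']}")
    print(summarize_by_org(queued))
```

The label-boundary check in `in_target_org` is the detail worth keeping when doing this kind of review for real: a naive `LIKE '%example-tech.test'` over the domain column would also pull in unrelated lookalike domains and inflate the victim count.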
“The web server also contains a second PHP file (init.php) that defines core variables and operations used,” Cisco says. “Interestingly, this configuration specifies “PRC” as the time zone, which corresponds with People’s Republic of China (PRC). It’s important to note that this cannot be relied on for attribution.”
No damage has been confirmed so far, but the instructions found on the C&C server show the breach is more serious than first believed. Delivering malware inside a seemingly innocuous piece of software is a clever way to reach high-profile targets, and the selective follow-up against these organizations suggests the general public was never the true focus of the campaign.
While Avast has recommended that consumers remove the tainted version and update to a clean release, Cisco has gone further in its recommendations to companies that may have been affected.
“Those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” the company said.
Avast has published additional findings on the situation.
In a blog post, the security firm said 20 machines in a total of eight companies were targeted, “but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds.”
“This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered,” Avast added.
In addition, the security firm characterises the operation as a “typical” watering hole attack: the vast majority of infected users were of no interest to the attackers, while the selected few received a second stage that deployed malicious DLLs designed to graft malicious functionality onto legitimate system DLLs.