Several major technology companies were targeted by malicious code injected into Avast-owned Piriform CCleaner software prior to release in a supply chain compromise.
Earlier this week, Piriform said only the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud had been affected.
The company said it had resolved the problem quickly and believed no harm was done to any of its users because the command and control (CC) server had been shut down and there was no indication the malicious code had been executed, but researchers have since found otherwise.
According to researchers at Avast and Cisco Talos, the malware was delivered successfully to 20 select targets among the 700,000 computers that appear to have been infected.
“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” Avast researchers said.
However, they said that because the CC log data has been recovered for only 3 of the 31 days the CCleaner backdoor was active, the total number of infected computers is “likely at least in the order of hundreds”.
Cisco Talos CC server data shows that targeted organisations included Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.
Another four domains belonging to “two more companies” were also targeted, according to the latest Avast blog post, but the researchers said they did not want to name these companies because they may have been compromised.
All companies believed to have been exposed to the malware payload have been notified, the Avast researchers said.
Although the Avast researchers have not named the attackers, their investigations so far have identified similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese advanced persistent threat (APT) group in 2014 and 2015.
“Some of the functions are almost identical, while other functions have a partial match, but the structure is overall very similar,” the Avast researchers said.
They also noted that while the list of targeted companies included several Asian companies, there were none from China, and that the time zone in the PHP scripts feeding the database was set to the People’s Republic of China (PRC).
However, even with all of these clues, the researchers said: “It is impossible at this stage to claim which country the attack originated from, simply because all of the data points could easily be forged to hide the true location of the perpetrator.”
The investigation into the supply chain attack and hunt for the perpetrators continues, according to Avast researchers.
“In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with good security software, to ensure no other threats are lurking on their PC,” they said.
The Cisco Talos research team is advising all those who downloaded the compromised versions of CCleaner to wipe their computers.
“Because the malware remains present, even after users update the CCleaner software, affected users should remove and reinstall everything on the machine and restore files and data from a backup made before 15 August,” they said.
The Cisco Talos researchers believe it is critical to remove the compromised version of the CCleaner software and associated malware, because its structure means it has the ability to hide on the user’s system and call out to check for new malware updates for up to a year.
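The two pieces of advice above (Avast: upgrade and scan; Cisco Talos: rebuild and restore only from a backup made before 15 August) are easy to apply to one PC but need to be mechanised across a fleet. The following Python is an added example, not code from the article, Avast or Cisco Talos: it reads an asset inventory, flags installs that match the affected builds named by Piriform (the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191), and assigns each exposed host a remediation action based on whether a pre-cutoff backup exists. The inventory schema, hostnames, dates and the placeholder version "5.99.0000" are constructed assumptions; a match means the host was exposed to the backdoored build, not that the second-stage payload ran on it.

```python
"""Fleet triage for the backdoored CCleaner builds (added example, not the article's code).

Assumptions (not from the article): inventory records are plain dicts as an
asset-management export might produce; every host, date and non-affected
version below is constructed sample data.
"""
from datetime import date

# Affected builds as reported by Piriform: only the 32-bit versions.
AFFECTED_BUILDS = {
    ("CCleaner", (5, 33, 6162)),
    ("CCleaner Cloud", (1, 7, 3191)),
}

# Cisco Talos: restore only from a backup made before 15 August (2017).
CLEAN_BACKUP_CUTOFF = date(2017, 8, 15)


def parse_version(text):
    """Turn 'v5.33.6162', '5.33.6162' or '1.07.3191' into a tuple of ints."""
    cleaned = text.strip().lower().lstrip("v")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(product, version, arch):
    """True if the install is one of the compromised 32-bit builds."""
    if arch != "x86":          # 64-bit builds were not affected
        return False
    return (product, parse_version(version)) in AFFECTED_BUILDS


def triage(record):
    """Return (host, action, reason) for one inventory record.

    Actions: 'none' (not an affected build), 'rebuild-restore' (wipe, then
    restore from the pre-cutoff backup) or 'rebuild-no-restore' (wipe, but no
    backup old enough to be trusted exists).
    """
    host = record["host"]
    if not is_affected(record["product"], record["version"], record["arch"]):
        return host, "none", "not an affected build"
    backup = record.get("last_backup")        # date or None
    if backup is None:
        return host, "rebuild-no-restore", "no backup on record"
    if backup < CLEAN_BACKUP_CUTOFF:
        return host, "rebuild-restore", f"restore from backup dated {backup}"
    return host, "rebuild-no-restore", f"latest backup {backup} is on/after cutoff"


def triage_inventory(records):
    """Triage every record; exposed hosts first so they are easy to spot."""
    results = [triage(r) for r in records]
    return sorted(results, key=lambda r: r[1] == "none")


# Constructed sample inventory (hostnames, dates and the 5.99 version are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "CCleaner", "version": "v5.33.6162",
     "arch": "x86", "last_backup": date(2017, 8, 1)},
    {"host": "ws-02", "product": "CCleaner", "version": "5.33.6162",
     "arch": "x64", "last_backup": date(2017, 8, 1)},
    {"host": "ws-03", "product": "CCleaner Cloud", "version": "1.07.3191",
     "arch": "x86", "last_backup": date(2017, 9, 1)},
    {"host": "ws-04", "product": "CCleaner", "version": "5.99.0000",
     "arch": "x86", "last_backup": date(2017, 8, 1)},
    {"host": "ws-05", "product": "CCleaner", "version": "v5.33.6162",
     "arch": "x86"},
]


if __name__ == "__main__":
    for host, action, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:6} {action:20} {reason}")
```

The 32-bit check matters: a 64-bit host running the same version string is not exposed according to Piriform's statement, so a naive version-only match would over-report. The sort puts the hosts that need a rebuild at the top of the output.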
The CCleaner compromise has once again highlighted the security problem of supply chain compromise.
“Supply chain attacks are a very effective way to distribute malicious software into target organisations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer,” the Cisco Talos research team said in a blog post.
In June 2017, Microsoft confirmed that, in some cases, NotPetya hijacked the auto update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit.