Where did the CCleaner Hackers attackers came from? Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get the address of the new server. Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms:ģ) a DNS record of a domain (name modified here). As with the first payload, it is heavily obfuscated and uses a number of anti-debugging and anti-emulation tricks. The first component contains the main business logic. The 2nd stage payload is a relatively complex piece of code that uses two components (DLLs). Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds.Īt the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. To recap, the attack affected a total of 2.27M computers between Augand Septemand used the popular PC cleaning software CCleaner version as a distribution vehicle.įirst of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.įollowing the take-down of the CnC server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack. Next Avast released a fixed version, identical to but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner users where it was possible, further reducing the number of impacted customers.Īvast notified the remaining users to upgrade to the latest version of the product as soon as possible free version doesn’t contain the auto-update functionalityĪvast said that restoring the affected machines to the pre-August 15 state unnecessary. With these two actions, the server was taken down and the threat was effectively eliminated as the attacker lost the ability to deliver the payload. The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack.Īs only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M.Īvast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified Avast about their initial findings.įollowing the receipt of this notification, Avast launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25AM PT), Avast had already thoroughly analyzed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue.įollowing that, the offending CnC server was taken down on September 15, 9:50 AM PT, following Avast collaboration with law enforcement.ĭuring that time, the Cisco Talos team, who has been working on this issue in parallel, registered the secondary DGA domains before Avast had the chance to. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017.Īvast suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition. The compromise may have started on July 3rd. Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.Īvast acquired Piriform, the maker of CCleaner, on July 18, 2017 In Depth Investigation Avast Publishes Full List of Companies Affected by CCleaner Second-Stage Malware
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |