Earlier this week, we reported a malware attack that used CCleaner as its carrier and was distributed from Avast's own download servers. The trojaned build was a legitimately signed release: the multi-stage malware payload rode along with the normal CCleaner installation, signed with the vendor's own certificate, so the signature check gave users no warning. Of this popular PC utility's reported one billion users, researchers estimate that at least 2.2 million installed the modified version between August 15, 2017 and September 15, 2017. But who was behind this carefully plotted takeover of CCleaner?
A state sponsored hacking group...
The recent attack, which affected millions who installed the infected version of the popular system optimization tool, could have been the work of an elite cyberespionage group. Since the revelation earlier this week, researchers have been going through the data to see what was happening behind the scenes. The attack drew particular attention because the malicious code was injected into CCleaner before it was compiled, signed and distributed, which means the attackers had access to the development and build infrastructure of the antivirus firm (Avast, which acquired CCleaner's maker Piriform in July 2017).
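To make concrete why a valid signature gave no protection here, the following is an added Python illustration (not code from the article, Avast or Piriform). It simulates a build pipeline with a deterministic stand-in compiler and HMAC-SHA256 in place of Authenticode: an attacker on the build server injects code before compilation, the vendor's normal signing step signs the result, and the signature verifies. Only an independent rebuild from the audited source, compared digest for digest, exposes the tampering. All source files, keys and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for a vendor's audited source tree and build-server signing key.
# Neither resembles CCleaner's real code or keys; they exist only to run the scenario.
CLEAN_SOURCE = {
    "main.c": b"int main(void) { return clean_system(); }\n",
    "clean.c": b"int clean_system(void) { return 0; }\n",
}
SIGNING_KEY = b"constructed-signing-key"


def build(source):
    """Deterministic stand-in for a compiler: emits files in sorted order."""
    return b"".join(
        name.encode() + b"\0" + body + b"\0" for name, body in sorted(source.items())
    )


def sign(artifact, key):
    """Stand-in for code signing (HMAC-SHA256 instead of Authenticode). Like a real
    signature it attests only to the bytes it is given, not to how they were produced."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact, signature, key):
    return hmac.compare_digest(sign(artifact, key), signature)


def compromised_build(source):
    """An attacker with access to the build pipeline injects a loader into the source
    before compilation; the vendor's normal signing step then runs over the result."""
    tampered = dict(source)
    tampered["main.c"] = b"static void stage1_loader(void);\n" + tampered["main.c"]
    return build(tampered)


def release(artifact, key):
    """Package a build the way a release pipeline would: artifact plus signature."""
    return artifact, sign(artifact, key)


def signature_check(published, key):
    """What an end user's installer check can see: is the signature valid for these bytes?"""
    artifact, signature = published
    return verify(artifact, signature, key)


def rebuild_check(published, source):
    """Reproducible-build check: rebuild from the audited source and compare digests.
    This is the only check in the scenario that looks at build inputs, not just outputs."""
    artifact, _ = published
    expected = hashlib.sha256(build(source)).hexdigest()
    actual = hashlib.sha256(artifact).hexdigest()
    return expected == actual


def run_scenario():
    clean = release(build(CLEAN_SOURCE), SIGNING_KEY)
    backdoored = release(compromised_build(CLEAN_SOURCE), SIGNING_KEY)
    return {
        "clean_signature_ok": signature_check(clean, SIGNING_KEY),
        "clean_rebuild_ok": rebuild_check(clean, CLEAN_SOURCE),
        # The backdoored release carries a perfectly valid vendor signature ...
        "backdoored_signature_ok": signature_check(backdoored, SIGNING_KEY),
        # ... and is caught only by rebuilding from trusted source and comparing.
        "backdoored_rebuild_ok": rebuild_check(backdoored, CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The point is not the toy cipher but where each check sits: signing happens after the compromised step, so it faithfully certifies the attacker's output. A signature tells a user that the vendor released these bytes; it says nothing about whether the vendor's build server was trustworthy when it produced them.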
Security researchers from at least four different firms now report links between the malicious code added to CCleaner and malware previously used by a sophisticated group of Chinese hackers, one that had reportedly broken into Google's corporate infrastructure in the past.
[Embedded tweet: Costin Raiu (@craiu), September 19, 2017]
New posts from Avast and Cisco's Talos research group have revealed the findings. The researchers report that, at the time the command-and-control server was seized, the attackers were checking infected machines against a list of internal domains and delivering a second-stage payload, designed to collect data, only to machines that matched.
"This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were," Avast researchers wrote. But who are these select targets?
According to Cisco's Talos security division and Avast itself, the malware's target list named about 20 large technology companies (based on logs covering only three days, so the real number is expected to run into the hundreds). The named targets included Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, Cisco itself, and others.
It appears that those two million estimated victims were not the real targets of the CCleaner attackers. The attackers wanted a foothold on computers inside the networks of major technology companies and, from there, presumably a path to the billions of devices those companies ship. Avast adds that this was an Advanced Persistent Threat (APT) operation programmed to deliver the second-stage payload only to selected victims. Avast had previously said that the second payload was never delivered. [On a side note, Cisco Talos has passive-aggressively reprimanded Avast for downplaying the severity.]
The Chinese state-sponsored group, tracked as APT 17 and also known as Group 72, Axiom and Aurora, has, according to security researchers, a history of software supply chain compromises. FireEye, along with Kaspersky and others, has also connected the attack to APT 17.
[Embedded tweet: Christopher Glyer (@cglyer), September 19, 2017]
Most notoriously, APT 17 is the group behind Operation Aurora, an extremely high-profile 2009 attack that targeted over 30 technology companies, including Google. As with several similar hacks before it, researchers can only point to overlap with code the group has used previously; code reuse is circumstantial, and it rarely amounts to proof of attribution.
"A fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks." - Cisco Talos
Talos further adds that, following the initial infection, the attackers went through their database of infected machines specifically to find PCs connected to the targeted tech companies' networks. Researchers say that 50% of the attackers' attempts to install the second payload, which delivered data collection and keylogging malware, were successful. That does not mean 10 of the reported 20 tech companies were infected: some were hit more than once, while others were never reached.
The AV firm is currently reaching out to the companies it knows have been impacted, "and providing them with additional technical information to assist them".
Don't just rely on uninstalling CCleaner
Earlier in the week, some security experts had suggested that victims not merely swap the trojaned CCleaner for a clean version, but also roll the system back to an earlier state. Talos has now reiterated how important this is. "Those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version," the security team writes, "but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system".
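As an added example of the triage the Talos advice implies (not code from the article or from Talos), here is a Python helper that reads a constructed software-inventory export and lists the hosts that installed or updated CCleaner during the August 15 to September 15, 2017 window reported above. Its one deliberate policy choice follows the advice: a host stays on the reimage list even if its inventory shows a later, clean CCleaner version, because updating does not remove anything a second stage may have left behind. The inventory format, host names and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Distribution window of the backdoored build, as reported in the article.
WINDOW_START = date(2017, 8, 15)
WINDOW_END = date(2017, 9, 15)


@dataclass(frozen=True)
class InstallEvent:
    host: str
    product: str
    installed_on: date  # date the inventory agent recorded the install or update


def parse_inventory(lines):
    """Parse constructed inventory lines of the form 'host,product,YYYY-MM-DD'.
    Blank lines and '#' comments are skipped; the format is an assumption."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, day = (field.strip() for field in line.split(","))
        events.append(InstallEvent(host, product, date.fromisoformat(day)))
    return events


def exposed_in_window(event, start=WINDOW_START, end=WINDOW_END):
    """True if this event put a CCleaner build on the host during the window."""
    return event.product.lower() == "ccleaner" and start <= event.installed_on <= end


def reimage_list(events):
    """Map each host that installed or updated CCleaner inside the window to the
    date of its first exposure. A later event with a clean version does NOT remove
    a host: per the Talos advice, a second-stage payload dropped during the window
    survives the update, so the host is reimaged rather than merely updated."""
    first_exposure = {}
    for ev in events:
        if exposed_in_window(ev):
            seen = first_exposure.get(ev.host)
            if seen is None or ev.installed_on < seen:
                first_exposure[ev.host] = ev.installed_on
    return dict(sorted(first_exposure.items()))


# Constructed sample export. ws-0001 installed during the window and later updated;
# ws-0002 only installed after the window; ws-0003 installed before it and never
# updated; ws-0004 never had CCleaner; ws-0005 installed on the window's last day.
SAMPLE_INVENTORY = """
# host,product,install_date
ws-0001,CCleaner,2017-08-20
ws-0001,CCleaner,2017-09-20
ws-0002,CCleaner,2017-09-20
ws-0003,CCleaner,2017-07-30
ws-0004,Notepad++,2017-09-01
ws-0005,ccleaner,2017-09-15
""".splitlines()


def triage(lines=SAMPLE_INVENTORY):
    return reimage_list(parse_inventory(lines))


if __name__ == "__main__":
    for host, exposed in triage().items():
        print(f"reimage {host} (first exposure {exposed.isoformat()})")
```

One caveat on the input: the helper trusts the inventory to have recorded every install and update as an event. If your tooling only snapshots current versions, diff the snapshots across the window to synthesise those events first; a host like ws-0003 above, installed before the window, is out of scope only if it genuinely never updated during it.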
While the security firms continue to sift through the available data, they so far believe the malware's purpose was industrial espionage against the world's biggest technology companies, not the infection of random people's computers. That does not mean the attackers will not turn their attention to other victims. As Talos writes, it is imperative to take these attacks seriously and not to downplay their severity.