The exact dimensions of the CCleaner attack will likely continue to be redrawn, as analysis continues. "If you didn’t restore your system from backup, you’re at high risk of not having cleaned this up," Williams says. Instead, the researchers recommend that anyone affected fully restore their machines from backup versions prior to the installation of Avast's tainted security program. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.įor any company that may have had computers running the corrupted version of CCleaner on their network, Cisco warns that its findings mean merely deleting that application is no guarantee the CCleaner backdoor wasn't used to plant a secondary piece of malware on their network, one with its own, still-active command and control server. It wound up installed on more than 700,000 computers. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 18 tech firms.Įarlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. Operation Aurora started in 2009 and to see the same threat actor still active in 2017 could possibly mean there are many other supply chain attacks by the same group that we are not aware of," Rosenberg added.Update: On September 25, Avast confirmed that of the 18 companies targeted, a total of 40 computers were successfully infected with a secondary malware installation at the following companies: Samsung, Sony, Asus, Intel, VMWare, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu. In this case, they probably were able to hack CCleaner's build server in order to plant this malware. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted and they specialize in supply chain attacks. "The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case about attribution to the same threat actor," Intezer senior security researcherJay Rosenberg wrote in a report. Researchers at Intezer, who also analysed the CCleaner malware code, said that the code overlap noted indicates a clear connection to Axiom. "This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severity and potential impact of this attack," Cisco researchers said.Īlthough the link between the CCleaner hack and Axiom may currently not be definite, the hacker group is known to have targeted technology firms in the past as well. Researchers were also able to determine that around 540 computers of government across the world and 51 systems belonging to international banks were among those compromised by the attack. "It is important to understand that the target list can be and was changed over the period the server was active to target different organizations," the researchers said. However, the C&C server database revealed that 20 systems were infected by a second-stage malware. Previously, researchers were unaware of any of the victims having been infected by a second-stage malware. The database contained two lists, one listing 700,000 systems infected by the backdoor malware and another that tracked all the computers infected with a second-stage malware. Researchers found this evidence after analysing the attackers' C&C (command and control) server database. "A fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks," Cisco Talos researchers said in a report. The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'.- Costin Raiu September 19, 2017
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |