  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Malware-infected CCleaner was distributed via official servers for a month

    A backdoored installer was put onto the company's official servers, and millions of people likely downloaded it between Aug. 15 and Sept. 12

    Lucian Constantin
    Sep 18 2017

    Hackers have managed to embed malware into the installer of CCleaner, a popular Windows system optimization tool with over 2 billion downloads to date. The rogue package was distributed through official channels for almost a month.

    CCleaner is a utilities program that is used to delete temporary internet files such as cookies, empty the Recycling Bin, correct problems with the Windows Registry, among other tasks. First released in 2003, it has become hugely popular; up to 20 million people download it per month.

    Users who downloaded and installed CCleaner or CCleaner Cloud between Aug. 15 and Sept. 12 should scan their computers for malware and update their apps. The 32-bit versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected.

    The compromise was detected by researchers from Cisco Systems' Talos group after one of the company's products triggered a malware detection on a CCleaner installer. A subsequent investigation revealed that it was not a false positive and that the executable program was indeed carrying a sophisticated backdoor program.

    What's worse is that this is not a case where hackers took the CCleaner installer, modified it, and then distributed a malicious version through alternative means. Instead the backdoored program was distributed from the developer's official servers, as well as third-party download sites.

    The rogue installer was digitally signed with the developer's legitimate certificate, which means the malicious code was added to it before it was signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.

    "Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the Cisco Talos researchers said in a blog post. "It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code."

    CCleaner was created by a company called Piriform that was acquired by antivirus maker Avast in July. The company issued a press release and a more detailed blog post in response to the incident.

    According to the company, up to 3 percent of CCleaner users might have been impacted by this incident. CCleaner is downloaded at a rate of over 20 million times per month.

    "At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it," said Paul Yung, Piriform's vice-president of products, in a blog post. "The investigation is still ongoing."

    Yung confirmed that a "two-stage backdoor" was added to the application's initialization code that's "normally inserted during compilation by the compiler."

    The backdoor program is capable of downloading and executing additional malicious code and, according to the analysis by Cisco Talos, it uses a domain name generation algorithm (DGA) to find its command-and-control servers. With knowledge of the algorithm, attackers can predict which domain name the malware will try to contact on a specific date and can register it in advance so they can send commands.

    "In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains," the Cisco Talos researchers said. "As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware."

    Piriform pushed out an in-program notification to advise CCleaner users to upgrade to version 5.34 as soon as possible. CCleaner Cloud users received an automatic update from v1.07.3191 to 1.07.3214 and users of Avast Antivirus also received an automatic update.

    Users who downloaded the affected CCleaner versions should scan their systems for malware and should restore them to a clean state before Aug. 15. If that's not possible, the Cisco researchers advise reinstalling the OS on the affected systems.

    The number of supply chain attacks has been on the rise this year highlighting that software developers and systems engineers have become an attractive target for hackers. With access to a company's development or update infrastructure attackers can push malware to users in a way that is very hard to detect because it abuses a trusted software distribution channel.

    For years, security researchers have advised users to only download software from the developer's website or to make sure the software updates they install are legitimate and weren't obtained from suspicious sources. That advice goes out the window with supply chain attacks.

    Last month, researchers from antivirus vendor Kaspersky Lab found a backdoor program inside a popular enterprise connectivity software suite developed by a company called NetSarang Computer. The NotPetya ransomware attack that hit major companies in June started out in Ukraine with a rogue update for an accounting program called M.E.Doc and in May, Microsoft researchers detected a malware attack against financial organizations that was executed through the compromised update mechanism for a third-party editing tool.

    Users of other operating systems are not safe from such attacks either. Earlier this year, hackers compromised a download server for HandBrake, a popular open-source video converter, and distributed a malware-infected version to macOS users. The popular Transmission BitTorrent client suffered not one, but two supply chain attacks last year.
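The DNS-telemetry reasoning in the post above (precompute the domains a DGA would produce for each day, then treat hosts that try to resolve never-registered domains as impacted) can be shown end to end. The following is an added example, not code from the article, Talos or Avast. The date-seeded DGA below is a hypothetical stand-in and is not the algorithm in the trojanised CCleaner build; the resolver log lines and the `10.0.0.x` clients are constructed samples.

```python
"""Defender-side use of a known DGA: build a per-day domain watchlist and
match it against DNS resolver logs to find hosts that ran the backdoor.

Added example. `toy_dga` is a HYPOTHETICAL algorithm for illustration, not
the real CCleaner DGA; SAMPLE_LOG is constructed telemetry.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net")


def toy_dga(day: date, seed: bytes = b"hypothetical-seed", count: int = 2) -> list[str]:
    """Hypothetical date-seeded DGA: derive `count` domains from SHA-256(seed || YYYYMMDD || i)."""
    domains = []
    for i in range(count):
        material = seed + day.strftime("%Y%m%d").encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def build_watchlist(start: date, end: date) -> dict[str, date]:
    """Map every domain the DGA would produce on days start..end (inclusive) to that day."""
    watch: dict[str, date] = {}
    day = start
    while day <= end:
        for dom in toy_dga(day):
            watch[dom] = day
        day += timedelta(days=1)
    return watch


def parse_dns_line(line: str):
    """Parse a constructed 'YYYY-MM-DD client qname rcode' resolver log line; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    day, client, qname, rcode = parts
    # normalise: strip the trailing root dot and lower-case the name before lookup
    return day, client, qname.rstrip(".").lower(), rcode.upper()


def find_impacted_hosts(log_lines, watchlist):
    """Return {client: sorted [(dga_domain, rcode), ...]} for clients that queried watchlist domains.

    Any query for a watchlist domain is recorded; an NXDOMAIN answer is the strong
    'never registered, only the malware would ask' signal the Talos reasoning relies on.
    """
    hits = defaultdict(list)
    for line in log_lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue  # skip garbled telemetry rather than crash the sweep
        _, client, qname, rcode = parsed
        if qname in watchlist:
            hits[client].append((qname, rcode))
    return {client: sorted(pairs) for client, pairs in hits.items()}


def live_c2_candidates(hits):
    """Watchlist domains that did NOT return NXDOMAIN: someone has registered them, escalate."""
    return sorted({dom for pairs in hits.values() for dom, rcode in pairs if rcode != "NXDOMAIN"})


# Constructed sample telemetry covering the distribution window named in the article.
WINDOW_START, WINDOW_END = date(2017, 8, 15), date(2017, 9, 12)
WATCHLIST = build_watchlist(WINDOW_START, WINDOW_END)
D1 = toy_dga(date(2017, 9, 1))
D2 = toy_dga(date(2017, 9, 2))
SAMPLE_LOG = [
    "2017-09-01 10.0.0.5 www.example.com NOERROR",
    f"2017-09-01 10.0.0.5 {D1[0]} NXDOMAIN",
    f"2017-09-01 10.0.0.5 {D1[1]} NXDOMAIN",
    f"2017-09-02 10.0.0.7 {D2[0]}. NXDOMAIN",   # trailing root dot, normalised by the parser
    f"2017-09-02 10.0.0.9 {D2[1]} NOERROR",      # resolved: the domain has since been registered
    "2017-09-02 10.0.0.11 update.example.net NOERROR",
    "garbled line",
]

if __name__ == "__main__":
    hits = find_impacted_hosts(SAMPLE_LOG, WATCHLIST)
    for client, pairs in sorted(hits.items()):
        print(client, pairs)
    print("registered watchlist domains:", live_c2_candidates(hits))
```

The watchlist is keyed by domain so a query on any day matches, which avoids missing hosts whose clocks are skewed; the `rcode` is kept because a watchlist domain that suddenly resolves means an operator or a sinkhole has registered it and the host list should be handled as a live incident rather than a historical one.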

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Watering hole attack targeted tech companies

    Talos security researchers found a list of 23 tech companies on the C&C server, including Cisco, Microsoft, Samsung, Intel, VMware, Sony, Linksys, Vodafone and Singtel.

    Juha Saarinen
    Sep 22 2017

    Further analysis of the hacked version of system utility CCleaner shows that it was targeting well-known tech companies, deepening the scandal of security vendor Avast missing malware in its midst.

    Earlier this week, it transpired that Avast had unwittingly distributed the trojanised CCleaner utility to an estimated 2.27 million users, a number that was later revised down to 700,000.

    At the time, Avast believed the second-stage loader in the malware was inactive and would not attempt to fetch an additional payload, but this turned out to be incorrect.

    Analysis of the control and command server used by the malware showed that hundreds of computers selectively received the second-stage payload, Avast now says.

    Cisco's Talos security researchers found a list of 23 tech companies on the C&C server, including itself, Microsoft, Samsung, Intel, VMware, Sony, Linksys, Vodafone and Singtel.

    The list of high-profile tech companies "would suggest a very focused actor after valuable intellectual property," Talos said.

    Avast now considers the malware an advanced persistent threat and the incident a so-called watering hole attack, in which large numbers of users are infected to reach a select few victims.

    The second-stage payload contains sophisticated espionage malware for 32 and 64-bit versions of Microsoft's Windows operating system, Talos and Avast said.

    While Avast still advises users to remove the infected version of CCleaner and replace it with a fresh variant, Talos disagreed and said the malware was made by a sophisticated actor and required additional precautions.

    "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," Talos said.

    Security vendor Kaspersky also weighed in on the Avast CCleaner debacle, and discovered there is significant code overlap in the malware, and tools used by threat actors known as APT17, Axiom and Group 72.

    APT17 targeted journalists as well as environmental and pro-democracy groups, as well as Fortune 500 companies in a cyber espionage campaign two years ago, a joint security industry effort led by vendor Novetta found.

    Novetta said it had "moderate to high confidence that the organisation-tasking Axiom is part of the Chinese intelligence apparatus."

    The United States Federal Investigation Bureau also believed APT17/Axiom was affiliated with the Chinese government, Novetta said.
