40 Enterprise Computers Infected with Second-Stage CCleaner Malware

The cyberespionage group that managed to inject malware into CCleaner installers used them to deploy specialized malware to 40 computers from 12 technology and telecommunications companies.

The new information comes from researchers from antivirus maker Avast, the owner of CCleaner developer Piriform. The company’s team managed to gain access to a server used by the hackers and recovered logs and data revealing their activities.

Avast and Piriform announced last week that hackers managed to embed malicious code into CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 before the programs were compiled and released to users in August. The rogue installers for the Windows system optimization tool had malware attached to them that was designed to collect information from infected computers and install a secondary payload on systems chosen by the hackers.

Initially, it was believed that this was a large-scale attack whose goal was to infect as many users as possible, with Avast estimating that the compromised installers were used on more than 2 million systems.

However, it later became clear that this attack was a targeted one and researchers found links between the code and command-and-control (C2) infrastructure used by the attackers and previous malware used by a known cyberespionage group of Chinese origin.

Researchers from Cisco Systems’ Talos group managed to obtain the logs and database from the command-and-control server and determined that the goal of the attackers was to install additional malware on computers belonging to high-profile companies including Microsoft, Google, Samsung, Intel, Sony, VMware, HTC, Singtel, Vodafone, O2, Epson, Akamai, D-Link and Cisco itself.

Surprisingly, the C2 server only contained data for three days of activity in September that showed the second stage payload was deployed to 20 systems belonging to eight companies. Researchers from Avast later established that this lack of data was because the server had run out of space at some point and the attackers had to rebuild the database.

It turns out that before the database was reset, the hackers made a copy of the existing data and moved it to a secondary server. Avast also gained access to this second server with help from law enforcement agencies and recovered the information.

The total number of unique PCs (unique MAC addresses) that communicated with the C2 server was 1,646,536. This provides a more accurate estimate of the number of systems that were infected with the first-stage malware program through the CCleaner installer.

Out of those infected systems, attackers chose to deploy the second-stage malware on only 40. These select computers belonged to Chunghwa Telecom, the largest telecommunications company in Taiwan (13 systems); Japanese IT services provider NEC (10 systems); Samsung (five systems); AsusTek Computer, commonly known as Asus (two systems); Sony (two systems); Fujitsu (two systems); InfoView2u, a supplier of CCTV surveillance systems (one system); U.K. telecommunications provider O2 (one system); Gauselmann, a German gaming and gambling company (one system); Singtel, a telecommunications provider from Singapore (one system); Intel (one system) and VMware (one system).

“Clearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some of them potentially leading to additional supply-chain attacks (Carriers/ISPs, server hosting companies and domain registrars),” the Avast researchers said in a new blog post Tuesday.

The Avast researchers also analyzed the attackers’ connection patterns to the primary command-and-control server and the backup server. Assuming they had a normal workday that started at 8 a.m. or 9 a.m., the connection logs would place them in the UTC+4 or UTC+5 time zones, which match Russia, the eastern part of the Middle East, Central Asia and India. There was very little traffic from the attackers on Saturday and almost none on Sunday.
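The workday-based time zone inference described above can be reproduced on any C2 access log. The script below is an added example, not Avast's code or data: it builds a constructed set of UTC connection timestamps (an actor working 09:00–17:59 at UTC+5, Monday to Friday, with a little Saturday noise), then scores every UTC offset by how many connections land inside an assumed Mon–Fri, 09:00–17:59 local workday. The `WORK_HOURS` window and the sample log are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption of the example: a "normal workday" is 09:00-17:59 local, Mon-Fri.
WORK_HOURS = range(9, 18)


def constructed_log():
    """Constructed sample of attacker->C2 connection times in UTC (not real data).

    Two weeks starting Monday 2017-09-04: one hit per hour 04:00-12:59 UTC on
    weekdays (09:00-17:59 at UTC+5) plus one light Saturday connection each week.
    """
    start = datetime(2017, 9, 4, tzinfo=timezone.utc)
    stamps = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() < 5:
            for h in range(4, 13):
                stamps.append(d.replace(hour=h, minute=17))
        elif d.weekday() == 5:
            stamps.append(d.replace(hour=6, minute=5))
    return stamps


def fit_offsets(stamps, offsets=range(-12, 15)):
    """Map each candidate UTC offset (hours) to the fraction of connections
    that fall inside the assumed workday when viewed in that zone."""
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        hits = 0
        for s in stamps:
            local = s.astimezone(tz)
            if local.weekday() < 5 and local.hour in WORK_HOURS:
                hits += 1
        scores[off] = hits / len(stamps)
    return scores


def best_offsets(stamps, top=3):
    """Candidate offsets ranked by workday fit; ties broken toward UTC.

    Real logs rarely single out one zone, so report a short list rather than
    a single answer, just as the +4/+5 range above does."""
    scores = fit_offsets(stamps)
    return sorted(scores, key=lambda o: (-scores[o], abs(o)))[:top]


def weekend_share(stamps, offset):
    """Fraction of connections that land on Saturday/Sunday at this offset;
    a near-zero value supports the workday hypothesis for that zone."""
    tz = timezone(timedelta(hours=offset))
    weekend = sum(1 for s in stamps if s.astimezone(tz).weekday() >= 5)
    return weekend / len(stamps)


if __name__ == "__main__":
    log = constructed_log()
    ranked = best_offsets(log)
    print("candidate offsets (best first):", ranked)
    print("weekend share at best offset: %.3f" % weekend_share(log, ranked[0]))
```

The caveat a practitioner should keep in mind is the one the paragraph itself makes explicit: the result is only as good as the workday assumption. An operator who works shifts, or who deliberately schedules activity on a victim's local time, will fit a different zone, so this is corroborating evidence to weigh against other indicators, not an attribution on its own.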

The Massive Equifax Breach Cost the Company’s CEO His Job

Equifax’s CEO Richard F. Smith stepped down today following the massive compromise at the U.S. credit monitoring bureau announced three weeks ago. The breach affected 143 million people—almost half of the population in the United States—and was caused by attackers breaking into a web application through a known vulnerability in Apache Struts that Equifax left unpatched for around two months.

Smith’s exit comes after the company’s chief information and chief security officers already “retired” two weeks ago. This is the same wording the company used today, saying that Smith will retire as chairman of the board, chief executive officer and any other position with Equifax or any of its affiliates.

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in a public statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

The incident should serve as a wake-up call to CEOs, in the United States and elsewhere, that security and data breaches need to be taken more seriously. Companies in the European Union are preparing for the stricter data security requirements and harsher sanctions for data breaches introduced by the General Data Protection Regulation (GDPR).

“It is sad that it has required a breach of this magnitude and the subsequent gross incompetence of handling it after the fact to have the Board start paying attention to security,” said Mike Kail, CTO of security-as-a-service provider Cybric. “I hope this shot across the bow wakes up other CEOs and Board members to start providing security assurance to their customers.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42