CCleaner Supply Chain Attack Targeted Technology Companies

New evidence shows the hackers who infected the installers for the popular CCleaner system optimization tool were primarily targeting the program’s business users. There are also links between the malware code and a well-known Chinese cyber-espionage group.

The malware-infected installers for 32-bit versions of CCleaner and CCleaner Cloud released in August were installed on more than2.2 million computers. However, only a very small portion of those systems also received a second-stage malicious payload from attackers. Those systems belonged to at least eight technology companies.

Upon installation, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 loaded a lightweight backdoor program directly in memory. This code’s purpose was to collect information about the systems it was running on—their names, domain names, IP addresses, process lists, etc.—and submit it to a command-and-control server. However, it also allocated memory for an additional payload that was supposed to be delivered from the server.

For the first couple of days after the hack was announced, it seemed that no security firm had seen this second payload. But yesterday, researchers from Cisco Systems’ Talos division revealed that they obtained a copy of the files hosted on the command-and-control server.

These files included the secondary malware program and also revealed a list of 18 companies on whose systems the attackers intended to install it. The targeted companies include Microsoft, Google, Samsung, Intel, Sony, VMware, HTC, Samsung, Sintel, Vodafone, O2, Epson, Akamai, D-Link and Cisco itself.

Avast confirmed Cisco’s findings on Thursday and said it found evidence that the second-stage payload was deployed on 20 systems belonging to eight of those companies. However, since the server logs only covered three days, the number of computers that received the second malware program was likely into the hundreds, the company said.

While there is no definitive attribution for the attack, researchers from Kaspersky Lab, Intezer and Cisco Talos independently confirmed that there is code and command-and-control infrastructure overlap between the first-stage backdoor and malware used in the past by Axiom, an umbrella group for cyberespionage operations linked to China’s intelligence agencies.

The hacking groups associated with Axiom have launched similar supply chain attacks in the past, including the recent ShadowPad attack revealed by Kaspersky Lab last month. In that incident, hackers inserted a backdoor into a legitimate update for an enterprise server administration tool developed by a company called NetSarang Computer.

All evidence found so far suggests that the CCleaner compromise was a sophisticated targeted attack whose goal was to ultimately gain access to the networks of high-profile companies.

“In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks,” the Cisco Talos researchers said.

Security researchers warn that the number of software supply chain attacks will increase because they’re a perfect attack vector to bypass traditional defenses, including application whitelisting. Many people in the security industry suspect that other similar compromises have already happened and haven’t been discovered yet.

Hackers Accessed Confidential Data at U.S. Securities and Exchange Commission

The U.S. Securities and Exchange Commission admitted that a breach of its systems in 2016 gave hackers access to nonpublic information that might have been used for insider trading.

Hackers broke in by exploiting a vulnerability in the filing component of the regulator’s EDGAR system. This system is used by corporations to file 1.7 million disclosures per year. The information contained in these filings can be used to obtain illegal profits through trading.

The vulnerability was patched quickly after being discovered in 2016, but it was not until last month that the SEC determined the accessed information might have been used for illegal trading.

“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” SEC Chairman Jay Clayton said in a statement released Wednesday. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”

In July, the U.S. Government Accountability Office criticized the SEC for not fully addressing all cybersecurity issues previously identified on its networks and systems in 2016.

“The SEC had not fully implemented 11 recommendations that included consistently protecting its network boundaries from possible intrusions, identifying and authenticating users, authorizing access to resources, auditing and monitoring actions taken on its systems and network, or encrypting sensitive information while in transmission,” GAO said in its report.

The commission did not consistently control logical access to its financial and general support systems and used unsupported software to process financial data. It also didn’t maintain up-to-date network diagrams and asset inventories for its general support system and its key financial system application and did not fully monitor those systems’ security configuration, GAO said.

The revelation that a web application vulnerability led to the compromise of confidential data at the SEC comes after U.S. credit monitoring bureau Equifax suffered a massive data breach because of an unpatched vulnerability in a web application framework.

Dangerous Vulnerability Patched in Joomla LDAP Authentication

Developers of the Joomla content management system fixed a serious flaw in the LDAP authentication plugin that could allow attackers to extract administrative credentials.

Joomla is the second most popular content management system after WordPress and powers 3.3 percent of all websites on the internet. More importantly, Joomla is widely used in enterprise environments to create internal and publicly facing websites.

The LDAP plug-in allows companies to integrate Joomla’s authentication system with their internal network’s directory services, so this vulnerability is more likely to affect corporate websites. The flaw was patched this week in Joomla 3.8.0.

“By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla! installation,” researchers from code analysis firm RIPS Technologies, who found this vulnerability, said in a report. “These include the username and password of the super user, the Joomla! administrator. An attacker can then use the hijacked information to login to the administrator control panel and to take over the Joomla! installation, as well as potentially the web server, by uploading custom Joomla! extensions for remote code execution.”

Sponsored Content
Upcoming Webinar
Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

Not All Flaws Are Created Equal: The Difference Between a Flaw, a Vulnerability and an Exploit

According to Gartner, the application layer contains 90% of all vulnerabilities. However, do security experts and developers know what’s happening underneath the application layer? Organizations are aware they cannot afford to let potential system flaws or weaknesses in applications be exploited, but knowing the distinctions between these weaknesses can make ... Read More
May 29, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 152 posts and counting.See all posts by lucian-constantin

One thought on “CCleaner Supply Chain Attack Targeted Technology Companies

Comments are closed.