Talos, Cisco's cybersecurity research team, recently uncovered such a case: the download servers used by software vendor Piriform (acquired by Avast in July 2017) to distribute its CCleaner utility were compromised and leveraged to deliver malware to unsuspecting victims.
For roughly a month, the trojanized installer, downloaded by more than 2 million users, carried a multistage malware payload that rode along with the legitimate CCleaner installation. Once the payload was installed, attackers could potentially gain access to a user's computer and other connected systems to steal sensitive personal data, including credentials usable for online banking or other online activities.
3 takeaways from the CCleaner breach
The dust is still settling from the CCleaner breach, but there are three key takeaways every IT channel professional should keep top of mind:
- This was a B2B attack. Although CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data, Avast researchers noted following their investigation. "Instead, CCleaner consumer users were used to gain access to corporate networks of select large companies." The first stage of the attack gave the attackers intel about each victim, including whether the user had administrative rights and the hostname and domain name of the system. The attackers then attempted to push a second-stage infection to 40 of the originally infected computers in order to target 25 tech companies. They succeeded in infecting computers belonging to 12 companies (e.g., Asus, Fujitsu, Intel, Samsung and Sony) but were shut out from 13 additional targets (e.g., Cisco, D-Link, Epson, GoDaddy and Microsoft).
- Any PC running CCleaner should be reimaged. Although later CCleaner releases are clean, Talos advises all CCleaner users to wipe the entire computer and restore files and data from a backup taken before Aug. 15, 2017, the day CCleaner version 5.33 was released; updating CCleaner by itself is not enough. Because of how the malware is structured, it can persist on a system and keep calling out to check for updates for up to a year.
- It's a good time to AMP up your customers' security. On September 13, while conducting customer beta testing of Cisco's latest exploit-detection technology, Cisco Talos identified a specific executable that was triggering its Cisco Advanced Malware Protection (AMP) systems. On closer inspection, the executable was the installer for CCleaner v5.33, which the legitimate CCleaner download servers were delivering to endpoints. Talos began analysis to determine what was causing the technology to flag CCleaner. The research team found that, even though the downloaded installer was signed with a valid digital signature issued to Piriform, CCleaner was not the only thing that came with the download: the 32-bit CCleaner binary included in the 5.33 installer also carried a malicious payload with a domain-generation algorithm (DGA) as well as hardcoded command-and-control (C2) functionality. A valid vendor signature on a tampered binary means the payload was inserted before signing, so signature validation alone would not have caught it. Talos confirmed that this malicious version of CCleaner was still being hosted directly on CCleaner's download server as recently as Sept. 11 and notified Avast of its findings right away.
Ingram Micro partners that use tools like Cisco AMP and FirePOWER next-generation firewall appliances give themselves the same protection and insight the Talos team relies on, and can better pinpoint and stop malicious threats like the one that infected Avast's CCleaner servers and software. For more information on Cisco's threat defense solutions, join Ingram Micro for a free, one-hour webinar on Wednesday, Oct. 25 at 10:30 a.m. PDT, titled "Cisco's Firewall/Threat Protection Solution—FirePOWER Threat Defense."