Hackers Hid Malware in CCleaner for Nearly a Month?

Discussion in 'Windows OS and Software' started by LaptopNut, Sep 18, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    I've checked my systems, even though I didn't have the 5.33 version 32 bit installer that was infected, and didn't find any registry traces.

    CCleaner Command and Control Causes Concern
    http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

    Below are indicators of compromise associated with this attack.
    Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

    64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

    32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

    DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

    Registry Keys:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

    Stage 2 Payload (SHA256):

    dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

    CCleaner Malware Infects Big Tech Companies With Second Backdoor
    Wednesday, September 20, 2017 Mohit Kumar
    http://thehackernews.com/2017/09/ccleaner-malware-hacking.html
    Removing Malicious CCleaner Version would Not Help
    "Just removing the Avast's software application from the infected machines would not be enough to get rid of the CCleaner second stage malware payload from their network, with the attackers' still-active C2 server.

    So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions before the installation of the tainted security program.
    "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.

    For those who are unaware, the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware, and affected users should update the software to version 5.34 or higher."
    Piriform Notifications

    Thursday, September 21, 2017
    Update to the CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 Security Notification
    http://www.piriform.com/news/blog/2...ccleaner-cloud-v1073191-security-notification

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    https://forum.piriform.com/index.php?showtopic=48868

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    http://www.piriform.com/news/blog/2...eaner-cloud-v1073191-for-32-bit-windows-users

    CCleaner v5.35
    http://www.piriform.com/news/release-announcements/2017/9/20/ccleaner-v535

    Avast Notifications

    Progress on CCleaner Investigation
    https://blog.avast.com/progress-on-ccleaner-investigation

    Update to the CCleaner 5.33.6162 Security Incident
    https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
     
    Last edited: Sep 22, 2017
    Vistar Shook and Papusan like this.
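The registry and hash indicators in the Talos list above can be swept with a short PowerShell script run on the host under examination. This is an added example, not code from the thread, from Talos or from Avast. Its assumptions: the install directories it hashes are the default CCleaner locations plus %TEMP%; the WbemPerf entries are checked both as subkeys and as value names (the page calls them "registry keys" without saying which) and also under Wow6432Node in case the 32-bit build's writes were redirected; and any installed CCleaner executable reporting version 5.33 is flagged, since the page identifies the 32-bit 5.33.6162 build as the trojanized one.

```powershell
# Added example: sweep a Windows host for the CCleaner IOCs listed in the post above.
# Not part of the original thread or of any vendor tooling.

# SHA256 hashes from the Talos IOC list (lower-case for comparison).
$IocHashes = @{
    'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83' = 'GeeSetup_x86.dll / stage 2 payload'
    '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f' = 'EFACli64.dll (64-bit trojanized binary)'
    '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902' = 'TSMSISrv.dll (32-bit trojanized binary)'
    'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a' = 'DLL stored in registry'
}

# WbemPerf entries from the Talos list. Checked under the native path and, as an
# assumption about 32-bit redirection, under Wow6432Node as well.
$WbemPerfKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\WbemPerf'
)
$IocNames = @('001', '002', '003', '004', 'HBP')

# Assumed default install locations plus the temp directory (where installers unpack).
$ScanDirs = @("$env:ProgramFiles\CCleaner", "${env:ProgramFiles(x86)}\CCleaner", $env:TEMP)

function New-Finding($Type, $Indicator, $Detail) {
    [pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail }
}

$findings = @()

# 1. Registry: the page lists these as keys, so test both subkey and value names.
foreach ($base in $WbemPerfKeys) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    $key = Get-Item -LiteralPath $base
    foreach ($name in $IocNames) {
        if ($key.GetSubKeyNames() -contains $name) {
            $findings += New-Finding 'Registry' "$base\$name" 'subkey present'
        }
        if ($key.GetValueNames() -contains $name) {
            $findings += New-Finding 'Registry' "$base\$name" 'value present'
        }
    }
}

# 2. Files: hash every DLL/EXE in the scan directories and compare against the IOC hashes;
#    also flag any CCleaner executable whose version resource reports 5.33.
foreach ($dir in $ScanDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($IocHashes.ContainsKey($h)) {
                $findings += New-Finding 'FileHash' $_.FullName $IocHashes[$h]
            }
            if ($_.Name -like 'CCleaner*.exe') {
                $vi = $_.VersionInfo
                if ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33) {
                    $findings += New-Finding 'Version' $_.FullName "CCleaner 5.33 build installed ($($vi.FileVersion))"
                }
            }
        }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No listed CCleaner indicators found in the scanned registry paths and directories.'
}
```

A clean result only says these particular artifacts are absent from the places scanned. Per the Talos and Avast advice quoted above, a host known to have run the trojanized 32-bit build should be restored from a pre-installation backup or reimaged rather than cleaned in place, because the stage 2 payload may have fetched further code.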
  2. Papusan

    Papusan BGA Filthy = That sucks!! STAHP! Dont buy FILTH...

    Friday, September 22, 2017
    CCleaner Malware Attack Was Aimed At Critical Internet Infrastructure Vendors Like Google And Microsoft-Hothardware.com

    "The real target of this attack is now thought to have been major tech firms like Microsoft, Google, Samsung, Sony, Intel and others, according to the Talos threat intelligence team from Cisco. Ironically, Cisco was on that list of major tech firms that the hackers now appear to have been actually aiming for. The big takeaway here is that many of the companies that are believed to be targets are companies that help make the internet work. Let that sink in for a bit: the CCleaner hack could be much more serious than originally thought."
     
    Phoenix and hmscott like this.
  3. StormJumper

    StormJumper Notebook Virtuoso

    This makes it even more reason to not use CCleaner anymore, since once hacked they most likely got the "source code" and now can infect more CCleaner.
     
    hmscott likes this.
  4. Papusan

    Papusan BGA Filthy = That sucks!! STAHP! Dont buy FILTH...

    But, but CCleaner's mother is Avast now :D J/K
    I'm sure they will take the right steps if needed. Losing money will force changes.
     
    hmscott likes this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Where did you read that the ccleaner source code was accessed / compromised?

    As far as I have read this hack is injection into the installer on the distribution server, not requiring access to the development "source code" server.

    The server compromised was the one provided by Avast to newly acquired Piriform on their "merged" network that was outward facing (visible on the internet) for product distribution.

    Installer build software is easily available and can be used to pull apart a distribution and put it back together with the malware payload, but that process doesn't require the product source code; in fact, this method is used when they don't have access to the product source code.

    In this kind of hack the outward facing distribution server(s) are the ones compromised and a payload injected installer is used to replace the company developed installer.

    Usually this happens at some 3rd party distribution site(s), not an official company distribution server, but in this case the Avast hosted server serving as the official Piriform distribution server was the one hacked.

    Product source code access isn't necessary in most malware payload hacks.
     
    Last edited: Sep 23, 2017
  6. StormJumper

    StormJumper Notebook Virtuoso

    Easy, since it arrived as part of the program itself; that was why.

    And you think they will really tell you how? I doubt they will tell the real deal and how it happened. To inject code means there was more or less reverse engineering of the software to find the weak point, regardless of where it was stored. To think otherwise is a very narrow viewpoint. As they were forced to announce the breach because someone posted it, it shows they were trying to hide it as long as they could; if only they had come upfront, I think most would accept that as being proactive, but they were reactive after it made news. That to me signals a very bad mindset: thinking that if it's not known, nothing is harmed. With all the breaches we have heard of so far, most if not many don't admit it until the news makes the Web, and only then do they say yes, 13 months ago we were breached, but you're safe? How you waited this long, hoping no one would hear about it, is what they wanted. Just like Equifax, they admitted it only when news came out about 140+ million Americans losing their private data, or more, but we will never know, will we. They sat on this information knowing full well what would happen, but instead of fixing it, blamed another website for it. Yeah, I believe that like BS hits the fan.
     
  7. hmscott

    hmscott Notebook Nobel Laureate

    So the answer to my question is "No, I never saw anything that suggested that the hacker used the ccleaner source code." :)

    Narrow views, limited to the factual information at hand, with decades of experience tracking such problems, are exactly what you want in these situations. Uninformed musings will get you into trouble, panicking people needlessly.

    These hacks are usually the installer injection at the distribution point. The server hacked was a new distribution server given to Piriform by Avast on Avast's external internet, that "narrow view" is what we call "fact based".

    When more facts come to light we can expand that view, but until then unwarranted speculation isn't a wider view, it's an unsubstantiated view.

    CCleaner: 2m users install computer cleaning program … that contains malware
    Tool now owned by security firm Avast was hacked via a supply chain attack, an increasingly common method of infection
    https://www.theguardian.com/technol...ogram-security-avast-supply-chain-attack-hack

    "Piriform, the developer of CCleaner now owned by security firm Avast, says that its download servers were compromised at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated the servers with a new version.

    In that period, a trojan was loaded into the download package which sent “non-sensitive data” from infected users’ computers back to a server located in the US. "
     
    Last edited: Oct 6, 2017
    alexhawker likes this.
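The scenario described in this post and in the Guardian quote, a trojan loaded into the download package on the vendor's own distribution server, leaves the downloader two pre-installation checks: the publisher's Authenticode signature and a hash obtained from a channel other than the download server (a vendor security notice, for instance). The function below is an added example, not code from the thread, Piriform or Avast; the expected signer substring 'Piriform' and the placeholder path and hash in the usage comment are assumptions. One caveat from the Talos analysis, not stated in the thread: the trojanized 5.33 binary was signed with a valid Piriform certificate, so the signature check alone would not have caught it, which is why the out-of-band hash comparison is the stronger of the two.

```powershell
# Added example: vet a downloaded installer before running it. Not part of the
# original thread or of any vendor tooling. The expected hash must come from
# somewhere other than the download server itself.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,               # hash from an out-of-band source (optional)
        [string]$ExpectedSigner = 'Piriform'   # assumption: substring expected in the cert subject
    )
    $r = [ordered]@{ Path = $Path }

    # 1. Out-of-band hash: catches a swapped package even when the signature is fine.
    $r.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($ExpectedSha256) {
        $r.HashMatches = ($r.Sha256 -eq $ExpectedSha256.ToLower())
    } else {
        $r.HashMatches = 'not checked'
    }

    # 2. Authenticode: status must be Valid and the signer must be the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $r.SignatureStatus = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
    $r.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $r.SignerMatches = [bool]($r.Signer -and ($r.Signer -like "*$ExpectedSigner*"))
    $r.Timestamped = [bool]$sig.TimeStamperCertificate

    # 3. Verdict: a hash mismatch or a bad/unexpected signature rejects the file.
    if ($r.HashMatches -eq $false) {
        $verdict = 'REJECT: hash differs from the published value'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "REJECT: signature status is $($sig.Status)"
    } elseif (-not $r.SignerMatches) {
        $verdict = 'REJECT: signed, but not by the expected publisher'
    } elseif ($r.HashMatches -eq 'not checked') {
        $verdict = 'Signature OK, but no out-of-band hash supplied; a valid signature alone is not proof of a clean build'
    } else {
        $verdict = 'OK: hash and signature both check out'
    }
    $r.Verdict = $verdict
    [pscustomobject]$r
}

# Usage (path and hash are placeholders, not values from the thread):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\ccsetup535.exe" `
#                          -ExpectedSha256 '<sha256 taken from the vendor notice>'
```

Run it against the downloaded file before executing it, and treat anything other than the final "OK" verdict as a reason not to install. The signature check still has value: it detects an unsigned or tampered-after-signing package and an impostor publisher, which covers the more common third-party-mirror case hmscott mentions; it just cannot distinguish a vendor-signed clean build from a vendor-signed trojanized one.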
  8. hmscott

    hmscott Notebook Nobel Laureate

    Additional information regarding the recent CCleaner APT security incident
    https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

    "New analysis from the Avast Threat Labs

    We would like to update our customers and the general public on the latest findings regarding the investigation of the recent CCleaner security incident. As published in our previous blog posts (here and here), analysis of the CnC server showed that the incident was in fact an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.

    Today, we are going to disclose new facts about the incident that we received since the last public update."
     
    Papusan likes this.