A cyber-attack revealed this week which spread via popular performance optimization tool CCleaner was designed to target several major technology firms, it has emerged.

Updates from both Cisco Talos and Avast – the company which now owns CCleaner developer Piriform – explained that, contrary to initial impressions, a second-stage payload was delivered from the C&C server.

Server logs indicate eight tech and telecoms firms received the payload, with potentially hundreds of machines infected – although only 20 were spotted during the three days logs were collected for, according to an update from Avast CEO Vince Steckler and CTO Ondrej Vlcek.

The initial attack affected 2.27 million CCleaner customers, meaning the collateral damage was huge.

“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” said the duo.

Avast refused to name the targets publicly. However, a screenshot provided by Cisco Talos showed a number of domains that the attackers were looking to compromise, including ones linked to Sony, Microsoft, VMware, Vodafone, O2, Singtel, Linksys, Gmail, D-Link, Intel, Samsung, HTC and Cisco itself.

Cisco suggested this evidence reveals “a very focused actor after valuable intellectual property.”

The complex second-stage payload comes in two parts: the first contains the main business logic and is heavily obfuscated, using anti-debugging and anti-emulation techniques to stay hidden from security tools.

“Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on WordPress, and 3) a DNS record of a domain (name modified here),” explained Steckler and Vlcek.

“The second part of the payload is responsible for persistence… Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs.”

Affected users were urged not merely to remove CCleaner or update to the latest version, but to restore from backups or re-image systems to ensure that they completely remove both the backdoored CCleaner version and any other malware that may be on the system.

A multitude of news stories within the last several months have revealed numerous businesses and products that are not as trustworthy as we, collectively, had previously thought.

The first is CCleaner, a computer utility used to clean malicious and potentially unwanted files, such as temporary Internet files, which is, according to developer Piriform, “trusted by millions” for its “award-winning PC optimization” [1].

So what’s the problem? It was compromised by hackers in August, who redirected users to malicious servers hosting their own code rather than Piriform’s servers.

According to Reuters, more than 2 million users downloaded a malicious version of CCleaner (CCleaner v or CCleaner Cloud v) and may have exposed their computers and attached networks to a wide variety of threats, including ransomware [2].

While Piriform claims that law enforcement helped mitigate any infections proactively, the fact remains that a trusted organization had its supply chain disrupted by a capable cyber adversary.

It was also recently revealed that another trusted software vendor, Hewlett Packard Enterprise (HPE), allowed a Russian company associated with Russian defense services and at least one Russian intelligence service access to the source code for ArcSight [3].
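The three-mechanism C&C lookup quoted above (a GitHub account, a WordPress account and a DNS record, tried in turn) is a dead-drop resolver: the payload reads an address out of innocuous hosted content and falls back to the next source if one is unavailable. The following is an added example written for this page; it is not code from the CCleaner payload or from Avast's or Cisco Talos's analysis. The "build a-b-c-d" encoding, the marker pattern, the sample bio text and the DNS answers are all assumptions made here (the page does not describe the real encoding), and the addresses come from RFC 5737 documentation ranges. It also shows the analyst side: decoding every captured drop so the fallbacks are known before the primary account is taken down.

```python
"""Dead-drop C2 resolution with ordered fallbacks.

Added example, not code from the CCleaner payload, Avast or Cisco Talos. It
models the scheme quoted above (GitHub account -> WordPress account -> DNS
record) in the abstract: the encoding used here (an IPv4 address hidden as a
"build 203-0-113-7" string in profile text) and every sample artifact are
constructed for this example. Addresses are from RFC 5737 documentation ranges.
"""
import ipaddress
import re
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Hypothetical marker the resolver scans for inside otherwise benign profile text.
PROFILE_MARKER = re.compile(r"build (\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})")


def decode_from_profile(text: str) -> Optional[str]:
    """Recover an IPv4 address from a hosted bio/about page, or None if absent."""
    match = PROFILE_MARKER.search(text)
    if not match:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(match.groups())))
    except ipaddress.AddressValueError:
        return None  # marker present but an octet is out of range: treat as absent


def decode_from_dns(answers: List[str]) -> Optional[str]:
    """Take the first syntactically valid A record from a DNS answer set."""
    for answer in answers:
        try:
            return str(ipaddress.IPv4Address(answer))
        except ipaddress.AddressValueError:
            continue
    return None


def resolve_c2(fetch_github: Callable[[], str],
               fetch_wordpress: Callable[[], str],
               query_dns: Callable[[], List[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Try each dead drop in order and stop at the first that yields an address.

    Returns (address, mechanism) or (None, None). A source that is unreachable
    or taken down raises OSError; that is swallowed so the next fallback runs.
    """
    chain = (
        ("github", lambda: decode_from_profile(fetch_github())),
        ("wordpress", lambda: decode_from_profile(fetch_wordpress())),
        ("dns", lambda: decode_from_dns(query_dns())),
    )
    for mechanism, step in chain:
        try:
            address = step()
        except OSError:
            address = None
        if address:
            return address, mechanism
    return None, None


def extract_indicators(artifacts: Dict[str, Any]) -> Set[str]:
    """Analyst side: decode every captured drop, not only the first that works,
    so the fallbacks are known before the primary source is taken down."""
    found: Set[str] = set()
    for key in ("github", "wordpress"):
        address = decode_from_profile(str(artifacts.get(key, "")))
        if address:
            found.add(address)
    address = decode_from_dns(list(artifacts.get("dns", [])))
    if address:
        found.add(address)
    return found


# Constructed sample artifacts (not real accounts, pages or records).
SAMPLE_GITHUB_BIO = "Hobbyist. Currently on build 203-0-113-7 of my side project."
SAMPLE_WORDPRESS_ABOUT = "About me: nothing here yet."
SAMPLE_DNS_ANSWERS = ["198.51.100.22"]


def github_taken_down() -> str:
    """Simulates the primary drop being removed after disclosure."""
    raise OSError("404 Not Found")


if __name__ == "__main__":
    print(resolve_c2(lambda: SAMPLE_GITHUB_BIO,
                     lambda: SAMPLE_WORDPRESS_ABOUT,
                     lambda: SAMPLE_DNS_ANSWERS))   # ('203.0.113.7', 'github')
    print(resolve_c2(github_taken_down,
                     lambda: SAMPLE_WORDPRESS_ABOUT,
                     lambda: SAMPLE_DNS_ANSWERS))   # ('198.51.100.22', 'dns')
    print(sorted(extract_indicators({"github": SAMPLE_GITHUB_BIO,
                                     "wordpress": SAMPLE_WORDPRESS_ABOUT,
                                     "dns": SAMPLE_DNS_ANSWERS})))
```

Running the module prints the address found via the GitHub drop, then what the payload falls back to once that account is removed (the WordPress page carries no marker, so the DNS answer wins). The practical point for responders is the last function: taking down only the first source leaves the implant working, so all three indicators should be blocked and hunted for together.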