Supply Chain Attack May Have Backdoored Hundreds of High-Profile Targets
An attack campaign involving a trojanized version of the CCleaner Windows utility, built and distributed by British developer Piriform, was much more extensive than it first appeared (see Avast Distributed Trojanized CCleaner Windows Utility).
Czech company Avast, one of the world’s largest security vendors, bought Piriform earlier this year. It says hackers broke into a download server and substituted a malicious version of the CCleaner installer. The security firm says it first learned of the attack on Sept. 12, via cybersecurity software firm Morphisec.
“The attack affected a total of 2.27 million computers between August 15, 2017, and September 15, 2017, and used the popular PC cleaning software CCleaner version 5.33.6162 as a distribution vehicle,” Avast CEO Vince Steckler and Ondřej Vlček, executive vice president and general manager of Avast’s consumer business, write in a Thursday update on the CCleaner investigation.
Cisco’s Talos security wing says that 700,000 systems were infected with a trojanized version of CCleaner, which relayed details of compromised machines to attackers.
While that initial, first-stage infection was indiscriminate, Talos says the attackers then proceeded in a very targeted fashion, pushing a second-stage payload only to select systems inside specific organizations, in what looks like a campaign to steal intellectual property.
In a Friday blog post, Avast says it immediately reached out to law enforcement agencies to help it take down the command-and-control (C2) server the attackers were using to control infected endpoints, and to obtain a copy of the server’s contents.
“At the time the server was taken down, the attack was targeting select, large technology and telecommunication companies in Japan, Taiwan, U.K., Germany and the U.S.,” the Avast executives write. “Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were.”
Avast says it only has log data for the last three days of the attack campaign, which ran for one month. The attackers hosted the C2 on “a low-end machine with limited disk capacity,” and the MariaDB database (a fork of MySQL) in which they stored the logs ran out of disk space, so the earlier log data was lost.
During the three days for which log data is available, 18 firms were targeted via the second-stage attack, and about half appear to have been successfully infected with the additional malware, Avast says. But the executives write that the total number of systems infected via the second-stage attack, over the one-month attack period, “was likely at least in the order of hundreds.”
Watering Hole Attacks
Security experts say the attack mirrors the NotPetya attack earlier this year, in which hackers accessed a download server maintained by Ukrainian accountancy software vendor M.E. Doc, and substituted a backdoored version of the software, which was pushed to the company’s users.
A watering hole attack usually means compromising a website that the intended targets are known to visit. In the M.E. Doc and CCleaner cases, it was instead software that the targets were known to run that was compromised, which is why the campaign is more precisely described as a software supply chain attack: the trojanized build reached every user of the product, and the attackers then picked their targets from among them.
“Backdooring a binary is the original watering hole attack,” says information security researcher Chris Rohlf via Twitter, who points to similar attacks dating from at least 2002.
https://t.co/SzmdeLhtnQ Some techniques never die, only evolve and scale.
— Chris Rohlf (@chrisrohlf) September 21, 2017
Avast says it has updated all affected versions of its software. “The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version,” Paul Yung, vice president of products for Piriform, wrote in a Monday blog post.
For users of the desktop client, the latest, safe version of CCleaner is 5.35. In addition, “users of CCleaner Cloud version 1.07.3191” – which was also trojanized – “have received an automatic update,” Yung adds.
The seized copy of the C2 server, obtained by Avast, was shared with Talos, which says that the infected endpoints “phoned home” to the server, sending information such as their IP address, host and domain names, lists of processes running on the system, and so on, which attackers would have used to decide which machines to target via the second stage of their attack.
“In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations … that were specifically targeted through delivery of a second-stage loader,” the researchers say.
Avast says it has directly notified all companies that it believes were targeted in the second stage of the attack, but declined to publicly share a list of targets.
But Talos says that second-stage targets included systems inside Akamai, D-Link, Google, HTC, Intel, Linksys, Microsoft, Samsung, Sony, VMware and Cisco itself. In about half of those cases, the Talos researchers believe, the attackers successfully pushed the second-stage payload onto infected systems.
“This would suggest a very focused actor after valuable intellectual property,” they say.
Potential Clues – or False Flags
Avast reviewed how the attack group had connected to the C2 server, and found that most connections came via Japanese networks, which it suspects were infected endpoints and servers being used as proxies to disguise the attackers’ location.
The attackers appear to have known their way around Asian networks. In addition, “the list of targeted companies contained quite a few Asian companies, but none from China,” Avast says.
Costin Raiu, a security researcher with Moscow-based anti-virus firm Kaspersky Lab, says that part of the second-stage malware – a backdoor – used in the attacks shares code with malware that has previously been attributed to a cyberespionage group known as Axiom. Configuration scripts for the database used in the attack were also set to PRC (People’s Republic of China) time.
In 2015, cyber analytics firm Novetta linked Axiom – aka APT17, Aurora Panda, DeputyDog, Group 72, Hidden Lynx, Tailgater Team, Voho – to the Chinese government.
“There are some striking similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese APT group in 2014/2015,” Avast notes.
The reused code and time zone settings do not prove that the Aurora group was behind the CCleaner attack. But Raiu says via Twitter that it is very notable that the CCleaner attack involved “custom, rare malware, [previously] used in supply chain attacks.”
Shared code between the #CCleaner Cbkrdr loader and an #Aurora/#APT17 Missl backdoor. Found only in a few Axiom-related samples. pic.twitter.com/3rQdmtaPQD
— Costin Raiu (@craiu) September 19, 2017
Of course, that could be a false flag. “Even with all of these clues, it is impossible at this stage to claim which country the attack originated from, simply because all of the data points could easily be forged to hide the true location of the perpetrator,” Avast notes.
Victims: At Least Update and Scan
Security experts’ advice to anyone who used an infected version of CCleaner has ranged from installing an updated version and running an anti-virus scanner, to completely wiping the device and restoring from a backup that predates the infection.
“For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality anti-virus product,” Avast says.
“For corporate users, the decision may be different and will likely depend on corporate IT policies,” it adds. “At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.”
Or Wipe and Restart
But Warren Mercer, a technical leader at Cisco Talos, recommends wiping or reimaging all infected systems to ensure that any malware that may have been installed by the trojanized CCleaner is completely eradicated.
It really was a needle within a 700K strong haystack. If you had CCleaner 5.33 we strongly recommend you wipe the machine and start again.
— Warren Mercer (@SecurityBeard) September 20, 2017
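The two pieces of advice above (Avast: consumers upgrade to 5.35 and scan; Talos: wipe any machine that ran 5.33) only become actionable once you know which machines actually ran the trojanized builds. The following is an added example, not code from Avast, Piriform or Talos, of how an incident responder might triage a software inventory export against the versions named on this page: CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 as trojanized, and 5.35 as the fixed desktop release. The inventory rows are constructed sample data, and the `managed` flag (corporate-managed versus consumer endpoint) is an assumption about how an organization tags its hosts.

```python
"""Triage a software inventory for the trojanized CCleaner builds.

Added example: this is not Avast, Piriform or Talos code. The inventory
rows below are constructed sample data, and the 'managed' flag is an
assumption about how an organization tags corporate endpoints.
"""
from collections import defaultdict
from dataclasses import dataclass

# Builds identified as trojanized (Avast and Piriform statements).
AFFECTED_BUILDS = {
    "CCleaner": {"5.33.6162"},
    "CCleaner Cloud": {"1.07.3191"},
}
# Desktop release Avast points users to after revoking the 5.33 signing cert.
FIXED_DESKTOP = "5.35"


@dataclass(frozen=True)
class Host:
    name: str
    product: str      # "CCleaner" or "CCleaner Cloud"
    version: str      # version string as reported by the inventory agent
    managed: bool     # True for corporate-managed endpoints (assumption)


def parse_version(text):
    """'5.33.6162' -> (5, 33, 6162). Raises ValueError on junk input."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(host):
    """Decide what to do with one host.

    'reimage' - trojanized build on a managed box: Talos advice is to wipe,
                because a second-stage payload may already be present.
    'upgrade' - trojanized build on a consumer box (Avast: move to the
                latest version and scan), or a desktop client older than
                the fixed 5.35 release.
    'clean'   - desktop client at or above 5.35, or a Cloud client that is
                not the trojanized build.
    'unknown' - version string the inventory could not parse; review by hand
                rather than silently treating it as clean.
    """
    if host.version.strip() in AFFECTED_BUILDS.get(host.product, set()):
        return "reimage" if host.managed else "upgrade"
    try:
        ver = parse_version(host.version)
    except ValueError:
        return "unknown"
    if host.product == "CCleaner" and ver < parse_version(FIXED_DESKTOP):
        return "upgrade"
    return "clean"


def triage(hosts):
    """Group hosts by verdict; returns {verdict: sorted list of host names}."""
    groups = defaultdict(list)
    for host in hosts:
        groups[classify(host)].append(host.name)
    return {verdict: sorted(names) for verdict, names in groups.items()}


# Constructed sample inventory (hostnames and mix of versions are invented).
SAMPLE_INVENTORY = [
    Host("ws-0412", "CCleaner", "5.33.6162", managed=True),
    Host("home-pc", "CCleaner", "5.33.6162", managed=False),
    Host("ws-0999", "CCleaner Cloud", "1.07.3191", managed=True),
    Host("ws-1003", "CCleaner", "5.35.6210", managed=True),
    Host("ws-0777", "CCleaner", "5.32.6129", managed=True),
    Host("ws-0001", "CCleaner", "n/a", managed=True),
]

if __name__ == "__main__":
    for verdict, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict:8s} {', '.join(names)}")
```

The exact-match check on the trojanized build runs before any version arithmetic, so a host running 5.33.6162 is never mis-filed as merely "outdated". Unparseable version strings are surfaced as `unknown` instead of being treated as clean, since an inventory agent that cannot read a version is exactly the kind of gap that lets a compromised machine slip through a one-month campaign unnoticed.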