CCleaner Backdoor Attack: A State-sponsored Espionage Campaign

Infected CCleaner Software Attack that Affected 700,000 Customers is part of a Wide-scale State-sponsored Cyber-espionage Campaign.

Previously we informed you about the hacking of anti-virus maker Avast’s CCleaner software and the embedding of a malicious payload in two of the software’s versions, namely CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (both 32-bit versions).

An initial investigation carried out by security researchers at Cisco Talos revealed that with this attack, hackers managed to compromise Avast’s servers as well as embed a backdoor and a multi-stage malware payload, which got installed automatically whenever CCleaner was installed.

Reportedly, the infected CCleaner software was distributed to nearly 700,000 customers between 15th August and 12th September. The latest details about this attack reveal that a state-sponsored hacker group might be involved, and that mainstream tech giants were the hackers’ real targets.

Previously Avast maintained that the malware payload was never delivered to customers and therefore no damage was caused. However, the latest revelations show that the scope of the damage is far greater than what we have been told so far, because the payload was indeed delivered effectively. Unarguably, the objective of distributing malware at such a massive scale was to gain access to the servers and networks of a number of high-profile tech firms, including Google, Microsoft, Intel, Vodafone, Singtel, VMware, HTC, Sony, Samsung, D-Link, Akamai, Linksys, and Cisco.

It must be noted that CCleaner removes unwanted data such as temporary files and cookies and scans for malware and other data-monitoring software on Windows-based systems. According to the researchers, the malicious code was added to the software before compilation, which means the hackers had access to the development infrastructure of Piriform, the firm that develops CCleaner. Avast acquired Piriform in July.

Cisco’s research team obtained a copy of the hackers’ C&C server, on which they discovered detailed logs of over 700,000 computers. These computers had communicated with the hackers earlier in September. Further investigation revealed that the hackers weren’t at all interested in the majority of the infected customers, which led the researchers to believe that this was actually a well-designed, state-sponsored attack. The attack targeted major tech firms, and the motive was to access and copy trade secrets and internal data from these organizations. Thus, Cisco’s researchers concluded that what they had been treating as a “run-of-the-mill mass cybercrime scheme” was in reality a “state-sponsored spying operation.”

Security experts are divided over which group could be involved. Cisco Talos pointed out that the malware in CCleaner shares code linked with a notorious and sophisticated hacking group called Group 72 or Axiom. As cited by Motherboard, security firm Novetta linked the group to a Chinese government operation back in 2015. Another security firm, FireEye, has not yet named any particular hacker group but believes that state actors are involved:

“FireEye found infrastructure overlap with a nation-state threat actor. CCleaner is used in lots of orgs (even if primarily consumer-focused). Supply chain compromise is a perfect vector for a nation-state to use,” says Christopher Glyer, FireEye’s chief security officer.

One of the configuration files present on the server, Cisco claims, was set to China’s time zone, but this cannot be regarded as solid evidence against China. Nonetheless, after the emergence of new information, Avast finally conceded that its earlier claim that the multi-stage payload was never delivered was false. The company now states that the second-stage payload was sent to nearly 8 companies, and that the number of affected machines is “in the order of hundreds.”

“The server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds.”

Cisco has warned the targeted tech firms that the problem cannot be fixed simply by deleting the CCleaner software, because the first-stage payload might already have installed the second-stage payload on their networks, and the C&C server might still be actively communicating with it.

Cisco’s blog post is available here while Avast’s blog post can be read here.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.