CCleaner targeted top tech companies in attempt to lift IP
Cisco’s security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to targeted companies.
The malware that made its way into CCleaner gathers information about its host and sends it to what Talos calls the “C2 server”. Whoever is behind the malware then reviews the hosts its code has compromised. It then tries to infect some of those hosts with what Talos characterises as “specialized secondary payloads”.
Those payloads sometimes seek out top tech companies: Talos says its examination of code on the C2 server lists targets including Cisco itself, Microsoft, Sony, Intel, VMware, Samsung, D-Link, Epson, MSI, Linksys, Singtel and the dvrdns.org domain, which resolves to dyn.org.
The malware aimed at those companies creates a backdoor into machines it infects, leading Talos to suggest “This would suggest a very focused actor after valuable intellectual property.” The firm’s researchers also suggest China could be the source of the attack, noting that the malware specifies use of the People’s Republic’s timezone and that it shares code with tools associated with the hackers known as “Group 72”, a group thought to have Chinese origins and believed to have been involved in previous attacks attempting IP theft.
Talos says it can “… confirm that at least 20 victim machines were served specialized secondary payloads.” The firm doesn’t name the victims or specify that they are any of the tech companies named above, as its researchers say the list of target companies changes. Cisco informed those it believes have been infected.
Kill it with fire. Twice, if possible
“These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor,” Talos’ post says. “These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
What are you waiting for, people? Get to those backups now! ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/21/ccleaner_secondary_payload_targeted_top_tech_companies/