There is a new twist in the CCleaner hack saga: the attackers apparently didn’t set out to compromise as many machines as possible, but were after some very specific targets.

A stealthy, targeted attack

According to Cisco, their actual targets were computers at a number of huge tech companies like Intel, Microsoft, Linksys, Dlink, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and (the odd man out) Gauselmann, a manufacturer of gaming machines.

Cisco researchers came to this conclusion after analyzing an archive containing files that were stored on the attackers’ C&C server, and finding the list of domains the attackers were attempting to target.

According to their findings, some 700,000 hosts were saddled with the backdoored CCleaner. Of these, some 540 are government systems around the world, and 51 belong to domains containing the word “bank” in their name.

They also identified 20 unique hosts at eight (unnamed) companies that received the second stage payload that followed the CCleaner backdoor compromise. But, as they noted, the number of compromised hosts and companies is likely higher, as the list was probably changed over the month or so the server was active.

Avast also arrived at the same conclusion. They posit that the actual number of computers that received the second stage payload “was likely at least in the order of hundreds.”

The second stage payload uses two components (DLLs): the first contains the main business logic, and the second is responsible for persistence.

“Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on WordPress, and 3) a DNS record of a domain (name modified here). Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get the address of the new server,” Avast’s CEO and CTO explained.

“The second part of the payload is responsible for persistence. Here, a different mechanism is used on Windows 7+ than on Windows XP.”

Another thing that points to the attackers’ high level of sophistication is that the DLLs piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs (one is part of Corel’s WinZip package, and the other part of a Symantec product).

What are the attackers after?

Cisco researchers posit that the attackers are after valuable intellectual property.

They found an overlap between code used in these malware samples and malware previously used by Group 72 (aka Axiom), a long-standing threat actor that has been known to target high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors in the US, Japan, Taiwan, and Korea. It is believed that Group 72 is a state-sponsored actor backed by the Chinese government.

The researchers found another thing that points towards China: the C&C server’s configuration specifies “PRC” (People’s Republic of China) as the time zone. But, they pointed out, this information cannot be relied on for attribution.

Both Cisco and Avast have notified the companies whose computers are known to have been saddled with the second stage payload.

Cisco researchers have reiterated their initial recommendation: “Those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”

While Avast still advises consumers to simply upgrade CCleaner to the latest version (v5.35, released on Wednesday and signed with a new digital signature), they say that “for corporate users, the decision may be different and will likely depend on corporate IT policies.”

As the investigation continues, it’s possible that the list of affected firms will grow. In the meantime, Cisco has provided indicators of compromise that the companies on the list of targets can use to check whether they have a compromised host on their network. Tech companies not on the list should also consider doing the same.

Supply chain attacks seem to be increasing in velocity and complexity.
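As an added triage example (written for this page, not code from Cisco, Avast or the article), the script below inventories CCleaner installs on a Windows host, flags anything older than the v5.35 release named above, checks the binary’s Authenticode signature and compares its SHA256 against an IoC list. It assumes the standard uninstall registry keys, a CCleaner.exe binary in the recorded install location, and that you paste in the hashes from Cisco’s published indicators where the placeholder sits.

```powershell
# Added example: CCleaner host triage. Not from the article or the vendors.
# Assumptions: fixed version 5.35 (as stated in the article); uninstall-key layout and
# CCleaner.exe binary name are assumed; $IocSha256 is a placeholder to be filled in.

$FixedVersion = [version]'5.35'

# Placeholder: replace with the SHA256 hashes from Cisco's indicators of compromise.
$IocSha256 = @(
    'REPLACE_WITH_SHA256_FROM_CISCO_IOC_LIST'
)

function Get-CCleanerInstalls {
    # Enumerate uninstall entries (64-bit and 32-bit views) whose DisplayName starts with CCleaner.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CCleanerHost {
    $findings = @()
    foreach ($app in Get-CCleanerInstalls) {
        $ver = $null
        if ([version]::TryParse($app.DisplayVersion, [ref]$ver) -and $ver -lt $FixedVersion) {
            # Per Cisco's guidance an affected host is restored from backup or reimaged, not just updated.
            $findings += "Outdated $($app.DisplayName) $($app.DisplayVersion) on $env:COMPUTERNAME"
        }
        if ($app.InstallLocation) {
            $exe = Join-Path $app.InstallLocation 'CCleaner.exe'   # assumed binary name
            if (Test-Path $exe) {
                # A valid signature alone does not clear the host: the IoC hash match is the stronger signal.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    $findings += "$exe signature status: $($sig.Status)"
                }
                $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
                if ($IocSha256 -contains $hash) {
                    $findings += "$exe SHA256 $hash matches an IoC entry"
                }
            }
        }
    }
    if ($findings.Count -eq 0) { "No CCleaner findings on $env:COMPUTERNAME" } else { $findings }
}

Test-CCleanerHost
```

Run it under an account that can read HKLM and the install directory; a DNS-log review for the udp/53 C&C lookups the article describes is a separate, complementary check.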