Hackers compromised free CCleaner software


Petrovic

Cisco, they're Silicon Valley rippers. That is why all those big tech companies are located in the same city: so they can steal each other's ideas. They were not even the ones who found the malware, and they are acting like they did without even giving credit to the group who found it. Cisco products were full of NSA backdoors till Snowden told on them, and maybe still are for all I know.

https://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html
Quote

Progress on CCleaner Investigation

From Avast Vince Steckler & Ondřej Vlček, 21 September 2017

Large technology and telecommunications companies were targeted

Following the take-down of the CnC server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack. To recap, the attack affected a total of 2.27M computers between August 15, 2017 and September 15, 2017 and used the popular PC cleaning software CCleaner version 5.33.6162 as a distribution vehicle. Today, we would like to report on the progress so far.

First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were. For privacy reasons, we’re not disclosing the list of targeted companies publicly; instead, we have been reaching out individually to those companies who we know have been impacted, and providing them with additional technical information to assist them.

The 2nd stage payload is a relatively complex piece of code that uses two components (DLLs). The first component contains the main business logic. As with the first payload, it is heavily obfuscated and uses a number of anti-debugging and anti-emulation tricks. Much of the logic is related to the finding of, and connecting to, a yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on Wordpress, and 3) a DNS record of a domain get.adxxxxxx.net (name modified here). Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get address of the new server. Together with law enforcement, we’re continuing the analysis by getting access to the data from these additional CnC servers and tracing further to the attacker.

The second part of the payload is responsible for persistence. Here, a different mechanism is used on Windows 7+ than on Windows XP. On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as "C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.

Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs. The 32-bit code is activated through a patched version of VirtCDRDrv32.dll (part of Corel’s WinZip package), while the 64-bit uses EFACli64.dll – part of a Symantec product. Most of the malicious code is delivered from registry (the binary code is saved directly in registry in keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\00[1-4]”). Again, all of these techniques demonstrate the attacker’s high level of sophistication.

In parallel to the technical analysis, we have continued working with law enforcement units to trace back the source of the attack. We are committed to getting to the bottom of who is behind this attack. While providing routine periodic updates, our energies are focused on catching the perpetrators. Our approach is to do all of this in the background, to increase our chances of identifying the perpetrator. We believe nothing is served by being too noisy, e.g. stating who was targeted and/or compromised and it is up to the target to choose when to disclose.

Finally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.

We will provide additional updates as we progress.

Vince Steckler - CEO of Avast Software

Ondrej Vlcek, CTO and EVP Consumer Business of Avast Software

https://preview.hs-sites.com/_hcms/preview/content/5348464878?portalId=486579&preview_key=YRWyAHMF
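The Avast statement above names concrete host artifacts of the second stage: two persistence DLL paths, the WbemPerf registry values holding the payload, the SessionEnv and Spooler services used to load it, and the trojanized CCleaner build. The script below is an added triage example written for this page, not Avast's or Piriform's code; it reads those artifacts on a Windows host and reports them, changing nothing. The CCleaner install paths under Program Files and the "SessionEnv set to Auto start" heuristic are assumptions of the example; the paths, registry key and version come from the statement.

```powershell
# Constructed host triage for the CCleaner second-stage indicators in the Avast statement.
# Not Avast/Piriform code. Run from an elevated PowerShell prompt (registry and
# service reads need admin); the script only reads and prints, it removes nothing.

$findings = New-Object System.Collections.Generic.List[string]   # indicators of compromise
$info     = New-Object System.Collections.Generic.List[string]   # context for the analyst

# 1. Persistence DLL paths from the statement (Windows 7+ and Windows XP variants).
#    Neither file belongs to a clean install, so presence alone is a strong signal.
$dllPaths = @(
    (Join-Path $env:SystemRoot 'system32\lTSMSISrv.dll'),
    (Join-Path $env:SystemRoot 'system32\spool\prtprocs\w32x86\localspl.dll')
)
foreach ($path in $dllPaths) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Persistence DLL present: $path (SHA256 $hash)")
    }
}

# 2. Payload bytes stored in registry values 001-004 under WbemPerf (from the statement).
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
if (Test-Path -LiteralPath $regKey) {
    $item = Get-Item -LiteralPath $regKey
    foreach ($name in $item.GetValueNames()) {
        if ($name -match '^00[1-4]$') {
            $data = $item.GetValue($name)
            $size = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
            $findings.Add("Registry payload value $regKey\$name holds $size bytes")
        }
    }
    if ($findings.Count -eq 0) { $info.Add("WbemPerf key exists without 001-004 values: $regKey") }
}

# 3. Services the payload abuses as loaders. SessionEnv is Manual-start on an ordinary
#    workstation; Auto start there is the heuristic flagged here (assumption of this example).
#    Remote Desktop Session Hosts run it as Auto legitimately, so correlate with step 1.
foreach ($svcName in 'SessionEnv', 'Spooler') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $info.Add("Service $svcName StartMode=$($svc.StartMode) State=$($svc.State)")
        if ($svcName -eq 'SessionEnv' -and $svc.StartMode -eq 'Auto') {
            $findings.Add('SessionEnv is set to Auto start (statement: used to autoload lTSMSISrv.dll)')
        }
    }
}

# 4. Installed CCleaner build. 5.33.6162 is the trojanized release named in the statement;
#    the signing certificate was revoked, so the Authenticode status is recorded for the analyst.
#    Install locations are assumed defaults, not from the statement.
$ccExes = @("$env:ProgramFiles\CCleaner\CCleaner.exe", "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe")
foreach ($exe in ($ccExes | Where-Object { Test-Path -LiteralPath $_ })) {
    $vi  = (Get-Item -LiteralPath $exe).VersionInfo
    $ver = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status
    $info.Add("CCleaner $ver at $exe, Authenticode status $sig")
    if ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33) {
        $findings.Add("CCleaner $ver is the trojanized 5.33 release; statement recommends 5.35 or later")
    }
}

Write-Output '--- Context ---'
$info | ForEach-Object { Write-Output "    $_" }
Write-Output '--- Indicators ---'
if ($findings.Count -eq 0) {
    Write-Output '    none of the second-stage indicators from the statement were found'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Treat the host as compromised: rebuild, or restore from a backup that predates the 5.33 install.'
}
```

The check is host-local and point-in-time: it says nothing about whether the machine reached the second-stage CnC servers the statement describes, so a hit on steps 1 or 2 is grounds to rebuild rather than to delete the files, which matches the statement's position that corporate machines cannot be assumed clean.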
Quote

 

The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms

Hundreds of thousands of computers being penetrated by a corrupted version of an extremely popular piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak could be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on specific espionage that tried to get access to the networks of at least 20 tech companies.

Earlier this week, security firms Morphisec and Cisco disclosed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division disclosed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.

On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised inside the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

"When we found this initially, we knew it had infected a lot of companies," says Williams. "Now we know this was being used as a dragnet to target these 20 companies worldwide…to get footholds in companies that have valuable things to steal, including Cisco unfortunately."

A Wide Net

Cisco says it obtained a digital copy of the hackers' command-and-control server from an unnamed source involved in the CCleaner investigation. The server contained a database of every backdoored computer that had "phoned home" to the hackers' machine between September 12 and 16. That included over 700,000 PCs, just as Avast has stated in the days since it first disclosed its CCleaner debacle. (Originally the company put the number significantly higher, at 2.27 million.) But the database also showed a list of specific domains onto which the hackers sought to install their secondary malware payload, as well as which ones received that second infection.

The secondary payload targeted 20 companies in all, but Williams notes that some companies had more than one computer compromised, and some had none. He declined to say which of the targets had in fact been breached, but Cisco says it's alerted all the affected companies to the attack.

Williams also notes the target list Cisco found likely isn't comprehensive; it seems to have been "trimmed," he says. It could have included evidence of other targets, successfully breached or not, that the hackers had sought to infect with their secondary payload earlier in the month-long period when the corrupted version of CCleaner was being distributed. "It is very likely they modified this over the monthlong campaign, and it is almost certain that they changed the list around as they progressed and probably targeted even more companies," says Williams.

That target list adds a new wrinkle to the unfolding analysis of the CCleaner attack, one that shifts it from what might otherwise have been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware component in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.

Cisco concedes that code reuse alone doesn't represent a definitive link between the CCleaner attack and Axiom, not to mention China. But it also notes that one configuration file on the attackers' server was set for China's time zone, while still acknowledging that's not enough for attribution.

Supply Chain Woes

For any company that might have had computers running the corrupted version of CCleaner on their network, Cisco warns that its findings mean just deleting that software is no guarantee the CCleaner backdoor wasn't used to plant a secondary piece of malware on their network, one with its own, still-active command and control server. Instead, the researchers recommend that anyone affected fully restore their machines from backup versions prior to the installation of Avast's tainted security program. "If you didn't restore your system from backup, you are at serious risk of not having cleaned this up," Williams says.

The exact dimensions of the CCleaner attack will likely continue to be redrawn as analysis proceeds. But it already represents another serious example in the string of software supply-chain attacks that have recently rocked the internet. Two months earlier, hackers hijacked the update mechanism of the Ukrainian accounting software MeDoc to deliver a malicious piece of software known as NotPetya, causing massive damage to companies in Ukraine as well as in Europe and the United States. In that case, as in the CCleaner attack, victims installed seemingly legitimate software from a small but trusted company, only to find that it had been silently corrupted, deeply infecting their IT systems.

In the days following the NotPetya attack, many in the security research community shifted their assessment of the attack from a criminal ransomware outbreak to something more insidious, targeted, and built by nation-state hackers. Now, it seems that the mystery surrounding the CCleaner attack may be shifting in that same, disturbing direction.

 

 

https://techhotnews.com/2017/09/21/the-ccleaner-malware-fiasco-specific-at-minimum-twenty-certain-tech-firms/

http://www.in.techspot.com/news/security/ccleaner-attack-targeted-large-technology-and-communication-companies/articleshow/60785618.cms

 

Quote

According to Cisco Talos and Avast, this wasn’t your run-of-the-mill hack but rather, a seemingly sophisticated attack that targeted nearly two dozen large technology and telecommunication companies in the US, Germany, Japan, Taiwan and the UK. ...