Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers.

An unusual attack on software update mechanisms

“Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson. This is an unusual attack as software similar to CCleaner is trusted by consumers and meant to remove “crapware” from a system. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates,” says Talos.

Earlier this year, Ukrainian company MeDoc was breached and its update servers used to distribute the Petya ransomware. Hackers appear to be targeting these types of distribution points to more easily spread malware, instead of the traditional way of attacking individual machines themselves. It’s a trend that many security researchers will be monitoring closely, to catch the latest innovative ways that hackers are breaching multiple systems.

CCleanup: A Vast Number of Machines at Risk

This post was authored by: Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams
Update, 8:30AM ET: Article updated with Avast statement.
Update 9/18: CCleaner Cloud version is also reported to be affected.

Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily, with tools like AMP, the additional visibility can usually help direct attention to the initial vector.

Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016, with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. In September 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized, and providing a more streamlined way to manage installed applications.

In September 2017, while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner.
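The practical follow-up for a defender reading the above is to find out which endpoints received the affected build. The script below is an added example, not code from Talos, Avast or Piriform. It assumes a software-inventory export with host, product and version columns (the sample rows are constructed, not real hosts), flags CCleaner installs whose version is 5.33.x, which is the version this page names, and flags any CCleaner Cloud install for manual review because the page reports the Cloud version as affected but gives no version number. The "6.00.0000" and "1.0.0" versions in the sample are constructed placeholders and say nothing about which release fixed the issue.

```python
"""Triage a software inventory for the trojanized CCleaner 5.33 installer.

Added example (not Talos/Avast/Piriform code). Assumes an inventory CSV with
host,product,version columns; sample rows below are constructed.
"""
import csv
import io
import re
from typing import List, Tuple

# From the page: the installer for CCleaner v5.33 carried the malware payload.
AFFECTED_MAJOR_MINOR = (5, 33)

# Constructed sample inventory (hostnames and non-5.33 versions are made up).
SAMPLE_INVENTORY = """host,product,version
ws-001,CCleaner,5.33.6162
ws-002,CCleaner,v5.33
ws-003,CCleaner,5.32.6129
ws-004,CCleaner Cloud,1.0.0
ws-005,Notepad++,7.5
ws-006,CCleaner,6.00.0000
ws-007,CCleaner,unknown
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.33.6162' or 'v5.33' into a tuple of ints; empty tuple if unparsable."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        return ()
    return tuple(int(part) for part in m.group(1).split("."))


def classify(product: str, version: str) -> str:
    """Return AFFECTED, REVIEW or OK for one inventory row."""
    name = product.strip().lower()
    if name == "ccleaner cloud":
        # Page says the Cloud version is also affected but gives no version,
        # so every Cloud install goes to a human rather than being auto-cleared.
        return "REVIEW"
    if name != "ccleaner":
        return "OK"
    parsed = parse_version(version)
    if len(parsed) < 2:
        # An unparsable version must not silently pass as clean.
        return "REVIEW"
    return "AFFECTED" if parsed[:2] == AFFECTED_MAJOR_MINOR else "OK"


def triage(inventory_csv: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, verdict) for every row that is not OK."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"], row["version"])
        if verdict != "OK":
            findings.append((row["host"], row["product"], row["version"], verdict))
    return findings


if __name__ == "__main__":
    for host, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:8} {host:8} {product} {version}")
```

Matching on the major.minor pair rather than the full string is deliberate: inventory tools record the same release as "5.33", "v5.33" or "5.33.6162", and a plain string comparison would miss two of the three. Rows the parser cannot read are surfaced rather than dropped, since a blank or odd version field is exactly the kind of host that deserves a look.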