I think the virus which infected CCleaner attacked them.
You don't claim "Intel targeted" for every single virus running on x86
Cisco's security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to some of those firms …
CCleaner didnt get infected. its a program . Machines get infected.
I'm not sure what you mean with your Intel analogy ,
What appears to have happened here is that some ner-do-well has hacked into AVGs house , and planted their virus inside the downloadable update for CCleaner.
So AVG and their cleaner program were "targetted" but not by the malware.
I'd still like to know exactly how the malware got in there
Agreed. The article title implies the CCleaner app/maker is responsible whereas the real interest here should be who and why. The article does go in to that and raises several interesting points which no doubt are being investigated by several groups so it seems strange not to make that obvious in the title.
'CCleaner hack targeted top tech companies to lift IP' would have been a far more accurate reflection of content (or some variation if there's some limit on title lengths).
Either way, this story has some way to run yet, and there are also the initial Avast assurances that 'no-one got damaged' which were quick to come out and possibly will be as quick to fall apart.
We still don't really know much about it dude. Sure we know WHAT happened, but not the HOW, or how Avast let their guard down especially after NotPetya which used a similar attack vector etc...
"Avast cryptographically signs installations and updates for CCleaner, so that no imposter can spoof its downloads without possessing an unforgeable cryptographic key. But the hackers had apparently infiltrated Avast's development or distribution process before that signature occurred, so that the firm was putting its stamp of approval on malware, and pushing it out to consumers."
Washington among the top states for company registration transparency, but still far from good, let alone perfect, see:
For a comparison of how far such measures have to go, one of the top three countries, New Zealand (yeah, from there) only recently passed legislation ending the worst abuses of its foreign trust laws.
All too often, these ranking surveys such as reported in the above article, and similar, such as Transparency International "least corrupt" fail to point out how utterly hopeless existing corporate law is in establishing ultimate beneficiaries.
tl;dr - registration in Seattle may not prove anything?
.. was to nuke it all and reimage it from scratch, the downvoting commentards were out in force.
The ONLY way to be sure malware and the subsequent backdoor are removed it to rebuild the machine from scratch. You will also have to reflash the firmware and use disk formatting tools beforehand to be really sure.
yeah but thats a bit of a faff isnt it. Easier to use a reputable AV and be 99% sure.
I mean , as soon as you plug that shiny new re-flashed rebuilt reinstalled PC into the internet you are instantly "not sure" again , so you just wasted 3 or 4 hours.
Especially if you are running Windows 10 !
Seriously, it would be great if a security bod could carry out a forensic search on a PC subjected to this Ccleaner hack, both before and after removing it, then report back whether they've found any remnants anywhere. It's not a 3-4 hour job for most users to re-install Win and everything else, it's a couple of days, a weekend behind the desk. Yeah I know, images, but in my style of computing those images are never stable for long, better to go for a clean start all over again, and that takes times.
The ONLY way to be sure malware and the subsequent backdoor are removed it to rebuild the machine from scratch.
That did used to be the case. Unfortunately, these days malware which can persist in the "Mgmt Engine" and/or other attached peripherals seems like it's starting to be a thing.
For reference, if that kind of thing is of interest:
I also wondered that.
The only thing I can imagine is that someone pwned the webserver enough that they could swap the compiled msi for thier own.
I dont know how hard it would be to fool the client ccleaner that it got its update but it could certainly unload the malware.
Think about it - every malware writers wet dream is a surefire "infection vector" ( is that the buzzword?) that dosent rely on some idiot clicking on an attachment - as is the route 99% of the time. As such anyone whose hacked into the servers of a massively popular program that updates regularly is in an enviable position. (bonus points if its an AV company!)
I bet that ccleaner access was sold on the' black hat market' rather than perpetrated by the same people who made the payload.
Good grief... where are the InfoSec professionals?
Stop being so lazy. You should at least be able to understand how to work a search engine to find out the details of what happened; without going, "Duh... I don't get it".
This was an attack on the supply chain. You may want to learn a lot more about these types of attacks. They aren't new. In fact, supply chain attacks on computers have been going on since the late 60s, and really took off during the 80s.
Image what you can do if you, as a hacker, can gain control of a third party download server which provides new applications as well as updates/upgrades. For instance, you can add your own malicious packages to the applications and libraries being downloaded. Very stealthy, and the consumer presses the "OKAY" button to let it run with system (or similar) permissions. The attack becomes even more deadly, because it's a well known and trusted application.
...get it yet?
There are many third party download server services available (for hire) which aren't owned or controlled by the actual software vendor. If you've downloaded an application from the Internet, it's very likely you've used one.
I'm sorry, but this recommendation is simply not acceptable.
With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions in a transparent manner that does not risk losing data, or require the user to re-install any programs on the system. It should be possible to clean the affected systems in a 100% safe manner that also imposes no inconvenience or effort.
Of course, admittedly, that may not be technically possible. Eventually, when the regime in China falls, if indeed the people behind this crime are there, they should face a severe penalty so that no one ever again will think to tamper with computers belonging to innocent other people.
"With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions"
Easier said than done. CCleaner phoned home to a server and that server would have supplied the real payload. It's not possible to determine what that was simply by looking at the rogue CCleaner. It's not even possible to be certain by looking at the server; even if the server is sufficiently accessible to determine what it's hosting now that might not be what it had before Talos investigated.
Or was the infection vector unsuitable for the payload? As I understand the infection it provided the details of the host machine and only if it was part of a particular corporation would the infected machine be used. Is cCleaner used at any of the corporations targeted as I would assume only small companies and individuals were customers/users?
The vector (supply chain attack on popular but relatively small software packages) is proving suitable several ways. The CCleaner attack appears to have successfully loaded secondary content on to some of the select companies targeted (http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) and there have been other successful attacks in recent months (MeDoc in Ukraine and Netsarang in South Korea).
Seems likely that more of this is going to occur - anywhere there is an implicit trust relationship between a vendor and a user, where there is a decent chance that user is going to have elevated access in relevant targets, that supply chain is going to be probed.
I would assume only small companies and individuals were customers/users?
Once you are inside the corporate network security is generally much weaker.
So only only need one developer / CxO / salesperson with either root access on their work machine or permission to connect a personal machine to the network and ....
"...should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system."
Only true if the backups are clean. Seen restores of backed up malware before.
Since the attack on CCleaner happened only a few weeks after Avast finalized the sale, I think that click-bait titles I've seen, are just a bit unfair. From what I read, it looks like CCleaner was the only one signing Certs for their own products, which is still a stand-alone company "owned by Avast" and likely one of their own employees was hacked to make this attack happen.
Biting the hand that feeds IT © 1998–2019