Avast staffers spoke at the Virus Bulletin International Conference (VB2017) in Madrid, Spain, on Thursday to shed more light on their postmortem of the CCleaner fiasco – and urge developers to protect their software’s toolchain and distribution systems from hackers.
The widely used utility, which removes unwanted temporary files and registry keys on Windows machines, was backdoored with malicious code in August, as in, miscreants tampered with the software’s downloads to introduce a means to remotely control PCs running the code. Nearly 2.3 million computers ended up installing the dodgy version of the tool, and 40 – within companies such as Intel, VMware, Samsung, NEC and Sony – were instructed to download malicious code to commandeer the boxes. This was absolutely a highly targeted espionage caper, it appears.
The compromised CCleaner builds, such as v5.33, were distributed from August 2, and CCleaner Cloud from August 11, until August 25, and connected to a command-and-control server, used to orchestrate the malware, until September 15 when the box was taken down. The shutdown happened three days after Israeli security firm Morphisec alerted CCleaner owner Avast to the scandal. Of the millions of infected PCs, only a few received the truly nasty second-stage payload that handed the computer over to miscreants.
Piriform, the developers of CCleaner and an Avast acquisition in July, released a clean version of its code on September 13, five days before the breach was publicly disclosed on September 18. Security researchers at Cisco Talos had independently discovered backdoor code in the popular cleanup utility.
The discovery of the back passage came almost a month after the hackers behind the attack had fled the scene of their crime – specifically, Piriform’s infrastructure – it was revealed on Thursday at the Virus Bulletin conference. The miscreants “disappeared” on August 25, according to a post-breach forensic analysis by Avast. The reasons why they vanished at that point are unclear. Jakub Křoustek and Jiří Bracek, both Avast researchers, who provided the postmortem update were reluctant to speculate.
The malware injected into PCs had code similar to that found in cyber-espionage tools developed by APT17 aka Aurora, a Chinese state-sponsored hacking crew in 2014 and 2015. Forensic work by Avast has identified that operations were performed and builds created by the CCleaner hackers during the working day of the Beijing timezone.
Although many leads – some of which Avast is not ready to disclose to its peers – point to China, there is nothing conclusive about these findings. What Avast can now say is that the hacker gang infiltrated Piriform’s build server in April. This was the system used by a lead developer at the 30-person outfit to generate code before it was digitally signed. Anyone whitelisting CCleaner on the strength of its code signature will have been pwned, because the signatures were legit – which explains why initial detection of the compromised utility was so poor among security software firms.
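The lesson of that paragraph is that a valid vendor signature says nothing about what happened upstream of the signing step. The following Python sketch is an added example, not code from Avast, Piriform or this article: it uses HMAC-SHA256 as a constructed stand-in for Authenticode signing and constructed sample bytes for the build output and the implant, and shows why a second, signer-independent check (a hash pinned from an independent build of the same source) catches a build-server implant that a signature-only allowlist waves through.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor's code-signing key. Real release signing uses an
# asymmetric key pair (Authenticode); HMAC-SHA256 plays that role here so the example runs offline.
SIGNING_KEY = b"release-signing-key-PLACEHOLDER"

# Constructed sample inputs: the legitimate build output, and the implant the article
# describes being added on the build server before the binary reached the signing step.
CLEAN_BUILD = b"CCleaner v5.33 legitimate build output (constructed)"
IMPLANT = b"<backdoor inserted on the build server> (constructed)"


def sign(artifact: bytes) -> bytes:
    """Release signing step: runs after the build server has produced the artifact."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """What a signature-based whitelist checks: was this blob signed with the vendor key?"""
    return hmac.compare_digest(sign(artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_on_server(source_build: bytes, implant: bytes = b"") -> bytes:
    """Models the build server: its output is the source build plus whatever an intruder added."""
    return source_build + implant


def verify_release(artifact: bytes, signature: bytes, pinned_sha256: str) -> dict:
    """Two independent checks. The pinned hash must come from somewhere the build server
    cannot influence, e.g. an independent rebuild of the same tagged source."""
    return {
        "signature_valid": signature_valid(artifact, signature),
        "matches_pinned_hash": sha256_hex(artifact) == pinned_sha256,
    }


def release_scenarios() -> dict:
    """Runs a clean release and a tampered-build-server release through verify_release."""
    # Hash pinned from an independent build of the same source, not taken from the build server.
    pinned = sha256_hex(build_on_server(CLEAN_BUILD))

    clean_artifact = build_on_server(CLEAN_BUILD)
    tampered_artifact = build_on_server(CLEAN_BUILD, IMPLANT)

    # Both artifacts get a genuine signature, because signing sits downstream of the build server.
    return {
        "clean": verify_release(clean_artifact, sign(clean_artifact), pinned),
        "tampered": verify_release(tampered_artifact, sign(tampered_artifact), pinned),
    }


if __name__ == "__main__":
    for name, result in release_scenarios().items():
        print(name, result)
```

Running it shows the tampered artifact passing the signature check and failing the pinned-hash check; an allowlist that stops at the first result is exactly the blind spot the article describes. The pinned hash only helps if it is produced by a path the build server cannot touch, which is the argument for reproducible builds or at least a second, isolated build of each tagged release.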
Other vendors should be wary of similar supply chain attacks, Avast warned. ®