VB2017 Avast staffers spoke at the Virus Bulletin International Conference in Madrid, Spain, on Thursday to shed more light on their postmortem of the CCleaner fiasco – and urge developers to protect their software's toolchain and distribution systems from hackers.
The widely used utility, which removes unwanted temporary files and registry keys on Windows machines, was backdoored with malicious code in August, as in, miscreants tampered with the software's downloads to introduce a means to remotely control PCs running the code. Nearly 2.3 million computers ended up installing the dodgy version of the tool, and 40 – within companies such as Intel, VMware, Samsung, NEC and Sony – were instructed to download malicious code to commandeer the boxes. This was absolutely a highly targeted espionage caper, it appears.
The compromised CCleaner builds, such as v5.33, were distributed from August 2, and CCleaner Cloud from August 11, until August 25, and connected to a command-and-control server, used to orchestrate the malware, until September 15 when the box was taken down. The shutdown happened three days after Israeli security firm Morphisec alerted CCleaner owner Avast to the scandal. Of the millions of infected PCs, only a few received the truly nasty second-stage payload that handed the computer over to miscreants.
Downloaded CCleaner lately? Oo, awks... it was stuffed with malwareREAD MORE
Piriform, the developers of CCleaner and an Avast acquisition in July, released a clean version of its code on September 13, five days before the breach was publicly disclosed on September 18. Security researchers at Cisco Talos had independently discovered backdoor code in the popular cleanup utility.
The discovery of the back passage came almost a month after the hackers behind the attack had fled the scene of their crime – specifically, Piriform’s infrastructure – it was revealed on Thursday at the Virus Bulletin conference. The miscreants “disappeared” on August 25, according to a post-breach forensic analysis by Avast. The reasons why they vanished at that point are unclear. Jakub Křoustek and Jiří Bracek, both Avast researchers, who provided the postmortem update were reluctant to speculate.
The malware injected into PCs had code similar to that found in cyber-espionage tools developed by APT17 aka Aurora, a Chinese state-sponsored hacking crew in 2014 and 2015. Forensic work by Avast has identified that operations were performed and builds created by the CCleaner hackers during the working day of the Beijing timezone.
Although many leads – some of which Avast is not ready to disclose to its peers – point to China, there is nothing conclusive about these findings. What Avast can now say is that the hacker gang infiltrated Piriform’s build server in April. This was the system used by a lead developer at the 30-person outfit to generate code before it was digitally signed. Anyone whitelisting the CCleaner will have been pwned because the signatures were legit, which explains why the initial detection of the compromised utility was so poor among security software firms.
Other vendors should be wary of similar supply chain attacks, Avast warned. ®