There is a new twist in the CCleaner hack saga: the attackers apparently didn’t set out to compromise as many machines as possible, but were after some very specific targets.
A stealthy, targeted attack
According to Cisco, their actual targets were computers at a number of huge tech companies like Intel, Microsoft, Linksys, Dlink, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and (the odd man out) Gauselmann, a manufacturer of gaming machines.
Cisco researchers came to this conclusion after analyzing an archive containing files that were stored on the attackers’ C&C server, and finding the list of domains the attackers were attempting to target:
According to their findings, some 700,000 hosts were saddled with the backdoored CCleaner. Of these some 540 are government systems around the world, and 51 belong to domains containing the word “bank” in their name.
They also identified 20 unique hosts at eight (unnamed) companies that received the second stage payload that followed the CCleaner backdoor compromise. But, as they noted, the number of compromised hosts and companies is likely higher, as the list was probably changed over the month or so the server was active.
Avast also arrived to the same conclusion. They posit that the actual number of computers that received the second stage payload “was likely at least in the order of hundreds.”
The second stage payload uses two components (DLLs): the first component contains the main business logic, and the second part of the payload is responsible for persistence.
“Much of the [first component’s] logic is related to the finding of, and connecting to, a yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on WordPress, and 3) a DNS record of a domain get.adxxxxxx.net (name modified here). Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get address of the new server,” Avast’s CEO and CTO explained.
“The second part of the payload is responsible for persistence. Here, a different mechanism is used on Windows 7+ than on Windows XP.”
Another thing that points to the attackers’ high level of sophistication is that the DLLs piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs (one is part of Corel’s WinZip package, and the other a part of a Symantec product).
What are the attackers after?
Cisco researchers posit that the attackers are after valuable intellectual property.
An overlap of code used in these malware samples and malware previously used by Group 72 (aka Axiom), a long standing threat actor that has been known to target high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors in the US, Japan, Taiwan, and Korea. It is believed that Group 72 is a state sponsored actor backed by the Chinese government.
The researchers found another thing that points towards China: the C&C server’s configuration specifies “PRC” (People’s Republic of China) as the time zone. But, they pointed out, this information cannot be relied on for attribution.
Advice for affected users
While Avast still advises consumers to simply to upgrade CCleaner to the latest version (v5.35, released on Wednesday and signed with a new digital signature), they say that “for corporate users, the decision may be different and will likely depend on corporate IT policies.”
Cisco researchers have reiterated their initial recommendation: “Those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
Both Cisco and Avast have notified the companies whose computers are known to have been saddled with the second stage payload. As the investigation continues, it’s possible that the list of affected firms will grow.
In the meantime, Cisco has provided indicators of compromise that the companies on the list of targets can use to check whether they have a compromised host on their network. Tech companies not on the list should also consider doing the same.
“Supply chain attacks seem to be increasing in velocity and complexity. It’s imperative that as security companies we take these attacks seriously,” they concluded.
Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques.”