Ccleaner malware info

April 12, 2017: A few days later, attackers installed the 3rd stage payload on four computers in the Piriform network (as a mscoree.dll library) and a build server (as a .NET runtime library).

Between mid-April and July 2017: During this period, the attackers prepared the malicious version of CCleaner and tried to infiltrate other computers in the internal network by installing a keylogger on already compromised systems to steal credentials, and logging in with administrative privileges through RDP.

July 18, 2017: Security company Avast acquired Piriform, the UK-based software development company behind CCleaner, with more than 2 billion downloads.

August 2, 2017: Attackers replaced the original version of the CCleaner software on its official website with their backdoored version of CCleaner, which was distributed to millions of users.

September 13, 2017: Researchers at Cisco Talos detected the malicious version of the software, which had been distributed through the company's official website for more than a month, and notified Avast immediately.

Domains targeted by the CCleaner malware.

The list of domains, published by Talos, reveals a number of major tech companies. “” is an internal domain for Windows developers, while hq. appears to be the internal Gmail instance for Google employees. Other targets include Sony, Samsung, Intel, and Akamai. The domains also include a German slot machine company and major telecoms in Singapore and the United Kingdom. The list only includes domains that were targeted during the four days before the server was seized, so it’s entirely possible other companies were targeted earlier in the campaign.

Still, the nature of the two-stage payload suggests the attack was targeted, aiming to break into specific companies rather than compromise millions of computers at once. “This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” Avast researchers wrote. Researchers now estimate only 700,000 computers were exposed by the attack, down from earlier estimates of 2.2 million.

It’s still unclear which companies were successfully compromised. Talos registered at least 20 computers that were targeted by the payload, but researchers have not disclosed which companies were involved. It’s also unclear what the attackers were looking for, although Talos notes that the domains targeted “would suggest a very focused actor after valuable intellectual property.”

Neither group has made an official attribution, but Kaspersky researchers have noted significant overlapping code between the CCleaner attack and previous attacks by the Axiom threat group, a finding that Talos confirmed. Previous research has tied the Axiom group to Chinese intelligence services with moderate to high confidence. Still, researchers are likely to learn more about the campaign in the weeks to come. Data from the initial command server has revealed several other servers used in the attack, which law enforcement is currently working to locate and seize.