A few days ago, I wrote about the malware that piggybacked on the latest version of CCleaner, free software that helps optimize performance on personal computers. At the time, not much was known about the targets, or about what the hackers intended to do with the information they were trying to collect. While we still don’t have much information about who was behind the attack, or where they hail from, some information has surfaced showing that the malware was specifically aimed at several tech companies, including Samsung, HTC and Sony, telecommunication companies Singtel, Vodafone and O2, and tech firms Cisco, Intel, VMware, Google and Microsoft. Avast also confirmed that companies were targeted in various parts of the world, including Japan, Taiwan, the United Kingdom, Germany and the United States.
According to Cisco Talos, whose team is investigating the hack, “During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It’s quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign”.
Because yes, there was a second wave, the one that would do the real damage.
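The behaviour Talos describes, an implant that periodically contacts its C2 server, is something a defender can look for in their own proxy or firewall logs: a single internal host reaching the same external destination at an almost constant interval. The script below is an added example, not code from the original post, from Avast or from Cisco Talos. It parses a constructed log format (timestamp, source IP, destination host, status code) with placeholder hostnames, groups contacts by source/destination pair, and flags pairs whose inter-contact intervals have a very low coefficient of variation. The threshold values and the log layout are assumptions for the example.

```python
# Added example (not from the original post): flag periodic "beaconing" to one
# destination in proxy/firewall logs. Log format and all hosts below are
# constructed for the example; the domain names are placeholders, not IoCs.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source IP> <destination host> <HTTP status>"
# 10.0.0.5 reaches c2-placeholder.test roughly once an hour with a few seconds
# of drift; its other traffic, and 10.0.0.7's, is irregular ordinary browsing.
SAMPLE_PROXY_LOG = """\
2017-09-15T08:00:00 10.0.0.5 c2-placeholder.test 200
2017-09-15T08:00:07 10.0.0.5 news.example.test 200
2017-09-15T08:05:00 10.0.0.7 cdn.example.test 200
2017-09-15T08:05:02 10.0.0.7 cdn.example.test 200
2017-09-15T08:05:02 10.0.0.7 cdn.example.test 304
2017-09-15T08:14:30 10.0.0.5 news.example.test 200
2017-09-15T09:00:03 10.0.0.5 c2-placeholder.test 200
2017-09-15T10:00:01 10.0.0.5 c2-placeholder.test 200
2017-09-15T10:02:11 10.0.0.5 news.example.test 200
2017-09-15T10:02:15 10.0.0.5 news.example.test 200
2017-09-15T10:59:58 10.0.0.5 c2-placeholder.test 200
2017-09-15T12:00:02 10.0.0.5 c2-placeholder.test 200
2017-09-15T12:45:00 10.0.0.5 news.example.test 200
2017-09-15T13:00:00 10.0.0.5 c2-placeholder.test 200
"""


def parse_line(line):
    """Return (timestamp, src, dst) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def find_periodic_contacts(lines, min_events=4, max_cv=0.05):
    """Group contacts by (src, dst), compute inter-contact intervals, and
    flag pairs whose intervals are nearly constant.

    max_cv is the maximum coefficient of variation (stdev / mean of the
    intervals). A fixed-interval beacon lands well under 0.05; an implant that
    adds deliberate jitter will push this up, which is the main blind spot of
    this check and why it is a triage signal, not proof of compromise.
    """
    contacts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            contacts[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in contacts.items():
        if len(stamps) < min_events:
            continue  # too few contacts to say anything about periodicity
        stamps.sort()  # logs are not guaranteed to arrive in time order
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(intervals)
        if period <= 0:
            continue  # all contacts in the same second; not a beacon pattern
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            flagged[pair] = {"events": len(stamps), "period": period, "cv": cv}
    return flagged


if __name__ == "__main__":
    hits = find_periodic_contacts(SAMPLE_PROXY_LOG.splitlines())
    for (src, dst), info in hits.items():
        print(f"{src} -> {dst}: {info['events']} contacts every "
              f"~{info['period']:.0f}s (cv={info['cv']:.4f})")
```

On the constructed log, only the 10.0.0.5 to c2-placeholder.test pair is flagged (six contacts, period about 3600 seconds); the browsing traffic to news.example.test has wildly varying gaps and cdn.example.test has too few events to judge. A flagged pair is a reason to pull the host's process list and the destination's reputation, which is exactly the kind of reconnaissance data Talos says the implant was sending the other way.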
While Avast is being optimistic, it also allows that “At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted” and is still recommending that all users who were running the compromised version of the software upgrade to the latest version (currently version 5.35), paired with a “quality anti-virus product”. Cisco Talos is more guarded, stating that users with a compromised computer “should not simply remove the affected version of CCleaner or update to the latest version but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system”.
The investigation is still underway, as law enforcement is actively trying to identify and arrest whoever was behind the attack. Avast is also actively investigating the hack and fully cooperating with law enforcement efforts. I will be monitoring the investigation and will write further posts as more information is made available.