The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms (wired.com)
An anonymous reader shares a report: Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 20 tech firms. Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected. On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.
If you never read this essay, here it is:
https://www.ece.cmu.edu/~gange...
Malware is slowly moving up the software chain to where this is becoming increasingly plausible.
Some drink at the fountain of knowledge. Others just gargle.
Seems weird that major tech firms would even bother with the likes of CCleaner... I'd assume they'd just re-image the PCs once they start getting fucky. In fact, I'm not even sure that most people use CCleaner.
You clearly overestimate the intelligence of management, supervisors, and service technicians.
We had a lead technician still trying to use Regclean a few years ago. On Windows 7 and Windows 8.1 computers. Same technician kept setting Ethernet interfaces to 10Mbit Half Duplex because he somehow interpreted the time that 10/half was needed to push far beyond the 100m channel-length for a waaaaay overlength data drop as the Setting That We Should All Set.
My point is that a lot of myth and misunderstanding goes into IT, and often we get good results despite the stupidity, rather than because of it. I have no doubt that some technicians swore by CCleaner and used it in the corporate setting, and some IT departments even routinely used it in lieu of reimaging infected computers.
Do not look into laser with remaining eye.
All I have learned from Kaspersky is that some politician alleged Kaspersky may possibly be spying. No evidence, nothing. Nothing to indicate the politician knows anything above the Internet consisting of virtual tubes either. Everything else followed on from there.
I actually trust Kaspersky to do the job more than I trust a lot of the competition; they have discovered some serious state-sponsored malware in the past. I don't know if Symantec still make virus scanners but when Google, Mozilla et al start initiating the process to "untrust" their certificates, I wouldn't run one of their scanners in a sandbox.
Mielipiteet omiani - Opinions personal, facts suspect.