Around 2.27 million users of Piriform's popular CCleaner utility have been advised to update the application after sophisticated, attacker-planted malware was found hidden inside it.

Previously, researchers were unaware of any of the victims having been infected by a second-stage malware. However, after analysing the attackers' C&C (command and control) server database, Cisco Talos researchers found that 20 systems had received a second-stage payload. The database contained two lists: one listing 700,000 systems infected by the backdoored CCleaner build, and another tracking every computer infected with the second-stage malware.

The CCleaner hackers specifically chose these 20 machines based upon their domain name, IP address and hostname. "It is important to understand that the target list can be and was changed over the period the server was active to target different organizations," the researchers said. The researchers believe the secondary malware was likely intended for industrial espionage.

Researchers were also able to determine that around 540 government computers around the world and 51 systems belonging to international banks were among those compromised by the attack.

"A fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks," Cisco Talos researchers said in a report. "This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severity and potential impact of this attack."

CCleaner Malware Links to Chinese Hacking Group

According to researchers from Kaspersky, the CCleaner malware shares some code with hacking tools used by a sophisticated Chinese hacking group called Axiom, also known as APT17, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda.

"The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'," tweeted Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, on September 19, 2017.

Cisco researchers also note that one configuration file on the attackers' server was set to China's time zone, which suggests China could be the source of the CCleaner attack. However, this evidence alone is not enough for attribution. Although the link between the CCleaner hack and Axiom may currently not be definite, the group is known to have targeted technology firms in the past as well.

Researchers at Intezer, who also analysed the CCleaner malware code, said that the code overlap they noted indicates a clear connection to Axiom. "The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case about attribution to the same threat actor," Intezer senior security researcher Jay Rosenberg wrote in a report.

APT17, the group associated with Operation Aurora, is behind some of the most sophisticated cyber attacks ever conducted, and it specializes in supply chain attacks. In this case, the attackers were probably able to compromise CCleaner's build server in order to plant the malware. "Operation Aurora started in 2009 and to see the same threat actor still active in 2017 could possibly mean there are many other supply chain attacks by the same group that we are not aware of," Rosenberg added.

Cisco Talos researchers also said that they have already notified the affected tech companies about a possible breach.

Removing Malicious CCleaner Version would Not Help

Simply removing Avast's CCleaner application from infected machines would not be enough to get rid of the second-stage payload on a network, particularly with the attackers' C2 server still active.

So, affected companies whose computers were infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backups taken before the installation of the tainted program.

"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.

For those who are unaware, the affected builds were the 32-bit Windows version of CCleaner and of CCleaner Cloud, and affected users should update the software to version 5.34 or higher.