Attackers attempted to hack and inject malicious code into CCleaner

The Czech company Avast reported a cyberattack: attackers tried to hack and inject malicious code into the popular CCleaner utility.

On September 23, 2018, Avast specialists noticed suspicious activity on the corporate network and immediately opened an investigation. Company staff worked together with the Czech intelligence agency, the Information Security Service (BIS), the cyber security unit of the Czech police and an external group of cybercrime experts.

By analyzing external IP addresses, the experts found that an unknown attacker had been trying to gain access to the network over VPN as early as May 14 of this year.

It turned out that access to the internal network had been gained with compromised credentials through a temporary VPN profile that had mistakenly been left enabled and did not require two-factor authentication.

Jaya Baloo

"The user whose credentials were clearly compromised and associated with the IP address did not have administrator privileges. However, thanks to a successful privilege escalation, the criminals managed to obtain domain administrator rights," said Avast Information Security Director Jaya Baloo.

It was the privilege escalation that caught the specialists' attention. Avast experts then deliberately left the compromised VPN profile active in order to track the attacker and monitor his further actions.

On October 4, 2019, the experts again noticed the same activity. The timestamps of suspicious activity flagged by Microsoft Advanced Threat Analytics (MS ATA), in the GMT+2 time zone, were:

  • 2:00 – May 14, 2019;
  • 4:36 – May 15, 2019;
  • 23:06 – May 15, 2019;
  • 3:35 – July 24, 2019;
  • 3:45 – July 24, 2019;
  • 15:20 – September 11, 2019;
  • 11:57 – October 4, 2019.
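The two weaknesses the article names, a VPN profile that did not enforce two-factor authentication and a non-admin account that later obtained domain administrator rights, are exactly the kind of pattern a defender can hunt for in authentication logs. The script below is an added illustration written for this page, not Avast's own tooling: it parses a constructed event feed (the profile, user, group and source addresses are invented; the timestamps echo the article's MS ATA list, recorded in GMT+2 and normalized to UTC), lists VPN profiles seen accepting logins without MFA, and pairs each "Domain Admins" group addition with a preceding no-MFA VPN login by the same user within a 24-hour window.

```python
"""Added example (not Avast's code): triage VPN and directory events for
no-MFA VPN logins followed by a jump to domain administrator rights."""
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# MS ATA timestamps quoted in the article are in the GMT+2 zone.
LOCAL_TZ = timezone(timedelta(hours=2))

# Constructed sample feed: "<date> <time> <kind> key=value ...". The profile,
# user, group and source-address values are invented for illustration.
SAMPLE_LOG = """\
2019-05-14 02:00 vpn_login profile=temp-contractor user=jdoe mfa=no src=198.51.100.7
2019-05-14 02:10 vpn_login profile=staff-vpn user=asmith mfa=yes src=203.0.113.9
2019-05-15 04:36 vpn_login profile=temp-contractor user=jdoe mfa=no src=198.51.100.7
2019-05-15 23:06 group_add user=jdoe group="Domain Admins" by=jdoe
2019-07-24 03:35 vpn_login profile=temp-contractor user=jdoe mfa=no src=198.51.100.7
"""


@dataclass
class Event:
    ts_utc: datetime          # event time normalized to UTC
    kind: str                 # e.g. vpn_login, group_add
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one log line; values may be double-quoted (handled by shlex)."""
    date, clock, kind, rest = line.split(maxsplit=3)
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)
    kv = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
    return Event(local.astimezone(timezone.utc), kind, kv)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def no_mfa_logins(events):
    """VPN logins where the profile did not enforce a second factor."""
    return [e for e in events if e.kind == "vpn_login" and e.fields.get("mfa") != "yes"]


def profiles_without_mfa(events):
    """Set of VPN profile names observed accepting logins without MFA."""
    return {e.fields["profile"] for e in no_mfa_logins(events)}


def find_escalations(events, window=timedelta(hours=24)):
    """Return (user, login_ts_utc, escalation_ts_utc) for every addition to
    'Domain Admins' that follows, within `window`, a no-MFA VPN login by the
    same user. The window is a tunable assumption, not a fixed rule."""
    hits = []
    logins = no_mfa_logins(events)
    for esc in events:
        if esc.kind != "group_add" or esc.fields.get("group") != "Domain Admins":
            continue
        for lg in logins:
            gap = esc.ts_utc - lg.ts_utc
            if lg.fields.get("user") == esc.fields.get("user") and timedelta(0) <= gap <= window:
                hits.append((esc.fields["user"], lg.ts_utc, esc.ts_utc))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("profiles accepting logins without MFA:", sorted(profiles_without_mfa(evs)))
    for user, login_ts, esc_ts in find_escalations(evs):
        print(f"{user}: no-MFA VPN login {login_ts.isoformat()} -> Domain Admins {esc_ts.isoformat()}")
```

Run against real VPN and directory audit logs, the first report is the list of profiles that should simply not exist without MFA; the second is the correlation that would have surfaced the account in this story between the May 15 login and the escalation that followed it.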

The company’s experts believe that the likely target of the attack was CCleaner, as in 2017.

On September 25 of this year, Avast stopped CCleaner releases and began checking previous versions of the utility. They confirmed that no malicious changes had been made to the code.

As further preventive measures, the experts first built a new CCleaner update and pushed it to users through automatic updates on October 15, 2019, and second revoked the certificate previously used to sign CCleaner updates. Having taken these precautions, Avast states with confidence that CCleaner users are protected and were not affected by the cybercriminals. Finally, the compromised employee credentials were reset.

From the information gathered by the experts, it is clear that this was an extremely sophisticated intrusion attempt. The attackers did everything possible to leave no traces and no information about themselves or their goals. It is still impossible to determine whether these were the same people as before (recall that the state-backed hacking group Axiom is held responsible for the previous attack).

Avast experts continue to monitor their networks and systems closely to minimize the time it takes to detect a threat and respond to it. In addition, the researchers, together with third-party experts, plan to study the logs further to establish when and how the attackers revealed themselves. The attackers' IP addresses are already known. The investigation is ongoing.

Recall that in September 2017, malicious code was found in the popular CCleaner utility from Avast. The backdoor allowed attackers to download additional malware, such as ransomware or keyloggers. According to experts, the Chinese cyber group Axiom was involved in that attack.

About the author

Valdis Kok

Security engineer, reverse engineering and memory forensics