April 12, 2017 - A few days later, the attackers installed the third-stage payload on four computers in the Piriform network (as a mscoree.dll library) and on a build server (as a .NET runtime library).

Between mid-April and July - During this period the attackers prepared the malicious version of CCleaner and tried to reach other computers in the internal network, installing a keylogger on already compromised systems to steal credentials and logging in with administrative privileges over RDP.

July 18, 2017 - Security company Avast acquired Piriform, the UK-based software development company behind CCleaner, which has more than 2 billion downloads.

August 2, 2017 - The attackers replaced the original CCleaner build on the official website with their backdoored version, which was then distributed to millions of users.

September 13, 2017 - Researchers at Cisco Talos detected the malicious version of the software, which had been distributed through the company's official website for more than a month, and notified Avast immediately.

The malicious version of CCleaner carried a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server.

Although Avast, with the help of the FBI, was able to shut down the attackers' command-and-control server within three days of being notified of the incident, the malicious CCleaner build had already been downloaded by 2.27 million users.

Moreover, the attackers were found to have installed a second-stage payload on 40 selected computers operated by major international technology companies, including Google, Microsoft, Cisco, Intel, Samsung, Sony, HTC, Linksys, D-Link, Akamai and VMware.

However, the company has no proof that the third-stage payload, ShadowPad, was delivered to any of these targets.

Based on its analysis of the ShadowPad executable recovered from the Piriform network, Avast believes that the attackers behind the malware have been active for a long time, systematically spying on institutions and organizations.

"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded a computer, observing a money transfer," Avast said.

"The oldest malicious executable used in the Russian attack was built in 2014, which means the group behind it might have been spying for years."

The sophisticated supply chain attack that resulted in millions of users downloading a backdoored version of the popular CCleaner PC software utility was the work of state-sponsored Chinese hackers, according to a new report.

The attack started with the compromise of a CCleaner server in early July, which allowed the hackers to inject backdoor code into two versions of the tool, namely 32-bit CCleaner v and CCleaner Cloud v. Between August 15 and September 12, over 2.27 million users downloaded the infected binaries. (This earlier report dates the initial compromise to early July, whereas the Avast timeline above places the build-server implant on April 12 and the preparation of the malicious build between mid-April and July.)

After finding a backup of a deleted database containing information on the infected machines, investigators discovered that a total of 1,646,536 unique machines (deduplicated by MAC address) had reported to the command and control (C&C) server. Investigation into the attack revealed that the backdoored code was only the first stage of the intended compromise, and that a second-stage payload had been delivered to a small number of selected targets: of those machines, the stage 2 payload was served to only 40.

Soon after the investigation started, the security researchers looking into the incident discovered some connections to a known group of Chinese hackers, but no definite attribution was made. Now, Intezer researchers suggest that the attack was state-sponsored and that it can indeed be attributed to Chinese hackers who are part of the Axiom group.

Also referred to as APT17 or DeputyDog, the group was previously associated with Operation Aurora, which started in 2009 and targeted companies such as Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, and Dow Chemical. The group specializes in supply chain attacks, and Operation Aurora is considered one of the most sophisticated incidents ever.

According to Intezer, an analysis of the stage 2 payload used in the CCleaner attack provided a clear link to the Chinese hackers, after the first payload (the backdoor in the installer) had already revealed shared code with the Axiom group.
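The Avast timeline notes that the third-stage payload was planted on Piriform machines under the file name mscoree.dll, which is the name of the Microsoft-signed .NET CLR shim. The following PowerShell hunt is an added example, not code from Avast, Cisco Talos, Intezer or either report quoted above: it enumerates every mscoree.dll on the given drives, records size, timestamp, SHA-256 and Authenticode status, and flags copies that are not validly signed by Microsoft. The default root paths, the report location and the signer-subject pattern are assumptions.

```powershell
# Added example, not from Avast, Cisco Talos, Intezer or either report quoted above.
# Hunts for copies of mscoree.dll (the Microsoft-signed .NET CLR shim, the file name
# the Piriform timeline says the third-stage payload was planted under) that are not
# validly signed by Microsoft. Roots, report path and the signer pattern are assumptions.
function Find-SuspectMscoree {
    param(
        [string[]]$Roots = @("$env:SystemDrive\"),
        [string]$FileName = 'mscoree.dll',
        [string]$TrustedSignerPattern = 'O=Microsoft Corporation'
    )

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Anything that is not a valid signature from the trusted signer is a candidate
            # for the kind of drop-in DLL the timeline describes; it is a triage flag, not proof.
            $suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch $TrustedSignerPattern)

            [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus    = $sig.Status
                Signer       = $signer
                Suspect      = $suspect
            }
        }
    }
}

# Usage: full inventory to CSV for cross-host comparison, suspects to the console.
$findings = Find-SuspectMscoree
$findings | Export-Csv -Path "$env:TEMP\mscoree-hunt.csv" -NoTypeInformation
$findings | Where-Object Suspect | Format-Table Path, SigStatus, Signer, SHA256 -AutoSize
```

Two caveats apply. On older hosts Get-AuthenticodeSignature may report catalog-signed Windows files as NotSigned, so a Suspect flag on a copy under the Windows directory should be confirmed by comparing its SHA-256 against the same file on a known-good host rather than treated as an indicator on its own. And because neither report above publishes hashes for the implant, this is a hunt for anomalies, not an IOC match.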