CCleaner malware trojan (7/4/2023)

Hackers wanted to exploit around 20 tech firms through the malware.

CCleaner Malware Targeted 20 Tech Giants Including Intel, Microsoft, Samsung And More

A few days ago we saw that the popular cleaning application CCleaner had been infected with malware. Hackers inserted malicious code into a CCleaner version that was downloaded by more than 2.27 million users. Recently, Kaspersky Lab's Costin Raiu tweeted that the malware stuffed inside CCleaner v5.33 shares code with the Missl backdoor trojan. The Missl backdoor trojan was used by a hacking group known as Axiom.

The Axiom hacker group is assumed to be based out of China, and the group is also known by many other names, such as Group 72, APT17, DeputyDog and more. The similarities in the code were also spotted by the threat intelligence group inside Cisco.

The following reply was posted by Avast in a discussion thread about the incident:

I just had a chance to read this thread and I'm a bit horrified, as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users, as the threat was removed before it had a chance to fully activate. This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition. Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then. The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident. For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. the CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off from their ability to control the backdoor.)

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines. Based on this analysis, we can say with high confidence that, to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard of anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm.

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team, who appear to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies do not usually advise customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in). And, I should probably also say that it wasn't Cisco who first notified us about the problem.