Big Brands, D-Link, Linksys, Microsoft, Samsung & HTC Scramble To Check Networks After CCleaner Attack
Some of the biggest technology companies in the world are today scrambling to identify whether their networks have been compromised by the recent CCleaner supply-chain attack, which is believed to have been initiated by Chinese hackers.
ChannelNews understands that companies including Singtel (the parent company of Optus), D-Link, Linksys, Cisco, Microsoft, VMware, Intel, Sony, Samsung and HTC are all facing the real possibility that they were hit with a secondary drop of malware following the compromise of the Avast-owned CCleaner software.
Avast, the owner of CCleaner, initially thought that only 2.27 million of its customers, including thousands in Australia, had been affected.
Now the company believes that its initial analysis was wrong and that it is highly likely the hackers dropped more sophisticated malware inside technology and telecoms companies. The result is that potentially tens of millions of people do not know whether their PCs are being spied on, or whether a second "major" attack is set to be launched by the same hackers.
That analysis came after Cisco’s Talos security division released research naming a handful of technology companies that were targeted with “secondary payloads” over just four days in September, saying 20 victim machines were infected as a result.
At this stage, it is unclear which of those companies were among the eight that Avast said had PCs infected. "This would suggest a very focused actor after valuable intellectual property," Cisco's researchers added.
Avast concurred with Cisco’s research, but said it was likely more were infected.
"Given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds," wrote CEO Vince Steckler and chief technology officer Ondrej Vlcek. Researchers were only able to look across those days because the hacker server they had access to had its logs wiped on September 12 when it ran out of memory, Vlcek told Forbes.
What was clear to both Avast and Cisco was that this was a sophisticated targeted attack on the tech industry.
Showing just how carefully the attackers were selecting their targets, more than 700,000 of the 2.3 million infected computers reported back to the hackers' server over the few days for which the researchers could gather data, Cisco found.
But just over 20 machines were hit with the second-stage attack, in which "reconnaissance information" about the infected computer, such as its IP address and the software active on the machine, was sent to the attackers.
"When combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system," Cisco added.
"At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US," Avast added. The company has contacted the firms targeted, but is not disclosing names.
Vlcek told Forbes that the eight affected companies had been contacted, indicating some victims had more than one PC infected. He said the second payload was "a stage of a multi-stage attack." "It doesn't do anything malicious… all it's doing is basically waiting for a command to update it for a third-stage," he added. The investigation now moves on to determining whether that third stage was activated.
Cisco is recommending that any affected organisation should not just remove or update the affected version, CCleaner 5.33, but should restore from backups taken before the infection or reimage systems entirely to get rid of the malware.
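Before an organisation can act on that advice it needs to know which hosts have the affected release installed. The following PowerShell script is an added example (not tooling from Avast, Cisco or the article) that inventories CCleaner installations on a Windows host and flags the 5.33 release the article names. It assumes CCleaner registered itself under the standard Uninstall registry keys and/or sits in the default Program Files directory; the exact affected build numbers are not given on this page, so any 5.33.x version is flagged for follow-up.

```powershell
# Added example: find CCleaner installs on a Windows host and flag version 5.33.
# Assumptions: standard Uninstall registry keys and default install paths.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$results = New-Object System.Collections.Generic.List[object]

# 1. Registry: what the installer recorded.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        $results.Add([pscustomobject]@{
            Source  = 'Registry'
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Path    = $_.InstallLocation
        })
    }

# 2. File on disk: the registry can lag behind an in-place update, and a
#    leftover binary is still a concern even if the Uninstall entry is gone.
$exePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($p in $exePaths) {
    $results.Add([pscustomobject]@{
        Source  = 'File'
        Name    = 'CCleaner.exe'
        Version = (Get-Item -LiteralPath $p).VersionInfo.ProductVersion
        Path    = $p
    })
}

# 3. Report. 5.33 is the affected release named in the article; per Cisco's
#    guidance a hit means restore/reimage, not merely update.
if ($results.Count -eq 0) {
    'No CCleaner installation found on this host.'
} else {
    foreach ($r in $results) {
        $flag = if ($r.Version -like '5.33*') {
            'AFFECTED - restore from pre-infection backup or reimage'
        } else {
            'review version manually'
        }
        '{0,-8} {1,-16} {2,-14} {3}  [{4}]' -f $r.Source, $r.Name, $r.Version, $r.Path, $flag
    }
}
```

Run it through whatever remote-execution tool already reaches the fleet and treat the output as a triage list: a host that shows 5.33 goes on the reimage queue, and a host that shows no install today is not cleared, because the second-stage payload described above was dropped after CCleaner was installed and does not depend on CCleaner remaining on the machine.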
As for who was behind the attack, Cisco said it was worth looking into claims from Russian security firm Kaspersky that a known, sophisticated group of hackers, variously known as Axiom and Group 72 and previously linked to China, was involved. There appeared to be code overlap between the CCleaner backdoor and Group 72's malware. Vlcek said he did not know whether a nation state was behind the attack and that it was unlikely anyone would find out. "This looks … like an espionage-type attack," he added.
Avast continues to cooperate with law enforcement to track down the attackers. "We have continued working with law enforcement units to trace back the source of the attack. We are committed to getting to the bottom of who is behind this attack," the CEO and CTO added.