Last year, the popular system cleanup software CCleaner suffered a massive supply-chain malware attack, in which hackers compromised the company's servers for more than a month and replaced the original version of the software with a malicious one.
The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website with the backdoored version of the software.
Now, it turns out that the hackers managed to infiltrate the company's network about five months before they first replaced the official CCleaner build with the backdoored version, revealed Avast executive VP and CTO Ondrej Vlcek at the RSA security conference in San Francisco on Tuesday.
6-Month Timeline of the CCleaner Supply Chain Attack
Vlcek shared a brief timeline of last year's incident, which turned out to be the worst nightmare for the company, detailing how and when unknown hackers breached Piriform, the company that created CCleaner and was acquired by Avast in July 2017.
March 11, 2017 (5 AM local time)—Attackers first accessed an unattended workstation of one of the CCleaner developers, which was connected to the Piriform network, using the remote support software TeamViewer.
The company believes the attackers reused the developer's credentials, obtained from previous data breaches, to access the TeamViewer account, and managed to install malware using VBScript on the third attempt.
March 12, 2017 (4 AM local time)—Using the first machine, the attackers penetrated a second unattended computer connected to the same network and opened a backdoor through Windows RDP (Remote Desktop Protocol).
Using RDP access, the attackers dropped a binary and a malicious payload—a second-stage malware (an older version of the one later delivered to 40 CCleaner users)—into the target computer's registry.
March 14, 2017—The attackers infected the first computer with the older version of the second-stage malware as well.
April 4, 2017—The attackers compiled a customised version of ShadowPad, an infamous backdoor that allows attackers to download further malicious modules or steal data; the company believes this payload was the third stage of the CCleaner attack.
April 12, 2017—A few days later, the attackers installed the third-stage payload on four computers in the Piriform network (as an mscoree.dll library) and on a build server (as a .NET runtime library).
Between mid-April and July—During this period, the attackers prepared the malicious version of CCleaner and tried to infiltrate other computers in the internal network by installing a keylogger on already compromised systems to steal credentials, then logging in with administrative privileges through RDP.
July 18, 2017—Security company Avast acquired Piriform, the UK-based software development company behind CCleaner, which has more than 2 billion downloads.
August 2, 2017—The attackers replaced the original version of the CCleaner software on its official website with their backdoored version of CCleaner, which was distributed to millions of users.
September 13, 2017—Researchers at Cisco Talos detected the malicious version of the software, which had been distributed through the company's official website for more than a month, and notified Avast immediately.
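The intrusion steps in the timeline above (a remote logon at 4 AM, a second machine reached over RDP a day later, and later RDP logons with administrative privileges) are the kind of activity a defender can surface from Windows logon telemetry. The following Python script is an example added by the editor, not code from the article, Avast or Piriform. It parses constructed, pipe-delimited logon records modelled on the useful fields of Windows Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP), flags RDP logons outside an assumed 07:00 to 19:00 working window, and reports accounts that reach two or more distinct hosts over RDP within 72 hours. The log format, the working hours, the window and every host, account and address in the sample are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security event 4624 logon type 10 = RemoteInteractive (RDP).
RDP_LOGON_TYPE = 10

# Constructed sample log lines (not real Piriform telemetry). Pipe-delimited:
# timestamp|event_id|logon_type|account|host|source_ip
SAMPLE_LOG = """\
2017-03-10T09:15:00|4624|10|admin.j|BUILD-01|10.0.0.25
2017-03-12T04:01:12|4624|10|dev01|WS-DEV-02|10.0.0.41
2017-03-13T11:00:00|4624|2|dev01|WS-DEV-01|-
2017-03-14T03:27:45|4624|10|dev01|WS-DEV-01|10.0.0.42
2017-04-12T02:50:00|4624|10|admin.j|BUILD-01|10.0.0.41
"""


def parse_log(text):
    """Parse the assumed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, host, source_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "host": host,
            "source_ip": source_ip,
        })
    return events


def rdp_logons(events):
    """Keep only successful logons (4624) that arrived over RDP."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE]


def off_hours_rdp_logons(events, start_hour=7, end_hour=19):
    """RDP logons outside the assumed [start_hour, end_hour) local working window."""
    return [e for e in rdp_logons(events)
            if not (start_hour <= e["time"].hour < end_hour)]


def rdp_lateral_chains(events, window=timedelta(hours=72)):
    """Accounts whose RDP logons reach two or more distinct hosts within `window`.

    Returns {account: [hosts in order of first logon]} for the first window
    in which the account qualifies.
    """
    by_account = {}
    for e in sorted(rdp_logons(events), key=lambda e: e["time"]):
        by_account.setdefault(e["account"], []).append(e)

    chains = {}
    for account, logons in by_account.items():
        for i, first in enumerate(logons):
            hosts = []
            for later in logons[i:]:
                if later["time"] - first["time"] > window:
                    break
                if later["host"] not in hosts:
                    hosts.append(later["host"])
            if len(hosts) >= 2:
                chains[account] = hosts
                break
    return chains


def summarize(text):
    """Run both checks over a log text and return a compact report."""
    events = parse_log(text)
    return {
        "off_hours": [(e["time"].isoformat(), e["account"], e["host"])
                      for e in off_hours_rdp_logons(events)],
        "chains": rdp_lateral_chains(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for when, account, host in report["off_hours"]:
        print(f"off-hours RDP logon: {when} {account} -> {host}")
    for account, hosts in report["chains"].items():
        print(f"RDP chain: {account} reached {' -> '.join(hosts)} within 72h")
```

On the constructed sample, the daytime logon to the build server is not flagged, the two early-morning developer logons and the early-morning build-server logon are, and `dev01` is reported as a chain because the same account reached two workstations over RDP within 72 hours. The working window and the chain window are tuning knobs: tighten them for hosts that should never see interactive remote logons (build servers, unattended developer workstations), and feed the result into whatever alerting the environment already has.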
The malicious version of CCleaner carried a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server.
Although Avast, with the help of the FBI, was able to shut down the attackers' command-and-control server within three days of being notified of the incident, the malicious CCleaner software had already been downloaded by 2.27 million users.
Moreover, it was found that the attackers were also able to install a second-stage payload on 40 selected computers operated by major international technology companies, including Google, Microsoft, Cisco, Intel, Samsung, Sony, HTC, Linksys, D-Link, Akamai and VMware.
However, the company has no proof that the third-stage payload with ShadowPad was distributed to any of these targets.
"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded a computer, observing a money transfer," Avast said.
"The oldest malicious executable used in the Russian attack was built in 2014, which means the group behind it might have been spying for years."
Based on their analysis of the ShadowPad executable from the Piriform network, Avast believes that the attackers behind the malware have been active for a long time, spying thoroughly on institutions and organizations.