Maintenance app CCleaner was recently hacked and used to deliver malware to unsuspecting computers and Android devices. But as it turns out, the attackers also targeted large tech companies, according to a blog post from Cisco Talos, published Wednesday.
The breach appears to be more serious than CCleaner's parent companies Piriform and Avast initially described. Some 2.27 million users had downloaded the compromised version of CCleaner, while 5,000 users had installed the compromised version of CCleaner Cloud, Vince Steckler, CEO of Avast, told TechRepublic when the incident was first discovered. Steckler also said that Avast believed that the company disarmed the threat before it was able to do any harm.
But Cisco Talos found that at least 20 victim machines were served specialized secondary payloads. These machines belonged to large technology companies, including Samsung, Sony, VMware, Intel, Microsoft, Akamai, and Cisco itself.
"In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks," the post stated.
SEE: Information security incident reporting policy (Tech Pro Research)
Avast responded with a blog post update on Thursday from Steckler and Ondrej Vlcek, the CTO and executive vice president of the firm's consumer business division. The server logs may have indicated that 20 machines across eight organizations received the 2nd stage payload, "but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds," the post stated.
Previously, Avast said that to the best of their knowledge, the 2nd stage payload was never delivered.
"At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US," the post stated. "Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were."
The attackers may have been using the CCleaner installations to gain a foothold into the companies to steal their tech secrets or, more troublingly, they may have been trying to inject malicious code into the companies' products, Cisco Talos researcher Craig Williams told Reuters.
Avast executives said that the company will continue working with law enforcement to trace the source of the attack. "We are committed to getting to the bottom of who is behind this attack. While providing routine periodic updates, our energies are focused on catching the perpetrators," the post stated.
While users of the cloud version of CCleaner have received an automated update, other users should update their CCleaner software to version 5.35 immediately. The latest version is available for download here.
For corporate users, resolving the issue may be different, and will likely depend on corporate IT policies, Avast said. "At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted," the post stated.
Supply chain attacks like this appear to be increasing in velocity and complexity, according to Cisco Talos. Security events such as this that are not completely understood are often downplayed in severity, their post noted, which can work against the victim's best interests. "It's imperative that as security companies we take these attacks seriously," the post added.
To keep your machines safe from malware, always make sure your software is up to date, Steckler told TechRepublic. For users who find it challenging to maintain regular updates of various software, there are tools available to help identify when updates are available and support with installation. To learn more about how to manage security when working with third-party partners, click here.
The 3 big takeaways for TechRepublic readers
1. Maintenance app CCleaner was recently hacked, and the attackers appear to have targeted several large tech companies, including Microsoft, Intel, and Cisco.
2. The incident was more serious than parent companies Piriform and Avast previously let on.
3. Users of CCleaner Cloud have received an automated update, but other users should update their CCleaner software to version 5.35 immediately.
- Princess ransomware targets hacked websites via RIG exploit kit (TechRepublic)
- Equifax: 400,000 UK consumers could be affected by data breach (ZDNet)
- Cloud security market to reach $12B by 2024, driven by rise of cyber attacks (TechRepublic)
- Android malware in Google Play racked up 4.2M downloads: Are you a victim? (ZDNet)
- 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
- Information Security Management Fundamentals (TechRepublic Academy)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.