Do you remember last year’s supply-chain malware attack on a popular cleanup software named CCleaner? No? Then allow us to remind you how intense the attack was!! Around 2.3 million users were infected by this malware attack after hackers compromised the company server for more than a month. They were also successful in replacing the original software with an infected one. Anyone who upgraded to or downloaded the backdoored version of CCleaner app software from the official website fell prey to this attack.
Recently, Mr.Ondrej Vlcek, EVP and GM of the consumer business unit at Avast Software revealed how hackers gained illegal access to the Piriform network via a remote desktop access program called TeamViewer. He also stated that hackers somehow managed to infiltrate into the server five months, prior to the original software being replaced by a malicious one.
Timeline
As mentioned before, the attack was not instantaneous but a pre-planned approach to destroy the existence of the company. The breach was performed on Piriform, company that invented CCleaner and was acquired by Avast in July 2017.
The first breach was witnessed on March 11, 2017, when hackers had the access to one of the CCleaner developer’s workplace, which generally remained unattended. The workstation was connected to Piriform network that used TeamViewer software. According to Vlcek, hackers reprocessed the credentials of developers, which was acquired from earlier data breaches. Those credentials were used to access the TeamViewer account and to install malware using VBScript.
Source: ciol.com
The following day i.e. March 12, 2017, hackers breached into other computers that were connected to the same server through the same computer, which was hacked a day earlier. Eventually, they opened a backdoor via Windows RDP (Remote Desktop Service) protocol and left a malicious binary payload.
Soon, a customized version of ShadowPad was compiled on April 4, 2017 that allowed hackers to enter into the server and steal information and download malicious files. Company consider this payload as the third stage of the attack. On April 12, 2017, the 3rd stage payload was installed on Piriform network and a build server via hacked computers.
The infected version of CCleaner software was developed in between mid-April and July. Meanwhile, hackers tried to breach into the internal network of the company by installing a keylogger. The installation was done on the computers that were previously compromised to steal authorizations and to log into administrative privileges via RDP.
On July 18, 2017, Avast acquired Piriform and on August 2, 2017, hackers switched the original version of CCleaner software with the fake one on the official website. The malicious version was circulated to millions of users. Finally, on September 13, 2017, researchers at Cisco Talos spotted the infected version and notified Avast instantly.
Also Read: How To Remove Malware and Viruses On Your Windows PC
How Deep Was The Breach?
Hackers planned a multi-stage malware payload attack with the infected version of CCleaner. They were designed to corrupt computers and rob data from the devices that downloaded or upgraded the fake CCleaner.
The command and control server of the hacker was shut down within three days of the notification but the malware had already infected more than 3 million users. As per the report, the hackers were successful in installing second-stage payload on more than 40 computers that were operated by international companies like Microsoft, Google, Samsung, Sony etc.
Source: mspoweruser.com
The Worst Was Yet To Come
Though there is no evidence whether third stage payload was distributed or not but any further attack would have destroyed the existence of company. The third stage attack was a customized version of the cybercriminal tool ShadowPad, if injected, it would have given hackers keylogging, remote control and password stealing capabilities.
Also Read: Some Common and Popular Types of Android Mobile Malware
Are We Safe?
The investigation exposed that the ShadowPad has been previously used in Russia and South Korea, where hackers infiltrated computers involved in money transfer. As per the report, this kind of attack was last witnessed in 2014 and was executed in Russia. This shows that group have been active for long and are spying for years before launching any attack.
Now the real question is how safe are we and our data? Do we have any alternatives to escape such malware attacks? Unfortunately, we do not have any answers and the only option available is to stay alert.