Ccleaner infection more virulent than thought


sman

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

Quote

Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.


Oh. Reuters gives a more detailed picture in https://www.reuters.com/article/us-security-avast/hackers-used-avasts-ccleaner-breach-to-attack-technology-companies-idUSKCN1BW04K

Quote

But researchers at Cisco, one of the companies that had warned Avast of the attack, said Wednesday that a control server seized by U.S. law enforcement showed that the hackers had installed additional malicious software on a selected group of at least 20 machines.

Quote

More troubling, they could have been looking to get malicious code inside those companies’ products, which are used by high-value targets in government and business around the world.

Quote

Vlcek said consumer CCleaner users still did not need to restore their computers from backups.


Hmm... Avast's latest update says the 2nd stage infection could be in the order of hundreds, and that consumers should upgrade to v 5.35, as per https://blog.avast.com/progress-on-ccleaner-investigation

Quote

First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

Quote

Finally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.


In fact, there are 2 schools of thought on the action required: while Cisco recommends that impacted users should restore their systems from backups or reinstall the operating system completely, Avast calls for an upgrade to v.5.35.

source - http://www.securityweek.com/attack-software-firm-was-sophisticated-highly-targeted

Quote

Thorough cleanup necessary

Cisco points out that, while updating to the latest versions of CCleaner would ensure that the backdoor code in the installer is removed, further action might be required to remove additional malware that could be present on the system. Thus, they reinforce their previous recommendation that impacted users should restore their systems from backups or reinstall the operating system completely.

Avast, on the other hand, recommends updating to CCleaner version 5.35, as the digital certificate used to sign the infected version 5.33 has been revoked. The company also recommends that consumers use an anti-malware application.

“For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted,” the security firm notes.


Staff
On 9/21/2017 at 9:28 AM, sman said:

In fact, there are 2 schools of thought on the action required: while Cisco recommends that impacted users should restore their systems from backups or reinstall the operating system completely, Avast calls for an upgrade to v.5.35.

source - http://www.securityweek.com/attack-software-firm-was-sophisticated-highly-targeted

 

Right, it's a backdoor so theoretically the bad guys could have done anything to the system while the infection was active, including installing other threats, breaking/disabling security features, opening other backdoors into the system and basically anything else they might want to do.


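The two posts above (Cisco's "restore or reinstall" versus Avast's "upgrade to 5.35", and the staff reply that a backdoor could have done anything) both come down to the same first question for an admin: which CCleaner build is actually on each host, and was it the 5.33 build signed with the since-revoked certificate? The PowerShell below is an added example written for this thread, not code from Avast, Cisco or the forum. It reads the standard Windows uninstall registry keys, parses the version, and reports the Authenticode status of CCleaner.exe. The function names, the fallback install path under Program Files and the assumption that the executable sits in InstallLocation are mine; adapt them to your environment.

```powershell
# Added example, not code from the thread, Avast or Cisco: a per-host check that
# answers the question the thread raises (which build is installed, and is it the
# tampered 5.33?). Assumptions are marked; adapt names and paths to your estate.

# Versions named in the thread: 5.33 was signed with the now-revoked certificate,
# 5.35 is the clean release to move to.
$AffectedMajorMinor = '5.33'
$FixedVersion       = [version]'5.35'

# Standard Windows uninstall registry views (64-bit and 32-bit).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CCleanerInstall {
    # Returns one object per CCleaner entry found in the uninstall keys.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion may be '5.33' or '5.33.6162'; TryParse accepts both.
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            # Assumption: the executable lives in InstallLocation, or in the default
            # folder under Program Files when that value is absent.
            $dir = if ($_.InstallLocation) { $_.InstallLocation } else { Join-Path $env:ProgramFiles 'CCleaner' }
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $parsed
                Exe     = Join-Path $dir 'CCleaner.exe'
            }
        }
}

function Get-CCleanerVerdict {
    param($Version)
    if ($null -eq $Version)         { return 'version unreadable: inspect manually' }
    if ($Version -ge $FixedVersion) { return 'clean build (5.35 or later)' }
    if ("$($Version.Major).$($Version.Minor)" -eq $AffectedMajorMinor) {
        # The thread's point: upgrading removes the tampered installer, not a 2nd stage.
        return 'AFFECTED 5.33 build: treat as backdoor exposure, not a patch job'
    }
    return 'pre-5.33 build: not the tampered release, still upgrade'
}

function Test-CCleanerHost {
    # One result row per CCleaner install on this host.
    foreach ($i in Get-CCleanerInstall) {
        $sig = if (Test-Path $i.Exe) { Get-AuthenticodeSignature -FilePath $i.Exe } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Product   = $i.Name
            Version   = $i.Version
            Verdict   = Get-CCleanerVerdict -Version $i.Version
            SigStatus = if ($sig) { $sig.Status } else { 'exe not found' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumb     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

# Run locally, or wrap in Invoke-Command to collect the same rows from many hosts.
Test-CCleanerHost | Format-Table -AutoSize
```

Two caveats when reading the output. First, the version is the reliable flag, not the signature: the tampered 5.33 build was genuinely signed by the vendor's certificate, and whether a later revocation surfaces as a non-Valid status depends on how revocation is checked on the host, so a Valid signature on a 5.33 build proves nothing. Second, as the staff reply says, a row showing 5.35 today tells you only that the installer-side backdoor is gone; a host that ran 5.33 while the attackers' server was live still needs the backup-restore or reinstall decision Cisco describes, which is exactly where Avast's corporate-user caveat applies.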