Earlier in the week, we told you about a CCleaner breach that infected somewhere in the area of 2.27 million users with malware. Though Avast, the company that distributes CCleaner, initially said it was able to “disarm the threat before it was able to do any harm,” it turns out that may not actually be the case. According to new findings, this could have been a more sophisticated attack with some very specific targets.
In a new post to its Talos blog, Cisco presents the idea that this malware attack was casting a wide net in the hopes of infecting some high profile targets. Specifically, those targets include major tech companies like Samsung, Microsoft, HTC, Sony, Intel, and even Cisco itself. That initial malware was designed to seek out machines used by these select groups, and once found, a second-stage payload was deployed to those systems.
In some ways, that is fairly good news for consumers who downloaded the infected CCleaner build, as these findings suggest that the attacker wasn’t after their information. Instead, Cisco thinks that whoever carried out this attack was after intellectual property from these tech giant targets. That, on the other hand, could potentially be bad news for everyone.
Though it initially stated the belief that this second-stage payload was never delivered, Avast backtracked on that claim today. Now the company is saying that by looking at server logs, at least 20 machines used by eight of those targeted companies were infected by the second-stage attack.
Those server logs only span four days – September 12 to September 16 – and considering the fact that the malware was out in the open for a number of weeks, Avast points out that the machines which received the second-stage payload could number in the hundreds.
That’s a very small portion of the total number of machines that were infected, but it’s a worrying development nonetheless. Neither Avast nor Cisco can name the attacker, though Cisco does note a code overlap with malware samples from Group 72. Even though that code seemingly links the Chinese group with the attack, Cisco is not ready to attribute this specific breach to them just yet.
So, that’s where things stand with the CCleaner breach for the moment. It’s clear now that this attack is more severe than Avast initially thought, and though it’s recommending that consumer users of CCleaner simply update to the newest version and run antivirus software, it’s recommending that its corporate customers restore machines to a previous system image to make sure the malware is completely gone. We’ll see how things develop from here, so stay tuned for more.