Firm that discovered CCleaner Compromise: there may be Others

The firm that discovered the CCleaner attack thinks there may be other common applications that, like CCleaner, have been secretly compromised and used to gain access to corporate networks.

Engineers at the firm Morphisec are reviewing historical reports that were considered “false positives” to determine if any of those reports may have been evidence of compromises of other common applications, Chief Technology Officer Michael Gorelik told The Security Ledger.

“It’s something we’re doing right now. We’re revalidating stuff that we caught within the last several months,” he said.

Supply Channel Coordination

While Gorelik declined to say whether they had found evidence that other, similar attacks had taken place, he said the initial findings of the investigation were “very interesting.”

“They’re very interesting events and when you go deeper they become more interesting,” he said.  He said he believed there were other so-called supply chain attacks like CCleaner, but declined to say whether his firm had uncovered evidence of other such attacks targeting its customers.

Morphisec makes an endpoint protection technology that prevents in-memory attacks, which puts it at a disadvantage for identifying new malicious software, as its technology doesn’t rely on malicious code “signatures” to work.

He said his firm became aware of the CCleaner attack only after a manufacturing firm located in Singapore that was a customer of Morphisec received a number of alerts that the firm’s software was blocking CCleaner from running. The customer asked Morphisec to explain why its software was blocking a legitimate application, leading to the discovery that the application had been compromised prior to distribution to hundreds of thousands of individuals and companies globally.

Detail from CCleaner attack
Detail from the second stage of the CCleaner attack. Image courtesy of Cisco Talos.

Still, Morphisec’s investigation did not begin until three weeks after the infect, but quickly led to the discovery that CCleaner’s maker, Piriform (now owned by the security firm Avast), had been hacked. He said the Morphisec customers hit with the CCleaner attack were in industries like manufacturing, services and technology.

The attackers who were behind the CCleaner attack compromised and modified the computers used to “build” the CCleaner application. Malicious software was inserted into an important Visual Studio runtime file that is bundled with the CCleaner application and that loads and runs on victim systems before the execution of the CCleaner software. The change went unnoticed and Piriform signed the compiled software, putting the company’s stamp of approval on the compromised code.

As many as 2 million copies of that update were shipped and 700,000 computers may have been hit with the first stage of the attack. A tiny handful of firms, many of them technology firms, were hit with a “second stage” attack that was much more sophisticated and that was aimed at stealing Intellectual property, according to Cisco Systems. Those included Cisco itself as well as Intel, Samsung, Sony and HTC.

Craig Williams, a Cisco Talos Senior Threat Researcher and Global Outreach Manager said that the company is continuing to analyze the attack but that the CCleaner compromise was “very similar” to the MEDoc attack involved in the Nyetya campaign.

“It appears attacks like this are on the rise,” Williams wrote in an e-mail.

Now the hunt is on to determine if other reports of “false positives” were actually real attacks that were being blocked. Gorelik said the work is a priority, but that his firm – a start up with 40 employees – has only so much time to do independent research while it works to stay on top of product development and customer support.  “It’s not very easy,” he said. “We’re a small company. ”

CCleaner is just the latest effort to manipulate software “supply chains” to place malicious software on protected computer networks. In June, the NotPetya wiper malware was distributed to scores of companies around the world disguised as an update for the MEDocs financial software.

A report released last week from CCC and MForesight, a manufacturing industry think tank, warned that supply chain attacks were becoming more common, that “manufacturers need trusted third-party partners, and there’s space for the creation of a new public-private partnership focused on manufacturing supply chain cybersecurity.”

Security Ledger wants to hear your thoughts! Leave a reply.