Avast's Threat Intelligence Team published new details today about the CCleaner malware incident that came to light on Monday.
According to Avast, the database in which the CCleaner hackers were collecting data from infected hosts ran out of space and was deleted on September 12. Information on earlier victims is therefore lost to investigators, and the number of computers infected with the second-stage backdoor payload may be larger than initially believed.
This means there could still be — and there certainly are — more large technology firms that currently have a backdoor on their network.
Short summary of the CCleaner incident
The CCleaner incident came to light on Monday, when it was discovered that two versions of the CCleaner application offered for download between August 15 and September 12 were laced with malware.
This (first-stage) malware would execute on 32-bit platforms only, collect data about the infected PC, and send the gathered details to a remote C&C server.
The server would store this information in a MariaDB (MySQL fork) database and would run a series of filters on each infected host to determine whether to send a second-stage payload, a very stealthy backdoor trojan.
Based on analysis from Cisco Talos published yesterday, the C&C server looked for computers on the networks of large tech corporations.
Based on a list recovered by researchers, targeted companies included Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.
The attacker's database recorded information on all computers infected with the first and second-stage malware. There were 700,000 entries for computers infected with the first-stage malware, and only 20 for the second-stage malware.
Authorities seized C&C server, recovered data, logs
When security firms detected the tainted CCleaner executables, they contacted Avast, which, with the help of law enforcement, seized the server where user data was being collected.
Cisco Talos published an initial analysis on the data stored in this database yesterday, while Avast published its own today. Compared with the Cisco report, Avast found some new details.
The new information was extracted from the server's logs and shows that the server was set up just days before the attackers embedded their malware into the CCleaner binaries.
Despite the server being up for more than a month, Cisco noted that the database contained information on infections that were active between September 12 and September 16, and nothing more.
Avast says that a deeper analysis of the logs found evidence that the server's disk had filled up, forcing the attackers to delete the data collected up to that point (they most likely downloaded it before deleting it).
To better understand what happened, below is a timeline based on Avast's log analysis.
August 11, 07:36 ⮞ Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
September 10, 20:59 ⮞ Server runs out of space and stops data collection.
September 12, 07:56 ⮞ Attacker wipes database.
September 12, 08:02 ⮞ Attacker reinstalls database.
September 16 ⮞ Authorities seize C&C server and adjacent database.
28 days of data lost
What this means is that data for 28 days of infections is now lost. Investigators are unable to determine whether other tech companies now have backdoors on their networks.
This means that any company that has ever deployed CCleaner on its network must now wipe systems clean, just to be sure the second-stage malware is not hidden somewhere on its network.
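As an added illustration, not code from the article, Avast or Cisco Talos, the following Python script turns the article's statements into an inventory triage: the tainted builds were distributed between August 15 and September 12, the first-stage code executed on 32-bit platforms only, and any first-stage report sent before the September 12 wipe no longer exists for investigators, so a 32-bit host that ran the 5.33 build in that period cannot be cleared from the seized data. The `Host` fields, the inventory rows and the placeholder version "5.40" are constructed for this example and do not follow any real inventory tool's export format.

```python
"""Inventory triage for hosts that may have run the tainted CCleaner 5.33 build.

Added example; not code from the article, Avast or Cisco Talos. It turns three
statements from the article into checks over a software inventory:
  * tainted builds were distributed between 2017-08-15 and 2017-09-12,
  * the first-stage code executed on 32-bit platforms only,
  * the C&C database was wiped on 2017-09-12 and seized on 2017-09-16, so a
    first-stage report sent before the wipe no longer exists for investigators.
The Host fields and the inventory rows are constructed for this example and do
not follow any real inventory tool's export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

TAINTED_MAJOR_MINOR = ("5", "33")          # version family named in the article
DISTRIBUTION_START = date(2017, 8, 15)
DATABASE_WIPED = date(2017, 9, 12)
SERVER_SEIZED = date(2017, 9, 16)


@dataclass(frozen=True)
class Host:
    name: str
    ccleaner_version: Optional[str]       # None when CCleaner is not installed
    os_bits: int                          # 32 or 64
    first_run: Optional[date]             # first launch of that build, if the inventory knows it


@dataclass(frozen=True)
class Finding:
    host: str
    action: str      # "none", "update" or "reimage"
    evidence: str    # where this host's first-stage report would be (see server_evidence)


def is_tainted_build(version: Optional[str]) -> bool:
    """True for any 5.33.x build; other versions are out of scope for this check."""
    return version is not None and tuple(version.split(".")[:2]) == TAINTED_MAJOR_MINOR


def server_evidence(first_run: Optional[date]) -> str:
    """Classify where a first-stage report from this host ended up, per the article's timeline."""
    if first_run is None:
        return "unknown"
    if first_run < DISTRIBUTION_START or first_run > SERVER_SEIZED:
        return "none"      # no tainted build existed yet, or the C&C was already offline
    if first_run < DATABASE_WIPED:
        return "wiped"     # landed in the database deleted on 2017-09-12
    return "seized"        # may be among the records recovered by investigators


def triage(host: Host) -> Finding:
    """Decide what to do with one host."""
    if not is_tainted_build(host.ccleaner_version):
        return Finding(host.name, "none", "none")
    if host.os_bits != 32:
        # Tainted binary on disk, but per the article the payload ran on 32-bit
        # platforms only: replace the software, no second-stage hunt needed.
        return Finding(host.name, "update", "none")
    # Stage 1 executed here. Only the seized records could show whether stage 2
    # followed; for "wiped" and "unknown" hosts nobody can rule it out.
    return Finding(host.name, "reimage", server_evidence(host.first_run))


def triage_inventory(hosts: list[Host]) -> list[Finding]:
    """Triage every host, listing reimage candidates first."""
    order = {"reimage": 0, "update": 1, "none": 2}
    return sorted((triage(h) for h in hosts), key=lambda f: (order[f.action], f.host))


# Constructed sample inventory. "5.40" stands in for any later, untainted build.
INVENTORY = [
    Host("ws-0101", "5.33", 32, date(2017, 8, 20)),
    Host("ws-0102", "5.33", 64, date(2017, 8, 22)),
    Host("ws-0103", "5.33", 32, date(2017, 9, 14)),
    Host("ws-0104", "5.40", 64, date(2017, 9, 20)),
    Host("ws-0105", None, 64, None),
    Host("ws-0106", "5.33", 32, None),
]

if __name__ == "__main__":
    for f in triage_inventory(INVENTORY):
        print(f"{f.host}: {f.action:8} first-stage report: {f.evidence}")
```

The `evidence` field is what makes the article's point operational: a host whose report was "wiped" or whose first run is "unknown" will never be confirmed clean from the seized records, which is why the blanket reimage advice above applies to it even without a positive second-stage finding.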
"It is unfortunate that the server was a low-end machine with limited disk capacity, because if it weren't for this (just 5 days before we took the server down), we would likely have a much clearer picture of exactly who was affected by the attack as the entire database would have been intact from the initial launch date," Avast said today.
Although a list of 20 tech targets is circulating, that list was being dynamically changed. Definitely, they were logging into the server.
— Kevin Beaumont (@GossiTheDog) September 22, 2017
Comments
Occasional - 6 years ago
"...contains over 50 government domains..." 50 domains - wow! Especially as so many likely contain 32 bit systems, and other characteristics which make them easy targets - and sensitive data rich, too.
pcpunk - 6 years ago
How or why were they running 32-bit systems? Or, was a lot of this Cloud-based 64-bit?
"It is unfortunate that the server was a low-end machine with limited disk capacity, because if it weren't for this (just 5 days before we took the server down), we would likely have a much clearer picture of exactly who was affected by the attack as the entire database would have been intact from the initial launch date," Avast said today.
And what is "the server", was this an Avast server or the attackers'? Did the attackers infect the Avast server software, or did they redirect the downloads to their server? This is not clear to me.
campuscodi - 6 years ago
They were obviously referring to the C&C server where the malware was sending data collected from infected devices. It was not an Avast server. Don't be ridiculous. It was a server stored on some random web host somewhere, like all C&C servers.
Occasional - 6 years ago
Whenever you get a community sharing news and views on one subject matter, they develop a sort of shorthand, where the hearer/reader can flesh out what is taken by the author (and in this case, one author quoting another) as safe to assume. Sadly, we need people working full time on cybersecurity; happily, I am not one of them.
A "server" has come to mean different things, in different contexts, over the past few decades. It could be a box, or just one board on a rack, or software that functions as a server, or the temporary assignment of processing and data storage resources at some virtualized infrastructure facility anywhere in the world.
Easy to lose track of "the server" when there are so many of them about.
bobsage - 6 years ago
So if I had the affected version installed on a 64-bit machine I have nothing to worry about?
NetDom - 6 years ago
Do you really think that they care about you? This one is a serious hacker attack with specific global targets...however, all this is terrifying.
Clairvaux - 6 years ago
"This (first-stage) malware would execute on 32-bit platforms only."
Sorry if the answer is obvious, but does that mean someone running 64-bit Windows 7 could not have been infected even if he tried? My situation:
- 64-bit Windows 7.
- Using C-Cleaner, portable, normally 64-bit (barring a mistake).
- Used the infected version number, but normally 64-bit (unless mistaken), so not the infected bitness.
- Checked the various published signs for infection, and found none.
The portable version comes with both the 32-bit and 64-bit executable, and normally my launch icon for the software links to the 64-bit executable.
I scanned the infected v.5.33 with Virus Total before discarding it and upgrading, and indeed the 32-bit executable was flagged as infected, while the 64-bit executable came out clean.
So unless I made a mistake and linked to the 32-bit executable, I should be clean. Now my question is: did the fact that I run 64-bit Windows protect me against an infection, even if I had linked by mistake to the 32-bit executable?
campuscodi - 6 years ago
The malware was embedded in the CCleaner binaries, both 32 and 64-bit, but would "execute" only on 32-bit platforms. So, the malware is on your system, but it didn't actually run and collect any data.
Clairvaux - 6 years ago
Wow. Weird. Very weird. Thanks. Now does this mean I must reinstall Windows from scratch? Avast says no (home user). However, I'm doing home banking with this rig. Some people even say you should change all your passwords (dozens of them, in my case...).
kardmania - 6 years ago
If CCsetup533 was downloaded and never installed can the issue be resolved by simply deleting the non-executed download?
Occasional - 6 years ago
From BC articles:
"First to spot a connection between the malware embedded in the tainted CCleaner app and Axiom was Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab."
"The CCleaner database - which has been recovered - contains over 50 government domains."
"In a Binding Operational Directive published today by the Department of Homeland Security (DHS), the US government has banned the use of Kaspersky Lab security software on government computers."
Anyone else see some irony here?