Security researchers believe that the recent CCleaner hack was carried out by a group of Chinese state-sponsored hackers known as Axiom.
Earlier this month it became known that attackers had compromised the popular CCleaner utility, which is used to clean and optimize Windows systems. According to the developers, more than 2 million users were affected: the compromised build was released on August 15, but the breach went unnoticed until September 12, and throughout that period the Floxif malware was downloaded along with CCleaner. The affected builds were the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.
Now security specialists say that the attack was probably not as simple as it first appeared and was carried out by a professional group of state-sponsored hackers known as Axiom (also tracked as APT17, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group 72 and AuroraPanda).
Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, was the first to point to a possible connection between the Axiom group and the CCleaner hack. In a tweet on September 19, 2017, he drew attention to the fact that the malware code used in the CCleaner attack closely resembles the source code of the Missl backdoor, which had previously been seen in Axiom campaigns.
Raiu's colleagues at Cisco Talos agree with his theory. The researchers published a detailed report concluding that Axiom, aka Group 72, could have been behind the CCleaner hack. The screenshot below shows the similarities in the code that aroused the researchers' suspicion.
Cisco Talos analysts also say that an unnamed third party provided them with files from the attackers' command-and-control (C2) server, including its database. This server received the data collected by the compromised versions of CCleaner (system information, running processes, MAC addresses of network adapters and unique component IDs). The researchers verified the authenticity of the data by comparing it with the records generated by their own test machines. Note that the data covered only September 12 to 16, 2017, and the records for September 12 appear to have been corrupted.
Analysis of this data showed that the earlier public information about the Floxif malware distributed with CCleaner was inaccurate. Recall that the official statements said the malware was capable of downloading and running additional binaries, but that no infected host had actually received a second-stage payload. It turned out that the attackers had delivered additional payloads to at least 20 hosts. Between September 12 and 16, more than 700,000 machines contacted the C2 server, and at least 20 of them received the second stage of the infection.
In the second stage the attackers singled out the systems worth pursuing, and to those they eventually delivered a lightweight backdoor. The backdoor obtained the addresses of its command servers through search queries to github.com and wordpress.com and then downloaded additional malware onto the device.
Interestingly, the attackers selected their victims by the domain names of their computers. A long list was found on the C2 server, and Cisco specialists found their own company on it. Besides Cisco, the attackers were interested in Singtel, HTC, Sony, Samsung, Gauselmann, Intel, VMware, Vodafone, Linksys, MSI, Epson, Akamai, D-Link, Oracle (Dyn), Microsoft and Google (Gmail). The researchers have already contacted all potentially affected organizations and warned them about possible problems.
Analysts warn that in theory the attackers could have reached other large companies and institutions: a simple SQL query against the database showed that 540 of the compromised CCleaner machines were on government networks and 51 belonged to banks.
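The two paragraphs above describe the same triage from both sides: the attackers matched beaconing hosts against a list of target domains, and Talos later ran a simple SQL query over the recovered database to count government and banking networks. The script below is an added example, not code from the article, from Cisco Talos or from the attackers. It loads a constructed set of beacon records (hostname plus machine domain, all invented) into an in-memory SQLite table standing in for the C2 database, applies a placeholder targeting list (the real list is not reproduced in the article), and shows the practitioner's caveat: a `LIKE '%domain%'` substring query over-matches, whereas label-aligned suffix matching does not.

```python
import sqlite3

# Constructed sample of the kind of records a C2 database of this sort would
# hold, one row per beaconing host. Hostnames and domains are invented for
# this example; none come from the Talos data set.
SAMPLE_BEACONS = [
    ("WKS-01", "ger.corp.intel.com"),
    ("WKS-02", "notintel.com"),              # looks like a target to a substring match
    ("WKS-03", "dev.vmware.com"),
    ("WKS-04", "finance.treasury.gov"),
    ("WKS-05", "mail.example.gov.uk"),
    ("WKS-06", "pc.firstbank.example"),
    ("WKS-07", "riverbank-hotels.example"),  # contains "bank" but is not a bank
    ("WKS-08", "home"),                      # workgroup machine, no domain suffix
    ("WKS-09", "jp.sony.com"),
]

# Placeholder targeting list (assumption): bare domain suffixes of the kind the
# attackers were looking for. The real list is not reproduced in the article.
TARGET_DOMAINS = ["intel.com", "cisco.com", "vmware.com", "sony.com"]


def build_db(beacons=SAMPLE_BEACONS):
    """Load beacon records into an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE beacons (hostname TEXT NOT NULL, domain TEXT NOT NULL)")
    con.executemany("INSERT INTO beacons VALUES (?, ?)", beacons)
    return con


def in_domain(fqdn, suffix):
    """True if fqdn equals suffix or is a subdomain of it (label-aligned)."""
    fqdn, suffix = fqdn.lower().rstrip("."), suffix.lower().rstrip(".")
    return fqdn == suffix or fqdn.endswith("." + suffix)


def targeted_hosts(con, targets=TARGET_DOMAINS):
    """Hosts whose machine domain falls under one of the target suffixes."""
    rows = con.execute("SELECT hostname, domain FROM beacons ORDER BY hostname").fetchall()
    return [h for h, d in rows if any(in_domain(d, t) for t in targets)]


def targeted_hosts_naive(con, targets=TARGET_DOMAINS):
    """Same question asked with SQL LIKE substring matching; over-matches."""
    hits = set()
    for t in targets:
        for (h,) in con.execute(
            "SELECT hostname FROM beacons WHERE lower(domain) LIKE ?", ("%" + t + "%",)
        ):
            hits.add(h)
    return sorted(hits)


def sector_counts(con):
    """Rough sector triage of the kind the article describes: .gov suffixes
    and any domain containing 'bank' (the latter is deliberately loose and
    needs manual review, as WKS-07 shows)."""
    gov = con.execute(
        "SELECT COUNT(*) FROM beacons WHERE domain LIKE '%.gov' OR domain LIKE '%.gov.%'"
    ).fetchone()[0]
    bank = con.execute("SELECT COUNT(*) FROM beacons WHERE domain LIKE '%bank%'").fetchone()[0]
    return {"government": gov, "bank": bank}


if __name__ == "__main__":
    con = build_db()
    print("suffix match :", targeted_hosts(con))
    print("LIKE match   :", targeted_hosts_naive(con))
    print("sectors      :", sector_counts(con))
```

On the sample data the suffix matcher returns WKS-01, WKS-03 and WKS-09, while the `LIKE` version also drags in WKS-02 (`notintel.com`); the bank count likewise includes the hotel. When you run a query like this against your own asset inventory to see whether any of your machines would have been on an attacker's list, use the suffix form and treat substring hits as leads to verify, not as results.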
“This demonstrates the level of access that the attackers received through this infrastructure and the malware associated with it, and it highlights the danger and potential impact of such attacks,” the Cisco Talos specialists write.
For now, experts strongly recommend that victims of the CCleaner hack do more than just update to the fixed versions, CCleaner 5.34 and CCleaner Cloud 1.07.3214. Because the second stage of the attack did run on some machines, the researchers advise a full restore of the system from a backup made before August 15, 2017, that is, before the utility was compromised.