CCleaner targeted top tech companies in attempt to lift IP

Infected Avast tool's payload went after the likes of Microsoft, Intel and Cisco, hit 20 targets


Cisco's security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to some of those firms targeted.

The malware that made its way into CCleaner gathers information about its host and sends it to what Talos calls the "C2 server". Whoever is behind the malware then reviews the hosts its code has compromised. It then tries to infect some of those hosts with what Talos characterises as "specialized secondary payloads".

Those payloads sometimes seek out top tech companies: Talos said this week its examination of code on the C2 server lists targets including Cisco, Microsoft, Sony, Intel, VMware, Samsung, D-Link, Epson, MSI, Linksys, Singtel and the dvrdns.org domain, which resolves to dyn.com.

The malware aimed at those companies creates a backdoor into machines it infects, suggesting to Talos "a very focused actor after valuable intellectual property". The researchers also propose that China could be the source of the attack, noting that the malware specifies use of the People's Republic's time zone and that it shares code with tools associated with a hacking group believed to be Chinese, known as "Group 72", which was thought to be involved in previous attacks attempting IP theft.

Talos said it can "confirm that at least 20 victim machines were served specialized secondary payloads". The firm doesn't name the victims or specify that they are any of the tech companies named above, as its researchers say the list of target companies changes. Cisco informed those it believes have been infected.

Kill it with fire. Twice, if possible

"These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor," Talos said. "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system."

What are you waiting for, people? Get to those backups now! ®

PS: Avast has now narrowed the CCleaner infection down to 40 PCs within Samsung, Asus, Fujitsu, Sony, O2, Intel, VMware, Singtel and others.
