itman

My Opinions On What Happened In The Recent CCleaner Attack


Today Avast made an updated blog posting on the incident:

Quote

 

The main findings from the complete database are as follows:

•The total number of connections to the CnC server was 5,686,677.
•The total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536.
•The total number of unique PCs that received the 2nd stage payload was 40.

 

Avast is sticking to its statements that the attack was a "waterhole" attack with the real intent being to target a few dozen high-valued corporation targets. If so, this most surely will go down as the largest waterhole attack in history. Sorry Avast, I'm not "buying in" to your assessment.

There is one glaring omission in the publicly released statements to date on this attack. That is the role played by the compromised Piriform servers in this attack. Let's state this again - the Piriform servers were compromised, and for an extended period of time. Because the servers were compromised, anything is possible.

Noteworthy is that in the recent Ukraine ME Doc incident, the Ukraine government hired Cisco to perform an independent third party forensic analysis of the ME Doc servers. I also believe Eset assisted in that incident. What Cisco discovered was that the servers were breached on multiple occasions for the purposes of adding and deleting software used in the attack. Hence, the premise for what I believe transpired in this attack.

The initial attacker-modified CCleaner updates were downloaded to millions of computers. This binary contained a backdoor for the purpose of mapping detailed software and hardware data about the device it was installed on. So far, I am in agreement with these statements.

The next assertion made by Avast is that no subsequent data was downloaded from the attacker's C&C servers; except it was later disclosed that a second backdoor was downloaded to high value corp. targets. Sorry, I don't "buy in" to that assertion. The best analogy I can think of is a bank robber that is "casing" banks to determine the best targets to rob. He notes such things as physical layout, security mechanisms, etc. After going through all this effort, he decides to abandon all those targets and instead only to rob the various U.S. Federal Reserve banks - the ones with the least likelihood of pulling off a successful robbery.

My attack scenario proceeds as follows:

1. The corrupted CCleaner binary only contained a backdoor since it was what is referred to as "coded and sealed" commercial software. Such software goes through a number of QC and security checks before it is publicly released. Adding extensive malware-based code to the binary would greatly increase the likelihood that a discrepancy would be noticed.

2. The initial backdoor allowed for mapping activities and uploaded that data to the attacker's C&C servers as previously noted. In step with the implanting of the infected CCleaner binary code for distribution on the Piriform servers, the attacker also stored his main attack code on the Piriform servers. Also, the Malwr sandbox analysis of the binary did indicate that all the major browsers had undergone modification activity.

3. Besides modifying the CCleaner.exe binary, the attacker also modified the auto-updating code to upload the MAC address or equivalent ID data of the device.

4. The attacker then analyzed the mapping data being uploaded from infected targets to determine the best targets to download subsequent attack code to. The attacker's primary consideration would be the current security mechanisms in place on the targets. He did not want any malicious activities detected in the initial stages of the attack. It appears he was quite successful in this regard since the attack wasn't detected for at least a month - "light years" in malware discovery terms.

5. The attacker on a periodic basis entered the Piriform servers to update a MAC address table, or some approximate facsimile of identifying information, of targets to download additional malware to.

6. At the next scheduled CCleaner update, which I believe is done daily at boot time, or at the time of the attacker's choosing, the selected targets' ID data was uploaded to the compromised Piriform servers. Previously planted intercept code on the servers compared the source computer's ID data to that stored in the server's table of targets to download additional malware code to. The selected target's ID data was then removed from the server table of targets.

So far we have the perfect malware download method to use: the trusted app updater.

Now in regards to the second backdoor that was only installed on high value corp. targets. First, I don't buy into the "high valued" statement and believe many more corps. were infected. The second backdoor was used because major corps., at least, don't allow auto updating of software on their endpoints. As such, the auto update download of malware was unavailable. The attacker had to resort to delivery of the additional malware via the external C&C server method which, in doing so, led to discovery of the attack.

It is strongly suspected that, like in the ME Doc attack, the attacker, when he realized he had been discovered, entered the Piriform servers and erased all evidence of compromise.

In summary, until a detailed independent third party analysis is performed on the compromised Piriform servers, we will never know the full impact of this attack.

Edited by itman

9 minutes ago, itman said:

In summary, until a detailed independent third party analysis is performed on the compromised Piriform servers, we will never know the full impact of this attack.

Is someone running an independent third party analysis? A lot of people are noting the fact that this happened not long after Avast bought Piriform with many wondering if this was Avast e.g. trying to hide stuff on users computers or maybe a disgruntled employee not happy with the takeover.

1 hour ago, peteyt said:

Is someone running an independent third party analysis?

I assume law enforcement agencies are currently doing so. As such, any such detailed findings will be sealed for prosecution purposes. What public details Avast releases, if actually revealed to them, would be done at their discretion.

In the ME Doc incident, it hired Cisco to perform the analysis. Cisco subsequently publicly published its findings without, of course, releasing any attacker source or sensitive attack information that could be used for prosecution purposes.

Edited by itman

2 hours ago, itman said:

I assume law enforcement agencies are currently doing so. As such, any such detailed findings will be sealed for prosecution purposes.

What makes you think any law enforcement agency is even looking at this? I sincerely doubt that they (1)are aware :blink:(2) even care<_<. Sorry if I sounded jaded, but in my life experiences I have learned a few things. One of them is cover your own butt as no one else will. Your thoughts have just re-enforced one thing with me...I am done with CCleaner. After this and the Equifax debacle, my faith and patience is somewhat reduced. :angry: 

Thanks for your thoughts itman. They are appreciated.;)

Edited by TomFace

30 minutes ago, TomFace said:

What makes you think any law enforcement agency is even looking at this? I sincerely doubt that they (1)are aware :blink:(2) even care<_<. Sorry if I sounded jaded, but in my life experiences I have learned a few things. One of them is cover your own butt as no one else will. Your thoughts have just re-enforced one thing with me...I am done with CCleaner. I'm too busy dealing with and preparing for my (and my wife's) involvement with the Equifax debacle. :angry: 

Thanks for your thoughts itman. They are appreciated.;)

I don't know about law enforcement looking into CCleaner but I stopped updating it back in January. I'm still on Win 7 and will stay here till who knows when. Most all programs updating today, except Eset, seem to be for Win 10 requirements.

In fact nothing is allowed to auto update, except Eset, or unnecessarily connect to the internet.

I'm not sure if I was involved in the Equifax mess or not. I don't trust them enough to find out on their website. I froze all my credit and changed all my passwords. In my US State freezing your credit is free with a $5.00 charge to unfreeze it. I have no plans for requiring new credit for much of anything in the near future so it was the easiest thing for me to do. I'm sure my solution is not for everyone but according to most sources it's the best one.

11 hours ago, TomFace said:

What makes you think any law enforcement agency is even looking at this?

Avast stated so in their original blog postings on the incident. Since the initial backdoor C&C server was located in the U.S., it was U.S. law enforcement that took that server off-line and confiscated it.

I don't know the law enforcement procedures in the Czech Republic, Eset would be more familiar with that. It is assumed they are involved since the attack originated from Piriform servers. Suspect those servers could be located in the U.K. where Piriform resided. So they would have to get U.K. law enforcement involved. Probably Interpol is the head law enforcement agency involved. 


There are also indications that the Piriform servers were compromised earlier than what has been publicly reported. At least as early as June, as noted in this comment to the original Cisco blog posting on the incident. This comment also lends credence to my theory that it was not just high valued corps. which were targeted in this attack:

Quote

Paul Comtois September 21, 2017 at 4:48 PM

I manage the Antivirus systems for my Employer's business here at Triella in Canada and I have evidence from Webroot that this started much earlier than August. We have a client record of a blocked CCleaner.exe detection on June 25th flagged as W32.Hacktool.Rpdpatch

We were lucky that I did not whitelist the threat as safe because at the time Webroot had a problem with mis-categorizing legitimate software as malware. This threat was found on a server and since we regularly used CCleaner on desktops but not servers, I was suspicious of it and contacted Webroot support about it as well. I am going to be posting an article on our website about this shortly.

Ref.: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html#more

Edited by itman

7 hours ago, itman said:

Avast stated so in their original blog postings on the incident. Since the initial backdoor C&C server was located in the U.S., it was U.S. law enforcement that took that server off-line and confiscated it.

I don't believe anything Avast has to say. The people that I can truly trust I can count on one hand.

SCR I'm with you...Win 7 and nothing (except ESET) updates without my permission.


Adding support to my theory that the actual malware payloads were delivered by scheduled update check via the compromised Piriform servers is Carbon Black's own analysis of recent like incidents where this exactly happened:

Quote

Carbon Black’s research team identified similar attacks early in 2017, and Red Canary reported events just prior, when an investigation showed an adversary within the Ask Partner Network (APN) signing malware with an authentic digital signature and pushing it to customers as software updates. That event was very similar. A long-allowed browser plug-in obtained a regular update that immediately downloaded malware for remote attacks. Adversaries were then able to quickly act and try and take control of the system and steal information before they were eventually blocked by automated endpoint defenses.

Earlier this year as well, RSA Research identified a supply chain attack using very similar activity. Named KingSlayer, an adversary leveraged the update channel of a legitimate application used by network administrators to troubleshoot servers. Upon downloading malware signed by the company, these servers immediately began infecting themselves and giving control to the adversary.

Ref.: https://www.carbonblack.com/2017/09...tracks-ccleaner-ongoing-supply-chain-attacks/

The most notable thing Carbon Black said in the article was:

Quote

The near-constant gap in this analysis, as seen by Carbon Black’s Threat Analysis Unit (TAU), is the lack of focus on Potentially Unwanted Programs (PUPs). There are numerous applications that are found within environments that have no business use and are not beneficial to the organization, but are still allowed as they are deemed benign and useful to a few.

Eset has always classified CCleaner as a PUA.

Edited by itman

1 hour ago, itman said:

Eset has always classified CCleaner as a PUA.

Only if you download anything other than the slim version.


The only PUA ESET warns me about is CCleaner trying to get you to install Chrome.

 

If I wanted it I would have already installed it.:(


Edited by jadinolf

1 hour ago, jadinolf said:

The only PUA ESET warns me about is CCleaner trying to get you to install Chrome.

 

If I wanted it I would have already installed it.:(

I believe that CCleaner, at some point in the past, was trying to pass some sort of tool bar in the install before Chrome. But maybe not. My personal memory isn't what it used to be. I always installed the Slim version and never updated through CCleaner.

It sure is getting dangerous and freaky on the Internet. I wonder about all this cloud stuff going on and how long it will be before someone, a corporate entity or government, finds a way to take it all down. Probably they already can.

Edited by SCR
Correction.

2 hours ago, SCR said:

It sure is getting dangerous and freaky on the Internet. I wonder about all this cloud stuff going on and how long it will be before someone, a corporate entity or government, finds a way to take it all down. Probably they already can.

Kim Jong Un already has a rocket to do that.....or is it a "White Cloud" toilet paper tube rocket he has??:wacko:

Edited by TomFace
