
Samsung, Intel, and Sony among several other tech firms infected by CCleaner backdoor

By John Law & Liu Hongzuo - on 27 Sep 2017, 12:45pm


More information has surfaced since we last reported on the multi-stage malware hidden inside CCleaner. The second stage specifically targets high-profile tech companies and telcos: of roughly 1.65 million infected devices that checked in, only 40 received the second payload.

Avast, the cybersecurity firm that owns CCleaner developer Piriform, detailed the second stage of the attack in a blog post on Monday. Among its key findings: 1,646,536 unique MAC addresses (i.e., unique PCs) running the backdoored CCleaner build communicated with the attackers' server, but only 40 pre-selected PCs were served the second malware payload. The attackers also kept a further list of potential targets.

The list of infected companies (below) consists mainly of major tech firms, telcos and carriers, ISPs, and military domains. According to Avast, the second-stage payload has not yet been observed taking any further action.

Image credit: Avast (blog).

This second list (below), also compiled by Avast, contains firms that were not infected with the second stage but appear in the attackers' database.

Avast initially deduced that the attack might originate from China, given the absence of Chinese firms among the targets, along with several clues in the PHP code found on the attackers' server, notes in the logs, and similarities to a previous APT (advanced persistent threat) campaign attributed to China. It cautions, however, that such indicators could have been planted deliberately to disguise the attackers' true origin.

Avast then narrowed down the attackers' profile from their activity. The operations observed during the outbreak showed that the server operators were maintaining the connections manually, and that their activity followed a typical IT worker's shift pattern: the attackers were also inactive on weekends.

The investigation led Avast to conclude that the attackers are state-sponsored professionals keeping office hours, located somewhere in the UTC+5 or UTC+8 time zones, which points to the eastern part of the Middle East, Central Asia, and India.
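The working-hours reasoning above is a standard attribution heuristic: take the timestamps of operator actions on the C2 server, try each candidate UTC offset, and see which one lines the activity up with a Monday-to-Friday office shift. The script below is an added illustration of that method and is not code from Avast's blog or from the investigation; the log lines are constructed sample data, and the 09:00-17:00 shift, the log format, and the function names are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of operator actions on a C2 server, timestamped in UTC.
# These are synthetic lines for the example, NOT real CCleaner C2 log data.
# 2017-08-21 is a Monday; 26/27 August are the weekend (no entries there).
SAMPLE_EVENTS_UTC = [
    "2017-08-21 04:15:10 login",
    "2017-08-21 07:30:44 SELECT targets",
    "2017-08-21 11:40:02 push stage2",
    "2017-08-22 05:02:19 login",
    "2017-08-22 09:15:33 SELECT targets",
    "2017-08-22 13:30:57 push stage2",   # one late outlier (overtime)
    "2017-08-23 04:50:08 login",
    "2017-08-23 10:30:21 SELECT targets",
    "2017-08-24 06:20:40 login",
    "2017-08-24 11:05:12 push stage2",
    "2017-08-25 04:40:27 login",
    "2017-08-25 08:55:49 SELECT targets",
    "2017-08-25 11:50:03 logout",
]

WORKDAY_START = 9                    # assumed local office hours, inclusive
WORKDAY_END = 17                     # exclusive
CANDIDATE_OFFSETS = range(-12, 15)   # whole-hour UTC offsets to test


def parse_events(lines):
    """Return a UTC-aware datetime for each 'YYYY-MM-DD HH:MM:SS <action>' line."""
    events = []
    for line in lines:
        stamp = " ".join(line.split()[:2])
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        events.append(dt.replace(tzinfo=timezone.utc))
    return events


def to_local(event, offset_hours):
    """Shift a UTC event into the candidate local time zone."""
    return event.astimezone(timezone(timedelta(hours=offset_hours)))


def in_office_hours(local):
    """True if the local time falls on a weekday inside the assumed shift."""
    return local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END


def score_offset(events, offset_hours):
    """Fraction of events that land in Mon-Fri office hours under this offset."""
    hits = sum(in_office_hours(to_local(e, offset_hours)) for e in events)
    return hits / len(events)


def rank_offsets(events, candidates=CANDIDATE_OFFSETS):
    """Candidate offsets sorted best-first; ties favour the smaller |offset|."""
    scored = ((o, score_offset(events, o)) for o in candidates)
    return sorted(scored, key=lambda t: (-t[1], abs(t[0])))


def weekday_histogram(events, offset_hours):
    """Count activity per local weekday; an 'inert on weekends' operator shows no Sat/Sun."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    return Counter(names[to_local(e, offset_hours).weekday()] for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_UTC)
    ranking = rank_offsets(evs)
    best, fit = ranking[0]
    print(f"best-fitting offset: UTC{best:+d} ({fit:.0%} of activity in office hours)")
    for offset, score in ranking[:3]:
        print(f"  UTC{offset:+d}: {score:.0%}")
    print("activity by local weekday:", dict(weekday_histogram(evs, best)))
```

Two caveats a practitioner should keep in mind. The result is only as good as the assumed shift: the ranking changes if the operator works 08:00-16:00 or a night shift, and half-hour zones such as India's UTC+5:30 need half-hour candidates added to `CANDIDATE_OFFSETS`. And, as Avast itself notes for the other indicators, timing is spoofable by an adversary who deliberately works someone else's hours, so it is supporting evidence for attribution, never proof on its own.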

Besides China, the hackers also did not target firms in India or Russia. Avast has reached out to the infected businesses to offer assistance.

Source: Avast (blog).