The attackers who compromised CCleaner and infected 2.27 million consumers were actually aiming at bigger fish, including Microsoft, Intel and Samsung.
Avast, which owns Piriform, the maker of the CCleaner utility, initially reported that it had stopped the attack before any real harm was done, in part because one of the two pieces of malware the attack delivered was never executed. The first piece of malware merely profiled a victim's computer, while the second stage of the attack was responsible for persistence, Avast said on Thursday.
Cisco’s Talos security researchers have also analyzed the malware and found that a handful of the world’s biggest tech companies were served “specialized secondary payloads”. HTC, Samsung, Sony, VMware, Microsoft, Cisco, Linksys and Epson, as well as telcos Singtel and O2, were all targeted.
Cisco and Avast researchers said that at least 20 machines were served the secondary payloads, selected against a list of company domains that appears in the logs of the command and control server, which was taken down following the discovery of CCleaner’s compromise.
Avast CEO Vince Steckler noted that the number of machines that received the second piece of malware was likely “in the order of hundreds”, given that the researchers only had access to server logs covering three days.
Cisco’s researchers said the targets suggest a “very focussed actor after valuable intellectual property”.
“These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor,” wrote the Talos team.
Cisco also challenged Avast’s suggestion on Wednesday, made before it knew this might be a more sophisticated attacker, that it was unnecessary for victims to restore their systems to a state prior to August 15, the date on which the compromised version of CCleaner was first distributed.
“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” wrote the Talos team.
However, Avast's Steckler said he stood by the advice that, for consumers, it was enough to simply update to a clean version of CCleaner.
Cisco's researchers also note that the profiling performed by the first-stage malware was “rather aggressive”, since it collected a list of all software installed on a machine, which would be enough to plan subsequent attacks. The details were stored in a MySQL database on the command and control server, where the profile information was used to determine whether an infected machine met the requirements to be delivered the second-stage malware.
As Avast explained on Wednesday, of the 2.27 million machines infected, around 730,000 were still running the compromised version of CCleaner. Cisco notes that all of these systems were reporting to the command and control server, yet just 20 machines were known to have been served the second-stage malware.
The malware delivered to those 20 machines used filenames matching those of legitimate software to install a backdoor that retrieved further malware.
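The gating described above, in which every infected machine reports a profile but only hosts whose domain appears on a target list receive the second stage, is easy to misimplement in a detection or triage script with a naive substring match. The following is an added illustration written for this article, not code from Avast, Cisco or the malware itself; the record layout, the `Beacon` class, the hostnames and the target list are all constructed assumptions. It selects stage-two candidates from C2-style beacon records using a label-boundary domain match, so that `corp.cisco.com` matches `cisco.com` but `notcisco.com` does not.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed beacon record standing in for one row of the C2 server's
# profiling database; the field names are assumptions for this example.
@dataclass(frozen=True)
class Beacon:
    host: str                  # hostname reported by the first-stage profiler
    domain: str                # domain the machine reported itself as belonging to
    installed: Tuple[str, ...] # installed-software list gathered by the profiler

# Illustrative target list; the article names the companies, not the exact
# domain strings the attackers used.
TARGET_DOMAINS: Tuple[str, ...] = ("cisco.com", "htc.com", "singtel.com")


def domain_matches(reported: str, target: str) -> bool:
    """True if `reported` equals `target` or is a subdomain of it.

    Comparison is case-insensitive, tolerates a trailing dot, and checks
    the label boundary, so 'notcisco.com' is not treated as 'cisco.com'.
    """
    reported = reported.lower().rstrip(".")
    target = target.lower().rstrip(".")
    return reported == target or reported.endswith("." + target)


def in_target_list(domain: str, targets: Iterable[str] = TARGET_DOMAINS) -> bool:
    """Whether a reported domain falls under any target domain."""
    return any(domain_matches(domain, t) for t in targets)


def select_for_stage_two(beacons: Iterable[Beacon],
                         targets: Iterable[str] = TARGET_DOMAINS) -> List[Beacon]:
    """Return only the beacons whose reported domain is on the target list.

    This models why a 2.27 million-install compromise produced only a
    handful of second-stage deliveries: the profile is collected from
    everyone, the payload goes only to hosts that pass this filter.
    """
    targets = tuple(targets)
    return [b for b in beacons if in_target_list(b.domain, targets)]


# Constructed sample beacons (not real log data).
SAMPLE_BEACONS: Tuple[Beacon, ...] = (
    Beacon("WS-1042", "corp.cisco.com", ("CCleaner", "Visual Studio")),
    Beacon("HOME-PC", "WORKGROUP", ("CCleaner", "Steam")),
    Beacon("LAPTOP-7", "notcisco.com", ("CCleaner",)),
    Beacon("BUILD-03", "eng.htc.com.", ("CCleaner", "Android SDK")),
    Beacon("DESK-88", "CISCO.COM", ("CCleaner",)),
)


def selected_hosts(beacons: Iterable[Beacon] = SAMPLE_BEACONS) -> List[str]:
    """Hostnames that would have been served the second stage."""
    return [b.host for b in select_for_stage_two(beacons)]


if __name__ == "__main__":
    print(f"{len(SAMPLE_BEACONS)} beacons, {len(selected_hosts())} selected:")
    for h in selected_hosts():
        print("  ", h)
```

Run stand-alone, the script reports three of the five constructed beacons as selected. The same `domain_matches` check is what an incident responder wants when deciding, from their own inventory, whether any host reported itself under an in-scope domain and therefore belongs in the reimage set Cisco recommends, rather than the update-only path.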
Cisco’s researchers also confirmed a claim from researchers at Kaspersky Lab that there were similarities between the CCleaner malware and malware used by the hackers known as Group 72, also known as Deep Panda and Axiom, who were linked to the Anthem breach of 80 million social security numbers. CrowdStrike has assessed the group to be Chinese nation-state hackers.