Thursday, 19 April 2018 08:07

CCleaner hack: attackers gained entry through TeamViewer


The attackers who compromised CCleaner, a popular application that allows Windows users to perform routine maintenance on their systems, did so by using TeamViewer on a developer workstation.

The Czech security company Avast said, in its latest update about the hack, that the attackers had first accessed the network of Piriform, the maker of CCleaner and a company that Avast acquired last year, on 11 March 2017, four months before the acquisition. The update was presented at the RSA Conference which is taking place in San Francisco this week.

TeamViewer is proprietary software that can be used for remote control, desktop sharing, online meetings, Web conferencing and file transfer.

News that CCleaner had been compromised broke on 17 September 2017 through a detailed report from Cisco's Talos Intelligence Group. A second analysis from Talos said a number of companies were targeted by the malware within CCleaner: Cisco, Intel, Microsoft, HTC, Samsung, VMware, Akamai, Sony, Singtel, D-Link, O2, Vodafone, German gaming and gambling company Gauselmann, Linksys, Gmail, MSI, Dynamic Network Services and Epson.

In the latest Avast update, chief technology officer Ondřej Vlček said the attackers had logged in with a single sign-in, which meant they were already in possession of valid credentials.

"While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilised for another service, which may have been leaked, to access the TeamViewer account," Vlček said.

Up to 2.27 million CCleaner consumers and businesses downloaded the compromised product. The attackers then installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. "We don’t have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs," he said.

According to the logs, TeamViewer was accessed at 5am local time, when the workstation in question was running but unattended.

"The attackers tried to install two malicious DLLs (dynamic link libraries). However, the attempts were unsuccessful due to lack of admin rights to the system. On the third try, the attackers succeeded in dropping the payload, using VBScript, the scripting language developed by Microsoft," Vlček added.

The following day, 12 March, the attackers made a lateral move to another PC, again outside working hours, this time at 4am.

"The attackers opened a backdoor through Microsoft’s Remote Desktop Service, delivering a binary and payload to the computer’s registry. The payload delivered was an older version of the second stage malware, which was delivered to 40 CCleaner users," he said.
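A defender-side illustration of the pattern Vlček describes (remote access at 5am and 4am on unattended machines, followed by script-based payload delivery), written here as an added example and not drawn from Avast's or Piriform's tooling: it scans constructed remote-access and process-start log lines for off-hours sessions and correlates them with a script host or DLL loader starting on the same machine shortly afterwards. The log format, the 07:00-19:00 working window, the 30-minute correlation window and the host names are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# Constructed rule: flag remote-access sessions starting outside the assumed 07:00-19:00
# weekday window; escalate if a script host or DLL loader starts on that host soon after.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
WORK_START, WORK_END = 7, 19            # assumed local working hours
FOLLOW_WINDOW = timedelta(minutes=30)   # assumed correlation window

Event = namedtuple("Event", "ts host kind detail")  # kind: remote_session | process_start
def parse_line(line: str) -> Event:
    """Parse the constructed 'ISO-timestamp|host|kind|detail' line format."""
    ts, host, kind, detail = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, kind, detail)

def off_hours(ts: datetime) -> bool:
    """True at weekends or outside the assumed working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def detect(lines):
    """Return (host, session start, tool, follow-on image or None) per off-hours session."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "remote_session" or not off_hours(ev.ts):
            continue
        follow = None
        for later in events[i + 1:]:
            if later.ts - ev.ts > FOLLOW_WINDOW:
                break          # events are time-sorted, so nothing later can correlate
            if (later.host == ev.host and later.kind == "process_start"
                    and later.detail.lower() in SCRIPT_HOSTS):
                follow = later.detail
                break
        alerts.append((ev.host, ev.ts.isoformat(), ev.detail, follow))
    return alerts

# Constructed log lines: hosts are invented, timestamps echo the article's timeline.
SAMPLE_LOG = """\
2017-03-10T14:02:11|dev-ws-01|remote_session|TeamViewer
2017-03-10T14:05:40|dev-ws-01|process_start|devenv.exe
2017-03-11T05:01:03|dev-ws-01|remote_session|TeamViewer
2017-03-11T05:09:27|dev-ws-01|process_start|wscript.exe
2017-03-12T04:00:15|dev-ws-02|remote_session|RDP
2017-03-12T04:12:50|dev-ws-02|process_start|explorer.exe
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The daytime TeamViewer session is ignored, the 5am session is escalated because wscript.exe starts eight minutes later, and the 4am RDP session is flagged on timing alone.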

A couple of days later, the attackers infected the first computer with the older version of the second stage malware. It took several weeks for the next stage of the payload to be delivered.

Vlček claimed the attackers had been inside the Piriform network for five months before they managed to compromise the CCleaner build.

Vlček pointed out that Avast had acquired Piriform on 18 July 2017 and the first CCleaner build with the malicious payload appeared on 2 August 2017, adding that the delay before the attack was "interesting".

Avast said in its previous update last month that it had found evidence of ShadowPad, a specialised tool used by a specific group of cyber criminals, installed on four computers at Piriform.

"As we looked for similarities with other attacks, we also analysed older versions of ShadowPad... Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded into a computer, observing a money transfer," Vlček said.

"For Avast, there are two key takeaways from the CCleaner attack. First, M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cyber security, and for us this has now become one of the key areas that require attention during an acquisition process.

"Second, the supply chain hasn’t been a key priority for businesses, but this needs to change. Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


