The Czech security company Avast said, in its latest update about the hack, that the attackers had first accessed the network of Piriform, the maker of CCleaner and a company that Avast acquired last year, on 11 March 2017, four months before the acquisition. The update was presented at the RSA Conference which is taking place in San Francisco this week.
TeamViewer is proprietary software that can be used for remote control, desktop sharing, online meetings, Web conferencing and file transfer.
News that CCleaner had been compromised broke on 17 September 2017 through a detailed report from Cisco's Talos Intelligence Group. A second analysis from Talos said a number of companies were targeted by the malware within CCleaner: Cisco, Intel, Microsoft, HTC, Samsung, VMware, Akamai, Sony, Singtel, D-Link, O2, Vodafone, German gaming and gambling company Gauselmann, Linksys, Gmail, MSI, Dynamic Network Services and Epson.
"While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilised for another service, which may have been leaked, to access the TeamViewer account," Vlček said.
Up to 2.27 million CCleaner consumers and businesses downloaded the compromised product. The attackers then installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. "We don’t have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs," he said.
As per the logs, TeamViewer was accessed at 5am local time when the workstation in question was running, but unattended.
"The attackers tried to install two malicious DLLs (dynamic link libraries). However, the attempts were unsuccessful due to lack of admin rights to the system. On the third try, the attackers succeeded in dropping the payload, using VBScript, the scripting language developed by Microsoft," Vlček added.
The following day, 12 March, the attackers had made a lateral move to another PC, again making the attempt outside working hours, this time at 4am.
"The attackers opened a backdoor through Microsoft’s Remote Desktop Service, delivering a binary and payload to the computer’s registry. The payload delivered was an older version of the second stage malware, which was delivered to 40 CCleaner users," he said.
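The two observations in the account above, remote-access sessions on unattended workstations at 4am and 5am and a next-day move to a second machine, translate directly into a detection a defender can run over remote-access logon records. The following is an added example, not code from Avast's report or the article; the event list, host names, account name and the business-hours window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Piriform logs), timed like the
# intrusion described in the article: a daytime session, an off-hours
# TeamViewer session, and a next-night RDP logon to a second host.
EVENTS = [
    {"ts": "2017-03-10 14:12", "host": "WS-01", "user": "dev1", "kind": "TeamViewer"},
    {"ts": "2017-03-11 05:02", "host": "WS-01", "user": "dev1", "kind": "TeamViewer"},
    {"ts": "2017-03-12 04:10", "host": "WS-02", "user": "dev1", "kind": "RDP"},
    {"ts": "2017-03-13 09:30", "host": "WS-03", "user": "dev2", "kind": "RDP"},
]

WORK_START, WORK_END = 8, 18  # assumed local working hours (start inclusive, end exclusive)


def parse(event):
    """Timestamp string of a record -> datetime (assumed local time)."""
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M")


def is_off_hours(ts):
    """True on weekends or outside the assumed working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def off_hours_sessions(events):
    """Remote-access sessions (TeamViewer, RDP) that start outside working hours."""
    return [e for e in events if is_off_hours(parse(e))]


def lateral_chains(events, window_hours=48):
    """Pairs of off-hours sessions by the same account on different hosts within
    a window: an initial remote-access foothold followed by a next-night move."""
    flagged = sorted(off_hours_sessions(events), key=parse)
    chains = []
    for i, first in enumerate(flagged):
        for second in flagged[i + 1:]:
            same_user = first["user"] == second["user"]
            new_host = first["host"] != second["host"]
            within = parse(second) - parse(first) <= timedelta(hours=window_hours)
            if same_user and new_host and within:
                chains.append((first["host"], second["host"]))
    return chains


if __name__ == "__main__":
    for e in off_hours_sessions(EVENTS):
        print("off-hours remote session:", e["ts"], e["kind"], e["user"], e["host"])
    for src, dst in lateral_chains(EVENTS):
        print("possible lateral move:", src, "->", dst)
```

On the constructed records this flags the 05:02 TeamViewer session and the 04:10 RDP logon, and pairs them as a WS-01 to WS-02 chain; an alert on the first session alone would have preceded the lateral move by a day.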
A couple of days later, the attackers infected the first computer with the older version of the second stage malware. It took several weeks for the next stage of the payload to be delivered.
Vlček claimed the attackers had been inside the Piriform network for five months before they managed to compromise the CCleaner build.
Vlček pointed out that Avast had acquired Piriform on 18 July 2017 and the first CCleaner build with the malicious payload appeared on 2 August 2017, adding that the delay before the attack was "interesting".
"As we looked for similarities with other attacks, we also analysed older versions of ShadowPad... Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded a computer, observing a money transfer," Vlček said.
"For Avast, there are two key takeaways from the CCleaner attack. First, M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cyber security, and for us this has now become one of the key areas that require attention during an acquisition process.
"Second, the supply chain hasn’t been a key priority for businesses, but this needs to change. Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure."