CCleaner breach targeted major tech companies, according to Cisco

21 Sep 2017

Was there another level to the attack on the popular computer clean-up tool? Image: Sopha Changaroon/Shutterstock

It seems that there was something more sophisticated behind the recent CCleaner data breach.

On 18 September, Cisco’s security arm Talos publicised details of a data breach involving CCleaner, which had been active in a version of the popular computer clean-up tool for a number of weeks in August and September.

While this large supply-chain attack is, of course, noteworthy, new details have since emerged that paint a very different picture of the incident.

A dragnet to filter tech company machines?

According to Cisco’s Talos, the hackers had apparently planned to use the CCleaner backdoor as a dragnet to filter computers on the networks of major companies such as Google, Microsoft and Intel, in order to potentially hijack their own networks.

US law enforcement seized a control server that showed hackers had installed additional malware on a group of at least 20 machines to set up a second payload. Some companies had more than one computer compromised, while others escaped unscathed. As of yet, there’s very little evidence to attribute the attack to any particular organisation.

Initially, the number of machines affected was 2.2m, but Avast puts the figure at around 700,000, Wired reported.

Avast emphasising the sophistication of the attack

A statement from Avast – which recently acquired CCleaner’s parent company Piriform – was published yesterday (20 September) attempting to clarify its position, but it didn’t mention the targeting of firms including Samsung, Sony and Cisco. It discussed media and consumer sensitivity stemming from the Equifax breach, and how late that particular incident was disclosed to the public.

“As such, as soon as we became aware of this issue, we engaged and solved it. Within approximately 72 hours of discovery, the issue was resolved by Avast with no known harm to our Piriform customers.”

Avast emphasised the sophistication of the attack, and also mentioned that another security firm, Morphisec, notified it and also Cisco’s Talos about the threat discovered.

Avast added that restoring affected systems to a pre-breach state is not necessary, as it believes the second payload was never activated.

Overall, the statement keenly emphasised the swift reaction by all parties involved to solve the issue.

Supply-chain attacks on the up

These stealthy supply-chain attacks are increasing in frequency and, with even the largest tech companies at risk, vigilance is key.

Cisco’s Talos summed it up: “In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply-chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com