On Tuesday news broke that the latest version of CCleaner, a popular application owned by Avast, had been hacked; at the time little was known about the attacker's intentions. As is often the case with attacks conducted by knowledgeable and experienced attackers, the targets and aim are exceptionally difficult to ascertain. Given time and dedicated research teams these can often be determined, but determining who is responsible is harder. The CCleaner hack was pulled off by modifying version 5.33 to include the Floxif malware, as reported by Cisco Talos and Morphisec. Initially, it was believed that users who downloaded the compromised version had merely downloaded a fake copy of CCleaner. Researchers later determined that the version was indeed legitimate and that CCleaner's supply chain had been compromised. Ultimately it was determined that Floxif, a malware downloader, was used in this instance to collect information such as the computer name, a list of installed software, a list of running processes, the MAC addresses of the first three network interfaces, and unique IDs to identify each computer individually.

Researchers also noted that the malware would only run on 32-bit systems, and only if the user who downloaded the update also had admin rights. Version 5.33 was available for download from August 15 to September 12, and it was revealed that the compromised version was downloaded onto over 2 million machines. In response to the discovery, Avast released a new version which no longer contained the malware. Initial research revealed that Floxif could be used to download and run other binaries. When it was first discovered there was no evidence that Floxif had downloaded additional second-stage payloads onto infected hosts. While the hack itself did not cause much in the way of financial damage or the massive reputational damage we saw with the Equifax hack, researchers at Cisco Talos have warned that such supply chain hacks should be taken seriously. Even if little is understood about an attack initially, given that the attackers can be described as advanced adversaries, its seriousness should not be judged at face value.

New evidence published by researchers at Cisco Talos on Wednesday this week may link the attack to an infamous cyberespionage group believed to be operating out of China. It also appears that the targets of the attack were all major companies within the tech sector. Based on how the attack was conducted and the malware used, thin links have been established between the CCleaner hack and the group Axiom. The group has also been called APT17, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group 72, or AuroraPanda, depending on which security firm is writing about it. It was initially Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, who discovered similarities between the code used in this instance and a previous hack for which Axiom is believed to be responsible.

In Cisco Talos' published report they confirmed that the code used was indeed similar, but went on record to state, "We are not definitively saying Group 72 was behind this, just that there was some shared code." However, there is more evidence suggesting the group's involvement. Researchers at Cisco Talos were also given a copy of the command and control server files, including its database, via a third party. Analysis of the server revealed that tainted versions of CCleaner were sending information collected from infected hosts. Gathered information included the computer name, a list of installed software, a list of running processes, the MAC addresses of the first three network interfaces, and unique IDs to identify each computer individually. Cisco researchers were also able to verify the validity of this database by checking for data collected from their own test machines. It was initially believed that, despite Floxif's ability to download and execute other types of malware, this feature was never used. Later developments revealed this to be false. Later research revealed that on 20 PCs around the globe the threat actors installed other malware. This was done by PHP files running on the C&C server, which would verify incoming users and identify suitable computers onto which to download the second-stage malware, a lightweight backdoor. Researchers say that this second-stage backdoor would retrieve "an IP from data stegged into a or search" and would download further malware onto the system. In Cisco Talos' latest published research it also listed who appeared to be the main targets of the attack. Victims were targeted based on their domain name, with victims coming from Singtel, HTC, Samsung, Sony, Gauselmann, Intel, VMware, O2, Vodafone, Linksys, Epson, MSI, Akamai, D-Link, Oracle (Dyn), Google, Microsoft, and, ironically, Cisco itself.
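The article describes two things a responder can act on: Talos confirmed the recovered C&C database was genuine by looking for its own test machines in it, and the second stage was only handed to hosts whose domain was on the attackers' list. The following script is an added example, not code from the article, Cisco Talos or Avast. It takes a recovered C2 dump and an asset inventory (both constructed sample data here, in a hypothetical CSV layout) and matches records by reported MAC address to find which of your hosts checked in, then ranks those in a targeted domain first so the second stage is investigated before the information-gathering-only cases. The domain list is a stand-in, not the real target list.

```python
"""Incident-response triage against a recovered C2 database dump.

Added example, not from the article or Cisco Talos. Cross-references a copy
of a command-and-control database (constructed sample) with an asset
inventory (constructed sample) to find which hosts of ours appear in it and
which of those sat in a domain singled out for the second-stage backdoor.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample of what a recovered C2 table might look like.
# Column names are hypothetical; real dumps will differ.
C2_DUMP = """\
host_name,domain,mac_addresses,first_seen
WS-0412,corp.example.internal,00:11:22:33:44:55;00:11:22:33:44:56,2017-08-20
LAB-07,lab.example.test,aa:bb:cc:dd:ee:01,2017-09-01
DEV-PC3,builds.example.test,aa:bb:cc:dd:ee:02;aa:bb:cc:dd:ee:03,2017-09-03
"""

# Constructed asset inventory (hypothetical CMDB export).
INVENTORY = """\
asset_tag,hostname,primary_mac,owner
A1001,ws-0412,00:11:22:33:44:55,finance
A1002,lab-07,AA:BB:CC:DD:EE:01,research
A1003,hr-laptop,de:ad:be:ef:00:01,hr
"""

# Hypothetical stand-in for the domains the second stage was reserved for.
TARGET_DOMAINS = {"lab.example.test", "builds.example.test"}


@dataclass(frozen=True)
class Finding:
    hostname: str
    asset_tag: str
    domain: str
    stage_two_eligible: bool


def normalise_mac(mac: str) -> str:
    """Canonical form so dumps and inventories with different separators or case match."""
    return mac.strip().lower().replace("-", ":")


def parse_c2_dump(text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        macs = {normalise_mac(m) for m in row["mac_addresses"].split(";") if m}
        rows.append({"host": row["host_name"].lower(),
                     "domain": row["domain"].lower(),
                     "macs": macs})
    return rows


def parse_inventory(text: str) -> dict:
    return {normalise_mac(r["primary_mac"]): r for r in csv.DictReader(io.StringIO(text))}


def triage(c2_text: str, inventory_text: str, target_domains: set) -> list:
    """Return one Finding per inventory host that appears in the C2 dump."""
    inventory = parse_inventory(inventory_text)
    findings = []
    for rec in parse_c2_dump(c2_text):
        # Match on MAC rather than hostname: hostnames collide across
        # organisations, while the malware reported per-interface MACs.
        for mac in rec["macs"]:
            asset = inventory.get(mac)
            if asset:
                findings.append(Finding(asset["hostname"], asset["asset_tag"],
                                        rec["domain"],
                                        rec["domain"] in target_domains))
                break
    return findings


def prioritised(findings: list) -> list:
    """Second-stage-eligible hosts first: assume the backdoor ran until proven otherwise."""
    return sorted(findings, key=lambda f: (not f.stage_two_eligible, f.hostname))


if __name__ == "__main__":
    for f in prioritised(triage(C2_DUMP, INVENTORY, TARGET_DOMAINS)):
        flag = "YES" if f.stage_two_eligible else "no"
        print(f"{f.asset_tag} {f.hostname:<10} {f.domain:<25} stage2={flag}")
```

Matching on MAC instead of hostname is deliberate: the article notes the malware reported MAC addresses for the first three interfaces, and those are far less likely to collide with another organisation's machines than a name like LAB-07. A host found in the dump but not in the inventory (DEV-PC3 above) is worth a separate look, since it may be an unmanaged machine on your network.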