Before the Czech security firm Avast acquired Piriform, the company that developed and maintained the popular registry cleaner CCleaner, the product had already been compromised. The compromise occurred in 2017, before the acquisition, and later analysis revealed that the infamous APT group sometimes called Deputy Dog but more often referred to simply as APT 17 was behind the attack, distributing its Floxif malware through CCleaner downloads. Avast's handling of that incident was seen by many as the textbook response to such compromises.
Now Avast gets a second chance to show that its response was not a fluke and that being open and honest about a business compromise is the best approach, despite the PR nightmare that inevitably follows. In a blog post, the security firm revealed that it had been forced to counter another attack targeting the registry cleaner. According to the firm, suspicious activity was detected on September 23. Working with the Czech intelligence agency, the Security Information Service (BIS), Avast discovered that the attackers had gained access to the company through a compromised internal VPN. Once again, the attackers aimed to target CCleaner and spread malware through compromised downloads of the registry cleaner.
While the intrusion was discovered in September, Avast found that the attackers had first gained access to its corporate network in May of this year. The attackers initially used the stolen credentials of an employee; however, those credentials did not have domain admin privileges, an essential requirement for a successful supply chain attack. The attackers then began a campaign to escalate the privileges of the compromised account. It was this sudden granting of privileges that was flagged by researchers, and an investigation began.
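The detection the paragraph describes, an account that suddenly acquires domain admin rights, is the kind of signal a monitoring team can alert on directly. The following is an added example, not code from the article or from Avast: it scans constructed account-management events (laid out loosely after Windows Security event IDs 4624 and 4728) for additions to privileged groups and grades each grant by whether the target account is outside a known-privileged baseline, whether the actor granted the membership to themselves, and whether the change happened outside business hours. The event records, account names, baseline and business-hours window are all assumptions made for the example.

```python
from datetime import datetime

# Groups whose membership confers domain-wide administrative control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events for this example (not real Avast logs). The
# fields loosely follow Windows Security event IDs: 4624 = successful logon,
# 4728 = a member was added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2019-05-14T09:02:11", "id": 4624, "subject": "jdoe", "target": "jdoe"},
    {"time": "2019-05-14T09:30:47", "id": 4728, "subject": "admin.ops", "target": "buildsvc", "group": "Build Operators"},
    {"time": "2019-05-15T10:15:20", "id": 4728, "subject": "admin.ops", "target": "svc.backup", "group": "Administrators"},
    {"time": "2019-05-16T22:41:03", "id": 4728, "subject": "jdoe", "target": "jdoe", "group": "Domain Admins"},
]

# Baseline of accounts expected to hold privileged membership (constructed).
KNOWN_PRIVILEGED = {"admin.ops"}


def find_privileged_grants(events, known_privileged=KNOWN_PRIVILEGED, business_hours=(7, 19)):
    """Return one alert per addition to a privileged group, with the reasons it
    looks suspicious. Every such grant is reported; severity rises when the
    target is outside the baseline, the actor granted themselves the
    membership, or the change happened outside business hours."""
    start, end = business_hours
    alerts = []
    for ev in events:
        if ev["id"] != 4728 or ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        if ev["target"] not in known_privileged:
            reasons.append("target not in privileged baseline")
        if ev["subject"] == ev["target"]:
            reasons.append("self-grant")
        hour = datetime.fromisoformat(ev["time"]).hour
        if not start <= hour < end:
            reasons.append("outside business hours")
        alerts.append({
            "time": ev["time"],
            "actor": ev["subject"],
            "target": ev["target"],
            "group": ev["group"],
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 2 else ("medium" if reasons else "low"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_grants(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['actor']} added {alert['target']} "
              f"to '{alert['group']}': {', '.join(alert['reasons']) or 'baseline member'}")
```

The point of reporting every privileged-group grant, even the low-severity ones, is that a patient intruder who has already stolen a legitimate employee's credentials will try to make the escalation look routine; the baseline and the self-grant check are what separate the routine change from the one worth a call to the incident response team.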
It was believed initially that, as in 2017, CCleaner was the attackers' target. On September 25, Avast halted the release of new CCleaner versions and checked whether earlier releases had been compromised, verifying that this was indeed the case. Researchers further noted,
“As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”
Researchers further concluded that,
“Moreover, we continued to harden and further secure our environments for Avast's business operations and product builds, including the resetting of all employee credentials, with further steps planned to improve overall business security at Avast…From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss'.”
Cyber Espionage and Supply-Chain Attacks
In the article published by Avast, researchers were not willing to attribute the attack to any APT group or nation-state-sponsored group. However, the Czech Security Information Service stated in a press release that it believes Chinese hackers were behind the attack, just as in the 2017 attack. The most recent attack is yet another reminder of the threat posed by supply chain attacks to businesses and government organizations. Law enforcement agencies in both the US and France have issued warnings to organizations about similar attacks conducted by Chinese hackers. France's national cybersecurity agency, known locally as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), issued a warning in response to cyberattacks targeting both Airbus and Expleo.
The report noted that the targeting of certain industries was becoming a trend. Over the past year, Chinese hackers had been actively targeting numerous sectors, from engineering to IT and from gaming to aeronautics. A second report published by the agency warned engineering firms of a campaign to steal credentials. These tactics are well known to be used by state-sponsored cyber-espionage groups across the globe. Stealing credentials and then accessing networks via supply chain attacks has proved incredibly successful for conducting espionage operations and stealing information vital to other countries' ambitions.
At the time of writing, while Czech agency officials believe the threat actor in this latest attack to be of Chinese origin, no direct attribution has been made linking APT 17 to these attacks. Given the success of the 2017 attack, it would surprise almost no one if APT 17 was indeed behind the latest attempt to compromise CCleaner. The 2017 attack resulted in 2.27 million users receiving the tainted CCleaner update; of these, a further 1,646,536 computers were infected with the first-stage Floxif trojan. In all, only another 40 computers were infected with the more powerful backdoor: for a cyber-espionage operation, 40 high-value targets had been found and deemed important enough to form part of the attack campaign. The 2017 attack was an undoubted success for the attackers. Fortunately, it appears Avast has learned from previous attacks in looking to defend its assets.
Despite Avast's success in preventing a repeat of the 2017 incident, the threat posed by supply chain attacks has not diminished. To better defend against falling victim to such an attack, US law enforcement officials advise the following:
- Organizations that rely on IT service providers should ensure their providers have conducted a review to determine if there is a security concern or compromise, and have implemented appropriate mitigation and detection tools for this cyber activity.
- IT service provider customers should also:
  - Review and verify all connections between customer systems, service provider systems, and other client enclaves;
  - Verify service provider accounts in their environment are being used for appropriate purposes and are disabled when not actively being used;
  - Ensure contractual relationships with all service providers implement:
    - Security controls as deemed appropriate by the client;
    - Appropriate monitoring and logging of client systems provided by the service provider;
    - Appropriate monitoring of the service provider's presence, activities, and connections to the customer network;
    - Notification of confirmed or suspected security events and incidents occurring on the provider's infrastructure and administrative networks.
  - Integrate system log files, and network monitoring data from IT service provider infrastructure and systems, into customer intrusion detection and security monitoring systems for independent correlation, aggregation, and detection.
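Two of the items above, verifying that service provider accounts are disabled when not in use and checking provider connections against what the contract allows, can be turned into a repeatable review run over the customer's own logs. The following is an added example, not code from the article or from the agencies quoted: it takes a constructed inventory of provider accounts (with the networks each provider is approved to connect from) and a constructed set of logon records, and reports accounts that are enabled but idle, logons by accounts missing from the inventory, logons on disabled accounts, and logons from unapproved networks. The account names, addresses, review date and 30-day idle threshold are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed reference date for the review (not from the article).
REVIEW_DATE = datetime(2019, 9, 23)

# Constructed inventory of service-provider accounts in the customer's
# environment, with the networks each provider is contractually allowed to
# connect from. Names and addresses are invented for this example.
PROVIDER_ACCOUNTS = [
    {"name": "msp-backup",  "enabled": True,  "last_logon": "2019-09-20T02:10:00", "allowed_nets": ["203.0.113.0/24"]},
    {"name": "msp-monitor", "enabled": True,  "last_logon": "2019-06-01T11:00:00", "allowed_nets": ["203.0.113.0/24"]},
    {"name": "msp-oldproj", "enabled": False, "last_logon": "2018-12-12T09:00:00", "allowed_nets": ["198.51.100.0/24"]},
]

# Constructed VPN/logon records collected from the customer's own logs.
LOGON_RECORDS = [
    {"user": "msp-backup", "src": "203.0.113.17", "time": "2019-09-20T02:10:00"},
    {"user": "msp-backup", "src": "192.0.2.99",   "time": "2019-09-22T23:55:00"},
    {"user": "vendor-x",   "src": "203.0.113.8",  "time": "2019-09-22T08:12:00"},
]


def review_provider_accounts(accounts, logons, now=REVIEW_DATE, idle_days=30):
    """Return (account, finding, detail) tuples for provider accounts that are
    enabled but idle, logons by accounts not in the inventory, logons on
    disabled accounts, and logons from networks the provider is not approved
    to use. The customer's own logs are the source of truth, so a provider
    cannot hide activity by omitting it from its reports."""
    findings = []
    by_name = {a["name"]: a for a in accounts}

    # Enabled accounts that nobody has used for longer than the idle window
    # should be disabled until the provider needs them again.
    for acct in accounts:
        if not acct["enabled"]:
            continue
        idle = now - datetime.fromisoformat(acct["last_logon"])
        if idle > timedelta(days=idle_days):
            findings.append((acct["name"], "enabled but idle", f"{idle.days} days since last logon"))

    # Every logon is checked against the inventory and the approved networks.
    for rec in logons:
        acct = by_name.get(rec["user"])
        if acct is None:
            findings.append((rec["user"], "logon by account not in provider inventory", rec["src"]))
            continue
        if not acct["enabled"]:
            findings.append((rec["user"], "logon on disabled account", rec["src"]))
        src = ipaddress.ip_address(rec["src"])
        if not any(src in ipaddress.ip_network(net) for net in acct["allowed_nets"]):
            findings.append((rec["user"], "logon from unapproved network", rec["src"]))
    return findings


if __name__ == "__main__":
    for name, finding, detail in review_provider_accounts(PROVIDER_ACCOUNTS, LOGON_RECORDS):
        print(f"{name}: {finding} ({detail})")
```

Running the review on the constructed data flags the idle monitoring account, the backup account's connection from an address outside the provider's approved range, and a logon by an account the inventory does not know about; each of these is exactly the kind of finding the advisory expects a customer, rather than the provider, to be able to surface independently.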