The CCleaner hack that took place over the summer and came to light this week might have been carried out by an infamous cyber-espionage group, believed to be operating out of China, whose past targets read like a who's who of Western tech companies.
Thin lines connect evidence collected from the CCleaner incident to the activity of a cyber-espionage group that goes primarily by the name of Axiom, but is also referenced as APT17, DeputyDog, Tailgater Team, Hidden Lynx, Voho, Group 72, or AuroraPanda. Names vary from security firm to security firm.
First to spot a connection between the malware embedded in the tainted CCleaner app and Axiom was Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
In a tweet on Tuesday, a day after the CCleaner incident came to light, Raiu pointed out similarities between the CCleaner malware and the Missl backdoor trojan, previously seen in Axiom operations.
In a report released late today by Cisco Talos, researchers confirmed the same similarities that Raiu saw yesterday morning.
"We are not definitively saying Group 72 was behind this, just that there was some shared code," Cisco Talos researcher Craig Williams told Bleeping Computer via email, showing the caution that all experienced security researchers showcase when it comes to cyber-espionage attribution.
In addition to confirming Kaspersky's findings, the Cisco Talos team also said that a third-party provided its researchers with a copy of the command and control server files, including its database.
This server was where the tainted versions of CCleaner were sending information collected from infected hosts. Gathered info included computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer individually.
Cisco researchers were able to verify the validity of this database by checking for data collected from their own test machines.
After analyzing these files, researchers realized that initial reports on the CCleaner malware — named Floxif — were false.
Initial reports said the malware had the ability to download a second-stage payload and execute other malware, but this feature was never used.
After analyzing the C&C server's database, researchers said operators infected 20 computers around the globe. No Chinese or Russian companies were on the target list.
Very interesting targets. Now I wonder why there isn't a single tech company from the second largest economy of the world? https://t.co/DzzO82C6jU— x0rz (@x0rz) September 21, 2017
PHP files that ran on the C&C server would verify incoming users and identify suitable computers to download the second-stage malware, a lightweight backdoor. Researchers say that this second-stage backdoor would retrieve "an IP from data stegged into a github.com or wordpress.com search" and would download further malware on the system.
Cisco Talos says attackers targeted victims based on their computer's domain name. Ironically, the attackers targeted Cisco itself, along with other organizations such as Singtel, HTC, Samsung, Sony, Gauselmann, Intel, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), and even the almighty Microsoft and Google (Gmail).
Cisco says it contacted affected organizations and informed them of possible breaches.
Researchers are confident in their findings because the C&C server database contained two main tables, one listing all hosts infected with the first-stage malware (Floxif, the component that collected info on all users), and another table that kept track of all computers infected with the second-stage malware.
The first table contained data on over 700,000 computers, while the second held 20, after removing duplicates. Both tables stored entries dated between September 12 and September 16.
"It appears the data prior to Sept 12 was erased. This was likely deliberate to limit the amount of information that could be derived from the server," Williams also told Bleeping.
Cisco points out the important value this database has. For example, just by running a simple SQL query, Cisco researchers were able to identify 540 computers sitting on government networks, and 51 inside banks.
"This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severity and potential impact of this attack," Cisco researchers explain.
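To show the kind of triage a seized database like this allows, here is an added example (not Cisco Talos code, and not the server's real schema, which is assumed) that loads constructed first- and second-stage rows into SQLite, collapses duplicate beacons, checks which date range survives, and classifies victims by domain pattern, as the researchers did for government and bank networks.

```python
import sqlite3

# Constructed sample rows; the table and column names below are assumptions,
# not the real schema of the seized server described in the Talos report.
STAGE1_ROWS = [
    ("WS-01", "corp.example-bank.com", "2017-09-12 08:00:00"),
    ("WS-01", "corp.example-bank.com", "2017-09-13 08:00:00"),  # same host, beaconed twice
    ("DC-02", "agency.example.gov", "2017-09-14 10:30:00"),
    ("LAP-07", "home.example.net", "2017-09-15 12:00:00"),
    ("SRV-03", "treasury.example.gov.uk", "2017-09-16 23:59:00"),
]
STAGE2_ROWS = [
    ("DC-02", "agency.example.gov", "2017-09-14 10:31:00"),
    ("DC-02", "agency.example.gov", "2017-09-15 10:31:00"),  # duplicate entry
]
SECTOR_RULES = {"government": ["%.gov", "%.gov.%"], "bank": ["%bank%"]}
WINDOW = ("2017-09-12", "2017-09-17")  # the surviving Sept 12-16 data

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    for table, rows in (("stage1_hosts", STAGE1_ROWS), ("stage2_hosts", STAGE2_ROWS)):
        conn.execute(f"CREATE TABLE {table} (hostname TEXT, domain TEXT, seen_at TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    return conn

def date_coverage(conn, table="stage1_hosts"):
    """Earliest and latest timestamps, to confirm which period survives."""
    return conn.execute(f"SELECT MIN(seen_at), MAX(seen_at) FROM {table}").fetchone()

def distinct_hosts(conn, table) -> int:
    """Victim count after collapsing repeated beacons from the same host."""
    sql = f"SELECT COUNT(DISTINCT hostname || '@' || domain) FROM {table}"
    return conn.execute(sql).fetchone()[0]

def count_by_sector(conn) -> dict:
    """Distinct first-stage hosts per sector, classified by domain pattern."""
    counts = {}
    for sector, patterns in SECTOR_RULES.items():
        where = " OR ".join("domain LIKE ?" for _ in patterns)
        sql = (f"SELECT COUNT(DISTINCT hostname || '@' || domain) FROM stage1_hosts "
               f"WHERE seen_at >= ? AND seen_at < ? AND ({where})")
        counts[sector] = conn.execute(sql, [*WINDOW, *patterns]).fetchone()[0]
    return counts

def second_stage_victims(conn) -> list:
    """First-stage hosts that were later handed the second-stage backdoor."""
    sql = ("SELECT DISTINCT s1.hostname, s1.domain FROM stage1_hosts s1 "
           "JOIN stage2_hosts s2 ON s1.hostname = s2.hostname AND s1.domain = s2.domain "
           "ORDER BY s1.hostname")
    return conn.execute(sql).fetchall()
```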
Researchers also point out that because of the incomplete C&C server data and because attackers downloaded a silent second-stage downloader, users who ran the tainted versions of CCleaner should wipe their machines clean or restore them from backups made before August 15, when the two tainted CCleaner versions were released. The previous advice for dealing with the malware was simply to update the CCleaner app.
Even if the evidence connecting the CCleaner hack to Axiom is held in place by very thin lines, the targeting of technology companies fits the mold of past Axiom operations; the group spent a great deal of effort on breaking into such targets, especially in the early 2010s.
In fact, it was this focus on technology companies that drew the ire of several cyber-security companies such as Cisco, FireEye, F-Secure, iSIGHT Partners (now part of FireEye), Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity, Novetta, and Symantec.
These companies united their efforts as part of Operation SMN, a joint effort to unmask the group's tools and modus operandi. The results of their findings are available in this report here. Other reports detailing Axiom operations are available here, here, here, or here, just to link a few. The recent Cisco Talos report includes IOCs and a more in-depth analysis of the C&C server files. It also shows that the C&C server was configured to use a Chinese timezone (PRC = People's Republic of China).
UPDATE [September 21, 04:50 ET]: Avast has published a blog post in which it says it independently confirmed most of Cisco's findings about the second-stage malware and the targeting of big technology firms.
Image credits: Cisco Talos, Avast, Bleeping Computer