The malware attack on CCleaner is now known to have been more sophisticated and dangerous than first thought, but the attackers' end game remains unclear.
CCleaner Malware Attack: What Happened?
The attackers managed to inject malware into CCleaner version 5.33 and CCleaner Cloud version 1.07, and the infected builds were distributed from the software's official download page. That is what makes this a software-supply-chain attack: users who downloaded and installed the official release got the malware with it.
Piriform, the developer of CCleaner and itself owned by Avast, sought to reassure users by saying the threat had already been disarmed. It was later discovered, however, that injecting malware into the installer was only the first stage of a larger operation, and removing the infected installer did not address what the later stage may already have done.
CCleaner Hack Targeted Major Tech Companies
Researchers have been studying data seized from a command-and-control (C2) server the attackers were using for the operation. It shows that, at the time the server was taken over, the attackers were using it to single out a list of internal domains for the second part of their plan.
In the second phase, machines on those domains were to receive a further payload that would collect data and give the attackers persistent access to the infected devices. According to Cisco's Talos research group, the targeted domains included Microsoft's internal domain for Windows developers and the internal Gmail domain used by Google employees. Sony, Samsung, Intel, and Cisco itself were among the other companies whose domains were targeted.
The discovery shows the attackers' plan: use CCleaner's own distribution channel to spread the first-stage malware as widely as possible, then, from the C2 server, select by domain the infected machines belonging to one of the targeted companies and deliver the second stage only to those.
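The selective second stage described above means a defender cannot treat every host that ran the infected build the same way. The following triage helper is an added example, not code from Piriform, Avast or Talos: it assumes an endpoint inventory with hostname, domain, product and version fields (all assumptions), treats the affected builds as the 5.33 and Cloud 1.07 releases named in the article, and uses a constructed placeholder list of targeted domains rather than the real list Talos published. It sorts hosts into those that are clean, those that ran the first stage but sit outside the targeted domains, and those on a targeted domain that must be handled as possible second-stage victims.

```python
"""Triage hosts after a trojanized-installer campaign with a domain-selected second stage.

Added example, not code from Piriform, Avast or Talos. The inventory fields,
the target-domain list and the sample hosts below are all constructed.
"""
from dataclasses import dataclass

# Affected releases named in the report: CCleaner 5.33 and CCleaner Cloud 1.07.
# Compared on (major, minor) only, so any 5.33.x or 1.07.x build matches.
AFFECTED = {
    "CCleaner": (5, 33),
    "CCleaner Cloud": (1, 7),   # "1.07" parses to (1, 7)
}

# Constructed placeholder for the internal domains the C2 server selected.
# Replace with the real list from the vendor/Talos advisory in practice.
TARGETED_DOMAINS = {"win.corp.example", "mail.corp.example", "rnd.example.net"}


@dataclass(frozen=True)
class Host:
    hostname: str   # assumed inventory field
    domain: str     # assumed inventory field: the host's AD/DNS domain
    product: str    # assumed inventory field
    version: str    # assumed inventory field, e.g. "5.33.6162"


def parse_version(v):
    """'v5.33.6162-beta' -> (5, 33, 6162). Stops at the first non-numeric part."""
    parts = []
    for piece in v.strip().lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def runs_affected_build(host):
    """True when the product's major.minor exactly matches an affected release."""
    target = AFFECTED.get(host.product)
    if target is None:
        return False
    return parse_version(host.version)[:2] == target


def on_targeted_domain(domain, targets=TARGETED_DOMAINS):
    """Suffix match, so sub-domains of a targeted domain count but look-alikes don't."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in targets)


def triage(hosts):
    """Bucket hosts: clean, first stage only (update/reimage), or possible second stage (full IR)."""
    out = {"clean": [], "stage1_exposed": [], "stage2_candidate": []}
    for h in hosts:
        if not runs_affected_build(h):
            out["clean"].append(h.hostname)
        elif on_targeted_domain(h.domain):
            out["stage2_candidate"].append(h.hostname)
        else:
            out["stage1_exposed"].append(h.hostname)
    return out


# Constructed sample inventory; none of these hosts or domains are real.
SAMPLE_INVENTORY = [
    Host("ws-0417", "dev.win.corp.example", "CCleaner", "5.33.6162"),
    Host("ws-0418", "dev.win.corp.example", "CCleaner", "5.34.6207"),
    Host("lt-0092", "home.example.org", "CCleaner", "5.33.6162"),
    Host("build-07", "rnd.example.net", "CCleaner Cloud", "1.07.3191"),
    Host("kiosk-2", "guest.example.org", "Notepad", "8.1"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {names}")
```

The stage-two bucket is the one that matters: the page's point is that updating CCleaner removes only the first stage, so those hosts need memory, persistence and C2-traffic investigation, not just a version bump. The exact-match on major.minor is deliberate; a "5.33 or later" style check would wrongly flag the fixed 5.34 release.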
CCleaner Malware Attack Aftermath
An Avast spokeswoman said that the cybersecurity company has not ruled out the possibility that the cyberattack was sponsored by a state or that it was a case of industrial espionage. However, this is all speculation.
Security researchers are now focused on finding and containing whatever the second-stage payload did, since Avast believes the second phase was in fact carried out, contrary to earlier claims. According to Talos, at least 20 computers in the targeted domains received the second-stage payload, and the real number could well be in the hundreds. For anyone who ran the affected builds inside one of the targeted domains, updating CCleaner removes only the first stage; such machines need to be investigated as potentially compromised rather than simply patched.