Do not become a link in a supply chain attack

March 26, 2018

For some reason, we keep hearing variations on the same theme: “Our company is not a major player; it wouldn’t be interesting to an attacker.” However popular, it is a misconception. Here is one example of how an APT operator used a small company in a supply chain attack.

During the Security Analyst Summit, which took place earlier this month, our colleagues at AVAST presented the case of Piriform, a small British company they acquired last year. Piriform is famous for its CCleaner utility — software for cleaning potentially unwanted files and invalid Windows Registry entries. In fact, it is one of the oldest system cleaners, and it’s been downloaded more than 2 billion times. That’s probably why it was chosen by APT actors as a way to spread spyware.

CCleaner Attack

Initially, malefactors compromised Piriform’s compilation environment by infecting the server where programs were built. Although the source code was clean, the compiled builds contained malware that was later used for the attack. Furthermore, thanks to the altered compiler library, the malware obtained a legitimate Piriform digital signature. CCleaner 5.33.6162 and CCleaner Cloud 1.7.0.3191 were affected.

The attack scheme itself was quite complicated, consisting of at least three stages. The malware, hidden in a popular application with about 100 million active users, was distributed for a month. About 2.27 million people downloaded the compromised program, and at least 1.65 million copies of the malware attempted to communicate with the criminals’ servers. As was later discovered, the command-and-control server contained a simple script that decided which victims would become targets of the second stage. It just looked at the victim’s domain and selected those who worked for high-profile tech companies and IT suppliers. Only 40 computers were selected this way; they received additional malware.

The second stage served a similar purpose — it was used to adjust the targeting. It appears the malefactors gathered information from those 40 computers, analyzed it, and chose the most interesting targets. At this stage, they whittled the group down to four.

Those four received a tailored build of ShadowPad, well-known malware already used by Chinese-speaking actors. And that was the real purpose of this attack: delivery of a backdoor to certain employees of high-profile companies.

What can be done?

The main lesson of this incident was already stated at the beginning of this post: even if you are really not an interesting target for an APT, you can still be used in a delivery chain, especially if you can boast billions of downloads. To minimize possible harm to your business, you need to adopt a strategy that can provide a full spectrum of protection against targeted attacks: from counteraction and detection to response, elimination of vulnerabilities, and forecasting of possible risks. It may be wise to get help from external experts from time to time.
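The failure described above (clean source, altered binaries, valid signature) is the kind a pre-signing comparison against an independent rebuild can catch. The sketch below is an added example, not code from Piriform, Avast or this post; it assumes the build is reproducible and that a second, separately administered builder exists, and its function names and sample files are hypothetical and constructed.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict[str, str]:
    """Return {relative path: SHA-256} for every file under a build output dir."""
    out = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        out[path.relative_to(root).as_posix()] = h.hexdigest()
    return out

def compare_builds(primary: dict[str, str], rebuild: dict[str, str]) -> dict[str, list[str]]:
    """Diff the build server's artifacts against an independent rebuild."""
    shared = primary.keys() & rebuild.keys()
    return {
        "mismatch": sorted(n for n in shared if primary[n] != rebuild[n]),
        "only_primary": sorted(primary.keys() - rebuild.keys()),
        "only_rebuild": sorted(rebuild.keys() - primary.keys()),
    }

def may_sign(report: dict[str, list[str]]) -> bool:
    """Release to signing only when both builders produced identical output."""
    return not any(report.values())

def demo(tamper: bool) -> dict[str, list[str]]:
    """Constructed sample: two output trees built from the same source commit."""
    files = {"app.exe": b"constructed-binary", "lib/runtime.dll": b"constructed-lib"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (Path(a), Path(b)):
            for name, blob in files.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(blob)
        if tamper:  # simulate a build server whose toolchain altered the output
            (Path(a) / "app.exe").write_bytes(b"constructed-binary+extra")
            (Path(a) / "dropped.bin").write_bytes(b"unexpected")
        return compare_builds(hash_tree(Path(a)), hash_tree(Path(b)))

if __name__ == "__main__":
    for tamper in (False, True):
        report = demo(tamper)
        print("tampered" if tamper else "clean", report, "sign:", may_sign(report))
```

The gate only helps if the signing step consumes its verdict and the second builder does not share credentials or toolchain images with the first.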

The key to safety is threat hunting. A sophisticated targeted attack can implant malware and stay under the radar for a long time (in this case, Piriform unwittingly spread malware for more than a month). To prevent those attacks, you need experienced threat hunters. And here is where we can help, with Kaspersky Threat Hunting. With the Targeted Attack Discovery service, our experts will help you to identify current cybercriminal and cyberespionage activity in your network, to understand the reasons behind and possible sources of these incidents. They will also help with effective mitigation activities to avoid similar attacks in the future. Additionally, we can provide Kaspersky Managed Protection — around-the-clock monitoring and continuous analysis of cyberthreat data.

To learn more about detection of advanced threats by our security analysts, visit the Kaspersky Threat Hunting webpage.