Monthly Archives: September 2017

CCleaner Hack – Spreading Malware To Specific Tech Companies

The CCleaner hack is blowing up. Initially estimated to be huge, it has hit at least 700,000 computers, and the attackers specifically targeted around 20 top tech organisations, including Cisco, Intel, Microsoft, Akamai and Samsung, with a second, more intrusive and persistent layer of infection.

There is some irony here too: CCleaner is extremely popular software for removing crapware from computers, so it was a clever bet that a trojanised version would end up installed in some very high-value networks.

Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.

Source: The Verge


This CCleaner hack is a fairly advanced attack, and some people are drawing links to the Chinese government; an attack of this scale and focus does feel like nation-state work. There is some code reuse from Group 72, also known as Axiom, which has been linked to the Chinese government.

Some of the configuration files are also set to China’s time zone, which, while it suggests the operation is probably run from China, doesn’t tie it to the government for certain.

Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company’s security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco’s Talos security division revealed that they’ve now analyzed the hackers’ “command-and-control” server to which those malicious versions of CCleaner connected.

On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they’d compromised within the company’s network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

Source: Wired

As a user, it means you should be careful. The malicious version in this CCleaner hack seems to have dug in pretty deep, even more so if it was installed inside one of the target networks, where the second, more intrusive piece of malware was pushed in.

Avast recommends that affected computers be restored from backups taken before the compromise happened, rather than simply updating CCleaner, since updating removes the trojanised installer but not any second-stage foothold it may have planted.
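Before you can restore anything you need to know which machines ran the trojanised build. The script below is an added example, not code from Talos, Avast or Piriform: it triages a software-inventory export for the affected builds named in the public advisories (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191). The inventory format and the hostnames are constructed for the example; an inventory that records only the major.minor version cannot confirm the build number, so those entries are flagged as suspect rather than cleared.

```python
"""Triage a software-inventory export for the trojanised CCleaner builds.

Added example, not code from Talos, Avast or Piriform. The build numbers
(CCleaner 5.33.6162, CCleaner Cloud 1.07.3191) are the ones named in the
public advisories; the CSV layout and hosts below are constructed.
"""
import csv
import io

# Constructed inventory export: hostname, domain, product, version.
SAMPLE_INVENTORY = """\
host,domain,product,version
ws-0417,corp.example.com,CCleaner,5.33.6162
ws-0418,corp.example.com,CCleaner,5.34.6207
srv-build-02,eng.example.com,CCleaner Cloud,1.07.3191
ws-0419,corp.example.com,CCleaner,5.33
lt-0033,corp.example.com,Notepad++,7.5
"""

# Builds that shipped with the stage-1 backdoor, per the public advisories.
BACKDOORED = {
    ("ccleaner", (5, 33, 6162)),
    ("ccleaner cloud", (1, 7, 3191)),
}


def parse_version(text):
    """'1.07.3191' -> (1, 7, 3191); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def classify(product, version):
    """Return 'backdoored', 'suspect' or 'clean' for one inventory entry.

    'suspect' means the inventory only carries major.minor (e.g. '5.33'), so
    it cannot distinguish the backdoored build from any other 5.33 build and
    the host has to be checked by hand.
    """
    prod = product.strip().lower()
    ver = parse_version(version)
    if (prod, ver) in BACKDOORED:
        return "backdoored"
    for bad_prod, bad_ver in BACKDOORED:
        if prod == bad_prod and len(ver) < 3 and ver == bad_ver[: len(ver)]:
            return "suspect"
    return "clean"


def triage(inventory_csv):
    """Return (host, domain, product, version, verdict) for every non-clean row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"], row["version"])
        if verdict != "clean":
            findings.append((row["host"], row["domain"], row["product"], row["version"], verdict))
    return findings


if __name__ == "__main__":
    for host, domain, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:10} {host}.{domain}  {product} {version}")
```

Hosts reported as backdoored are the ones to restore from a pre-compromise backup or reimage; hosts in a domain the attackers were known to filter for deserve a look for the second-stage payload as well, because a clean CCleaner version today says nothing about what was dropped while the backdoored build was running.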

It doesn’t appear to be ransomware at this point. Hopefully more details will emerge, but it looks like a more insidious supply-chain attack in the mould of NotPetya, which was likewise seeded through a trusted vendor’s software update channel (M.E.Doc).

Tor Project boosts support for anonymous mobile browsing

The Tor Project has announced measures to improve secure web browsing on mobile devices.

The Tor Project, a non-profit which develops and maintains the Tor network for anonymized browsing and as a way to skirt censorship-heavy government controls, keeps its eyes on the state of censorship worldwide.

Recently, areas with citizens forced to use low bandwidth connections and limited data plans have come under scrutiny.

China, North Korea, Iran, India, and Myanmar are only a handful of many countries worldwide which keep tabs on what citizens visit, see, and say online. The US and UK have entered this list now, too, but many residents in these countries have access to high-end mobile devices or traditional PCs.

But what happens to those that have no desktop system or laptop, and must rely on low-end mobile devices to access the Internet?

“Most people in these regions only use smartphones to access the internet, and we want to better support these users,” the organization says. “So we developed a strategy to do better for folks who have low-bandwidth connections, limited data plans, or who can only connect to the internet through low-end devices.”

Roughly a year ago, the non-profit and the Guardian Project, a developer of tools and hardware designed to circumvent censorship, began discussing how to tackle this problem. The teams started from Orfox, a Google Summer of Code (GSoC) project for Tor network mobile browsing.

According to the Tor Project, Orfox is well on the way to having “similar functionality and security guarantees” as the Tor Browser for desktop software.

The first improvement is bringing the Security Slider from the desktop Tor Browser to Orfox. It lets users choose between permitting all website features, disabling features which can be abused, such as JavaScript, or allowing only basic website functionality, stripping out everything which may be used to track a visitor or compromise their device.

Videos which automatically load and play, for example, rely on scripts which a threat actor may be able to use to identify a visitor.

The UX Team and the Guardian Project reviewed the system and ran validation tests at the beta stage, and together with Orfox developer Amogh, tested the UI with 12 users in India and three in the United States for feedback.

“This was the first time Tor did a full development cycle following UX best practices, such as being involved with the conceptualization of the UI and performing user testing to validate our hypothesis,” the team says. “Since we don’t collect data on user behavior, we had to build a testing methodology so our community could help us perform these tests with our users. We are now applying UX best practices to all of our development cycles.”

Orfox, containing the new slider, is now available from the Google Play store and a GitHub repository. The Tor Project expects more updates in the near future.

Beware – This giant ransomware campaign just sent millions of malware-spreading emails

Over 23 million emails containing Locky were sent in a short amount of time.


Once considered almost dead, the Locky strain of ransomware has continued its resurgence with a new email distribution campaign, which researchers say is one of the largest malware campaigns of this half of the year.

Over 23 million messages containing Locky were sent in just 24 hours on 28 August, with the attacks spiking in time to hit US workers as they arrived at their desks on Monday morning.

The new campaign was discovered by researchers at AppRiver who say it represents “one of the largest malware campaigns seen in the latter half of 2017”.

Millions of emails were sent with subjects such as ‘please print’, ‘documents’ and ‘scans’ in an effort to spread Locky ransomware.

The malware payload was hidden in a ZIP file containing a Visual Basic Script (VBS) file which, if opened, downloads the latest version of Locky, the recently spotted Lukitus variant, and encrypts the files on the infected computer.

Locky distribution email (image: AppRiver).

While the delivery method might seem basic, it’s worth remembering that only a handful of the millions of messages sent need to successfully deliver the malicious payload to provide the attackers with a significant profit.
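The delivery pattern described above (a lure subject such as “please print” or “scans” plus a ZIP whose only member is a script) is easy to catch at the mail gateway before anyone gets the chance to double-click. The following is an added example, not AppRiver’s detection code: it inspects a ZIP attachment for script and executable members, taking the last extension so that a double-extension name like scan_0042.pdf.vbs is still caught, and descends into nested ZIPs up to a fixed depth as a cheap guard against that common evasion. The sample archive is built in memory and is a stand-in, not the real Locky downloader; the subject list mirrors the subjects reported for this campaign plus one assumed extra.

```python
"""Flag mail attachments that match the Locky delivery pattern.

Added example, not AppRiver's or anyone's production code. The ZIP below is
constructed in memory; the VBS inside is a harmless stand-in.
"""
import io
import zipfile

# Extensions that launch a script host or executable when double-clicked.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".bat", ".cmd", ".ps1",
}
# Subjects reported for the campaign, plus "invoice" as an assumed extra.
LURE_SUBJECTS = {"please print", "documents", "scans", "invoice"}


def build_sample_zip(members):
    """Construct an in-memory ZIP; `members` maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def risky_members(zip_bytes, depth=0, max_depth=2):
    """Return archive member names with script/executable extensions.

    Nested ZIPs are opened up to `max_depth` levels; hits inside them are
    reported as outer.zip/inner-name so the analyst can see the path.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Use the LAST extension so "scan_0042.pdf.vbs" is not mistaken for a PDF.
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(name)
            elif ext == ".zip" and depth < max_depth:
                inner = risky_members(zf.read(info), depth + 1, max_depth)
                hits.extend(f"{name}/{h}" for h in inner)
    return hits


def score_message(subject, attachment_name, attachment_bytes):
    """Combine the lure subject and archive contents into a verdict.

    'block'  -> a script/executable is inside the ZIP
    'review' -> only the subject matched (could be a legitimate scan-to-email)
    'allow'  -> nothing matched
    """
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("lure subject")
    if attachment_name.lower().endswith(".zip"):
        hits = risky_members(attachment_bytes)
        if hits:
            reasons.append("script in archive: " + ", ".join(hits))
    if any(r.startswith("script in archive") for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed sample: what a Locky-style message looks like to the gateway.
SAMPLE_ATTACHMENT = build_sample_zip({
    "scan_0042.vbs": b"' constructed stand-in, not the real downloader\r\nWScript.Echo \"x\"\r\n",
})

if __name__ == "__main__":
    print(score_message("please print", "scans.zip", SAMPLE_ATTACHMENT))
```

Blocking on archive contents rather than on the subject alone keeps the false-positive rate down: plenty of multifunction printers really do send “scans” with a ZIP of images, and those pass through as “review” or “allow” because nothing inside them is executable.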


Victims unfortunate enough to fall to Locky are presented with a ransom note demanding 0.5 bitcoin (around $2,300/£1,800) for “special software” in the form of a “Locky decryptor” to get their files back.

Instructions on downloading and installing the Tor browser and how to buy Bitcoin are provided by the attackers in order to ensure victims can make the payment.


Unfortunately for victims of Locky, researchers are yet to crack the latest version of the ransomware in order to provide free decryption tools.

Locky is one of the most successful families of ransomware of all time, rising to prominence during 2016 following a number of high-profile infections. Indeed, Locky was so successful that at one point it was one of the most common forms of malware in its own right.

But Locky has since had its position as king of ransomware usurped by Cerber, although this sudden resurgence shows that it remains very much a threat, especially as there isn’t a free decryption tool available to victims.

This isn’t the first time Locky has reappeared after a period of inactivity — the ransomware appeared to stop spreading in December last year before coming back to life in January.