
Samsung, Singtel, Sony, and other tech firms infected via CCleaner backdoor

By Liu Hongzuo - on 30 Sep 2017, 9:53am


Note: This article was first published on 27th September 2017.

More information has surfaced since we last reported on CCleaner's multi-stage malware payload. The second stage of the attack specifically targeted high-profile tech companies and telcos: only 40 machines, out of roughly 1.6 million that checked in to the attacker's server, received it.

Avast, the cybersecurity firm that owns Piriform, the creator of CCleaner, detailed the second wave of attacks in a blog post on Monday. Among its key findings, Avast reported that 1,646,536 unique MAC addresses (its proxy for unique PCs) communicated with the attacker's servers through the backdoored CCleaner build, but that only 40 pre-selected machines were served the second-stage payload. The attackers also kept a further list of potential targets that had not yet been hit.

The list of infected companies (below) consists mainly of major tech firms, telcos and carriers, ISPs, and military domains. According to Avast, the delivered payload had not yet been observed taking any action.

Image credit: Avast (blog).

A second list (below), also collated by Avast, contains firms that did not receive the payload but appear as targets in the attacker's database.

Avast initially deduced that the attack might originate from China, given the absence of Chinese firms among the targets, together with several clues found in the PHP code recovered from the attacker's server, notes in its logs, and similarities to a previous APT (advanced persistent threat) campaign attributed to China. Avast cautioned, however, that such clues could have been planted deliberately to disguise the attacker's true origin.

Avast then tried to narrow down the attacker from its activity patterns. From the operations carried out over the course of the campaign, the antivirus maker concluded that the server operators were maintaining the connections by hand and kept a typical IT worker's shift: activity fell into regular working hours and stopped almost entirely on weekends.

The investigation led Avast to conclude that the attackers are state-sponsored professionals working office hours, located somewhere in the UTC+5 to UTC+8 range, which points to the eastern part of the Middle East, Central Asia, and India. Note that UTC+8 is also China's standard time, so the working-hours evidence on its own does not rule out the Chinese origin suggested by the code clues.

Besides China, the hackers also did not target firms from India or Russia.
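The working-hours reasoning above can be reproduced mechanically: take the UTC timestamps of the operator's actions, view them in every candidate time zone, and ask in which zone they look most like a weekday office schedule. The script below is an added example and is not Avast's code; it runs on a constructed event list (an imaginary operator in UTC+8, generated inside the block, not real telemetry) and assumes an 08:00 to 18:00 local working day. Half-hour zones such as India's UTC+5:30 are included as candidates.

```python
"""
Added example (not Avast's code): infer an operator's likely UTC offset from
the timestamps of their actions, using the article's reasoning that
professionals keep office hours on weekdays and go quiet on weekends.
"""
from datetime import datetime, timedelta, timezone

WORK_START = 8   # local hour, inclusive (assumption: start of an office day)
WORK_END = 18    # local hour, exclusive (assumption: end of an office day)


def make_constructed_events(true_offset_hours=8, weeks=2):
    """Constructed sample data, not real telemetry: an operator in
    UTC+true_offset_hours acting Mon-Fri between 08:15 and 17:45 local.
    Returns the action timestamps converted to UTC, as a server log would."""
    tz = timezone(timedelta(hours=true_offset_hours))
    start = datetime(2017, 9, 4, tzinfo=tz)        # Monday, 4 Sep 2017
    local_hours = [8.25, 9, 10, 11, 12, 13, 14, 15, 16, 17, 17.75]
    events = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:                       # no weekend activity
            continue
        for h in local_hours:
            events.append((d + timedelta(hours=h)).astimezone(timezone.utc))
    return events


def office_hours_score(events_utc, offset_hours):
    """Fraction of events that fall on a weekday inside WORK_START..WORK_END
    when the UTC timestamps are viewed in the candidate time zone."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events_utc:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def weekend_fraction(events_utc, offset_hours):
    """Share of events landing on Saturday/Sunday in the candidate zone;
    a professional crew should score close to zero in its home zone."""
    tz = timezone(timedelta(hours=offset_hours))
    n = sum(1 for ev in events_utc if ev.astimezone(tz).weekday() >= 5)
    return n / len(events_utc)


def rank_offsets(events_utc):
    """Score every half-hour offset from UTC-12 to UTC+14 and return a list of
    (offset, score) tuples, best fit first (ties broken toward UTC)."""
    candidates = [x / 2 for x in range(-24, 29)]
    scored = [(off, office_hours_score(events_utc, off)) for off in candidates]
    return sorted(scored, key=lambda t: (-t[1], abs(t[0])))


if __name__ == "__main__":
    events = make_constructed_events(true_offset_hours=8)
    for off, score in rank_offsets(events)[:5]:
        print(f"UTC{off:+.1f}: {score:.2f} in office hours, "
              f"weekend share {weekend_fraction(events, off):.2f}")
```

With the constructed data the top candidate is UTC+8 with every event inside office hours and none on weekends, while neighbouring zones lose the early-morning or late-afternoon events. On real data the ranking is only as good as the office-hours assumption, and as the article notes, a crew can deliberately shift its schedule, so this is one signal to weigh alongside the code and infrastructure clues, not proof of location.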

Avast has reached out to assist the infected businesses.

Source: Avast (blog)