Exploitation of Trust: Defeating Hidden Advanced Threats


XPERTEX LTD, iboss partner offering DISTRIBUTED GATEWAY PLATFORM in the cloud.

On September 18 researchers at Cisco Talos published details of a breach at Avast, the developers of CCleaner, a widely used free Windows utility. As part of this breach, the attackers were able to inject a multi-stage malware payload into the otherwise legitimate CCleaner program. Between August 15, 2017 and September 13, 2017 the malicious version of CCleaner 5.33 was downloaded by 2.2 million users.

While the vast majority of CCleaner users are consumers, new details have emerged that show it’s likely this attack was targeting several high-profile technology vendors and was the work of Chinese government-sponsored hackers. This was a well-thought-out and well-executed campaign because it solved the number one obstacle for malicious hackers: trust.

When hackers are looking to deploy malware capable of stealing sensitive information, the obstacle is always getting the victim to install it. What better way to do this than to use software that they know millions of users have already installed? Piggybacking on trusted software that is already installed on users’ computers avoids having to trick users into clicking on or installing things they find suspicious. Once the malware is installed on the computers, it doesn’t take much to open doors from the inside for more malware to come in or for data to get out.

IT teams should be wary of installing freeware or software from unknown sources. Much freeware includes adware, toolbars, and suspicious add-ons. This doesn’t mean all freeware or software contains malware, but IT teams should always have security tools in place to catch these activities.

Organizations that embrace devices or software like CCleaner should have monitoring and tools in place to stop malware from being downloaded or data from being stolen, even if the programs have a good reputation.

Organizations should make sure that policies are in place to restrict anyone from installing their own software, but more importantly, they should have security solutions in place to catch these malicious activities. In the case of CCleaner, many enterprise organizations deployed the software to their own users.

This is another example of the benefits of malware sandboxes, like the type included with the Distributed Gateway Platform. If enterprise IT teams had the Distributed Gateway Platform or another sandboxing tool and executed the latest version of CCleaner in a sandbox before installing it on user devices, they could have detected backdoors and suspicious calls out to the Internet.
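The pre-deployment sandbox check described above comes down to a simple question: does the new build talk to anything the previous, approved build did not? The script below is an added example, not code from the original post or from iboss or Xpertex. It assumes a hypothetical one-connection-per-line sandbox network report (`proto host port`) and a constructed baseline recorded for the prior release; the hostnames and addresses are placeholders, not indicators from the CCleaner incident.

```python
"""Diff a candidate build's sandbox network activity against the baseline
recorded for the previous, known-good release, and flag anything new.

Added example with a hypothetical report format and constructed sample data.
"""
import ipaddress
import re
from collections import namedtuple

Connection = namedtuple("Connection", "proto dest port")

# Constructed baseline: destinations the last approved release contacted
# when it was run in the sandbox (placeholder vendor domains).
BASELINE = {
    Connection("tcp", "update.example-vendor.test", 443),
    Connection("tcp", "licence.example-vendor.test", 443),
}

# Constructed sandbox report for the candidate build: one connection per line.
CANDIDATE_REPORT = """\
tcp update.example-vendor.test 443
tcp licence.example-vendor.test 443
tcp 203.0.113.42 443
tcp ab12cd34ef56.example 80
udp 198.51.100.7 53
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\d{1,5})$")
ALLOWED_PORTS = {80, 443}  # ports an installer is expected to use for updates


def parse_report(text):
    """Parse the hypothetical report format into Connection tuples."""
    conns = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable: {line!r}")
        conns.append(Connection(m.group(1), m.group(2), int(m.group(3))))
    return conns


def is_raw_ip(host):
    """True when the destination is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_new_destinations(candidate, baseline=BASELINE, allowed_ports=ALLOWED_PORTS):
    """Return (connection, reasons) for every connection absent from the baseline.

    Extra reasons are attached for the traits a reviewer would look at first:
    hard-coded IP destinations and ports outside the expected set.
    """
    findings = []
    for c in candidate:
        if c in baseline:
            continue
        reasons = ["not seen in baseline"]
        if is_raw_ip(c.dest):
            reasons.append("raw IP instead of hostname")
        if c.port not in allowed_ports:
            reasons.append(f"non-standard port {c.port}")
        findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, reasons in find_new_destinations(parse_report(CANDIDATE_REPORT)):
        print(f"{conn.proto} {conn.dest}:{conn.port} -> {', '.join(reasons)}")
```

Any finding blocks the rollout until someone explains it; a build whose report matches the baseline exactly produces an empty list. The baseline itself should be refreshed from the sandbox run of each release that is approved, so that legitimate changes (a new update host, for example) are reviewed once rather than alerting forever.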

These types of attacks make clear the dangers of new decentralized networks and mobile workers. Distributed organizations need the ability to monitor and protect users no matter where their computer is. If you’re only focused on protecting devices within the office perimeter, a user could have installed this software at home and then brought it inside that protected perimeter.

The advice that I would give for organizations that may have deployed the CCleaner application is to first remove it using trusted AV software, scan for any unknown applications that could have been installed, and evaluate whether their networks are protected from data exfiltration.

A lot of emphasis is placed on preventing malware from being installed, but once it’s already in place, you need the ability to lock down suspicious transfers to high-risk regions and file-sharing services, and to continuously monitor the network for application downloads.
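To show what the monitoring in the previous paragraph looks like in practice, here is an added example (not code from the original post or from any iboss or Xpertex product) that runs two checks over constructed proxy log lines: uploads to file-sharing services or high-risk regions that exceed a per-user, per-destination byte threshold, and executable downloads. The log format, the file-sharing host list, the country codes and the threshold are all assumptions for the example.

```python
"""Flag suspicious uploads and application downloads in proxy logs.

Added example. The log format, category list and country codes are constructed
for illustration; a real deployment would feed the same logic from the proxy's
own log fields and category/geo lookups.
"""
import re
from collections import defaultdict

# Constructed proxy log lines:
# time user dest_host country bytes_out bytes_in method path
# ("00" marks an internal destination; "XX" is a placeholder high-risk region.)
PROXY_LOG = """\
09:01:02 alice intranet.example 00 120 3400 GET /home
09:02:10 alice share.example-filehost.test ZZ 524288 600 PUT /upload/q3.zip
09:02:11 alice share.example-filehost.test ZZ 612000 600 PUT /upload/q3b.zip
09:05:00 bob cdn.example-vendor.test US 300 2400000 GET /dl/utility-setup.exe
09:06:30 carol 203.0.113.9 XX 2097152 200 POST /api/sync
09:07:00 dave news.example US 200 15000 GET /
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<cc>[A-Z0-9]{2})\s+"
    r"(?P<out>\d+)\s+(?P<in>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)

FILE_SHARING_HOSTS = {"share.example-filehost.test"}  # hypothetical category list
HIGH_RISK_COUNTRIES = {"XX"}                          # hypothetical policy list
UPLOAD_THRESHOLD = 1_000_000                          # bytes per user per destination
EXE_SUFFIXES = (".exe", ".msi")


def parse_proxy_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: unparseable: {line!r}")
        e = m.groupdict()
        e["out"] = int(e["out"])
        e["in"] = int(e["in"])
        events.append(e)
    return events


def detect(events, threshold=UPLOAD_THRESHOLD):
    """Return (alert_type, user, host, detail) tuples.

    application_download: any GET whose path ends in an installer suffix.
    suspicious_upload: PUT/POST bytes aggregated per (user, host, country)
    exceed the threshold AND the destination is a file-sharing service or
    sits in a high-risk region.
    """
    uploads = defaultdict(int)
    alerts = []
    for e in events:
        if e["method"] in ("PUT", "POST"):
            uploads[(e["user"], e["host"], e["cc"])] += e["out"]
        if e["method"] == "GET" and e["path"].lower().endswith(EXE_SUFFIXES):
            alerts.append(("application_download", e["user"], e["host"], e["path"]))
    for (user, host, cc), total in uploads.items():
        reasons = []
        if host in FILE_SHARING_HOSTS:
            reasons.append("file-sharing service")
        if cc in HIGH_RISK_COUNTRIES:
            reasons.append(f"high-risk region {cc}")
        if reasons and total > threshold:
            alerts.append(("suspicious_upload", user, host,
                           f"{total} bytes; " + ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_proxy_log(PROXY_LOG)):
        print(alert)
```

Aggregating by user and destination matters: neither of alice's two uploads crosses the threshold on its own, but together they do. The download check is deliberately broad; its job is to give the team an inventory of what executables entered the network, which is exactly the list the remediation advice above asks you to scan for.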

To learn more about how to protect your distributed organisation, download our whitepaper here. Also, contact us at info@xpertex.co.uk or at the Enterprise Cyber Security Event on 28th September at the Victoria Plaza Hotel, London.