Avast has revealed more about the CCleaner hack that hit the headlines last year.
The company's executive VP and CTO, Ondrej Vlcek, took to the stage at RSA to disclose more details, including how the breach was executed, which types of organisation were compromised, and how the hack will affect future mergers and acquisitions.
The company behind CCleaner, Piriform, was breached on March 11. The first machine that was compromised was in Piriform’s London office. Hackers had breached it using stolen credentials to log into a TeamViewer remote desktop account on a developer PC.
From there, they moved laterally, usually after hours, so that nobody would spot them, to install the ShadowPad malware.
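The two behaviours described above (a remote-desktop account used outside working hours, and one account fanning out to several internal hosts) are the kind of signal a blue team can hunt for. The following is an added example, not code from Avast or Piriform; the log format, the hostnames, the working-hours window and the events themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (not real Piriform data):
# "<ISO timestamp> <user> <source host> <target host> <tool>"
EVENTS = [
    "2017-03-13T14:05:00 dev.jsmith DEV-LDN-07 DEV-LDN-07 teamviewer",
    "2017-03-13T23:41:00 dev.jsmith DEV-LDN-07 BUILD-01 teamviewer",
    "2017-03-14T00:12:00 dev.jsmith DEV-LDN-07 FILESRV-02 smb",
    "2017-03-14T01:03:00 dev.jsmith DEV-LDN-07 CI-RUNNER-03 rdp",
    "2017-03-14T10:30:00 ops.akhan OPS-LDN-02 BUILD-01 rdp",
]

# Assumed office hours; weekends are treated as after-hours as well.
WORK_START, WORK_END = time(8, 0), time(19, 0)
# Remote-access tooling whose after-hours use deserves a second look.
REMOTE_TOOLS = {"teamviewer", "rdp", "vnc"}


def parse(line):
    """Split one constructed log line into a dict of fields."""
    ts, user, src, dst, tool = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "tool": tool}


def after_hours(ev):
    """True if the event falls on a weekend or outside WORK_START..WORK_END."""
    t = ev["ts"].time()
    return ev["ts"].weekday() >= 5 or t < WORK_START or t >= WORK_END


def find_suspicious(lines, min_hosts=3):
    """Return (after_hours_remote, fanout).

    after_hours_remote: events where a remote-access tool was used after hours.
    fanout: {user: sorted target hosts} for users reaching min_hosts or more
            distinct hosts other than their own, i.e. lateral movement.
    """
    events = [parse(line) for line in lines]
    after_hours_remote = [e for e in events
                          if e["tool"] in REMOTE_TOOLS and after_hours(e)]
    hosts = defaultdict(set)
    for e in events:
        if e["src"] != e["dst"]:          # ignore local sessions
            hosts[e["user"]].add(e["dst"])
    fanout = {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}
    return after_hours_remote, fanout
```

In real use the two lists would be joined on user and time window: an account that is both active after hours over a remote-access tool and touching several internal hosts is the case worth escalating.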
Avast acquired Piriform later that year, in June. During its due diligence it analysed things like financials, intellectual property and legal risks, but did not look for data breaches. After the acquisition, Avast quickly realised that it was looking at a potential disaster: soon after the deal, the hackers started compromising CCleaner.
Avast worked with the FBI to quickly shut down the hackers' command and control centre, but the damage had already been done. The compromised version was downloaded 2.27 million times. However, the hackers weren't looking to compromise as many machines as possible – they were looking for specific devices. In just 40 cases they proceeded to stage 2, installing ShadowPad. The targets were IT and enterprise companies; a total of 11 companies were infiltrated.
"It’s hard to tell whether the number 40 made the attackers happy or did not make them happy, but I think it was perceived as a pretty successful operation," Vlcek says. "The investment these guys had to make to infiltrate 11 companies I don’t think was very high."
One of the virus samples popped up in an attack on a South Korean university, and one targeted a Russian organisation that works with the Russian finance ministry.