Tag Archives: CCleaner

Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware-laced CDs in the mail, the sender hoping that someone is curious enough to put one in their computer and infect it.  This is an older version of a ploy that is still common: dropping malware-infected flash drives in areas outside businesses, like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is not to do it; hand the media to your information security team to review.  Source: Krebs on Security.


23 and Me Licensed All Customers’ DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with GlaxoSmithKline (GSK) to provide all of their customers’ DNA for “research”, whatever that means.  The deal lasts for four years.  I am not sure what happens after four years – do they have to give back everyone’s DNA?  Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share that with the people whose DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up.  Apparently I opted out.  You can also change that option at any time, but it is not obvious how to do that.  It is buried in the research tab after you sign in.  I assume that change is not retroactive.  If you didn’t opt out, GSK has a copy of your DNA.  Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Piriform sold CCleaner to security firm Avast a few months ago.  Right after the sale, CCleaner was found to be distributing a malware-laced version of the software.  Over a million copies of the infected software were downloaded, but it only targeted a handful of victims.  That was done by an attacker.

This problem is self-inflicted.  The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer, with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law, GDPR, which could result in a fine of the larger of 20 million Euros or 4% of their global revenue.  They are rethinking the wisdom of doing this and will release a new version of the software.  Real soon.  Source: ZDNet.

Idaho Inmates Hack Prison-Issued Tablets

Prisons in Idaho issue inmates specially locked-down tablets to send emails to loved ones and for other limited functions.  Some of those functions cost money, and that is where the rub comes in.  The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks.  Now JPay is trying to get their money back.  At least it is not taxpayer money.  Source: TechCrunch.


Software Supply Chain Attacks are Real

For those of you who have been reading my blog for some time, you know that I have written about the software supply chain security problem.  In a nutshell, the problem is that programmers rarely write code from zero anymore.  Instead, teams write pieces of code and integrate them.  Then there is limited testing due to time and budget.  Finally, everyone crosses their fingers and the code is released.

The folks at CCleaner discovered the hard way that it doesn’t always work out the way you expected.  Or hoped.

About 6 months ago, researchers at Talos (a part of Cisco) and Morphisec discovered that the absurdly popular disk cleaner software CCleaner had been compromised, that the infected software was being downloaded from the official web site, and that this had been going on for a month.

Worse yet, the code was cryptographically signed, meaning two things: most users would trust it, and the attack happened from within CCleaner’s four walls.

Finally, more details of the story are coming out; useful for anyone else who writes software, for free or for money, and distributes it to outside parties.  This could be YOU!

2.27 million infected downloads (in just a month) later, Avast, the owner of CCleaner, is spilling the beans.

Not only is this a software supply chain lesson, but it is also a merger and acquisition lesson, because this was discovered right after Avast bought CCleaner from Piriform.

The attackers had stolen credentials and used them to log into Piriform’s London network using the remote desktop software TeamViewer that Piriform used.  From there they infected other computers, only working at night when the computers were likely not in use, to avoid detection.

They then installed some malware called ShadowPad, which allowed them, among other things, to log every single keystroke on the infected machines.

Then they waited.  Two months after the acquisition closed, they infected the software inside the fence and waited for the infected software to be signed and uploaded to the web.

The attackers were very smart on top of this.  While 2.27 million infected copies were downloaded and 1.65 million copies asked the control server for instructions, only 40 payloads, representing 11 highly targeted companies, were activated with a second stage.  That is very patient: being willing to have over two million copies downloaded to infect only 40 very precise targets.  Those targets were in particular tech companies like Cisco.

Information for this post came from Wired.

So what does this mean for you?

First, if you are acquiring a company – or selling one – this could happen to you.  If you are the seller, you could be sued for millions.  If you are the buyer, you could be on the hook for millions.  It all hinges on the words in the contract.  CONDUCTING SOFTWARE SECURITY DUE DILIGENCE DURING AN ACQUISITION IS VERY IMPORTANT.  This is an example of why.

While this is not an example of downloading an infected library, the library did get infected.  How did the bad guys infect the code and get it checked in to the official library?  How come no review detected the added code that no one had officially added?  The SECURE SOFTWARE DEVELOPMENT LIFECYCLE process might have caught this.

Could this have been caught during testing?  Probably.  You would have needed to be watching for where on the Internet CCleaner was talking to that it shouldn’t have been.  In fact, since it was trying to talk to Russia and Korea, that could have been an alarm bell, since the test network likely should never have tried to do that.  But you have to be looking for it.
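As an added example (not code from this post, nor anything from CCleaner, Piriform or Avast), here is the kind of check the paragraph above describes: outbound connections recorded during a test run are compared against an allowlist of destinations the product is expected to reach, and anything else is flagged.  The log lines, hostnames and addresses are all constructed.

```python
"""Egress allowlist check for a software test network (constructed example)."""
import ipaddress
from collections import defaultdict

# Hosts the product under test is expected to contact (assumed, hypothetical names).
ALLOWED_SUFFIXES = ("update.example-vendor.com", "telemetry.example-vendor.com")
# Internal lab ranges: build servers, file shares and the like.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed connection log from the test network: "<timestamp> <process> <dest> <port>"
SAMPLE_LOG = """\
2017-08-15T10:02:11Z ccleaner.exe update.example-vendor.com 443
2017-08-15T10:02:12Z ccleaner.exe 10.0.4.7 445
2017-08-15T10:02:40Z ccleaner.exe 203.0.113.9 443
2017-08-15T10:03:01Z ccleaner.exe stage2.example-attacker.net 443
2017-08-15T10:03:05Z browser.exe telemetry.example-vendor.com 443
"""

def is_allowed(dest: str) -> bool:
    """True if dest is an allowlisted host (exact or subdomain) or a lab address."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        # Suffix match must respect label boundaries: "notupdate.example-vendor.com" fails.
        return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)
    return any(addr in net for net in ALLOWED_NETWORKS)

def unexpected_egress(log_text: str) -> dict:
    """Map each process to the (timestamp, dest, port) connections outside the allowlist."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the whole check
        ts, proc, dest, port = parts
        if not is_allowed(dest):
            findings[proc].append((ts, dest, int(port)))
    return dict(findings)

if __name__ == "__main__":
    for proc, hits in unexpected_egress(SAMPLE_LOG).items():
        for ts, dest, port in hits:
            print(f"ALERT {ts} {proc} -> {dest}:{port} is not in the egress allowlist")
```

In a real test lab the log would come from the firewall or a packet capture at the lab's edge, and the allowlist from the product's documented update and telemetry endpoints.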

How come the attackers were able to compromise TeamViewer in the first place?  My bet is that Piriform was not using two factor authentication.  Bad boys and girls.  I know two factor is not friendly.  Neither is having 2 million infected copies of your software downloaded by your customers.

In the end you need to look at the entire software development process and think like a hacker to decide where he or she could compromise the process.

Obviously, these guys did.

How many other companies are already infected and don’t even know it?  THAT IS WHAT IS SCARY!


CCleaner Malware Adds New Risk For Users

CCleaner is a very popular disk utility that allows a user to securely erase certain content from their hard drives – like deleted files and cookies, among many other things.

Coming in both a free and paid version, CCleaner has been used safely by users for years.

Last month, however, hackers managed to inject malware into the CCleaner download.  This malware was not just any garden variety malware, but rather was highly targeted at very select tech and telecom companies.

To improve security, CCleaner digitally signs all downloads, and this infected one was no exception.  That means that the bad guys managed to insert the malware into the development cycle prior to the code being signed, and in a way that was not detected during testing.

The infected code was downloaded over two million times!

Without going into the gory details (you can read the Ars Technica article linked below if you want that information), the malware inside the official release of CCleaner, once installed, downloaded a second stage malware, but only to a very select few.

The software included a list of companies to doubly infect, including Intel, Sony, Samsung and a handful of others.  The folks that own CCleaner have detected 40 of these doubly infected PCs, but, of course, there might be others.

It is likely that an attack as sophisticated and targeted as this one is state sponsored.  Current guess is China.

It SEEMS like this attack has been contained, but what if the attackers had not been focused on stealing intellectual property from specific tech firms?  What if the hackers had been bent on doing damage?  Let’s say the software erased or encrypted the data on those two million computers instead, and rather than doing that on only 40, what if it did that to all of them?  And what if it didn’t provide any way to get the data back?  That would likely have had cost, compliance, brand damage, and maybe even health and life safety implications.

If YOU develop software, you could be the next CCleaner.  You could be distributing very nasty malware.

What if it happened to your PC?  Or the software that you distribute?  Are you ready to deal with it?

Information for this post came from Ars Technica.
