Today, I shared new findings from Avast's continued investigations of the CCleaner APT (Advanced Persistent Threat) at RSA.

Unrelated to the CCleaner attack, Avast also found ShadowPad samples active in South Korea and Russia, logging a financial transaction.

Last September, we disclosed that CCleaner had been targeted by cybercriminals in order to distribute malware via the CCleaner installation file. The modified installation file was downloaded by 2.27 million CCleaner customers worldwide. Ever since, our threat intelligence team has been investigating what happened. Since the update we gave at SAS last month, we have made further discoveries about how the attackers infiltrated the Piriform network and the tactics they used to fly under the radar. As we looked for similarities with other attacks, we also analyzed older versions of ShadowPad, the cyber attack platform we had found on four Piriform computers. Our investigation revealed that ShadowPad had previously been used in South Korea and in Russia, where attackers broke into a computer and observed a money transfer.

CCleaner attack: How the threat actors got into the Piriform network

To initiate the CCleaner attack, the threat actors first accessed Piriform's network on March 11, 2017, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate. They successfully gained access with a single sign-in, which means they knew the login credentials. According to the log files, TeamViewer was accessed at 5 AM local time, when the PC was unattended but running. While we don't know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user had utilized for another service, which may have been leaked, to access the TeamViewer account.

How attackers tried to get into the 1st computer

The attackers tried to install two malicious DLLs; however, the attempts were unsuccessful due to a lack of admin rights on the system. On the third try, the attackers succeeded in dropping the payload using VBScript, the scripting language developed by Microsoft.

Microsoft's Windows Defender antivirus software is, perhaps ironically, flagging CCleaner, a junk file remover, as a "Potentially Unwanted Application." The alerts occur when Windows Defender scans certain installers for the free and 14-day trial versions of CCleaner. The same installers can bundle third-party software from CCleaner's parent company, antivirus provider Avast. But according to Microsoft, these other applications are not required to install and run the junk file removing program.

"While the bundled applications themselves are legitimate, bundling of software, especially products from other providers, can result in unexpected software activity that can negatively impact user experiences," Redmond says in its notice.

The other applications CCleaner can try to install include Avast Free Antivirus, AVG AntiVirus (which Avast also owns), along with Google Chrome and Google Toolbar. (Avast gets a fee from Google for distributing the Chrome browser.)

"While the CCleaner installers do provide an option to opt out, some users can easily inadvertently install these bundled applications," Microsoft claims in the notice.

An example of the bundling, but Avast says this image is outdated (Credit: Microsoft)

The company also provided screenshots that illustrate how the alleged bundling works. On install, CCleaner uses a plugin to contact and download an additional file called Microstub.exe. "When it is launched, it provides a preselected option to install Avast Free Antivirus," Microsoft claims. "If users choose to continue, the bundled antivirus product installs in the background. Existing antivirus software, including Microsoft Defender Antivirus, might be turned off or uninstalled during this process," the company added.

However, Avast says Microsoft's description of the bundling is inaccurate. Users are simply asked whether to accept or decline installing the antivirus products, not automatically opted in. "Aside from Chrome, these are handled via an accept/decline opt-in," Avast said, noting the screenshots supplied by Microsoft are outdated.

We've reached out to Microsoft for comment on the discrepancies.