Soooooo, if you're not Cisco, Microsoft, Gmail, etc.

Backdoored CCleaner has a nasty surprise for at least 20 targeted tech firms

Microsoft, Cisco, and VMWare among those infected with additional mystery payload.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed CCleaner version 5.3 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

UPDATE: Sept. According to Piriform, only 32-bit versions of the software are affected.

Attackers could have targeted anything they wanted

Researchers are positively sure about their findings as the C&C server database contained two main tables, one listing all hosts infected with the first-stage malware (Floxif, the one that collected info on all users), and another table that kept track of all computers infected with the second-stage malware. The first table contained data on over 700,000 computers, while the second on 20, after removing duplicates. Both tables stored entries dated between September 12 and September 16. "It appears the data prior to Sept 12 was erased. This was likely deliberate to limit the amount of information that could be derived from the server," Williams also told Bleeping.

Cisco points out the important value this database has. For example, just by running a simple SQL query, Cisco researchers were able to identify 540 computers sitting on government networks, and 51 inside banks. "This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severity and potential impact of this attack," Cisco researchers explain.

Researchers also point out that because of the incomplete C&C server data and because attackers downloaded a silent second-stage downloader, users who ran the tainted versions of CCleaner should wipe clean or restore from backups made before August 15, when the two tainted CCleaner versions were released. The previous advice to deal with the malware was to only update the CCleaner apps. Cisco says it contacted affected organizations and informed them of possible breaches.

Update: The exact versions that were infected were the 32-bit version of CCleaner and CCleaner Cloud. The 64-bit version of CCleaner was not affected. Users of the CCleaner Cloud version have received an automatic update.