Weekly Threat Report 22nd September 2017

Created:  22 Sep 2017
Updated:  22 Sep 2017
This report is drawn from recent open source reporting.

CCleaner supply chain compromise

A version of the widely used utility software CCleaner has reportedly been delivering malware via a recent software update. This tactic of targeting through supply chains, which exploits the trust between consumers and suppliers, provides wide scope for infection, as illustrated by the case of the NotPetya malware, which spread via Ukrainian accounting software.

Avast, the parent company of CCleaner developers Piriform, initially reported that 2.27 million computers were affected from 15 August 2017 to 15 September 2017, although this figure was later reduced to 700,000 machines. On 15 September, the command and control server was taken down by US law enforcement. Based on analysis of the server, Avast suggests that several hundred machines may have received a second stage payload.

The incident has been described as a highly targeted attack, with intellectual property being the probable target. A list of twenty specific targets included large technology and telecommunications companies based in the UK, Taiwan, Japan, Germany, and the United States. Avast reports it has notified companies affected by the second stage malware. It advises home users of the affected version of CCleaner to upgrade to the latest version, and to use a good antivirus product. Business customers have been advised to speak with their IT departments.

BlueBorne Vulnerability

Security researchers at Armis disclosed a collection of eight Bluetooth vulnerabilities this week, collectively known as BlueBorne. Three of the eight vulnerabilities identified have been deemed ‘critical’. The vulnerabilities pose a threat to Bluetooth implementations in Android, iOS, Microsoft and Linux, and reportedly impact almost all Bluetooth device types including smartphones, laptops, IoT devices, and smart cars. Over 5.3 billion devices worldwide are thought to be affected by BlueBorne.

If exploited, the BlueBorne vulnerabilities could enable an attacker to take over devices, spread malware, or establish a ‘man-in-the-middle’ position to gain access to critical data and networks without a user’s knowledge or permission. These attacks do not require targeted devices to be paired to the attacker’s device. Bluetooth implementations have high privileges on all operating systems, so exploiting them provides virtually full control over a device. By probing the device, an attacker can determine which operating system their victim is using, and adjust the exploit accordingly. The attacker then exploits a vulnerability in the implementation of the Bluetooth protocol in the relevant platform, and gains the required access to act in furtherance of a malicious objective.

As part of a coordinated disclosure, Google and Microsoft have already made patches available to their customers. However, according to researchers, a large proportion of devices will not receive BlueBorne patches due to devices having reached ‘end of life’ and no longer being supported. It is reported that only 45% of Android phones are patchable, leaving approximately one billion Android devices running older operating systems vulnerable.

