Two Factors, One Breach

Bring Your Own Demon
6 min read · Apr 22, 2018


On the 15th of August 2017 CCleaner version 5.33.6162 was released in a regular update. Four weeks later, 15th of September 2017, security company Morphisec notified Avast that their legitimate update contained malware.

The breach was recently detailed end to end by Avast’s Ondrej Vlcek at https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer or, for those of a TL;DR nature, in my recent Twitter thread.

I just wanted to write some of my thoughts in a more long-form way. This is my first article so please don’t hold back on any feedback.

The initial breach occurred when a developer made the decision to reuse a password for his TeamViewer account. This password had subsequently been leaked from another data breach.

My guess is the attackers actively targeted Piriform. It has a large user base (2 billion as of November 2016) and is mostly installed with admin rights due to the nature of the software. A perfect host for a backdoor.

If I were in the attackers’ position my initial intel gathering would be to do a simple search on LinkedIn looking for software devs currently working for Piriform, build up a picture of the devs’ personal accounts and look for a weakness. This could be actively phishing them or even just searching your local breach database until you locate one of these devs’ account details. (Top tip: start with HaveIBeenPwned for a quick target).

Many users will reuse these passwords for services such as email accounts, social media and more importantly work logins. Somehow the attackers established that Piriform uses TeamViewer to allow their employees to work from home.

What Piriform forgot, or chose not to do, is enforce Two-Factor Authentication on all remote logins. Any VPN/remote access that allows users to access a work network should be supported by one-time passwords/token generators. A user’s computer is a hotbed for malware. They are outside your firewall, they are outside your SIEM and they are outside of your kingdom. The chances are most users will have a password compromised at one point or another. If you do not have 2FA, any malware or attacker on the user’s device can now access your network whenever they feel like it.

Once the attackers had access to the network through the helpful developer, they attempted three times to install a persistent backdoor, as reused creds aren’t reliable for long, and changing them is a massive red flag, alerting the host to your presence.

The first two attempts failed, it seems, with error code 5, i.e. Access Denied. Piriform correctly blocked the devs from having admin access on their systems and made the attackers’ lives a little more difficult, but in the end it didn’t slow them down.

Credit: Avast

From this initial infection point they pivoted throughout the network using a mix of RDP vulnerabilities and administration credentials, helpfully provided by keyloggers, until they had access to a build server.

They then deployed what is widely believed to be their final payload, ShadowPad, which was delivered as a .dll file. Interestingly, this is similar to the backdoor recently found in NetSarang. Personally, I don’t know much about malware analysis so it would be interesting for somebody to do a comparison between these two payloads. ShadowPad sends out DNS queries to its command and control server on a regular basis. These would contain basic information about the host system (user name, domain name, host name). If the attackers considered the host to be of value or interest, the C&C server would trigger the download of further malicious code or begin exfiltrating data.

Credit: TrendMicro
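As an added example (not from the post or from Avast’s analysis), here is a simplified detector for the behaviour described above: a client that keeps querying one parent domain with a different leftmost label each time, at near-constant intervals, which is what periodic DNS beaconing with host data encoded in the subdomain looks like in a resolver log. The log format, the example-evil.test domain and the thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS query log (timestamp client qname); not real ShadowPad traffic.
SAMPLE_LOG = """\
2017-09-01T10:00:00 10.1.2.3 www.example.com
2017-09-01T10:00:05 10.1.2.3 a1b2c3d4e5f6a7b8.c2.example-evil.test
2017-09-01T10:10:05 10.1.2.3 9f8e7d6c5b4a3f2e.c2.example-evil.test
2017-09-01T10:20:05 10.1.2.3 0011223344556677.c2.example-evil.test
2017-09-01T10:30:05 10.1.2.3 8899aabbccddeeff.c2.example-evil.test
2017-09-01T10:31:00 10.1.2.4 www.example.com
2017-09-01T10:45:00 10.1.2.4 cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the log format above."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def parent_domain(qname, labels=2):
    """Collapse a query name to its last `labels` labels (the assumed C2 parent)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def find_beacons(text, min_queries=4, max_jitter=0.2):
    """Return {(client, parent_domain): interval_seconds} for clients whose queries to
    one parent carry a distinct leftmost label each time and are evenly spaced."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        groups[(client, parent_domain(qname))].append((ts, qname))
    hits = {}
    for key, entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        if len({q.split(".")[0] for _, q in entries}) < len(entries):
            continue  # repeated labels look like ordinary cache-friendly lookups
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)  # beacon period in seconds
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # {('10.1.2.3', 'example-evil.test'): 600}
```

Real beacons add jitter and may use more labels, so in practice the jitter threshold and label depth would be tuned against the resolver's own baseline.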

The attackers were in Piriform’s network for at least four months before they slipped their additions into the source code for CCleaner, which was successfully built, signed and shipped. This free development contribution ended up being installed on two million users’ devices. What’s more interesting is that this was only the first stage. The second stage malware was then dropped onto 40 devices, many of which were owned by tech companies including Microsoft, suggesting this may have been specifically targeted. Avast are unaware if the third stage, ShadowPad, was successfully installed on any users. It’s up to you to decide if the attackers were unsuccessful or just haven’t been detected yet.

Avast have ended up responsible for this breach by purchasing Piriform. This pushes the view that the information security team should be involved during mergers to the same level that they are involved for hiring suppliers. I work in this area; my day job involves reviewing vendors against a set of standards to identify any areas where we believe they should improve. I believe that a successful third party review would have been able to identify this vulnerability to the network. One of the things we specifically focus on is external access being through a VPN or third party. Many people say that a questionnaire doesn’t add value or is out of date the moment it is filled in, but it would have identified the lack of 2FA on TeamViewer, which could have in turn triggered a review possibly uncovering the APT.

The root cause of this breach is the lack of Two-Factor Authentication. If the network admins had taken the time to turn it on for TeamViewer (https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-teamviewer/) this would not have happened, two million people wouldn’t have had to wipe their devices and now more than two million people have lost trust in CCleaner and, by association, Avast.

What can you do as a user? You can turn on 2FA on all services, you can bug developers to add 2FA support to all applications and you can ask your network admins why there isn’t 2FA on your work accounts. We have a long way to go — only 10% of Gmail users have 2FA turned on — but we can start by doing it right now. Go.

Credit: https://www.turnon2fa.com/

Follow me on Twitter

Thanks to those who convinced me to write this down and gave me some pointers.
