If you’re like most computer users, you probably wish that your machine could run faster. If you’re also like most computer users, you probably lack the technical skills and knowledge to accomplish this on your own. Therefore, you might be tempted by one of a number of programs that purport to make your computer run faster with no special skills required.
Many of these programs are shady, to say the least, but there’s one – CCleaner – that’s apparently legitimate. Back in August 2017, however, this apparently legitimate product went feral. Hackers seized control of the update servers and began delivering industrial espionage malware to CCleaner’s nearly 2 billion users. Here’s how they did it – and how to defend yourself next time.
Software Developers Are a Target for Malware Hackers
Imagine you’re a hacker. You want your newly created malware to infect as many people as possible, but you don’t possess the kind of widely exploitable zero-day that would allow you to do this. For whatever reason, a massive phishing campaign is also out of the question. Your next best option is to find a popular computer program and hack its developers.
By hacking a software developer, you get access to all the tools they use to push software updates to millions of people. You also get the code-signing certificates that the developers use to give their updates legitimacy. If you insert malware into a signed software update, it will most likely go right past users’ firewalls without ever being scanned by antivirus software.
By hacking just one initial target, attackers get a vector that can spread a secondary infection to millions of people without being detected. Unsurprisingly, this tactic has often been used by APT groups to conduct mass surveillance. Other incidents include:
- NotPetya: The recent NotPetya outbreak was distributed in Ukraine via a malicious update to a tax accounting program known as M.E.Doc. The attack shut down critical Ukrainian state industries, as well as many international companies, including the shipping giant Maersk.
- XcodeGhost: In 2015, attackers breached a number of developers by tricking them into downloading a compromised version of Apple’s development kit, Xcode. The resulting infected applications were downloaded onto hundreds of mobile devices.
In both cases, the culprits behind the attacks are suspected to be state actors. Similarly, the attackers behind CCleaner are suspected to have been working on behalf of a state or another large entity. Although it was distributed to a large number of people, the malware specifically checked whether infected users worked for a variety of technology or software manufacturers and installed additional software if they did.
Developers – Protect Your Users from Malicious Updates!
Obviously, having your product become a vector for malware is not likely to inspire consumer confidence. If you’re a software developer, you want your update servers to be airtight – and that is a service Safe-T can provide.
Safe-T’s new Software Defined Access product proactively hides your attack surface behind your network, preventing malware hackers from gathering intelligence on your critical data storage platforms. Attackers can’t hack what they can’t see, so hiding your network is a crucial foundation of network security. For more information about Safe-T, and about other ways in which our products can help reinforce your security and compliance efforts, get a free trial today!