CCleaner: how to use Perch to confirm you weren't compromised
Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software.
According to Cisco: "For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner."
Attacks like this against the trusted supply chain between a software manufacturer and its customers are a growing attack vector because of their potential effectiveness and impact. Security controls like firewalls and endpoint protection are often unable to detect a supply chain attack at first, because the malicious code arrives through a trust relationship that is already in place.
In the wake of a supply chain attack, you benefit from reviewing your network traffic for any indicators of compromise (IOCs), and access to network traffic history (such as Perchybana) lets you analyze and respond immediately.
Perch customers can quickly search for any indications of compromise using Perchybana, Perch’s new network data search and correlation tool. In Cisco’s report, the following observable was published:
- 216.126.225[.]148
Additionally, Perch analysts were able to add additional observables from Cisco’s report:
- 52.213.122[.]236
- ns2.ab1145b758c30[.]com
- ns1.apavcul[.]ru
- ns2.februarystorm[.]net
- ns1.kdcmwuz[.]ru
- ns2.gdgctwymm[.]net
- ns1.lutmkwr[.]ru
- ns2.hideallip[.]net
- ns1.uvttrpa[.]ru
- ns2.soyuzinformaciiimexanikiops[.]com
To review for any network traffic with these observables, Perch users can quickly use these search terms within Perchybana to determine if further incident research and response is warranted:
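As an added example (not Perch's search terms and not part of the original post), the script below shows the defender-side check the paragraphs above describe: it takes the observables exactly as published in defanged form, refangs them, and sweeps them across network log history. IP observables are matched exactly; domain observables match the host itself or any subdomain of it, since a resolver log may record a deeper name. The log lines are constructed for the example and only mimic a DNS/connection log format; the function names and log layout are assumptions, not anything from Perchybana.

```python
import ipaddress
import re

# Observables as published above, kept in the defanged "[.]" form in which
# they were distributed so they cannot be clicked or resolved by accident.
DEFANGED_IOCS = [
    "216.126.225[.]148",
    "52.213.122[.]236",
    "ns2.ab1145b758c30[.]com",
    "ns1.apavcul[.]ru",
    "ns2.februarystorm[.]net",
    "ns1.kdcmwuz[.]ru",
    "ns2.gdgctwymm[.]net",
    "ns1.lutmkwr[.]ru",
    "ns2.hideallip[.]net",
    "ns1.uvttrpa[.]ru",
    "ns2.soyuzinformaciiimexanikiops[.]com",
]

# Constructed sample log lines (not real traffic) in a simple key=value format.
SAMPLE_LOGS = [
    "2017-09-18 14:02:11 dns query host=ws-042 qname=ns2.februarystorm.net qtype=A",
    "2017-09-18 14:02:12 conn src=10.1.4.42 dst=216.126.225.148 dport=443 proto=tcp",
    "2017-09-18 14:05:30 dns query host=ws-017 qname=www.example.com qtype=A",
    "2017-09-18 14:06:01 conn src=10.1.4.17 dst=52.213.122.236 dport=80 proto=tcp",
    "2017-09-18 14:07:45 http host=downloads.example.net uri=/ccsetup533.exe",
]

# Candidate tokens: runs of hostname/IP characters. '=' and ':' act as separators.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def refang(ioc):
    """Turn a defanged observable ('[.]') back into its real form for matching."""
    return ioc.replace("[.]", ".").strip().lower()


def build_matcher(iocs):
    """Split refanged observables into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in iocs:
        value = refang(ioc)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def domain_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line, ips, domains):
    """Return the IOC values found in a single log line."""
    hits = []
    for token in TOKEN_RE.findall(line):
        value = token.lower().rstrip(".")
        if value in ips:
            hits.append(value)
        elif "." in value and domain_matches(value, domains):
            hits.append(value)
    return hits


def scan_logs(lines, iocs):
    """Return [(line_number, sorted unique hits)] for every line with an IOC match."""
    ips, domains = build_matcher(iocs)
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, ips, domains)
        if hits:
            results.append((number, sorted(set(hits))))
    return results


if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {number}: {', '.join(hits)}")
```

Any hit from a sweep like this is a starting point for incident research, not proof of infection on its own: a resolver may have looked up one of these names because of a security tool or a curious user, so the matching host, time and follow-on connections need to be reviewed together.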
As always, Perch's Security Operations Center team is monitoring for these IOCs and has proactively reached out to any customers who may be impacted.
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com