Avast has admitted that the compromise of its popular CCleaner tool over the summer was more sophisticated than it originally believed, and has warned that a second stage, highly targeted payload was delivered to hundreds of PCs by the malware.
Researchers from Cisco's Talos Intelligence earlier this week claimed that CCleaner had been compromised in August and September in a supply-chain attack, in which the download was modified to deliver malware to unsuspecting victims.
The compromised application was downloaded some 2.7 million times, according to Avast.
The company then publicly played down Cisco Talos' involvement in finding the breach, as well as the number of users affected and the likely long-term implications for them.
It had said that, based on an analysis of machines that used Avast's security software, it believed that the second stage payload was never activated, and therefore the only malicious code present on customer machines was the one embedded in the ccleaner.exe executable.
It claimed at the time that users therefore did not need to restore their affected machines back to before August 15, when the attack had supposedly begun.
Now, after a subsequent blog post in which Cisco Talos researchers confirmed that at least 20 victim machines were served specialised secondary payloads in four days in September, Avast's CEO Vince Steckler and CTO Ondrej Vlcek have admitted that further analysis of the data from the command-and-control server has indicated that the attack was programmed to deliver a second stage payload to selected users.
Avast now says that the server logs indicated that 20 machines at eight organisations were sent the second-stage payload. However, it said that as the logs were collected for little over three days, the actual number of computers that received the second stage payload "was likely at least in the order of hundreds".
It continued: "This is a change from our previous statement, in which we said that, to the best of our knowledge, the second stage payload never delivered."
While Avast said that it would not disclose the list of targeted companies publicly "for privacy reasons", Cisco said that the domains the attackers were attempting to target included those held by HTC, Sony, Samsung, Intel, VMware, Microsoft, Vodafone, Google, D-Link, Linksys, Akamai and even Cisco itself - as well as a German gambling company, for some reason.
Cisco added that the array of high-profile tech companies suggested it was "a very focused actor after valuable intellectual property".
Steckler and Vlcek said that the techniques used demonstrated the attacker's high level of sophistication. They said that Avast was working with law enforcement to trace the source of the attack.
"We are committed to getting to the bottom of who is behind this attack. While providing routine periodic updates, our energies are focused on catching the perpetrators. Our approach is to do all of this in the background, to increase our chances of identifying the perpetrator," they said.
In another dig at Cisco Talos, though, they added: "We believe nothing is served by being too noisy, e.g. stating who was targeted and/or compromised and it is up to the target to choose when to disclose."
Cisco said the new findings supported and reinforced its previous recommendation that those affected by the supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or re-image systems to ensure that they completely remove both the backdoored version of CCleaner and any other malware.
However, Avast stands by its recommendation to upgrade CCleaner to the latest version (now 5.35). It said that the decision may be different for corporate users and will depend on corporate IT policies.