AS5 - CCleaner
CCleaner is a popular system cleanup utility.
Techniques:
Reconnaissance
T0137 - Weak Authentication Methods
The TeamViewer credentials were probably obtained from a different breach. If MFA had been enabled, these credentials alone would not have been enough to connect to the workstation.
T0137 page
Initial Access
T0153 - Compromised Developer Workstation
The attacker accessed the unattended workstation of one of the CCleaner developers and installed a backdoor.
T0153 page
T0113 - Compromised User Account
The developer machine was accessed using TeamViewer. This suggests that the developer's credentials were compromised.
T0113 page
Defense Evasion
T0176 - Misconfigured Security Measures
The attacker not only managed to infect more than 40 workstations on the company network, but also the CCleaner build system.
T0176 page
Impact
T0191 - Malicious Code In Artifacts
The attackers compiled a customised version of ShadowPad, an infamous backdoor that lets attackers download further malicious modules or steal data.
T0191 page