What happens when trusted software is the virus?

Alexander Freund

Hackers have ingeniously struck again by adding a hidden backdoor into a popular maintenance and file clean-up tool, CCleaner for Windows. The hacked version of the tool allows for the malicious download of additional malware, meaning the hackers could do anything with those affected systems. According to Avast, the company that owns CCleaner, approximately 2.27 million systems ran the affected software.

On Sept. 18th, Forbes reported the hack.

It would be fair to assume that this type of hack is going to become more popular as time goes on. Adding backdoors to existing trusted software is a highly efficient way to rapidly distribute malware to millions of systems without detection, and it only requires a hack in one place (the software manufacturer) to succeed. This type of hack is a good example of a potential data breach that is almost impossible to prevent or detect until some kind of public announcement has been made. At that point, from a cybersecurity perspective, it becomes a race against time: the assumption has to be that any system running the hacked software might already be compromised with additional malware, and it should be treated as a potentially hacked system. This, by definition, is a mediation event.

The first step is to establish the scope of the potential breach by identifying every system that has the hacked software installed. The next step is to remove the offending software as quickly as possible from the entire environment. The final step requires that each of the identified systems be carefully scanned to confirm whether any additional malware was already downloaded and installed. Another option, for those environments that have imaging capabilities, is simply to re-image all of the machines that had the hacked software installed. These three steps can be a daunting task for a busy IT department in a mid-market or larger organization, especially if the right IT management tools are not already in place. This is where an integrated network management platform really helps, both in reducing the amount of labor required to get these steps completed and, even more importantly, in reducing the amount of time it takes to get it done.

Within 24 hours of the announcement, our Network Operations team was able to get all three of these steps completed on approximately 2600 managed nodes. The integration between the desktop/server management platform, the automated scripting engine, and the combination of anti-malware products that are completely integrated into the platform made all the difference.

The challenge with purchasing, installing, maintaining, and utilizing these types of tools is substantial, as they require a continuous investment in engineering labor to maintain them, and specialized expertise in software engineering to take maximum advantage of the automation built into the platform. As new IT management products are added to the environment (i.e., malware detectors, threat intelligence engines, firewalls, etc.), they need to be integrated into the management platform so that alerting and reporting are automated and workflow rules can be added so that the right people see the right alerts.

Effectively mediating a cyberattack (securing the environment after a breach) is going to increasingly become a more important component of the cybersecurity arsenal.
