CCleaner: how to use Perch to confirm you weren't compromised

Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software.

According to Cisco: "For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner."

Attacks like this, which abuse the trusted supply chain between a software vendor and its customers, are a growing attack vector because of their effectiveness and reach: a single compromised build is delivered to every customer who installs the legitimate update.
Security controls such as firewalls and endpoint protection often fail to detect a supply chain attack at first, because the malicious code arrives through a channel that is already trusted, in this case inside a signed installer from the vendor.

In the wake of a supply chain attack, reviewing your network traffic for the published indicators of compromise (IOCs) tells you whether any host in your environment actually reached the attacker's infrastructure; access to historical network traffic (as in Perchybana) lets you run that review and respond immediately instead of waiting for the next beacon.

Perch customers can quickly search for any indications of compromise using Perchybana, Perch’s new network data search and correlation tool. In Cisco’s report, the following observable was published:

Perch analysts also extracted further observables from Cisco's report:

To review your network traffic for these observables, Perch users can run the following search terms within Perchybana to determine whether further incident research and response is warranted:

Perchybana Screenshot
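The same IOC sweep run outside Perchybana, as an added example that is not part of the original post and not Perch's own tooling: a small Python script that loads a vendor-style indicator list (including defanged entries), classifies each entry as an IP address, domain or SHA-256 hash, and matches them against network-history records, grouping the hits by internal host for triage. The indicator values, the log records and their field names (ts, type, src_ip, dst_ip, query, sha256) are constructed placeholders for illustration; they are not the observables from Cisco's report and not Perchybana's schema.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed placeholder indicators in the shape of a vendor IOC list.
# These are NOT the observables from Cisco's report: the IP is from the
# RFC 5737 documentation range, the domain uses the reserved .example TLD,
# and the hash is an arbitrary hex string. Replace with the real list.
PLACEHOLDER_IOC_LIST = """
# one indicator per line; '#' starts a comment; defanged forms are accepted
203[.]0[.]113[.]45          # C2 address (placeholder)
payload-c2.example          # C2 domain (placeholder)
3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b  # installer hash (placeholder)
"""

# Constructed network-history records as flat JSON lines. The field names are
# assumptions for this example, not Perchybana's schema. Only host 10.0.8.21
# touches an indicator; 10.0.8.33 resolves a look-alike that must NOT match.
SAMPLE_LOG = """\
{"ts":"2017-09-18T14:02:09Z","type":"dns","src_ip":"10.0.8.21","query":"update.PAYLOAD-C2.example."}
{"ts":"2017-09-18T14:02:11Z","type":"conn","src_ip":"10.0.8.21","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2017-09-18T14:05:40Z","type":"dns","src_ip":"10.0.8.33","query":"notpayload-c2.example"}
{"ts":"2017-09-18T14:10:02Z","type":"files","src_ip":"10.0.8.21","sha256":"3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B","filename":"ccleaner-setup.exe"}
{"ts":"2017-09-18T14:11:00Z","type":"conn","src_ip":"10.0.8.40","dst_ip":"198.51.100.7","dst_port":80}
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def classify(indicator):
    """Normalise one indicator and return (kind, value), or None if unrecognised.

    Undoes the defanging used in public reports ([.] and hxxp), strips a URL
    scheme, and lower-cases so later comparisons are case-insensitive.
    """
    s = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^https?://", "", s).rstrip("/.")
    if not s:
        return None
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if SHA256_RE.match(s):
        return "sha256", s
    if DOMAIN_RE.match(s):
        return "domain", s
    return None


def load_iocs(text):
    """Parse a text IOC list into {"ip": set, "domain": set, "sha256": set}."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        hit = classify(line)
        if hit is None:
            raise ValueError(f"unrecognised indicator: {line!r}")
        iocs[hit[0]].add(hit[1])
    return iocs


def domain_hit(name, domains):
    """True if name equals an IOC domain or is a subdomain of one.

    The suffix check includes the leading dot, so 'notpayload-c2.example'
    is not treated as a subdomain of 'payload-c2.example'.
    """
    q = name.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def sweep(log_text, iocs):
    """Return one (host, kind, indicator, ts) tuple per record that touches an IOC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host = rec.get("src_ip")
        for fld in ("src_ip", "dst_ip"):
            ip = rec.get(fld)
            if ip and ip in iocs["ip"]:
                hits.append((host, "ip", ip, rec["ts"]))
        if rec.get("query") and domain_hit(rec["query"], iocs["domain"]):
            hits.append((host, "domain", rec["query"].lower().rstrip("."), rec["ts"]))
        h = (rec.get("sha256") or "").lower()
        if h in iocs["sha256"]:
            hits.append((host, "sha256", h, rec["ts"]))
    return hits


def hosts_to_triage(hits):
    """Group hits by internal host, oldest first, so responders get one row per machine."""
    by_host = defaultdict(list)
    for host, kind, ioc, ts in hits:
        by_host[host].append((ts, kind, ioc))
    return {h: sorted(v) for h, v in by_host.items()}


if __name__ == "__main__":
    iocs = load_iocs(PLACEHOLDER_IOC_LIST)
    for host, events in hosts_to_triage(sweep(SAMPLE_LOG, iocs)).items():
        print(host)
        for ts, kind, ioc in events:
            print(f"  {ts}  {kind:7}  {ioc}")
```

Two details matter more than the matching itself. Normalisation (defanging, case, trailing dots) is what makes a copy-pasted vendor list actually match your logs, and the dot boundary in the subdomain check is what keeps look-alike names from producing false positives. A clean sweep is only as good as the retention window of the traffic history you searched, and a hit on the installer hash alone still warrants looking at that host, since the payload is multi-stage and the later stages may not have produced network traffic yet.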

As always, Perch's Security Operations Center team is monitoring for these IOCs and has proactively reached out to any customers who may be impacted.

Wes Spencer
Avian Security Officer

Wes Spencer is a hands-on cybersecurity executive with a wealth of experience in the financial services industry and as a professor of information security. Wes built out one of the first threat intelligence platforms for a community bank. Wes is passionate about information security and has a knack for clearly articulating cybersecurity to all levels of the organization. While at FNB, Wes served as the chairman for the Financial Services Information Sharing and Analysis Center's (FS-ISAC) Community Institution Council, providing leadership to over 4,000 member financial institutions. Wes was also selected as a charter member of American Banker's Digital Leadership Council and is a frequently requested speaker at conferences throughout the country.