This report is drawn from recent open source reporting.

CCleaner update

Cyber security company Avast continues to investigate the 2017 supply chain attack involving the clean-up tool CCleaner. For around a month last summer, Advanced Persistent Threat (APT) attackers are reported to have inserted malicious code into CCleaner and CCleaner Cloud builds at source, so that the trojanised versions were distributed through the vendor's own legitimate download channel and signed with its own certificate. They were downloaded by 2.27 million customers worldwide. From that pool the attackers selected a small number of high profile technology and telecommunications companies to receive a secondary payload.

Avast's ongoing investigation has now revealed that Piriform, the developer of CCleaner (acquired by Avast in July 2017), was probably compromised as early as March 2017, several months before the trojanised builds were released. The report does not say how the attackers first gained access to the Piriform network.

The investigation also points to a possible third stage of the attack. Once on the Piriform network, the attackers deployed a tool known as ShadowPad, which includes keylogging and password stealing functionality, together with other tools that allowed them to operate remotely and extend their access. ShadowPad may also have been delivered to the customers who received the secondary payload, although this has not been confirmed.

Avast also details the steps it has taken to remove the threat from the Piriform network.

Ransomware re-infects Colorado Department of Transportation IT system

We previously reported on SamSam (also known as Samas) ransomware infecting Colorado Department of Transportation (CDOT) computers. Although the organisation had begun to recover from that incident, international media report that CDOT was hit by a second ransomware infection only a week after the original attack. Reports suggest that computers have been re-infected with a new variant of SamSam.

CDOT is responsible for managing and maintaining roads as well as monitoring traffic in the US state of Colorado; however, critical operational IT systems are not believed to be affected. Employees are making use of personal devices, as well as pen and paper, to continue to work, but the organisation has been forced to send home some contract workers whose jobs rely on IT access.  

It remains unclear how CDOT’s systems were originally infected, or how this new variant entered their network, but authorities continue to work to recover data using backups and do not plan to pay the ransom demand. 

Security researchers investigating previous SamSam incidents describe it as a hands-on operation: the attackers first compromise the corporate network, typically through exposed or poorly secured remote access services and unpatched internet-facing servers, move laterally, and only then deploy the ransomware, rather than spreading it by mass email campaigns. The malware encrypts data and demands payment in Bitcoin for the decryption key. SamSam has existed in various forms since at least 2015 and has previously affected the US education and healthcare sectors. We are not aware of any UK organisations having been affected by SamSam.

This case illustrates how quickly those responsible for SamSam can produce new strains of the ransomware, allowing them to keep using it for targeted extortion. It also highlights that restoring data from backups is only part of recovery: unless the original access route and any persistence the attackers left behind are identified and closed before systems are returned to service, a fresh variant can simply be deployed again.