
CCleaner Command and Control Causes Concern - runesoerensen
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
======
craftyguy
[https://news.ycombinator.com/item?id=15274339](https://news.ycombinator.com/item?id=15274339)

~~~
runesoerensen
This is a follow-up to that story. The HN discussion might still be relevant
for context though

------
0x0
Can you imagine the havoc you could create if you compromise
microsoft+samsung+vmware+intel and push malware embedded in software+firmware
updates that combine the (also a HN top post right now) Intel ME hack and
perhaps a couple of the (also HN top post right now) broadcom wifi chip
exploits?

Will we end up with a setup where every system within range of a wifi chip is
instantly and persistently compromised? Could we even recover from that?

~~~
milesokeefe
>Will we end up with a setup where every system within range of a wifi chip is
instantly and persistently compromised?

＊every system within range of a wifi chip _and connected to a power source_

~~~
0x0
A power source such as a non-removable battery in many laptops and phones?
Doesn't Intel ME run even when the system is powered down?

~~~
milesokeefe
Yes, so many/most phones and laptops would be compromised. But there are also
plenty of computers in every form that aren't plugged into anything at all and
are completely invulnerable.

It would be devastating but nothing we couldn't rebuild from.

~~~
outoftacos
You mean like desktops? That are unplugged? How many of those do you think are
sitting around? How old is the version of Windows on them do you think?

If your recovery strategy is "drive as fast as you can to the thrift shop"
then I don't know how effective "rebuilding" would be. This is fucking
terrifying.

------
lawnchair_larry
"During our investigation we were provided an archive containing files that
were stored on the C2 server."

I find that more interesting than the article itself. Some unknown entity just
happened to hack the command server and drop a dump of it in their lap?

~~~
bob33212
FBI

------
raesene6
Supply chain attacks are an obvious avenue for high-end attackers, where their
direct targets are hardened, so I guess we'll see more of these going forward.

Whilst companies like Microsoft can likely afford to harden their software
update systems well enough to deter this, I do wonder what impact it'll have
if smaller software providers/open source software providers who can't afford
high-end OpSec teams start getting targeted.

Realistically a lot of software auto-updates these days so it's a nice avenue
for attackers to exploit...

------
basicplus2
I think one of the biggest issues is..

operating systems like Windows give no indication to the ordinary user what
internet connections they are making, either legitimately themselves or
from software installed separately, and give users no opportunity to review
and grant or deny access.

If ALL connections were transparent it would be much easier to see what was
not appropriate.

Operating systems should say that a connection is being made and for what
purpose and the user given the opportunity to grant or deny.

This is what I liked about Sophos' original interface, sadly gone by the
wayside.

~~~
sengork
Yes, tools like Comodo firewall by default are set to be quiet and prevent end
user prompts as much as possible.

Regardless, the number of components (whether it be OS, software or website
elements) which attempt connecting is overwhelming for even a non-average,
tech-savvy user.

For example install [https://pi-hole.net/](https://pi-hole.net/) and you'll no
doubt realise that most of the DNS queries traversing your home network are
not directly made by the end-user.
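
Added example (not from the thread or from the Pi-hole project): a small parser for the dnsmasq query-log format that Pi-hole writes to pihole.log, run over a handful of constructed log lines, to make the point above concrete. It counts which names each client resolved and flags names a client resolves at a near-constant interval, which is the pattern an updater (legitimate or not) produces. The log lines, hostnames, addresses and times are all made up; the "periodic" heuristic is a visibility aid, not a verdict, since legitimate software polls on a schedule too.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in dnsmasq's query-log format (what Pi-hole writes to
# pihole.log). Hosts, client addresses and timestamps are invented.
SAMPLE_LOG = """\
Sep 18 10:00:00 dnsmasq[1234]: query[A] news.ycombinator.com from 192.168.1.20
Sep 18 10:00:01 dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.20
Sep 18 10:00:03 dnsmasq[1234]: query[A] telemetry.vendor.example from 192.168.1.20
Sep 18 10:00:31 dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.20
Sep 18 10:01:01 dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.20
Sep 18 10:01:05 dnsmasq[1234]: query[AAAA] mail.example.org from 192.168.1.31
Sep 18 10:01:31 dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.20
Sep 18 10:01:40 dnsmasq[1234]: forwarded mail.example.org to 1.1.1.1
Sep 18 10:02:01 dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.20
Sep 18 10:02:10 dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.31
"""

# Matches only "query[TYPE] name from client" lines; forwarded/reply/cached
# lines are deliberately ignored so each lookup is counted once.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_query_line(line):
    """Return (seconds, qtype, name, client) for a query line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    # Syslog timestamps carry no year; seconds since a fixed epoch are enough
    # to compute intervals as long as the log does not span a year boundary.
    seconds = (ts - datetime(1900, 1, 1)).total_seconds()
    return seconds, m.group("qtype"), m.group("name").lower(), m.group("client")


def queries_per_client(log_text):
    """Count how often each client resolved each name, so a user can compare
    the sites they actually visited against what their machine looked up."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed:
            _, _, name, client = parsed
            per_client[client][name] += 1
    return per_client


def find_periodic_queries(log_text, min_hits=4, max_jitter=0.2):
    """Return (client, name, interval_seconds) for names a client resolves at a
    near-constant interval (relative std-dev of the gaps <= max_jitter).
    Scheduled polling is what updaters do, so this is a prompt to look, not
    proof of anything bad."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed:
            t, _, name, client = parsed
            times[(client, name)].append(t)
    flagged = []
    for (client, name), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((client, name, round(avg)))
    return flagged


if __name__ == "__main__":
    for client, names in queries_per_client(SAMPLE_LOG).items():
        print(client, dict(names))
    for client, name, interval in find_periodic_queries(SAMPLE_LOG):
        print(f"{client} resolves {name} every ~{interval}s")
```

On the constructed sample the script reports that 192.168.1.20 resolved updates.vendor.example five times at a steady 30-second cadence while the user-visible lookups (news.ycombinator.com, mail.example.org) each appear once. Pointed at a real pihole.log the same two functions give a per-device inventory of background lookups, which is the transparency the thread is asking operating systems for.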

------
bob33212
These attackers are after the IT blueprints of other organizations, so that
they can build a hibernating bot inventory. They can then sell pwned corporate
computers to 3rd parties for BTC. Phishing and spear phishing don't work
well on pro users. But this does.

