CCleaner contained malicious backdoor that secretly stole information from users’ computers
Researchers at the security firm Cisco Talos have reported that CCleaner, a system-optimization tool distributed by anti-virus firm Avast, was compromised to distribute malware directly to its users through a hidden backdoor. The malware could give attackers access to the user’s computer, and to other connected systems, to steal personal data or credentials.
CCleaner is a popular utility program used to clean potentially unwanted files (including temporary internet files, where malicious programs and code tend to reside) and invalid Windows Registry entries from a computer. CCleaner was developed by Piriform, which Prague-based antivirus maker Avast acquired in July. CCleaner has more than 2 billion downloads worldwide and is downloaded as often as 5 million times per week.
According to the Cisco Talos researchers, the 32-bit build of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 contained a multi-stage malware payload that rode on top of the legitimate installation, and these builds were distributed during the period between August 15 and September 12.
“We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” the researchers wrote.
Confirming the attack, Paul Yung of Piriform said in a statement, “We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public.”
However, the Mac and Android versions of CCleaner do not appear to have been affected.
Piriform estimated that 2.27 million people used the infected software, and that 5,000 installations of CCleaner Cloud had received the malicious update.
“We resolved this quickly and believe no harm was done to any of our users,” the company said in a statement.
The company also added that the rogue server is down and other potential servers are out of the control of the attacker.
“Supply chain attacks are a very effective way to distribute malicious software into target organizations,” Cisco’s threat intelligence group, Talos, explained in a blog about the hack.
“This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons.”
The Talos blog notes that the nature of the attack code suggests the compromise may have been an inside job, since the attacker had access to a machine used to build CCleaner.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” Piriform’s Yung said.
Piriform has advised users who installed CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 to remove them and update their CCleaner software to version 5.34 or higher. The latest version can be downloaded from Piriform.
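As an added example, not from the article or from Piriform, the following PowerShell snippet audits a Windows host for the two affected builds named above. It reads the standard Windows Uninstall registry hives (the generic paths, not anything CCleaner-specific), parses the recorded DisplayVersion, and flags installs that match the compromised versions or fall below the 5.34 fix. Matching on a DisplayName containing "CCleaner" is an assumption about how the product registers itself; verify it against a known-good install before running the check across a fleet.

```powershell
# Added example: audit a Windows host for the CCleaner builds the article names as compromised.
# Affected versions and the remediation version come from the article; the registry paths are the
# standard Windows uninstall hives. Matching DisplayName on "*CCleaner*" is an assumption.

$AffectedVersions = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}
$FixedVersion = [version]'5.34'   # Piriform's advice: update to 5.34 or higher

$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CCleanerInstalls {
    # Enumerate every registered application and keep the CCleaner products.
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*CCleaner*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is free text; fall back gracefully if it is not a valid [version].
            [void][version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Parsed   = $parsed
                Location = $_.InstallLocation
            }
        }
}

function Test-CCleanerStatus {
    param([pscustomobject]$Install)
    if (-not $Install.Parsed) { return 'UNKNOWN (version string did not parse)' }
    # Exact match against a compromised build takes priority over the generic "outdated" check.
    foreach ($product in $AffectedVersions.Keys) {
        if ($Install.Product -like "*$product*" -and $Install.Parsed -eq $AffectedVersions[$product]) {
            return 'AFFECTED: matches a compromised build; remove and reinstall 5.34 or later'
        }
    }
    # The 5.34 threshold applies to the desktop product; the article gives no fixed Cloud version.
    if ($Install.Product -notlike '*Cloud*' -and $Install.Parsed -lt $FixedVersion) {
        return 'OUTDATED: below 5.34, update'
    }
    return 'OK'
}

$found = Get-CCleanerInstalls
if (-not $found) { Write-Output 'No CCleaner product registered in the Uninstall hives.' }
foreach ($i in $found) {
    Write-Output ("{0} {1} -> {2}" -f $i.Product, $i.Version, (Test-CCleanerStatus $i))
}
```

Run it in an elevated session so the HKLM hives are readable, and feed the output into whatever inventory or ticketing system you use for remediation tracking; the check only reports what the registry says, so a host where the installer was run but the uninstall entry was deleted would still need a file-level or EDR-based look.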
“We are continuing to investigate how this compromise happened, who did it, and why,” Piriform said. “We apologise and are taking extra measures to ensure this does not happen again. We are working with US law enforcement in their investigation.”