More than 2 million Windows users may be at risk: Maintenance app CCleaner was hacked and used to deliver malware to unsuspecting computers and Android devices, according to a Monday report from Cisco Talos.
CCleaner is an app from Piriform, a company which was recently purchased by Avast, that allows users to perform routine machine maintenance, cleaning temporary files and managing installed applications. It boasted over 2 billion total downloads at the end of 2016, and a growth rate of 5 million additional users per week. Both a free version and a business version of the app are available.
In August, CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were compromised, with an unknown IP address receiving data from software found in those versions on 32-bit Windows systems. “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public,” Paul Yung, Piriform’s vice president of products, wrote in a blog post.
Some 2.27 million users had downloaded that version of CCleaner, while 5,000 users had installed the compromised version of CCleaner Cloud, Vince Steckler, CEO of Avast, told TechRepublic. However, “we believe that these users are now safe as our investigation indicates we were able to disarm the threat before it was able to do any harm,” Steckler said.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update,” Yung wrote in the blog post.
SEE: Information security incident reporting policy (Tech Pro Research)
On September 13, Cisco Talos identified an executable in the installer for CCleaner, which was being delivered to endpoints by the legitimate CCleaner download servers. While the downloaded installation executable was signed using a valid digital signature from Piriform, it included a malicious payload with a Domain Generation Algorithm (DGA) and hardcoded Command and Control (C2) functionality–potentially allowing hackers to gain control of victims’ devices.
The malicious payload also collected and encrypted the name of the computer, a list of installed software and Windows updates, a list of running processes, MAC addresses of the first three network adapters, and additional information such as whether the infected machine had administrator privileges, according to Piriform.
The affected version was released on August 15, 2017, and an update was released on September 12, 2017. Yung wrote in the post that Piriform identified the malicious activity on September 12, and contacted law enforcement.
While users of the cloud version of CCleaner have received an automated update, other users should update their CCleaner software to version 5.34 or higher immediately. The latest version is available for download here.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” Yung wrote in the post. “The investigation is still ongoing.”
Supply chain attacks like this are often a very effective way to distribute malware into organizations, because attackers are relying on the trusted relationship between a manufacturer or supplier and their customer, Cisco Talos wrote in their report.
“In many organizations data received from software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources,” according to the report. “Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.”
To keep your machines safe from malware, always make sure your software is up to date, Steckler advised. For users who find it challenging to maintain regular updates of various software, there are tools available to help identify when updates are available and support with installation. To learn more about how to manage security when working with third-party partners, click here.
The 3 big takeaways for TechRepublic readers
1. Maintenance app CCleaner from Piriform and Avast was hacked and used to deliver malware to unsuspecting computer and Android users, according to a Monday report from Cisco Talos.
2. About 2.27 million users had downloaded the infected version of CCleaner, while 5,000 users had installed the compromised version of CCleaner Cloud.
3. Users of CCleaner Cloud have received an automated update, but other users should update their CCleaner software to version 5.34 or higher immediately.