Hackerssuccessfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.
CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.
The Talos site update as of this week:
Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected
Update 9/19: This issue was discovered and reported by both Morphisec and Cisco in separate in-field cases and reported separately to Avast.
Update 9/19: There has been some confusion on how the DGA domains resolve.
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Piriform, the developer of CCleaner now owned by security firm Avast, says that its download servers were compromised at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated the servers with a new version. In that period, a trojan was loaded into the download package which sent “non-sensitive data” from infected users’ computers back to a server located in the US. The data, according to Piriform, included “computer name, IP address, list of installed software, list of active software, list of network adapters”.
As well as the data leak, however, the infection also resulted in a “second stage payload” being installed on to the affected computer – another piece of malware, which Piriform says was never executed.
“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” the company’s vice president, Paul Yung, said.
The company says 2.27m users were infected, but added that “we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm”. By taking down the “command and control” server, Piriform may have prevented the infection being used to inflict further damage.
https://www.theguardian.com/technology/2017/sep/19/ccleaner-2m-users-install-anti-malware-program-security-avast-supply-chain-attack-hack
https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/
