Hackers have illegally modified Avast-owned CCleaner, inserting a backdoor that connects to an attacker-controlled server and impacting some 2.27 million users of the weaponized version 5.33 of CCleaner. CCleaner Cloud version 1.07 was also affected.
CCleaner, security software for Windows from Piriform, a subsidiary of anti-virus giant Avast, was compromised by hackers last month. The inserted backdoor could potentially have allowed them to take control of a device by downloading further malicious software, including malware, ransomware, spyware or keyloggers. Currently, there are approximately 2.5 million affected users, while the company says the software has had over 2 billion total downloads as of November 2016.
The targeted CCleaner software, bought by Avast in July 2017 from its original developer Piriform, allows Windows (and other OS) users to scan for and remove unwanted files (including temporary internet files, where malicious programs and code tend to reside) and invalid Windows Registry entries from a computer. But according to security researchers at Cisco Talos, the software itself was compromised with a backdoor; the researchers compared the incident to the dangerous Petya disk-wiper attack that originated in Ukraine, spread across Europe and also hit firms in the United States.
According to Cisco Talos’ blog post, the download server for CCleaner was compromised with a backdoor on September 11, 2017, and the firm was able to identify the threat on September 13, 2017.
“We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” said Cisco.
“In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017, version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application,” Cisco further explained.
Update your CCleaner
Avast has acknowledged the attack and urged users to update CCleaner software to version 5.34 or higher. In a blog post, vice president of product at Piriform Paul Yung wrote that “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.
“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
However, free users of CCleaner must update the software manually, since the free version does not update itself automatically.
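As an added example (not code from the article, Avast, Piriform or Cisco Talos), a small fleet-triage script that flags hosts by the affected build numbers and the distribution window stated above; the inventory is constructed, and the Host fields and status names are assumptions.

```python
from datetime import date
from itertools import takewhile
from typing import NamedTuple, Optional

# Facts from the article: CCleaner 5.33.6162 (32-bit) and CCleaner Cloud
# 1.07.3191 were modified; 5.33 was distributed 2017-08-15 .. 2017-09-12;
# the fix is CCleaner 5.34 or higher. The installer carried a valid Piriform
# signature, so triage keys on version and install date, not on the signature.
WINDOW_START, WINDOW_END = date(2017, 8, 15), date(2017, 9, 12)
AFFECTED_CLOUD = (1, 7, 3191)

def parse_version(text: str) -> tuple:
    """'v5.33.6162' -> (5, 33, 6162); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

class Host(NamedTuple):          # assumed inventory record shape
    name: str
    product: str                 # "CCleaner" or "CCleaner Cloud"
    version: Optional[str]       # None when the inventory agent did not report it
    installed: Optional[date]

def triage(host: Host) -> str:
    """Return 'affected', 'not_affected', 'review' or 'unknown' for one host."""
    v = parse_version(host.version) if host.version else ()
    if host.product == "CCleaner" and v:
        return "affected" if v[:2] == (5, 33) else "not_affected"
    if host.product == "CCleaner Cloud" and v:
        return "affected" if v[:3] == AFFECTED_CLOUD else "not_affected"
    # No usable version string: fall back to the distribution window.
    if host.installed and WINDOW_START <= host.installed <= WINDOW_END:
        return "review"
    return "unknown"

def summarize(hosts) -> dict:
    counts = {"affected": 0, "not_affected": 0, "review": 0, "unknown": 0}
    for h in hosts:
        counts[triage(h)] += 1
    return counts

SAMPLE = [  # constructed sample inventory, not real hosts
    Host("ws-01", "CCleaner", "5.33.6162", date(2017, 8, 20)),
    Host("ws-02", "CCleaner", "5.34", date(2017, 9, 14)),
    Host("ws-03", "CCleaner", "5.32", date(2017, 7, 1)),
    Host("ws-04", "CCleaner Cloud", "1.07.3191", date(2017, 8, 30)),
    Host("ws-05", "CCleaner", None, date(2017, 9, 1)),
    Host("ws-06", "CCleaner", None, None),
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h.name:6} {h.product:15} {str(h.version):10} {triage(h)}")
    print(summarize(SAMPLE))
```

Hosts marked "review" have no version data but installed inside the window in which 5.33 was served, so they warrant a manual version check.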
Statement from Morphisec
In an email conversation with Israeli cybersecurity firm Morphisec, HackRead was told that Morphisec had stopped the attack in August, as documented by the attack reports in its customers’ management consoles. Some customers run this reporting component of Morphisec’s solution on-site. However, Morphisec has no visibility into what exactly it stopped.
In some cases, customers send Morphisec their attack reports because they have a special interest in a prevented attack. That was the case with the CCleaner attacks: the customer shared its attack report with Morphisec, which included the attack via CCleaner that Morphisec had prevented. Michael Gorelik, VP of R&D, and the R&D department started to look into that report because they discovered that a security app was part of the attack chain.
According to Michael Gorelik, “We strongly believe that each security vendor has the responsibility to inform software companies about threats discovered in their software. We were the first to contact Avast about the threat and shared all the information we could to help them. Luckily, we were able to heavily rely on the unique attack log our solution generates. We are happy to have contributed to the resolution of a threat concerning so many Avast users.”
“A backdoor transplanted into a security product through its production chain presents a new unseen threat level which poses a great risk and shakes customers’ trust. As such, we immediately, as part of our responsible disclosure policy, contacted Avast and shared all the information required for them to resolve the issue promptly. Customers’ safety is our top concern,” said Gorelik.
Gorelik and his team discovered this on September 11, at which time they informed Avast (exact timing was September 12, 8:35 a.m. PST). Morphisec received confirmation from Avast that without Morphisec’s alert, they wouldn’t have been aware of the current threat.
Read Morphisec’s findings here.
At the moment it is unclear who is behind this attack, but given its success it is reasonable to assume that the attack was highly sophisticated and that the attackers knew what they were doing. It is possible that the attackers got hold of a zero-day vulnerability in CCleaner’s download server that allowed them to carry out their campaign without raising suspicion.