Hackers installed a backdoor system into the popular security application CCleaner, according to reports. Version 5.33 was issued back on August 15, and the problem was not detected until September 13. According to Avast, the parent company of Piriform, around 2.27 million users ran the affected software.
CCleaner is a popular utility tool that promises to remove useless software on your computer to improve performance, earning it the moniker of “Crap Cleaner.” Boasting around 2 billion downloads, it was, therefore, a perfect target for the hackers, as it was a widely used piece of software from a legitimate organization, as Talos, the researchers who first discovered the hack, explained in its write-up:
This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.
The attack came in the form of a “multi-stage malware payload that rode on top of the installation of CCleaner,” the Talos team wrote. This made it possible for other suspicious software to be downloaded and executed without the user knowing. It also gathered data, including computer names, list of installed software, list of running processes, and MAC addresses of network adaptors.
Paul Young, vice president of product at Piriform, wrote a blog post about the incident:
Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
Avast’s Chief Technology Officer Ondrej Vlcek told Forbes that despite the hacking, there was no reason for anyone to panic:
2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic… To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.
However, not everyone was so convinced by Avast’s assertion that everything was okay now. Martijn Grooten, the editor of security publication Virus Bulletin, said that he felt they were downplaying the seriousness of the attack:
As I read the Cisco blog, there was a backdoor that could have been used for other purposes. This is pretty server. Of course, it may be that they really only stole… ‘non-sensitive data’… but it could be useful in follow-up targeted attacks against specific users.
If you own a copy of the infected version of CCleaner, it is recommended that you download the most recent update of it from Piriform’s website, which you can access here.