Imagine you hire a professional cleaning company to do some work on your house. Now imagine that you hired the wrong cleaning company, and they actually double as mercenaries hired to steal valuable objects from your home. That’s basically what happened when version 5.33 of the CCleaner app was released on August 15. The infected CCleaner software was only recently discovered by Cisco Talos, loaded with the Floxif malware.
The danger of this hack is that CCleaner is one of the most trusted and widely used apps for maintaining a PC or Mac in order to achieve better performance. According to Cisco Talos, “CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week.” The infected CCleaner software was available for download from August 15 through September 12. Cisco Talos concluded with the sobering remark, “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.” It is unknown whether the compromise of CCleaner was carried out externally, without the knowledge of the developer Avast, or by an “insider,” as Cisco Talos speculates is a possibility: “It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”
CCleaner’s (CC) original developer, Piriform, was bought by Avast this past July, a mere month before version 5.33 was released. Avast confirmed the infected CCleaner software in their blog today, issuing a formal apology. “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process,” Paul Yung, Vice President of Products at Avast, explained. “We also immediately contacted law enforcement units and worked with them on resolving the issue,” Yung continued. “Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
For anyone who downloaded the infected CCleaner software, Avast CTO Ondrej Vlcek claims that updating CC to the most recent version will resolve the issues. Vlcek also added, “There is no indication or evidence that any additional ‘malware’ has been delivered through the backdoor.”
In all, a compromise of CCleaner’s software is a rarity. But it goes to show that nobody is immune to malware hacks, not even the most trusted cleaning services.