Legitimately signed but backdoored versions of the CCleaner utility were available for download from the developer’s Web site and servers for nearly a month, researchers said.
The company that develops CCleaner, Piriform, was just purchased by Avast.
Piriform said the 32-bit version of CCleaner’s v5.33.6162 and v1.07.3191 of CCleaner Cloud were affected.
“Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15,” the company said in a post.
It is still unknown how the compromise happened, the company said.
They said up to 3 percent of their users used the two compromised versions of the software.
Piriform estimated the number of people who used the affected software is around 2.27 million.
“If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes,” Cisco Talos researchers said.
An instance of a backdoored CCleaner version was flagged by researchers at Cisco Talos while they were beta testing their new exploit detection technology with customers.
The flagged executable was signed with a valid digital certificate issued to Piriform, but came with an additional payload.
“We immediately contacted law enforcement units and worked with them on resolving the issue,” said Paul Yung, vice president of products at Piriform. “Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
The backdoor also collected information about the target systems (name of computer, its IP address, list of installed software, list of running processes, etc.) and sent it, encrypted, to a remote server located in the USA.
Piriform and Avast continue the investigation in order to find out how this compromise happened, who did it, and the hackers’ ultimate goal.
In the meantime, they have already had download sites remove CCleaner v5.33.6162, pushed out a notification prompting CCleaner users to update from v5.33.6162 to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.
They didn’t say it, but it’s likely that they’ve used a new digital certificate to sign these latest versions.
“The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised,” said Cisco Talos researchers. “Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.”
Yung said even though the second stage payload was received by the targets after the information was sent, they “have not detected an execution of the second stage payload and believe that its activation is highly unlikely.”
Antivirus detection for the threat is extremely low, so if you have downloaded and installed one of the affected CCleaner versions, or have upgraded to them, it is likely that your computer has been backdoored without your antivirus having noticed.
“Affected systems need to be restored to a state before August 15, 2017 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection,” Cisco said.
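The practical defender's task that follows from the version list above and from Cisco's guidance is a fleet-wide hunt: find every host running one of the two backdoored builds and assign the corresponding remediation. The script below is an added example, not code from the article, Piriform, Avast or Cisco Talos. It takes a constructed software inventory (hostnames, product names, version strings, architecture and the result of a signature check) and classifies each entry. The status names, the `InstalledProduct` record and the sample hosts are assumptions made for the example; the affected and fixed version numbers are the ones the article reports. Note that the signature flag is deliberately ignored: the backdoored build carried a valid Piriform signature, so "signed by the vendor" clears nothing in this incident.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Builds reported as backdoored: only the 32-bit build of CCleaner v5.33.6162,
# and CCleaner Cloud v1.07.3191 (no architecture stated for Cloud, so any
# architecture of that build is treated as affected).
AFFECTED: List[Tuple[str, Version, Optional[str]]] = [
    ("CCleaner", (5, 33, 6162), "x86"),
    ("CCleaner Cloud", (1, 7, 3191), None),
]

# Versions users were moved to: CCleaner v5.34 and CCleaner Cloud 1.07.3214.
# "5.34" has no build number, so only two components are compared for it.
FIXED: Dict[str, Version] = {
    "CCleaner": (5, 34),
    "CCleaner Cloud": (1, 7, 3214),
}


def parse_version(text: str) -> Version:
    """Turn 'v5.33.6162' or '1.07.3191' into a tuple of ints for comparison."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


@dataclass(frozen=True)
class InstalledProduct:
    host: str
    product: str
    version: str
    arch: str               # "x86" or "x64"
    signed_by_vendor: bool  # outcome of an Authenticode check; not used for triage


def assess(item: InstalledProduct) -> str:
    """Classify one inventory entry as 'affected', 'outdated', 'current' or 'untracked'.

    The signature flag is intentionally not consulted: the backdoored binary
    was validly signed, so a good signature cannot exonerate a host here.
    """
    version = parse_version(item.version)
    for product, bad_version, bad_arch in AFFECTED:
        if item.product == product and version == bad_version and bad_arch in (None, item.arch):
            return "affected"
    fixed = FIXED.get(item.product)
    if fixed is None:
        return "untracked"
    # Compare only as many components as the fixed version specifies.
    return "outdated" if version[: len(fixed)] < fixed else "current"


# Remediation per status, following the article's guidance.
REMEDIATION = {
    "affected": "restore to a state before August 15, 2017 or reinstall, then update to the latest version",
    "outdated": "update to the latest available version",
    "current": "no action required",
    "untracked": "not in scope for this hunt",
}


def triage(inventory: List[InstalledProduct]) -> Dict[str, Tuple[str, str]]:
    """Map each host to its (status, remediation) pair."""
    result: Dict[str, Tuple[str, str]] = {}
    for item in inventory:
        status = assess(item)
        result[item.host] = (status, REMEDIATION[status])
    return result


# Constructed sample inventory (hostnames and the 5.34.0 / 2.0.1 build strings
# are made up for the example; the other version strings are from the article).
SAMPLE_INVENTORY = [
    InstalledProduct("ws01", "CCleaner", "v5.33.6162", "x86", True),
    InstalledProduct("ws02", "CCleaner", "v5.33.6162", "x64", True),
    InstalledProduct("ws03", "CCleaner Cloud", "1.07.3191", "x64", True),
    InstalledProduct("ws04", "CCleaner", "5.34.0", "x64", True),
    InstalledProduct("ws05", "CCleaner Cloud", "1.07.3214", "x86", True),
    InstalledProduct("ws06", "Some Other Tool", "2.0.1", "x64", False),
]

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} -> {action}")
```

In a real environment the inventory would come from an endpoint agent or asset database rather than a hard-coded list; the point of the triage is that a host is judged on exactly which build it runs, and the 64-bit copy of v5.33.6162 is reported as merely outdated, matching the article's statement that only the 32-bit build was affected.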