Hackers broke into Piriform's popular CCleaner software last month potentially allowing them to control the devices of more than two million users.
The free program CCleaner is downloaded for personal computers and Android phones as often as five million times a week. It allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized and provides a more streamlined way to manage installed applications. Piriform, which was bought in July by computer security vendor Avast, says that 130 million people use its software.
Security researchers at Cisco's Talos unit recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016, with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, the security firm decided to move quickly. On September 13, 2017, Cisco Talos notified Avast of its findings so that it could initiate appropriate response activities.
The researchers identified a version of CCleaner downloaded in August which included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs.
The sophisticated attack penetrated an established and trusted supplier in a manner similar to June's "NotPetya" attack on companies that downloaded infected Ukrainian accounting software.
The optimization software had a proper digital certificate, which means that other computers automatically trust the program, the researchers said.
Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. The company said that 2.27 million users had downloaded the August version of CCleaner, while only 5,000 users had installed the compromised version of CCleaner Cloud.
A new version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.
Piriform said it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.
This is a prime example of the lengths to which attackers are willing to go in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates. In many organizations, data received from commonly used software vendors rarely receives the same level of scrutiny as data from sources perceived as untrusted. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.
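As an added defender-side example (not code from Piriform, Avast or Cisco Talos), the following Python script does the two checks this incident calls for: it flags hosts in a software inventory that run the two build numbers the advisory above names as compromised, and it verifies a downloaded installer's SHA-256 against a hash the vendor published out of band, which is the check a valid code signature alone does not give you. The hostnames, inventory rows, the 5.34.0 version string and the installer bytes are constructed for the demo; the two compromised version numbers come from the text.

```python
"""Flag known-compromised CCleaner builds in an inventory and verify a
downloaded installer against a vendor-published hash.
Added example; not Piriform, Avast or Talos code."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Build numbers the Piriform advisory names as compromised.
COMPROMISED = {
    "CCleaner": (5, 33, 6162),        # CCleaner v5.33.6162
    "CCleaner Cloud": (1, 7, 3191),   # CCleaner Cloud v1.07.3191
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple:
    """Turn '5.33.6162' or 'v1.07.3191' into a tuple of ints ('07' -> 7)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_compromised(product: str, version_text: str) -> bool:
    """True if this exact product build is one of the compromised releases."""
    bad = COMPROMISED.get(product)
    return bad is not None and parse_version(version_text) == bad


def flag_inventory(records):
    """records: iterable of dicts with 'host', 'product' and 'version' keys.
    Returns the rows that need remediation."""
    return [r for r in records if is_compromised(r["product"], r["version"])]


# Constructed inventory rows (hypothetical hostnames; 5.34.0 is a made-up
# version string, not a real release number).
SAMPLE_INVENTORY = [
    {"host": "ws-101", "product": "CCleaner", "version": "5.33.6162"},
    {"host": "ws-102", "product": "CCleaner", "version": "v5.34.0"},
    {"host": "ws-103", "product": "CCleaner Cloud", "version": "1.07.3191"},
    {"host": "ws-104", "product": "OtherTool", "version": "2.0"},
]


def sha256_file(path) -> str:
    """Stream the file through SHA-256 so large installers do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_matches(path, published_sha256: str) -> bool:
    """True only if the file's SHA-256 equals the hash the vendor published
    out of band. A signed-but-modified build fails this even though the
    signature on it is valid."""
    return hmac.compare_digest(sha256_file(path), published_sha256.lower())


def demo_installer_check():
    """Constructed demo: a 'good' installer, the hash that would be published
    for it, and a build with extra bytes that still 'looks' like the product."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "setup-good.exe"
        tampered = Path(tmp) / "setup-tampered.exe"
        good.write_bytes(b"constructed installer bytes")
        tampered.write_bytes(b"constructed installer bytes + extra stage")
        published = sha256_file(good)  # stands in for the vendor-published value
        return installer_matches(good, published), installer_matches(tampered, published)


if __name__ == "__main__":
    for row in flag_inventory(SAMPLE_INVENTORY):
        print(f"REMEDIATE {row['host']}: {row['product']} {row['version']}")
    print("installer check (good, tampered):", demo_installer_check())
```

In a real deployment the inventory rows would come from an endpoint-management or asset system, and the published hash would be taken from the vendor's own site or advisory rather than computed locally as the demo does; the point of the design is that version and hash are checked independently of the digital signature the article mentions.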