Hackers backdoored CCleaner, likely affecting millions of users

Legitimately signed but backdoored versions of the popular CCleaner utility were available for download from the developer’s Web site and servers for nearly a month, Cisco Talos researchers have discovered.


It is still unknown how the compromise happened. Piriform – the company that develops CCleaner and which was recently acquired by AV maker Avast – has confirmed that the 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected.

“Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15,” the company stated.

They estimate that up to 3% of their users used the two compromised versions of the software, but did not mention actual numbers. A press release from November 2016 puts the number of CCleaner downloads at 2 billion, but that includes all versions of the software (PC, Mac and Android, free and paid).

Piriform boasts of over 5 million weekly CCleaner desktop installs. “If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes,” Cisco researchers noted.

The discovery

An instance of a backdoored CCleaner version was first flagged by Cisco during customer beta testing of its new exploit detection technology.

The flagged executable was signed with a valid digital certificate issued to Piriform, but came with an additional payload.

Paul Yung, VP of Products at Piriform, explained that it was “a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

The backdoor also collected information about the target systems (name of computer, its IP address, list of installed software, list of running processes, etc.) and sent it, encrypted, to a remote server located in the USA.


“We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done,” the company stated.

What now?

Piriform and Avast continue the investigation in order to find out how this compromise happened, who did it, and the hackers’ ultimate goal.

In the meantime, they have already had download sites remove CCleaner v5.33.6162, pushed out a notification urging CCleaner users to update from v5.33.6162 to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to v1.07.3214.

They didn’t say it, but it’s likely that they’ve used a new digital certificate to sign these latest versions.

As Cisco researchers noted: “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.”

Yung pointed out that even though the second stage payload was received by the targets after the information was sent, they “have not detected an execution of the second stage payload and believe that its activation is highly unlikely.”

Antivirus detection for the threat is extremely low, so if you downloaded and installed one of the affected CCleaner versions, your computer has likely been backdoored even if your antivirus raised no alert.

“Affected systems need to be restored to a state before August 15, 2017 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection,” Cisco advises.

Supply chain attacks are a very effective way to distribute malicious software, as we have witnessed in the NotPetya attack: the ransomware/wiper was traced back to hacked servers of Ukrainian software maker MeDoc. Unfortunately, end users can’t do much about that – it’s on the developers to keep their servers secure and clean.

UPDATE: Piriform estimated that the number of people who used the affected software is around 2.27 million.