Infecting legitimate software with malware is not a new hacker technique and has been used in multiple attacks.
Cisco Talos researchers speculate that attackers could have compromised a developer account that provided access or possibly were able to directly exploit a system within the CCleaner build environment.
It’s not currently known how the CCleaner attackers were able to modify the code to include the backdoor code.
15, meaning that users were exposed to risk of infection from the backdoor for approximately one month. According Cisco’s analysis, the infected version of CCleaner was first released on Aug. The Cisco Talos researchers noted that they discovered the CCleaner malware while performing customer beta testing of a new exploit detection technology. Although Piriform’s disclosure only mentioned Avast Threat Labs as helping in the analysis, Cisco Talos claims that it reported the security issue to Avast on Sept. While Avast and Piriform are not speculating on how long the attackers might have been in the CCleaner servers, Cisco’s Talos research group has made its own observations. “At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” Yung stated. Such a backdoor is capable of receiving and running code from an attacker command and control server. “Based on further analysis, we found that the version of CCleaner and the version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.”Īccording to Piriform, CCleaner was modified by an unknown attacker to include a two-stage backdoor. “A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version of CCleaner, and CCleaner Cloud version, on 32-bit Windows systems,” Paul Yung, vice president of products at Piriform, wrote in a statement.
Piriform has contacted law enforcement, shut down the impacted download server and updated CCleaner to version 5.34. “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”Īvast acquired Piriform in July, and in a statement Piriform thanked Avast Threat Labs for analyzing the attack. “We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” a spokesperson for software security vendor Avast told eWEEK. 18, Piriform publicly revealed that its servers had been hacked, with attackers modifying CCleaner with a backdoor that possibly infected millions of users. More than 2 billion users around the world have downloaded the Piriform CCleaner tool to help remove unwanted files and keep their systems secure.