Security Alert: Criminals Slip Backdoor in CCleaner to Spread Malware
Compromised CCleaner Versions Endanger Millions of Devices
IT infrastructure is important for any company that wants to perform well on the market, and every part of the system should provide maximum security and safeguard sensitive data. But unfortunate incidents happen: critical pieces of infrastructure are affected and produce business disruptions, as in this recent case involving CCleaner, a popular PC cleaning application.
The attack against CCleaner has been labeled as a “supply-chain attack” which involves exploiting vulnerabilities in the supply network used by a specific organization.
CCleaner, one of the most widely used PC cleaner and optimization applications created by Piriform and acquired in July 2017 by the antivirus company Avast, has been compromised by cyber criminals. Attackers managed to infiltrate two versions of CCleaner and slip backdoors into them, potentially impacting millions of devices and their users.
If you are using the older version of the CCleaner app, 5.33, you should upgrade to version 5.34 immediately.
Here’s what we know so far
- A compromised version of CCleaner was released on August 15 and “went undetected by any security company for four weeks”, said Avast in an updated post on their blog
- Morphisec researchers identified and prevented CCleaner.exe installations on August 20 and 21 in customer logs, and some of those customers shared their logs on September 11
- The following day, on September 12, Morphisec started the investigation and notified Avast about its findings to identify the issue
- Separately, Cisco also reported this problem to Avast on September 13
- Avast first learned about the compromise on September 12, and, by the time the Cisco message was received (September 14), they had already analyzed the threat, assessed its risk level and started investigating the root cause of the issue.
- Avast worked with law enforcement in the US, and the offending command-and-control server was taken down on September 15
- During that time, the Cisco Talos team was also working on the issue and registered the secondary DGA domains. With these two actions, “the server was taken down and the threat was effectively eliminated”
- The Piriform and Avast teams provided a quick fix for CCleaner users by confirming that the currently shipping version (5.34) and previous versions didn’t contain the threat.
- Then they released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed
- Avast notified the remaining users to upgrade to the latest version of the product as soon as possible
- On September 18, Piriform made the official announcement on their blog about this security issue, stating: “Older versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for only 32-bit Windows users had been compromised in a sophisticated manner”.
- September 19: in the update, Avast said about this incident that they will keep updating it and “to take all possible measures to ensure that it never happens again.”
CCleaner is a popular application that helps users remove unwanted files left behind by various programs, freeing and optimizing hard disk space for better performance.
It’s also worth mentioning that, for almost one month, 2.27 million people used the affected version of CCleaner.
Since November 2016, CCleaner has had over 2 billion downloads worldwide, with a growth rate of 5 million desktop installations per week, so the potential impact that cyber criminals wanted to achieve was massive!
Given the proactive approach of the Avast team, the number of affected people went down to 730,000 users still using the affected version (5.33.6162).
The company is strongly encouraging users to download the latest version available, 5.34 or higher of the application to avoid being exposed to a potential attack.
What is a supply-chain attack
Definition: This type of attack aims to damage an organization by leveraging vulnerabilities in its supply network. Typically, attackers manipulate hardware or software during the manufacturing or distribution stage and implant rootkits or hardware-based spying elements. In this case, the malware was delivered through a backdoor and remained undetected for weeks.
Such attacks are effective mainly because cyber criminals try to spread malware throughout the target organizations by leveraging a resource used internally.
The current publicly available information suggests that cyber criminals managed to access the company’s download servers used by CCleaner and deliver compromised versions of the app to unsuspecting users. No specific details about malware delivery through these impacted versions have surfaced so far.
When the trust relationship between a manufacturer/supplier and its customers is abused, it leads to confusion among all parties involved in the process. This was one of the consequences of this compromise, which is why we’re aiming to provide guidance and help you understand the situation better.
How to check if you’ve been affected
If you are one of the users who have installed CCleaner older versions, your device is at risk! Please read on.
The attack affects anyone who downloaded CCleaner version 5.33 or updated their app to this version between August 15 and September 12, when the new 5.34 version was released.
The first thing to do is to check for updates and see if you have the new 5.34 version of CCleaner.
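For an administrator who has to check many machines rather than one, the version check above can be turned into a triage script. This is an added example, not Piriform’s, Avast’s or Heimdal’s code: the inventory records are constructed to mirror the DisplayName/DisplayVersion values found under the Windows Uninstall registry keys, and the install architecture is assumed to be known per host.

```python
"""Flag CCleaner installs hit by the 2017 supply-chain compromise.
Added example, not Piriform's, Avast's or Heimdal's code. Records are
constructed to mirror DisplayName/DisplayVersion values from the Windows
Uninstall registry keys; the install architecture is assumed to be known."""

# From the article: only the 32-bit builds of CCleaner 5.33.6162 and
# CCleaner Cloud 1.07.3191 carried the backdoor; 5.33.6163 is the same
# build with the backdoor removed; 5.34 and later are clean.
BACKDOORED = {("CCleaner", (5, 33, 6162)), ("CCleaner Cloud", (1, 7, 3191))}
FIXED_REBUILD = ("CCleaner", (5, 33, 6163))
FIRST_CLEAN = (5, 34)


def parse_version(text):
    """'1.07.3191' -> (1, 7, 3191). Compare as integers: as strings,
    '5.4' sorts below '5.34' and '1.07' below '1.7'."""
    return tuple(int(p) for p in text.strip().split("."))


def classify(name, version, arch):
    """Verdict for one install: backdoored, fixed-rebuild, clean or review."""
    v = parse_version(version)
    if (name, v) in BACKDOORED:
        # 64-bit installers were not trojanised, but flag them for a manual look.
        return "backdoored" if arch == "x86" else "review"
    if (name, v) == FIXED_REBUILD:
        return "fixed-rebuild"
    if name == "CCleaner" and v[:2] >= FIRST_CLEAN:
        return "clean"
    return "review"  # older releases or unknown products: check by hand


def triage(inventory):
    """Group hosts by verdict so the 'backdoored' list can be actioned first."""
    groups = {}
    for rec in inventory:
        verdict = classify(rec["name"], rec["version"], rec["arch"])
        groups.setdefault(verdict, []).append(rec["host"])
    return groups


# Constructed sample inventory; hostnames are placeholders.
SAMPLE = [
    {"host": "pc-01", "name": "CCleaner", "version": "5.33.6162", "arch": "x86"},
    {"host": "pc-02", "name": "CCleaner", "version": "5.33.6162", "arch": "x64"},
    {"host": "pc-03", "name": "CCleaner", "version": "5.33.6163", "arch": "x86"},
    {"host": "pc-04", "name": "CCleaner", "version": "5.34.6207", "arch": "x86"},
    {"host": "pc-05", "name": "CCleaner Cloud", "version": "1.07.3191", "arch": "x86"},
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE).items()):
        print(f"{verdict:14s} {', '.join(hosts)}")
```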
Should I still update my software? What if it’s infected?
It is worth saying that software patching is one of those proactive things we can do to enhance our security online. And we still need to take all needed measures to update our software products. We highly recommend reading our roundup on what security experts have to say about the importance of software patching.
Despite observations that these kinds of attacks are on the rise, the reality is that they remain extremely rare when compared to other kinds of attacks users might encounter. This and other supply chain attacks should not deter users from updating their software. Like any security decision, this is a trade-off: for every attack that might take advantage of the supply chain, there are one hundred attacks that will take advantage of users not updating their software.
We quoted the Electronic Frontier Foundation, a leading nonprofit organization defending civil liberties in the digital world. Their work is focused on ensuring that rights and freedoms are enhanced and protected as the use of technology quickly grows.
Details about the CCleaner update delivered through Heimdal products
As soon as the news about the CCleaner backdoor broke, we conducted a thorough analysis of the patch delivered by Heimdal™ Threat Prevention, Thor Free, and Endpoint Security Suite on August 16 (for v5.33). The way Heimdal delivers the patch does not involve executing any code, so the backdoor is never opened. In the case of the CCleaner patch, no malicious connections were made.
Additionally, we immediately blocked the DGA domains and IP addresses used in distributing the potential infection. Following a thorough analysis of the traffic on all PCs and other endpoints protected by Heimdal, we identified zero blocks of malicious traffic associated with any of the DGA domains involved in the CCleaner security breach.
However, if you have auto-update turned off for CCleaner in Heimdal™ Threat Prevention or Heimdal Free and you’re still running v5.33.6162, we highly recommend you upgrade right away to v5.34 or v5.35 (the latest in the Heimdal patching system) to eliminate any potential vulnerability.
How to fend off supply-chain attacks if you’re a home user
- Whenever possible, choose official and trusted software products to protect your data
- If you are using CCleaner, see what version you’ve installed on your computer
- If you’ve been using the affected version, scan your system and check for a potential malware infection
- Protect your data with at least two backups: one on an external hard drive and another one in the cloud. Also, check that your backups are intact and can be restored if you need to.
- Use a proactive security solution to provide multi-layered protection for your devices
- Keep your system and all software up to date, because the latest security updates are especially important.
- Knowledge is the best weapon you can use, so take action and learn about cybersecurity and how you can prevent cyber threats.
How you can protect your company from supply-chain attacks
In a business environment, the supply chain, whether concerning a manufacturer or a service provider, is a prime target for cyber attacks. Here’s what you need to do to maximize your protection against these attacks.
- Supply chain security is every company’s responsibility and you need to take all necessary security measures to protect your customers
- It is vital to have a crisis plan in place, but also to focus some of your resources on proactively managing cybersecurity risks, no matter the attack type they’re related to
- Raise awareness among your employees of how such cyberattacks can occur.
- Clearly define the regulatory compliance between you and your suppliers and ensure that all due diligence is covered
- Monitor your supply chain’s access to your company data and network
- Make sure the supply chain vendor has clear security policies and procedures that you are aware of
- Be proactive and implement a solid IT infrastructure in your company
- If you’ve been using or downloaded CCleaner 5.33 or updated to this version, immediately update to the latest version of CCleaner, 5.34, on all your devices. Keeping software up to date can prevent systems from being infected and removes the backdoor code from them. If possible, restore the affected endpoints to the state they were in before August 15.
- All companies should have a backup strategy to safeguard their sensitive data.
If you’re interested in reading technical details and following how the situation evolves, we recommend the following articles:
- Piriform official statement
- Cisco Talos analysis
- Morphisec analysis
- Avast clarification
- Researchers Link CCleaner Hack to Cyberespionage Group
- Avast Threat Labs analysis of CCleaner incident
Should you still use CCleaner?
This recent incident is a reminder of the danger posed by supply chain attacks. Cybercriminals took advantage of an essential piece of infrastructure to reach and impact a potentially large number of users.
Users did not expect such attacks to happen, and neither did Avast or Piriform. Still, the company reacted promptly and allocated time and resources to solve this incident to the best of its abilities.
Although no one wants to see this situation happen again, it could happen to any tech company, unfortunately. This is why situations like these prompt us to look at our own security habits, both as individual users and as employees and companies, and see how we can contribute to our overall safety.
Did you know about this security incident? What questions did it trigger for you? (Maybe we can help with some additional answers.)
I started having issues with CCleaner back in 2016. A site that I stream TV and movies from, which I just posted about, seems to be someone’s test ground for malware. I got fake CC, Flash, Win and other update notices that took you to a site that looked real but I know was loaded with malware. That same site uses Facebook plugins to access your system and take control. I suggest taking a good look at them. G
Nice guide, thanks for sharing a good article.
Thank you for the feedback!
You have CCleaner in the repository; is this the 32-bit or 64-bit version? And do you perform a test of the software before you deliver it through Heimdal’s patching system?
Hi Tobey! We deliver patches for both versions and we’ve updated the article to include details on this. We did a thorough analysis of the communication from computers and other endpoints protected by Heimdal products and identified no incoming or outgoing connections to the malicious domains. Please see the details and contact us at support [at] heimdalsecurity.com if you need any details. Thank you!
I think advice about what to do if your data was compromised should be given to the readers.
We’ve included some details about that as well, at the end of the article. If you’re interested, we’d also recommend this helpful guide, so you can check your PC: https://heimdalsecurity.com/blog/malware-removal/
Total nightmare. As a Heimdal Pro user I am very concerned whether Heimdal has auto-installed the compromised version of CCleaner and in case my PC got infected what Heimdal has done to protect my data.
We’ve updated the article with details and we’re always here to answer your questions if you have any. A thorough analysis of all blocked communication by Heimdal has revealed zero connections to the domains included in the security incident. You can also email us at support [at] heimdalsecurity.com to get technical answers and details. We’ll keep this post updated as well.
I have version 54.6207 of CCleaner installed due to your software update patches. I went to check the program and I get a prompt saying that there is an update available, 54.6210. Heimdal hasn’t updated my version to this version yet. Should I use their update and install it manually? The update comes from the CCleaner company, I think. Should I disable their own automatic check for updates tool and then wait for Heimdal, trusting that the computer is in the safe zone already?
All Heimdal users who had autoupdate checked received the latest patches. Versions starting with 5.34 are clean and pose no risk. The latest version available in the Heimdal software management system is 5.35. If you have autoupdate enabled, you already have the latest version.
If you already had autoupdate for CCleaner, they also pushed out the safe version (starting with 5.34) as soon as they were notified of the compromise, so either way, you are covered.
I hope you find the guide helpful and we’ll keep it up to date if any crucial information arises. Thank you!