Hackers Hid Malware in CCleaner for Nearly a Month?

Discussion in 'Windows OS and Software' started by LaptopNut, Sep 18, 2017.

  1. LaptopNut

    LaptopNut Notebook Virtuoso

    According to this site and the linked blog (with more technical details), CCleaner and its servers were compromised.

    A little from their blog...

  2. hmscott

    hmscott Notebook Nobel Laureate

    Fortunately it was only the 32 bit version that was infected, and not the 64 bit version I use and recommend, and I missed that infected version completely. I've updated to the current 5.34 64 bit edition.

    Here is the apology, non-technical and technical explanation by Piriform:

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    https://www.piriform.com/news/blog/...eaner-cloud-v1073191-for-32-bit-windows-users

    "PAUL YUNG - VP, Products

    Dear CCleaner customers, users and supporters,

    We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process.

    We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.

    In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

    Further technical info is included, worth checking out...

    "Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update.

    For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here. "
  3. StormJumper

    StormJumper Notebook Virtuoso

    Lost my trust in them now; I stick with versions before v5.33.6162 and no more. They sure have a way of shooting themselves in the foot fast, but can't seem to find a fix for those who installed v5.33.6162 and have no way to know, or to get rid of it. That's what they should be doing instead of just deleting v5.33.6162, but we all know they won't, so trust is lost now.
  4. hmscott

    hmscott Notebook Nobel Laureate

    I'm not going to stop using their software. I don't use the 32 bit version so I didn't have the infection, do / did you?

    The Avast! server given to CCleaner was the attack vector, and they have locked it down now.

    I don't expect they will have another incursion, and I put the problem in the lap of Avast!, not the Piriform people / developers.
     
    Last edited: Sep 19, 2017
  5. pathfindercod

    pathfindercod Notebook Deity

    If you knew how many companies and how much software are compromised without you ever finding out, and lived by your convictions, you'd never use a computer again. Have you lost faith in Microsoft and sworn off Windows? Windows is compromised on a daily basis because of M$ and their crappy programming.
  6. StormJumper

    StormJumper Notebook Virtuoso

    If we live by grabbing for straws, I do wonder how we will ever live???

    That's a stretch too long here. CCleaner is a small-time program and M$ has a big target on their back. I can see the O/S intrusion, but a cleaner program? Come on, give me a break. This tells me that if they can't even protect a popular program, then what else can Avast not protect when it's supposed to be protecting your computer from malware and viruses. *hint*
     
  7. pathfindercod

    pathfindercod Notebook Deity

    A big company with a target, unlimited financial supply and practically unlimited programming teams is excusable. However, the small guy that has supplied a great free tool for many years gets the big shove up the butt.. well, good enough for you to keep using an old version, but denounced, shamed and marked with the big red A on their chest now.. makes total sense...
     
  8. Salad Bar Riot

    Salad Bar Riot Notebook Enthusiast

    Last edited: Sep 21, 2017
  9. hmscott

    hmscott Notebook Nobel Laureate

    The Talos article is worth reading in detail:

    CCleaner Command and Control Causes Concern
    http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

    Another report on the overall situation:

    THE CCLEANER MALWARE FIASCO TARGETED AT LEAST 20 SPECIFIC TECH FIRMS
    https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/

    "...On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.

    On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

    In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

    "When we found this initially, we knew it had infected a lot of companies," says Williams. "Now we know this was being used as a dragnet to target these 20 companies worldwide...to get footholds in companies that have valuable things to steal, including Cisco unfortunately."

    Talos EP 13: A Vast CCleanup, Strutting Your Stuff, and the Ex$ploit Economy Podcast...
    http://blog.talosintelligence.com/2017/09/beers-with-talos-ep-13a-vast-ccleanup.html

    Earlier Talos post:

    CCleanup: A Vast Number of Machines at Risk
    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
     
    Last edited: Sep 21, 2017
  10. Papusan

    Papusan BGABOOKS = That sucks!! STAHP! Dont buy FILTH...
