Piriform, makers of the popular file cleaner CCleaner, confirmed on Monday, September 18th, 2017 that hackers managed to attack the company's computer network successfully.
The hackers compromised two versions of CCleaner in the attack, which have been used by up to 3% of the company's user base.
The affected versions are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. According to Piriform, only the 32-bit versions of the applications were compromised and distributed using the company's own infrastructure.
The company asks users to update their version of the program to the latest available release if that has not been done already. The latest release version of CCleaner is version 5.34 at the time of writing.
- CCleaner 5.33.6162 was released on August 15th, 2017, and an updated non-compromised version was released on September 12, 2017.
- CCleaner Cloud 1.07.3191 was released on August 24th, 2017, and a non-compromised version of the program on September 15th, 2017.
Security researchers of Cisco's Talos Group revealed details about the successful supply chain attack. Talos Group informed Avast, the parent company of Piriform, about the situation.
Talos Group "identified a specific executable" during tests of the company's new exploit detection tool. The executable came from the CCleaner 5.33 installer, which in turn was delivered by legitimate CCleaner download servers.
The download executable was signed with a valid Piriform signature. The installer contained a "malicious payload that featured a Domain Generation Algorithm" as well as "hardcoded Command and Control" functionality.
The Talos researchers concluded that the malicious payload was distributed between the release of version 5.33 on August 15th, 2017 and the release of version 5.34 on September 12th, 2017.
The researchers think it is likely that "an external attacker compromised a portion" of Piriform's development or build environment, and used the access to insert the malware into the CCleaner build. Another option that the researchers consider is that an insider included the malicious code.
CCleaner users who want to make sure that the compromised version is not still on their system may want to scan it on VirusTotal, or scan it with ClamAV, as it is the only antivirus software that detects the threat right now.
You can download the free ClamAV from this website.
The malicious payload creates the Registry key HKLM\SOFTWARE\Piriform\Agomo and uses it to store various information.
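For administrators who want to check a Windows host for the two indicators the article names (the Agomo registry key and the compromised version numbers), here is an added triage script; it is not code from the article or from Piriform. The default CCleaner install path, the uninstall-entry lookup and the file-version format are assumptions.

```powershell
# Added example, not from the article or Piriform. Agomo key and version numbers
# come from the article; install paths and uninstall-entry lookup are assumptions.
$Affected = @{ 'CCleaner' = '5.33.6162'; 'CCleaner Cloud' = '1.07.3191' }

function Test-AgomoKey {
    # The payload created this key to store the data it collected (per the article).
    Test-Path -Path 'HKLM:\SOFTWARE\Piriform\Agomo'
}

function Get-PiriformUninstallEntries {
    # Both registry views: the compromised builds were 32-bit, so on 64-bit
    # Windows they register under WOW6432Node.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like 'Piriform*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-CCleanerExeVersion {
    # Default install locations (assumed). The uninstall entry may carry a shorter
    # version string, so the file version of CCleaner.exe is checked as well.
    foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        $exe = if ($base) { Join-Path $base 'CCleaner\CCleaner.exe' }
        if ($exe -and (Test-Path $exe)) {
            [pscustomobject]@{ Path = $exe; Version = (Get-Item $exe).VersionInfo.FileVersion }
        }
    }
}

$findings = @()
if (Test-AgomoKey) {
    $findings += 'HKLM\SOFTWARE\Piriform\Agomo exists: the payload ran on this host'
}
foreach ($e in Get-PiriformUninstallEntries) {
    foreach ($name in $Affected.Keys) {
        if ($e.DisplayName -like "$name*" -and $e.DisplayVersion -eq $Affected[$name]) {
            $findings += "$($e.DisplayName) $($e.DisplayVersion): compromised build, update now"
        }
    }
}
foreach ($f in Get-CCleanerExeVersion) {
    # File versions may carry an extra zero field (e.g. 5.33.0.6162); accept both forms.
    if ($f.Version -match '^5\.33\.(0\.)?6162') {
        $findings += "$($f.Path) reports $($f.Version): compromised build, update now"
    }
}
if ($findings) { $findings } else { 'None of the advisory indicators were found' }
```

Run it in an elevated PowerShell session so the HKLM hives are readable; any line of output is a finding to act on.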
Piriform issued a statement on September 18th, 2017. According to that statement, non-sensitive data may have been transmitted to a server in the United States of America.
The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server.
Paul Yung, the company's VP of products, published a technical assessment of the attack on the company blog as well.
The only suggestion that Piriform has is to update to the most recent version.
The compromised versions of CCleaner and CCleaner Cloud were distributed for nearly a month. With over 20 million downloads per month, plus the updates, that means a high number of PCs have been affected by this.