Hackers Inserted Malware into Popular CCleaner App

Security researchers have urged users of a hugely popular performance optimization tool to upgrade to the latest version, after discovering a sophisticated supply chain attack which inserted malware into the software.

During beta testing of a new security tool, Cisco Talos discovered malicious code in the 32-bit version of the CCleaner 5.33 installer from London-headquartered Piriform, now part of Avast.

Far from being a fake CCleaner app, the version spotted by Cisco was a legitimate build signed with Piriform's valid digital certificate, so checking the signature alone would not have flagged it.

“It is likely that an external attacker compromised a portion of [Piriform’s] development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization,” the firm explained.

“It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

If true, the modus operandi of the hackers is reminiscent of the way 'NotPetya' was spread after attackers targeted popular Ukrainian accounting software at source.

Cisco Talos also suggested that portions of the signing process for the certificate in question may have been compromised, and argued the certificate should be revoked and untrusted.

“When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it,” it added.

The malware runs only when the current user has administrator privileges. It profiles the host and gathers system information – such as computer name, IP address, list of installed software, list of running software and list of network adapters – before sending it to a US-based command-and-control (C&C) server.

Attackers could use infected machines “for any number of malicious purposes”, since the malware can download and run second-stage payloads, possibly to steal personal and financial information. Detection rates are also very low (1 of 64 antivirus engines at the time) for this threat, Cisco warned in a blog post on Monday.

CCleaner has been downloaded over two billion times worldwide and five million new users are said to be signing up each week, although it’s unclear how many have downloaded the malicious version. Piriform said as many as 3% of its huge user base “may” have been compromised.

The spread of the malware is likely to have been restricted by Cisco’s early intervention and Piriform/Avast’s quick action in forcing the shut-down of the C&C server in question and releasing an updated version of the affected tool: CCleaner 5.34.

“Affected systems need to be restored to a state before August 15, 2017 or reinstalled,” urged Cisco Talos. “Users should also update to the latest available version of CCleaner to avoid infection.”
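As an added practitioner check, not code from the article, Cisco Talos or Piriform, the following PowerShell script inventories CCleaner on a Windows host, flags the 5.33 build and shows why a valid Authenticode signature does not clear the file. The uninstall registry keys, the CCleaner.exe file name for the 32-bit binary and the default install directory are assumptions; the article publishes no file hashes, so none are used.

```powershell
# Added example (not from the article, Cisco Talos or Piriform): check a Windows
# host for the trojanised 32-bit CCleaner 5.33 build.
# Assumptions not stated on the page: CCleaner registers under the standard
# uninstall keys, the 32-bit binary is CCleaner.exe in the install directory,
# and the default install directory is "$env:ProgramFiles\CCleaner".

$affectedVersion = '5.33'            # 32-bit CCleaner 5.33 per Cisco Talos
$fixedVersion    = [version]'5.34'   # first clean release named in the article
$cutoffDate      = '2017-08-15'      # Talos: restore to a state before this date

# 1. Find CCleaner through the uninstall keys (native view and WOW6432Node view).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

if (-not $installed) {
    Write-Output 'CCleaner is not registered in the uninstall keys on this host.'
    return
}

foreach ($app in $installed) {
    $dir = if ($app.InstallLocation) { $app.InstallLocation } else { Join-Path $env:ProgramFiles 'CCleaner' }
    $exe = Join-Path $dir 'CCleaner.exe'   # 32-bit build; CCleaner64.exe is the 64-bit one
    $info = $null

    $line = '{0} {1}' -f $app.DisplayName, $app.DisplayVersion
    if (Test-Path $exe) {
        $item = Get-Item $exe
        $info = $item.VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        # 2. A valid signature does NOT clear the file: the malicious build shipped
        #    signed with Piriform's legitimate certificate, so the decision has to
        #    rest on the version (or on a known-bad hash, if you have one).
        $fields = @($info.FileVersion, $item.LastWriteTime, $sig.Status, $sig.SignerCertificate.Subject)
        $line += ' file={0} modified={1:yyyy-MM-dd} signature={2} signer="{3}"' -f $fields
    }
    Write-Output $line

    # 3. Decide on the version string from the registry or the file header.
    $isAffected = ($app.DisplayVersion -like "$affectedVersion*") -or
                  ($info -and $info.FileVersion -like "$affectedVersion*")
    if ($isAffected) {
        Write-Warning "Affected build present. Per Talos: restore the host to a pre-$cutoffDate state or reinstall, then install CCleaner $fixedVersion or later."
    }
    elseif ($app.DisplayVersion -match '^\d+(\.\d+)+$' -and [version]$app.DisplayVersion -lt $fixedVersion) {
        Write-Warning "Older than $fixedVersion; update to the current release."
    }
    else {
        Write-Output 'Version is at or above the fixed release.'
    }
}
```

Run it from an elevated PowerShell session, or push it across a fleet with Invoke-Command, and pair the version check with the host's build date: a machine that installed 5.33 and has since been upgraded still needs the restore-or-reinstall step Talos describes, because updating to 5.34 removes the trojanised installer but not any second-stage payload it may have fetched.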
