Unnamed hackers infected up to 4 million PC users after they hijacked CCleaner, a popular utility used for optimising system performance.
The hackers planted malware inside the CCleaner software to spy on PC users and steal their sensitive credentials.
Security research firm Cisco Talos recently discovered that a download server used by Avast to offer a verified version of CCleaner to its customers also contained a multi-stage malware payload that could help hackers spy on millions of PC users who use CCleaner.
The malware was found in CCleaner version 5.33, which was released on 15th August. This version was downloaded by millions of PC users across the world until Avast released version 5.34 on 15th September.
How serious was the threat?
The revelation meant that legitimate software offered by a leading security software provider was being used to harbour powerful spyware for a period of time without being detected.
According to Cisco Talos, this is another classic example of a supply chain attack, in which malware rides on legitimate software to infect computers and help hackers steal sensitive data and user credentials from affected systems.
‘With supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons,’ the firm noted in a blog post.
According to Piriform, the maker of CCleaner and a subsidiary of Avast, the multi-stage malware payload in CCleaner version 5.33 was detected by Avast on 12th September and was subsequently replaced by a new version a few days later.
Piriform added that the affected version of CCleaner was used by up to 3% of its users and that the malware only affected customers with the 32-bit version of the software. The total number of such users could be up to 4 million worldwide.
However, considering that CCleaner enjoys over 2 billion downloads worldwide and adds 5 million users every week, the true number of affected users could be much higher than 4 million.
‘The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server,’ said Piriform, adding that it had succeeded in shutting down the said server on 15th September with the help of law enforcement agencies.
How did malware get into the CCleaner software?
According to Cisco Talos, the installer for CCleaner v5.33 contained the malware even though the downloaded installation executable was signed with a valid digital signature issued to Piriform by Symantec. This indicates that part of the development or signing process for that version was compromised.
Either the malware injection was an insider job, or the Piriform team that signed the software with a valid digital signature did not take enough care to ensure that the installation server was free of malware before the release was made public.
‘In many organizations data received from commonly software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected,’ the firm concluded.
The revelation opens a previously unknown risk window that cyber security workers at organisations need to mitigate at the earliest. The practice of labelling software installations as ‘trusted’ or ‘untrusted’ may not work any more. If legitimate software like CCleaner can be compromised, so can hundreds of thousands of other software products that are downloaded all over the world without being given the inspection they merit.