Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

CCleaner Server Was Compromised in Early July

A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.

CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July, 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.

“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.

The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.

On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.

Avast also claims that no actual harm was done to the impacted computers, despite the fact that 2.27 million users downloaded the infected application release, as the final payload in this attack never activated.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

Advertisement. Scroll to continue reading.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.

“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.

Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.

Related: Millions Download Maliciously Modified PC Utility

Related: Avast Acquires CCleaner Developer Piriform 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...