Security Experts:

Connect with us

Hi, what are you looking for?



Backup Database Reveals Scale of CCleaner Hack

A backup of a database containing information on Windows systems compromised via a maliciously modified version of the CCleaner software utility has provided investigators with a clearer view of the incident.

A backup of a database containing information on Windows systems compromised via a maliciously modified version of the CCleaner software utility has provided investigators with a clearer view of the incident.

The backup was created on September 10, shortly after the attackers discovered that the server holding the original database ran out of space. On Sept. 12, the actors completely erased the database, which had become corrupt in the meantime.

The attack on CCleaner started in early July, before Avast acquired Piriform, the firm behind the popular Windows maintenance tool. The supply chain incident was found to be sophisticated, highly targeted, and the discovery of the database backup proves that.

It all started with unknown actors compromising Piriform’s servers and replacing the legitimate 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases with modified ones containing backdoor code. The infected iterations were downloaded over 2.27 million times.

The initial findings in the investigation revealed that 700,000 infected systems had reported to the command and control (C&C) server between Sept. 12 and Sept. 16. The initial infection database was erased from the server on Sept. 12, but the attackers created a backup before that.

This backup revealed the connections to the C&C made between August 18 and Sept. 10, when the server ran out of space and the logging operation ceased. Thus, the researchers concluded that a total of 5,686,677 connections were made to the C&C and that a total of 1,646,536 unique machines (based on MAC addresses) reported to the server.

The backdoor code in the CCleaner installer also allowed attackers to deploy a stage 2 payload onto affected machines, but only 40 unique computers received it, Avast reveals. The attackers were very selective when deciding which computers to deliver the payload to, likely basing that decision on the infected PCs they could access.

The 40 machines were found to be part of the networks of well-known telecoms and tech companies worldwide, including Chunghwa Telecom, Nec, Samsung, Asus, Fujitsu, Sony,, O2, Gauselman, Singtel, Intel, and VMware.

“Clearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some of them potentially leading to additional supply-chain attacks (Carriers / ISPs, server hosting companies and domain registrars),” Avast notes.

The security researchers also discovered that the attackers had to conduct continuous server maintenance, as they connected 83 times to it. Based on the attackers’ active hours, the researchers also determined that they are most likely located in Russia or the Eastern part of Middle East / Central Asia and India. Moreover, none of the hit companies is from China, Russia, or India.

“Our security team has reached out to all companies proven to be part of the 2nd stage, and we’re committed to working with them to resolve the issue fully. Obviously, the fact that the 2nd stage payload has been delivered to a computer connected to a company network doesn’t mean that the company network has been compromised. However, proper investigation is in order and necessary to fully understand the impact and take remediation actions,” Avast says.

Related: CCleaner Infection Database Erased

Related: Attack on Software Firm Was Sophisticated, Highly Targeted

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.