Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.
“In many organizations data received from commonly software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates,” Talos researchers state in their blog.
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. “To the best of our knowledge, we were able to disarm the threat before it was able to do any harm,” Yung says. The company has no indication who was behind the attack, where it came from or how long it was being prepared for. All CCleaner users are also being moved to the latest version. He says that the company has disabled the rogue server and other potential servers. Based on further analysis, we found that the version of CCleaner and the version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process,” comments Piriform's VP of Products, Paul Yung. CCleaner or CCleaner Cloud both released in August 2017 The Windows 32-bit version of the 2017 release CCleaner released in January 2019 Finding out which CCleaner version you have is simple and can be done by following a few steps. “A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version of CCleaner, and CCleaner Cloud version, on 32-bit Windows systems. Piriform, the company behind CCleaner, posted a blog today which explains the technical details of the hack. The malware also used valid digital signatures to further mask its malicious intent. The hack was able to collect information such as the name of the computer, list of installed software and windows updates, list of running processes, MAC addresses of the first three network adapters, as well as whether the process was running with administrative privileges and whether it is a 64-bit system. On September 12, the official 5.34 version was release. In other words, to the best of our knowledge, we were able to disarm the threat.
In this case, the software's update servers were compromised to deliver malware to victims and Piriform was hosting the malicious software itself.Īnyone who updated to CCleaner 5.3.3 between August 15 and September 11 is at risk of the hack. Users of CCleaner Cloud version have received an automatic update. The hack called a ‘supply chain attack', banks on the trust relationship between supplier and customer.
We've added in the option to hide the tray icon for the CCleaner Cloud agent, which means in addition to our tiny system footprint, end users won't see any trace of the application while in use!Ī full list of changes are in the change log below: If you’d like to help shape the future of CCleaner Cloud we’d love you to visit the portal, or get in touch. We've now published our roadmap at /roadmap for our users to view and give us feedback on. A two-stage backdoor in digitally signed binaries of 32-bit CCleaner and CCleaner Cloud caused the sending of 'non-sensitive data' to a server in the US. Your endpoints agents will be upgraded automatically (to ) in the coming hours.Īll CCleaner Cloud improvements come from the people that matter most – our users. If you are logged in, please refresh your browser. Malwarebytes blocks the IP and domains related to this malware.
Affected versions: CCleaner version and CCleaner Cloud version.
Hot on the heels of our 1.06 release, we’re pleased to introduce more features for business users and further performance improvements. The latest version is available for download here.