Initially, Avast claimed that the incident happened because one of the servers ran out of disk space on Sep 10, due to which the operator had to rebuild the database fully. That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.” “Analysis of the CnC server showed that the incident was, in fact, an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. The list was compiled after the company discovered a second server database, which was used by the malware in CCleaner to send information to attackers about the infected hosts.Īvast has narrated the details of the attack in its official blog post that reads: The company has been busy in investigating the issue of the presence of malware in its very popular and widely used CCleaner tool. Now, Avast has finally revealed the complete list of organizations affected by the second stage CCleaner malware in its newest update published last Friday. An initial investigation showed it was a state-sponsored attack. This lead to the download of the NotPetya wiper, which caused billions of dollars of losses for firms.Last week news came out that CCleaner software was infected with a backdoor. In this case, the malware was included in the binary which was hosted on Piriform’s server – not on a third-party site.Ī similar supply chain attack experienced a software update for the Ukrainian accounting application MeDoc being attacked. It is possible that external hackers gained access to the development or build environment or that the Trojan was introduced internally.Īttacks such as this could infect many millions of users since installations by developers of an application are trusted. While simply updating the software should address all issues, users are warned to perform a full virus scan to make sure no additional malware has been introduced onto their system.Ĭurrently, it is unclear who was responsible for this supply chain attack or how the Floxif Trojan was introduced. Users of the Cloud version need do nothing, as the application has been updated to a clean version automatically. Now that the malware has been deleted, users can simply install version 5.34 of the application which will remove the backdoor. The actors to blame for the attack used a valid digital signature that was issued to Piriform by Symantec along with a Domain Generation Algorithm to ensure that new domains could be created to receive exfiltrated data from compromised systems in the event that the main domain was discontinued. The malware was first noticed on September 13, 2017, although an announcement was not first made as Avast and Piriform were working with law enforcement and did not want to alert the hackers that the malware had been discovered. The malware reportedly did not execute on 64-bit systems and the Android app was unaffected. The versions of the software impacted were v and CCleaner Cloud v.
Avast says the attack involved a second stage payload, although it would appear the additional malware never ran. The CCleaner malware laced application was only part of the picture.
The CCleaner malware gathered details of users’ IP addresses, computer names, details of software downloaded to their systems and the MAC addresses of network adaptors, which were moved to the hackers C2 server. The particular malware was the Floxif Trojan, which had been included into the build before Avast acquired Piriform. On Monday this week, around 730,000 users had not yet updated to the most recent, clean version of the program.Īny person that installed the application on a 32-bit system between August 15 and September 15 was infected with the CCleaner malware, which was capable of obtaining information about the users’ system. However, Piriform suggests around 2.27 users had downloaded and downloaded the backdoor along with the legitimate application. During that time, around 3% of users of the PC cleaning application had been impacted according to Piriform.Ĭisco Talos, which independently identified the build of CCleaner had malware included, reported around 5 million users install the program each week, possibly leading to 20 million users may have been affected.
CCleaner malware infections grew for four weeks before a compromised binary was discovered and a fkaw ub the software was patched.Īvast, which purchased Piriform over the summer, revealed that between August 15 and September 15, a rogue version of the application was purchasable on its server and was being bought by users.