Recently security researchers at Cisco Talos discovered that malicious hackers had injected a malware into Piriform CCleaner and CCleaner Cloud. CCleaner is a PC optimization tool. It removes potentially unwanted files, such as temporary internet files, and invalid Windows Registry entries. CCleaner Cloud is a cloud-based control center for CCleaner. It enables the management of CCleaner, on multiple PCs, from a single interface.
This is of concern because CCleaner is used by over 75 million users worldwide. It was reported that approximately 2.27 million users were affected by the malware-laden version of CCleaner. Piriform confirmed that CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems, were illegally modified before they were released to public.
How did it happen?
The attackers had penetrated into one of the update servers of Piriform and injected a two-staged backdoor in the executable binaries of CCleaner and CCleaner Cloud. This backdoor is capable of remotely executing code on the affected systems. It was reported to target top technology companies. The rogue server has been taken down now.
As per the security notification, issued by Piriform, the suspicious code was storing and collecting the following information:
- It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
- MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
- TCID: timer value used for checking whether to perform certain actions (communication, etc.)
- NID: IP address of secondary CnC server
- It collected the following information about the local system:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Such code can also be used to download and execute another malware on the system. Similar mechanism was used to spread the Petwrap disk wiper. In this attack, malicious hackers broke into a Ukraine-based software developer firm’s update servers. They then injected the updated binaries of the firm’s software with disk-wiper payload. The disk-wiper payload was camouflaged as ransomware.
How to counter this malicious attack:
- Remove the affected versions of CCleaner and CCleaner Cloud.
- Download the latest stable release from Piriform website.
- It is also advised, though not mandatory, to format and re-install the affected endpoints.
- Organisations, using an application backlisting solution, can block the installation of affected versions of CCleaner and CCleaner Cloud.
What are these new line of attacks?
These attacks are known as supply chain attacks. This attack vector is increasing in popularity. It provides wider reach and requires relatively less efforts to attain similar impact. It also provides stealth by hiding the malware payload in a genuine software. Though beneficial for attackers, supply-chain attacks often have a devastating reputational impact on the organization whose servers were compromised. It also hinders the trust relationship between the software developer firm and its customers.
The popularity of supply-chain attacks would affect the software industry at large. Customers would even feel wary of installing updates and patches from firms which have not been affected by such attacks.
Join us at DSCI-NASSCOM Annual Information Security Summit (AISS) 2017 for an extensive discussion on supply-chain attacks. To know more about AISS 2017 and registration visit https://www.dsci.in/aiss-2017/
To stay updated on latest cyber threats, subscribe to our newsletters. To participate in DSCI Threat Intelligence & Research (Ti&R) initiative, drop us a mail at firstname.lastname@example.org.