CCleaner, an application distributed by security company Avast that helps users perform routine maintenance on systems, has been compromised, according to a report Monday, allowing hackers to distribute a malware payload through the legitimate software.
Researchers at Cisco Talos, who discovered the hack, said in a blog post that the attack used the download servers to distribute a multistage malware payload alongside the installation of some versions of the CCleaner software.
Cisco Talos said the attack affected CCleaner version 5.33, which was launched Aug. 15. The report said the malicious version was hosted on the servers for download as recently as Sept. 11, after which a new version of the software was released (version 5.34). The affected version is no longer available for download on the CCleaner site.
The free version of the CCleaner software does not update automatically, the blog post said. It recommended users running older versions of the software manually update their software to the latest version, which currently is version 5.34.
In an email statement to CRN, Avast EVP and CTO Ondrej Vlcek said the update only affected older versions of the company’s Piriform CCleaner software, including Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. He said, "no other Piriform or Avast products were affected."
Vlcek said the company has fully resolved the issue and "believe no harm was done to any of the CCleaner users." He said the company started an investigation on Sept. 12, when it detected suspicious activity and "immediately started an investigation process," including contacting law enforcement. He said Cisco did not notify Avast of the issues until Sept. 14, at which point he said "our investigation as underway."
"We are continuing to investigate how this compromise happened, who did it, and why. We are working with U.S. law enforcement in their investigation," Vlcek said.
Vlcek countered Cisco’s claims about the extent of the hack’s impact, saying the company estimated 2.27 million users were initially affected. He said the company has since remedied the issue for those users. The company created a blog post to keep users up-to-date with the investigation and more technical details of the issue.
"We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm. Also, a simple software update does remove the software that was affected and other claims that a full restore is required are false," Vlcek said.
"We sincerely apologize for this and are committed to making sure nothing similar happens again. We encourage any user of the 32-bit version of CCleaner v5.33.6162 to download the latest version of Piriform CCleaner found," he said.