Hack Of Avast's CCleaner Application Highlights Growing Challenge Around Supply Chain Attacks

CCleaner, an application distributed by security company Avast that helps users perform routine maintenance on systems, has been compromised, according to a report Monday, allowing hackers to distribute a malware payload through the legitimate software.

Researchers at Cisco Talos, who discovered the hack, said in a blog post that the attack used the download servers to distribute a multistage malware payload alongside the installation of some versions of the CCleaner software.

Cisco Talos said the attack affected CCleaner version 5.33, which was launched Aug. 15. The report said the malicious version was hosted on the servers for download as recently as Sept. 11, after which a new version of the software was released (version 5.34). The affected version is no longer available for download on the CCleaner site.

[Related: Solution Providers: Equifax Breach Shows Incident Response Needs To Include The 'Nontechnical' As Well]

Sponsored post

The free version of the CCleaner software does not update automatically, the blog post said. It recommended users running older versions of the software manually update their software to the latest version, which currently is version 5.34.

In an email statement to CRN, Avast EVP and CTO Ondrej Vlcek said the update only affected older versions of the company’s Piriform CCleaner software, including Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. He said, "no other Piriform or Avast products were affected."

Vlcek said the company has fully resolved the issue and "believe no harm was done to any of the CCleaner users." He said the company started an investigation on Sept. 12, when it detected suspicious activity and "immediately started an investigation process," including contacting law enforcement. He said Cisco did not notify Avast of the issues until Sept. 14, at which point he said "our investigation as underway."

"We are continuing to investigate how this compromise happened, who did it, and why. We are working with U.S. law enforcement in their investigation," Vlcek said.

Vlcek countered Cisco’s claims about the extent of the hack’s impact, saying the company estimated 2.27 million users were initially affected. He said the company has since remedied the issue for those users. The company created a blog post to keep users up-to-date with the investigation and more technical details of the issue.

"We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm. Also, a simple software update does remove the software that was affected and other claims that a full restore is required are false," Vlcek said.

"We sincerely apologize for this and are committed to making sure nothing similar happens again. We encourage any user of the 32-bit version of CCleaner v5.33.6162 to download the latest version of Piriform CCleaner found," he said.

In the Cisco Talos blog post, researchers said the discovery highlights the danger of supply chain attacks, which use legitimate software to distribute malware. It said this attack is particularly concerning given the wide distribution of CCleaner, which Avast said had 2 billion total downloads as of November 2016.

"This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates. In many organizations data received from commonly [used] software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected," the blog post said.

The blog post also noted that anti-virus detection of the malicious software "remains very low," saying it was detected only one out of 64 times at the time of the blog post publication.

Justin Kallhoff, CEO of Infogressive, a Lincoln, Neb.-based cybersecurity specialist, said leveraging popular freeware programs with a large distribution footprint is unfortunately a "really good strategy for hackers." By doing that, he said they can distribute their malware with a more efficient use of time and effort.

Kallhoff said he advises his customers to not use freeware in a business context.

"Generally, it's probably not a good idea to install freeware in a business environment. If it's free on the internet, chances are that it already has or will contain more than you bargain for," Kallhoff said.