Around 2.27 million users of Piriform’s popular CCleaner security app have been advised to update the application after sophisticated attackers hid malware inside it. Discovered by researchers at Cisco’s Talos division, the attack involved remote code execution that piggy-backed on CCleaner by pushing a fake update containing malware.
Several users report that other security applications, such as Malwarebytes Anti-Malware, detected the threat bundled inside CCleaner version 5.33.
Piriform, owned by security firm Avast, says up to three percent of its customers could have been affected after using CCleaner 5.33 (offered for download between August 15 and September 12) and CCleaner Cloud 1.07 (launched on August 24). Piriform confirms that the 32-bit Windows build of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 are affected. It seems 64-bit users may have dodged a bullet. But it’s essential that all users conduct a thorough security review: at a minimum, both normal and safe-mode scans with multiple anti-malware tools and a review of firewall logs for any signs of malware.
Piriform has released an updated version, 5.34, to fix the issue, and will hopefully conduct a thorough security review of its own operations. The company is also working with third-party download services to remove the affected versions.
“The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a third party computer server in the USA,” said Piriform in this blog post. “We have no indications that any other data has been sent to the server… We are continuing to investigate how this compromise happened, who did it, and why. We are working with US law enforcement in their investigation. A more technical description of the issue is on our Piriform blog.”
In a separate post, Talos reports: “In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains. As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware.”
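The detection logic Talos describes, as an added example rather than code from Talos, Piriform or the original article: hosts that attempt to resolve never-registered DGA domains are flagged from DNS query logs. The watchlist domains, the log format and the log lines below are constructed placeholders (the real indicator domains are not reproduced on this page).

```python
"""Flag hosts whose DNS lookups hit a watchlist of never-registered DGA domains."""
import re
from collections import defaultdict

# Constructed placeholder watchlist standing in for the published indicators.
DGA_WATCHLIST = {"ab1c2d3e4f.example", "ab9z8y7x6w.example", "cd0f1e2d3c.example"}

# Constructed sample log in a simplified "timestamp client qname rcode" format.
SAMPLE_DNS_LOG = """\
2017-09-13T10:01:02Z 10.0.0.5 update.example.org NOERROR
2017-09-13T10:01:04Z 10.0.0.7 ab1c2d3e4f.example NXDOMAIN
2017-09-13T10:01:09Z 10.0.0.7 ab9z8y7x6w.example NXDOMAIN
2017-09-13T10:02:11Z 10.0.0.9 www.example.com NOERROR
2017-09-13T10:03:30Z 10.0.0.12 x.cd0f1e2d3c.example. NXDOMAIN
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, normalised qname, rcode); skip malformed lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("ts"), m.group("client"), qname, m.group("rcode")


def matches_watchlist(qname, watchlist):
    """Return the watchlisted domain that qname equals or sits under, else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def flag_suspect_hosts(text, watchlist=DGA_WATCHLIST, min_hits=1):
    """Return {client: [matched domains]} for clients with >= min_hits lookups.

    The lookup itself is the signal: the names were never registered, so no
    legitimate process should be resolving them regardless of the rcode.
    """
    hits = defaultdict(list)
    for _ts, client, qname, _rcode in parse_dns_log(text):
        matched = matches_watchlist(qname, watchlist)
        if matched:
            hits[client].append(matched)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for client, names in sorted(flag_suspect_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(names)} watchlisted lookup(s): {', '.join(names)}")
```

Raising `min_hits` trades sensitivity for fewer false positives when a watchlist is broad; for never-registered names a single hit is already strong evidence.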