CCleaner is probably the world's most famous cleaning tool and the one Windows users turn to most to solve their space and performance problems. Thanks to its varied and efficient features, it's only logical that it ranks quite highly among the world's most-used cleaning tools.

UPDATE: Piriform estimated that the number of people who used the affected software is around 2.27 million.

Legitimately signed but backdoored versions of the popular CCleaner utility were available for download from the developer’s Web site and servers for nearly a month, Cisco Talos researchers have discovered.

It is still unknown how the compromise happened.

Piriform – the company that develops CCleaner and which has recently been acquired by AV maker Avast – has confirmed that the 32-bit version of the v of CCleaner and the v of CCleaner Cloud were affected.

“Piriform CCleaner v was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v was released on the 24th of August, and updated with a version without compromised code on September 15,” the company stated.

They estimate that up to 3% of their users used the two compromised versions of the software, but did not mention actual numbers.

A press release from November 2016 puts the number of CCleaner downloads at 2 billion, but that includes all versions of the software (PC, Mac and Android, free and paid). Piriform boasts of over 5 million weekly CCleaner desktop installs.

“If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes,” Cisco researchers noted.

The discovery

An instance of a backdoored CCleaner version was first flagged by Cisco during customer beta testing of its new exploit detection technology. The flagged executable was signed with a valid digital certificate issued to Piriform, but came with an additional payload.

Paul Yung, VP of Products at Piriform, explained that it was “a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

The backdoor also collected information about the target systems (name of computer, its IP address, list of installed software, list of running processes, etc.) and sent it, encrypted, to a remote server located in the USA.

“We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done,” the company stated.

Piriform and Avast continue the investigation in order to find out how this compromise happened, who did it, and the hackers’ ultimate goal.

In the meantime, they have already made download sites remove CCleaner v, they pushed out a notification to update CCleaner users from v to v5.34, and automatically updated CCleaner Cloud users from v to.

They didn’t say it, but it’s likely that they’ve used a new digital certificate to sign these latest versions.

As Cisco researchers noted: “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.”

Antivirus detection for the threat is extremely low, so even if you have downloaded and installed one of the affected CCleaner versions, your computer has likely been backdoored.

Yung pointed out that even though the second stage payload was received by the targets after the information was sent, they “have not detected an execution of the second stage payload and believe that its activation is highly unlikely.”

“Affected systems need to be restored to a state before August 15 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection,” Cisco advises.

Supply chain attacks are a very effective way to distribute malicious software, as we have witnessed in the NotPetya attack: the ransomware/wiper was traced back to hacked servers of Ukrainian software maker MeDoc. Unfortunately, end users can’t do much about that – it’s on the developers to keep their servers secure and clean.
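For administrators who need to find out which CCleaner builds are present on their Windows hosts, the following is an added triage script (not code from the article, Piriform or Cisco). It reads the Uninstall registry keys, and for every executable in each CCleaner install folder reports the file version, the PE architecture (the article singles out the 32-bit build) and the Authenticode signer, so the output can be compared against the vendor's advisory; as the Cisco quote above stresses, a valid signature by itself does not prove a file is clean. The registry paths and the `Get-AuthenticodeSignature` cmdlet are standard Windows; the `Get-PEMachine` helper is this example's own.

```powershell
# Added example: inventory CCleaner installs and report version, architecture and signer.
function Get-PEMachine {
    param([string]$Path)
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature; the Machine field follows it.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadInt32()
        [void]$fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)
        switch ($br.ReadUInt16()) {
            0x014c  { 'x86' }    # IMAGE_FILE_MACHINE_I386, the 32-bit build
            0x8664  { 'x64' }    # IMAGE_FILE_MACHINE_AMD64
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

function Get-CCleanerInventory {
    # Both native and WOW6432Node hives, so 32-bit installs on 64-bit Windows are found too.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            $app = $_
            # InstallLocation is usually set; otherwise fall back to the uninstall icon's folder.
            $dir = $app.InstallLocation
            if (-not $dir -and $app.DisplayIcon) { $dir = Split-Path ($app.DisplayIcon -split ',')[0] }
            Get-ChildItem -Path $dir -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Product     = $app.DisplayName
                    Version     = $app.DisplayVersion
                    File        = $_.Name
                    FileVersion = $_.VersionInfo.FileVersion
                    Arch        = Get-PEMachine -Path $_.FullName
                    SigStatus   = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                    Thumbprint  = $sig.SignerCertificate.Thumbprint
                }
            }
        }
}

Get-CCleanerInventory | Format-Table -AutoSize
```

Run it from an elevated prompt; the Thumbprint column lets you check whether a host still carries binaries signed by a certificate the vendor has since replaced or revoked.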