The CCleaner Attack Was Worse Than We Knew

The CCleaner Attack Was Worse Than We Knew

When Avast announced that 2.27 million people had downloaded a malware-riddled copy of its performance optimisation software CCleaner, it was initially believed that a second payload — that can control a system — was never delivered to victims. It’s now clear that wasn’t the case, and it appears the attackers may have been targeting tech firms for the purposes of industrial espionage.

Image Sources: Piriform, Pixabay

Security researchers at Cisco’s Talos released a new report intensifies the alarm bells and provides more details on those who were affected.

At first, researchers thought a second payload, one that would give hackers a more permanent presence on the infected machines, was never delivered, and that the attackers were likely biding their time.

But according to Cisco, at least 20 machines at eight companies worldwide were served the second, more dangerous payload. In a blog post yesterday, Avast warned that the actual number of infected victims is more likely in the hundreds.

While reviewing an archive of files from the Command and Control server, Cisco says it discovered a list of domains that the hackers were specifically targeting. The companies on the list include Singtel, Intel, Google, Epson, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Microsoft and Cisco.

Reached by Gizmodo, Avast declined to publicly confirm the list of affected companies “for privacy reasons”, but says it has “been reaching out individually to those companies who we know have been impacted, and providing them with additional technical information to assist them”.

It’s believed that the attackers were attempting to use the popular software (130 million users) to spread their malware as widely as possible, and then, according to Cisco, they systematically narrowed down the targets to companies with valuable data and information to be stolen.

Talos research manager Craig Williams tells Wired that in about half the cases, the hackers were able to use their backdoor to compromise at least one machine on the company’s network. The archive that Cisco obtained only covered four days in September, so there’s no way to say for sure that these companies were the only targets.

In all, Cisco claims the infected version of CCleaner was installed on 700,000 computers.

Cisco now believes that this was the work a sophisticated actor. The researchers are urging anyone who downloaded the 5.33.6162 version of CCleaner or the 1.07.3191 version of CCleaner Cloud — available from August 15 to September 13 — to restore their systems from backups or reimage systems.

Simply updating or deleting the software is not enough. The latest version, CCleaner 5.34, is said to be safe.

We don’t have a whole lot of information on who is responsible for this or what their motives are. Cisco says it noticed shared code in the malware that has been used in tools employed by hackers known as Group 72 or Axium.

The tools were employed in what’s known as Operation SMN in 2014. Security firm Novetta believes that the group is connected to Chinese intelligence services.

[Avast, Cisco, Wired]


    • My guess would be that every enterprise operates their own way, has their own security and protocols.
      The place i work for as an example basically has no rules on software installations except teamviewer despite recommendations from security experts, i can only speak from first hand experience though.

    • when i first started working in support, i found the tool to be handy for cleaning the registry, the various data that apps hold as well as just temp files in general.

      that said I always had it installed on a USB and never locally on an end user machine, there really is no reason for enterprises to install it locally (imo) but that just depends on how admin permissions are set

      • Over the years I’ve seen too many posts about how you should never clean the registry, and if you do and it doesn’t break anything, it does nothing anyway.

        Windows disk cleanup seems to be the best option, as it knows what is needed and not.

        • cleaning / maintaining your registry can be very handy when troubleshooting applications by modifying / deleting records to manipulate the program, in saying this its not recommended to let an application like ccleaner make the decision for you.

        • oh definitely over the years and especially after moving to another company I’ve come to understand the internal guts of an OS more

          while @cesario have pointed out valid reason to poke around the registry, in general deleting / modifying registry should really be a last resort kind of thing

  • good thing i dont install these so-called optimsation apps that are a drain on resources and a malware risk.

    people download anything these days

  • Ccleaner was trusted as a safe app for removing crapware (Where one of the C’s in Ccleaner comes from) – now I’m just not so sure.

    • I still find it useful that said I’ve adopted to using a usb that is basically loaded with useful apps (AV for example) and I don’t install CCleaner on my home pc

      kind of like a toolkit on a CD which was a thing back in the 90s when I was in uni ha

  • Stopped using Ccleaner and similar programs back in 2013, haven’t looked back since & my Gamer Rig has been running flawlessly without a virus for years since.

Show more comments

Log in to comment on this story!