Security researchers from Cisco Talos report that a vast number of machines are at risk after attackers added a backdoor to CCleaner that could be used to download malware, ransomware and keyloggers. The infected version of CCleaner had been available for download from the official CCleaner server since September 11, 2017, and carried a valid digital signature.
Cisco Talos noticed suspicious activity on 13 September, finding that "for a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner." What makes it even more embarrassing is that Piriform was acquired by the security company Avast! in July 2017.
Investigations by Talos revealed that the compromised version of the software had been available for download from the CCleaner server since 11 September, although an updated, non-compromised version was released a day later. The affected version had originally been released on 15 August, and it was signed using a valid certificate issued to Piriform Ltd by Symantec, which was valid until October of the following year. The signature was genuine; the binary it covered was not, which is why a passing signature check alone did not protect users.
Piriform blogged about the issue but downplayed its severity. The company claims it was able to disarm the threat before it could do any harm:
We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

Users of CCleaner need to manually update to version 5.34 to ensure they're safe.
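The following PowerShell check is an added example, not code from the article, Cisco Talos, Piriform or Avast. It reads the installed CCleaner version from the standard Windows Uninstall registry keys, flags the 5.33.6162 build the Piriform statement names, and reports the Authenticode status of the executable separately, because the article's central point is that the trojanised build carried a valid Piriform signature, so a "Valid" signature result must not be read as a clean bill of health. The assumed values are the DisplayName "CCleaner" in the Uninstall keys and the default install path; only the desktop CCleaner build is checked, not CCleaner Cloud.

```powershell
# Added example (not from the article or the vendor): inventory check for the
# CCleaner build named as compromised. Assumptions: CCleaner is registered under
# the standard Uninstall registry keys with DisplayName "CCleaner", and the
# executable lives at the default path below.

$AffectedVersions = @('5.33.6162')      # build named in the Piriform statement
$FixedVersion     = [version]'5.34'     # release the article says users must move to
$ExePath          = 'C:\Program Files\CCleaner\CCleaner.exe'   # assumed default path

function Get-CCleanerInstall {
    # Both the native and WOW6432Node uninstall hives are checked; the affected
    # payload ran on 32-bit Windows, but the product may be registered in either.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'CCleaner' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CCleanerVersion {
    param([string]$DisplayVersion)
    # Exact match on the compromised build string comes first, then a numeric
    # comparison against the fixed release for anything else that is still old.
    if ($AffectedVersions -contains $DisplayVersion) { return 'COMPROMISED-BUILD' }
    try { $v = [version]$DisplayVersion } catch { return 'UNKNOWN-VERSION' }
    if ($v -lt $FixedVersion) { return 'OUTDATED' }
    return 'OK'
}

$install = Get-CCleanerInstall
if (-not $install) {
    Write-Output 'CCleaner not found in the Uninstall registry keys.'
    return
}

foreach ($i in $install) {
    $status = Test-CCleanerVersion -DisplayVersion $i.DisplayVersion
    Write-Output ("{0} {1}: {2}" -f $i.DisplayName, $i.DisplayVersion, $status)
}

# The Authenticode result is reported on its own line and never overrides the
# version verdict: the trojanised 5.33 build was signed with a valid Piriform
# certificate, so a "Valid" status here does not clear the binary.
if (Test-Path $ExePath) {
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    Write-Output ("Signature status: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
}
```

Run it from an elevated PowerShell prompt on the host being checked; a `COMPROMISED-BUILD` or `OUTDATED` verdict means the manual update to 5.34 described above has not happened, regardless of what the signature line says.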