Cisco's TALOS security researchers discovered a devious way to infect millions of machines. They said: "Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons."
Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast's own figures, 2.27 million ran the affected software, though the company said users should not panic.
The affected app, CCleaner, gets 5 million downloads a week, making the threat particularly severe, researchers at Cisco Talos warned.
Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.
The CCleaner app, designed to help users carry out good cyber hygiene, was itself infected.
"The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.
"Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."
Not all are convinced by the claims of Piriform, acquired by Avast in July. "I have a feeling they are downplaying it indeed," said Martijn Grooten, editor of security publication Virus Bulletin. Of the Piriform claim it had no evidence of much wrongdoing by the hacker, Grooten added: "As I read the Cisco blog, there was a backdoor that could have been used for other purposes.
"This is pretty severe. Of course, it may be that they really only stole ... 'non-sensitive data' ... but it could be useful in follow-up targeted attacks against specific users."
Avast CTO: No need to panic
Avast chief technology officer Ondrej Vlcek said there was, however, little reason to panic. He told Forbes the company used its Avast security tool to scan machines on which the affected CCleaner app was installed (in 30 per cent of Avast installs, CCleaner was also resident on the PC). That led to the conclusion that the attackers hadn't launched the second phase of their attack to cause more harm to victims.
It's unclear just who was behind the attacks. Yung said the company wouldn't speculate on how the attack happened or possible perpetrators. For now, any concerned users should head to the Piriform website to download the latest software.
More at Forbes.