![]() ![]() S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb Interestingly the following compilation artifact was found within the CCleaner binary that Talos analyzed: Only the incident response process can provide details regarding the scope of this issue and how to best address it. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Ideally this certificate should be revoked and untrusted moving forward. The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Talos provides a little insight into possible scenarios: He goes on to provide a technical description of the compromise, and says: "we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it." In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm. Users of CCleaner Cloud version have received an automatic update. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v users to the latest version. We also immediately contacted law enforcement units and worked with them on resolving the issue. Based on further analysis, we found that the version of CCleaner and the version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version of CCleaner, and CCleaner Cloud version, on 32-bit Windows systems. We would like to apologize for a security incident that we have recently found in CCleaner version and CCleaner Cloud version. In a statement on the site, vice president Paul Yung says: While Talos says that a large number of computers were put at risk, Piriform thinks otherwise. The affected version was released back on 15 August, and it was signed using a valid certificate issued to Piriform Ltd by Symantec which was valid until October next year. Investigations by Talos revealed that the compromised version of the software had been available for download from the CCleaner server since 11 September, although an updated, non-compromised version was released a day later. Avast opens up about CCleaner hack and outlines how it will protect usersĬisco Talos noticed suspicious activity on 13 September, finding that "for a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.".The problem is being compared to the NotPetya ransomware threat. With 2 billion downloads - a number that's rising at a rate of 5 million per week - the software was targeted by hackers who added a backdoor that could be used to download malware, ransomware and keyloggers. ![]() CCleaner is produced by Piriform, now a subsidiary of security firm Avast, making the compromise not only serious, but also embarrassing. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |