
IT security: CCleaner hack.

The CCleaner hack:

Who is affected?
People who downloaded the 32-bit version of CCleaner 5.33.6162 between August 15th and September 12th.

If I have a 64-bit PC, could I be affected?
No, the 64-bit version was not compromised.

I use 32-bit, but an older version than 5.33. Am I safe?
Yes, only 5.33.6162 was infected.

What should I do if affected?
Uninstall CCleaner or upgrade to CCleaner version 5.33 from here: https://www.piriform.com/ccleaner/download
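A small triage check that encodes the criteria above (added example, not code from the original post or from Piriform/Avast): it reads a constructed software-inventory export and flags hosts that had the 32-bit CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 installed within the affected window. The CSV layout, column names and host names are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Affected builds named in the Piriform and Cisco Talos notices.
AFFECTED_BUILDS = {
    ("CCleaner", "5.33.6162"),
    ("CCleaner Cloud", "1.07.3191"),
}
# Download window stated in the post (2017).
WINDOW_START = date(2017, 8, 15)
WINDOW_END = date(2017, 9, 12)

# Constructed sample inventory export; the columns are an assumption.
SAMPLE_INVENTORY = """\
host,product,version,arch,installed
ws-01,CCleaner,5.33.6162,x86,2017-08-20
ws-02,CCleaner,5.33.6162,x64,2017-08-20
ws-03,CCleaner,5.32.6129,x86,2017-07-30
ws-04,CCleaner Cloud,1.07.3191,x86,2017-09-01
ws-05,CCleaner,5.33.6162,x86,2017-09-14
"""


@dataclass
class Finding:
    host: str
    product: str
    version: str


def is_affected(product: str, version: str, arch: str, installed: date) -> bool:
    """True when a record matches every criterion given in the post."""
    if (product, version) not in AFFECTED_BUILDS:
        return False          # older or newer builds were not tampered with
    if arch.lower() not in ("x86", "32-bit"):
        return False          # the 64-bit build was not compromised
    return WINDOW_START <= installed <= WINDOW_END


def triage(inventory_csv: str) -> list:
    """Return one Finding per host that needs CCleaner removed or updated."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed = date.fromisoformat(row["installed"])
        if is_affected(row["product"], row["version"], row["arch"], installed):
            findings.append(Finding(row["host"], row["product"], row["version"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: remove or update {f.product} {f.version}")
```

Hosts outside the date window or running the 64-bit build are left out, matching the answers above; on the sample data only ws-01 and ws-04 are reported.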

If I downloaded CCleaner from the official website can I still be affected?
Yes, the hackers modified the download files on Avast Piriform servers.

How many people were affected?
2.27 million users have been affected by the attack.

What does CCleaner do?
The program is used to clean up cookies and can give some web privacy protection.
CCleaner has been downloaded more than 2 billion times, making it a very interesting target for hackers.

Avast Piriform believes it was able to prevent the breach from harming customers; however, that remains to be seen, as Piriform hasn't completed its investigation.
“Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.

Piriform apologized to its users and said law enforcement was involved. They believe they have shut down the hackers' access to their users and have updated their software.
“In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm,” said Paul Yung, Piriform’s vice president of products, in a statement.

You can see the blog here:
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

The hack was discovered by Cisco Talos on 9/13, who found that the official download of the free versions of CCleaner 5.33 and CCleaner Cloud 1.07.3191 also contained “a malicious payload that featured a Domain Generation Algorithm as well as hardcoded Command and Control functionality.”
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

The attackers used the Floxif malware downloader, which gathers information about the infected systems and sends it back to its command and control (C&C) server.
https://en.wikipedia.org/wiki/Botnet

The malware could download and run binaries, but at this time, there is no evidence that Floxif downloaded additional second-stage payloads on the infected hosts.
The malware collected information such as the computer name, installed applications, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer.
The malware would quit execution if the user was not using an administrator account.

Thor Pedersen

IT, information security, and project management trainer. Best-selling CISSP, CISM, and PMP instructor on Udemy. CISSP, CISM, C|EH, CDPSE, PMP, 2x CCNP, CompTIA Security+, SCP, 3x CCNA, et al.