Consumers who downloaded the CCleaner security program thought that they were protecting their devices from malware, but security researchers at Cisco Talos say the app directly delivered malware to millions of users.
The discovery, made earlier this month, involves what the researchers call a “supply chain attack.” Supply chain attacks happen when hackers target a company or manufacturer that delivers a product to consumers.
In this case, the download servers used by Avast (CCleaner’s parent company) were breached. Hackers used their access to the servers to modify CCleaner’s download package so that it included malware, which was then delivered to users.
“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” explained the researchers.
Millions of users affected
CCleaner is an extremely popular tool amongst consumers for ridding computers of malware and improving speed and performance. In November, Avast boasted that the program had been downloaded over 2 billion times, with 5 million users downloading the app per week. Unfortunately, the researchers say that these high growth numbers can be disastrous from a security standpoint.
“If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes,” said Cisco Talos researcher Edmund Brumaghin in a blog post.
Piriform, the company that operates the affected download servers, has confirmed that versions 5.33.6162 and 1.07.3191 of CCleaner for 32-bit systems were compromised by hackers. The company estimates that as many as 2.27 million people are using the affected software or have downloaded a compromised version of CCleaner Cloud.
“The compromise could cause the transmission of non-sensitive data…to a 3rd party computer server in the USA,” the company said. “We sincerely apologize for this and are committed to making sure nothing similar happens again.”
What to do
Brumaghin says that users who have downloaded a malicious version of the CCleaner program need to restore their devices to a state before August 15, 2017, and update to the latest available version of the program to avoid infection.
Piriform encourages users to download the latest version of the software.