CCleaner has been compromised in a security breach that could affect upwards of 2.27 million users of the popular clean-up software. Researchers at Cisco’s Talos unit discovered a hidden two-stage backdoor embedded in a legitimately signed version of the tool.
The malicious program hitched a ride on CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 back in August 2017. It lay there undetected for a month collecting information like the name of the computer, list of running processes, installed software including Windows updates, and MAC addresses.
Piriform, the firm behind CCleaner, has now published a blog post apologizing to its customers. It states that parent company Avast identified suspicious activity on September 12, when it saw an unknown IP address receiving data from installations of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 on 32-bit Windows systems.
These versions appear to have been illegally modified before they were released to the public. Customers had no reason to be wary, since the updates came directly from the company itself. Piriform says it has resolved the threat by ensuring the rogue server has been taken down and that other servers are outside the attacker’s control.
Piriform is moving all current CCleaner v5.33.6162 users to the latest v5.34 and pushing an update to CCleaner Cloud version 1.07.3191 users. Note that the former group will have to uninstall the app and install the fresh version themselves, since the standard CCleaner software does not update itself automatically.
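Because the standard build does not update itself, an administrator has to find out which machines still carry the affected builds. The following PowerShell script is an added example, not code from Piriform, Avast or Talos: it reads the version stamp of any CCleaner binary it finds and compares the major, minor and build numbers against the two version numbers named in the article. The install paths, the layout of the version string, and the `Test-AffectedBuild` helper name are assumptions; the script only reports and never deletes anything.

```powershell
# Added example (not from the article or from Piriform): report whether a
# machine has one of the two CCleaner builds named as compromised.
# Install paths and version-string layout are assumptions; adjust for your estate.

# Builds named in the article (the only two versions the page identifies).
$AffectedBuilds = @(
    @{ Product = 'CCleaner';       Version = [version]'5.33.6162' },
    @{ Product = 'CCleaner Cloud'; Version = [version]'1.07.3191' }
)

# Likely binary locations (assumed; CCleaner Cloud path is a placeholder).
$CandidatePaths = @(
    'C:\Program Files\CCleaner\CCleaner.exe',
    'C:\Program Files (x86)\CCleaner\CCleaner.exe',
    'C:\Program Files\CCleaner Cloud\CCleaner.exe'   # ASSUMED-PATH
)

function Normalize-BuildVersion {
    # Version stamps on binaries may read "5.33.6162" or "5.33.0.6162".
    # Reduce either form to major.minor.build so the comparison is stable.
    param([string]$Raw)
    $parts = @($Raw -split '[^0-9]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    if ($parts.Count -lt 3) { return $null }
    return [version]('{0}.{1}.{2}' -f $parts[0], $parts[1], $parts[-1])
}

function Test-AffectedBuild {
    # Returns the matching product name when the version is an affected build, else $null.
    param([string]$RawVersion)
    $v = Normalize-BuildVersion $RawVersion
    if ($null -eq $v) { return $null }
    foreach ($b in $AffectedBuilds) {
        $ref = $b.Version
        if ($v.Major -eq $ref.Major -and $v.Minor -eq $ref.Minor -and $v.Build -eq $ref.Build) {
            return $b.Product
        }
    }
    return $null
}

# The article scopes the compromise to 32-bit Windows installs; record the architecture
# so the report can be prioritised, but still check every host.
$Is64 = [Environment]::Is64BitOperatingSystem

foreach ($path in $CandidatePaths) {
    if (-not (Test-Path $path)) { continue }
    $info = (Get-Item $path).VersionInfo
    $raw  = if ($info.ProductVersion) { $info.ProductVersion } else { $info.FileVersion }
    $hit  = Test-AffectedBuild $raw
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Path        = $path
        Version     = $raw
        Is64BitOS   = $Is64
        Affected    = [bool]$hit
        Action      = if ($hit) { "Uninstall and install v5.34 from the vendor (no auto-update)" } else { "none" }
    }
}
```

Run it from an elevated session on each endpoint (or wrap it in your management tool) and collect the objects it emits; a row with `Affected` set to `True` is a machine that still needs the manual uninstall-and-reinstall the vendor describes, with 32-bit hosts at the top of the queue.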
The attackers don’t appear to have caused any harm to the victims yet. Avast chief technology officer Ondrej Vlcek states that the second-stage payload was never activated; it was preparation for a larger operation that was stopped in its tracks before any noticeable damage was done.
You can download version 5.34 of CCleaner here.