Published: 19/09/17 by Gulraj Rijhwani
In a post on the community forum for Piriform’s CCleaner in the small hours of Monday morning (US time), the administrator revealed that last week their own, legitimately signed, installation/upgrade package for the 32-bit version of the product carried compromised code. In the words of the post, the malicious code could “cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”
Since the discovery the company has worked with US law enforcement to have the target host shut down, and is investigating the source and method of the compromise. Piriform removed the compromised download and released a clean version before making the announcement. The issue affects CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. Users should already have received a notification from Piriform to update to the latest releases (CCleaner v5.34, CCleaner Cloud v1.07.3214).
Although not a complex utility, Piriform do claim two million users for CCleaner, and even a small percentage of these being affected is still a significant number. What is more disturbing is how the malicious code got into their own product base. This was not a reverse-engineered, trojanised package on a rogue third-party download site. This was Piriform’s own installable product, signed with their own certificate, which implies either a malicious insider or that Piriform’s own development or build environment was compromised and the malicious code inserted by an outsider. Neither option is particularly comforting, but it does demonstrate the value of detecting and controlling what comes into (and persists in) the environment, rather than focussing solely on attackers exfiltrating information.
It’s all a little bit Hollywood, the notion that an attacker would go to the bother of breaking in to deposit a rogue asset in the production line, but clearly it happens. How well do you know your environment? Could your production processes – whatever they may be – be interfered with without detection?
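A practical first step for anyone responsible for a fleet is to find which hosts are still on the builds Piriform named. The script below is an added example written for this post, not Piriform’s tooling and not part of the original article: it reads a software inventory export (the CSV rows, host names and the 5.34.6300 build number are constructed) and classifies each installation against the version numbers in the advisory. It deliberately ignores whether the installer’s signature validates, since the compromised package was correctly signed, and it flags the named builds regardless of architecture, even though Piriform’s post refers to the 32-bit installer, because the remediation is the same upgrade either way.

```python
"""Triage an endpoint software inventory against the CCleaner advisory.

Added example for this post; it is not Piriform's tooling and not part of the
original article. Product names and version numbers come from the advisory;
the inventory rows, host names and the 5.34.6300 build number are constructed.
"""
import csv
import io

# First release per product line that carries the fix, from the advisory.
FIXED_VERSIONS = {
    "CCleaner": (5, 34),
    "CCleaner Cloud": (1, 7, 3214),
}

# The specific builds Piriform named as carrying the malicious code.
AFFECTED_BUILDS = {
    ("CCleaner", (5, 33, 6162)),
    ("CCleaner Cloud", (1, 7, 3191)),
}

# Constructed inventory, as might be exported from an asset management system.
SAMPLE_INVENTORY = """\
host,product,version
ws-014,CCleaner,5.33.6162
ws-022,CCleaner,5.34.6300
ws-031,CCleaner Cloud,1.07.3191
ws-040,CCleaner Cloud,1.07.3214
ws-051,CCleaner,5.32.6129
ws-060,CCleaner,unknown
ws-071,7-Zip,16.04
"""


def parse_version(text):
    """Turn '1.07.3191' into (1, 7, 3191) so builds compare numerically.

    Leading zeros are dropped by int(); anything non-numeric raises ValueError.
    """
    return tuple(int(part) for part in text.strip().split("."))


def classify(product, version):
    """Classify one installed build.

    A valid Piriform signature is deliberately not an input here: the
    compromised installer was correctly signed, so the build number is the
    only reliable discriminator the advisory gives us.
    """
    if product not in FIXED_VERSIONS:
        return "not_tracked"
    try:
        build = parse_version(version)
    except ValueError:
        return "unparseable"
    if (product, build) in AFFECTED_BUILDS:
        return "affected"
    if build >= FIXED_VERSIONS[product]:
        return "fixed"
    # Not one of the named builds, but predates the fix. The advisory does not
    # call these compromised; they still need to move to the fixed release.
    return "older_than_fix"


def triage(inventory_csv):
    """Map host -> status for every row in a CSV export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product"], row["version"]) for row in reader}


def hosts_to_remediate(inventory_csv):
    """Hosts that were running a build the advisory names as compromised."""
    return sorted(h for h, status in triage(inventory_csv).items() if status == "affected")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
    print("remediate:", ", ".join(hosts_to_remediate(SAMPLE_INVENTORY)))
```

Hosts reported as `affected` are the ones to treat as having run the malicious installer; `older_than_fix` hosts are outside the advisory’s scope but are not on the fixed release either, and `unparseable` rows point at inventory data that needs cleaning before it can be trusted for this kind of check.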