11/9/2023
CCleaner 5.33

On Monday, Cisco and Piriform – the Avast-owned company behind the popular CCleaner utility – announced that certain versions of the software have been backdoored by hackers. A blog post by security outfit Morphisec later revealed they were the ones who first notified Avast of the problem.

The timeline of the incident and Avast's response to it is as follows:

- August 15: Malicious CCleaner (v) made available for download from Piriform's servers.
- August 24: Malicious CCleaner Cloud (v) made available for download from Piriform's servers.
- September 11: Morphisec researchers flag the malware after analyzing the logs of some of its products installed at customer sites.
- September 12: Morphisec notifies Avast. Avast releases a clean version of CCleaner (), pushing it out as a lightweight automatic update to CCleaner users where possible, and starts notifying the remaining users to upgrade to the latest version of the product ASAP.
- September 13: Cisco discovers the malware (also via customer log analysis) and notifies Avast.
- September 15: Avast and law enforcement take down the backdoor's C&C server. Around the same time, Cisco registered the malware's secondary DGA domains. As Avast noted in an update today, "the threat was effectively eliminated as the attacker lost the ability to deliver the payload."
- September 18: Piriform makes the announcement about the compromise, Cisco Talos releases a blog post detailing the threat, and later that day Morphisec releases a short write-up about it.

In today's update on the situation, Avast CEO Vince Steckler and CTO Ondrej Vlcek said that the hackers were likely already in the process of hacking into the Piriform servers as Avast was putting everything in place to complete the acquisition of Piriform (in July 2017).

"The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition," they noted.

Michael Gorelik, VP R&D at Morphisec, explained that, after analyzing the malware, they found that the TLS initialization of callback functions was probably altered by a modification of the Visual Studio runtime file.

"Such modifications can be done by someone with access to the machine that compiles the code. This makes the code injection very useful and stealthy. Moreover, this code is executed before any of the original CCleaner code is executed and the executable is automatically signed by the build machine," he added.

But how did the attackers manage to compromise this server and this machine? Avast is still not ready to share.

As a temporary precaution, they migrated the Piriform build environment to the Avast infrastructure, and are in the process of moving the entire Piriform staff onto the Avast internal IT system.

Steckler and Vlcek reiterated that 2.27 million users were affected by the compromise, and that since the compromise was discovered, that number has come down to 730,000 (those still using the affected version).

"These users should upgrade even though they are not at risk as the malware has been disabled on the server side," they advised.

Previously, Cisco had advised compromised users to restore their systems to a state before August 15 or reinstall them, but Steckler and Vlcek disagree.

"About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary," they explained.

Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems.
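A defender-side check that follows from Gorelik's observation about altered TLS callbacks, added here as an example and not taken from the article or from Avast, Morphisec or Piriform: a small PE parser that lists the TLS callbacks a binary registers, so a build pipeline can compare a release executable against the callback set of a known-good build before the build machine signs it. The field offsets follow the PE/COFF format; the sample image is constructed inline and is not a real program.

```python
import struct
TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS: index into the optional header's data directory

def _rva_to_off(sections, rva):  # RVA -> file offset via the section table
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} maps to no section")

def tls_callbacks(pe):
    """Return the VAs of every TLS callback registered in a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte pointers, ImageBase at +28, DataDirectory at +96
        fmt, ptr, base, dd = "<I", 4, struct.unpack_from("<I", pe, opt + 28)[0], opt + 96
    elif magic == 0x20B:  # PE32+: 8-byte pointers, ImageBase at +24, DataDirectory at +112
        fmt, ptr, base, dd = "<Q", 8, struct.unpack_from("<Q", pe, opt + 24)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    tls_rva = struct.unpack_from("<I", pe, dd + 8 * TLS_DIR)[0]
    # AddressOfCallBacks is the 4th pointer-sized field of IMAGE_TLS_DIRECTORY
    cb_va = 0 if not tls_rva else struct.unpack_from(fmt, pe, _rva_to_off(sections, tls_rva) + 3 * ptr)[0]
    if cb_va == 0:
        return []                      # no TLS directory, or no callback array
    off, out = _rva_to_off(sections, cb_va - base), []
    while True:                        # null-terminated array of callback VAs
        va = struct.unpack_from(fmt, pe, off)[0]
        if va == 0:
            return out
        out.append(va)
        off += ptr

def build_sample_pe(callbacks):
    """Constructed minimal PE32 (not a real program) with a TLS directory, for the demo."""
    base, sec_va, sec_raw = 0x400000, 0x1000, 0x200
    opt = (struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", base)).ljust(96, b"\0")
    dirs = [(0, 0)] * TLS_DIR + [(sec_va, 24)] + [(0, 0)] * (15 - TLS_DIR)  # TLS dir at section start
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".rdata\0\0" + struct.pack("<IIII", 0x1000, sec_va, 0x200, sec_raw) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HH", 0x14C, 1) + b"\0" * 12 + struct.pack("<HH", len(opt), 0x102)
    body = struct.pack("<IIIIII", 0, 0, 0, base + sec_va + 0x40, 0, 0).ljust(0x40, b"\0")
    body += b"".join(struct.pack("<I", cb) for cb in callbacks) + b"\0" * 4
    return (hdr + opt + sec).ljust(sec_raw, b"\0") + body.ljust(0x200, b"\0")
```

Run tls_callbacks(open(path, "rb").read()) against a real executable; any callback not present in the reference build's list warrants inspection before the binary is released.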