Avast published earlier today a post-mortem of the CCleaner malware incident, in the hope of clarifying some of the details surrounding an event that many of its users found troubling.
Below is a simplified timeline of events, based on Avast’s recent statement.
July 18 – Avast decides to buy Piriform, the company behind CCleaner.
August 15 – Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.
August 20 and 21 – Morphisec’s security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 – Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.
September 11 – Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company’s engineers.
September 12 – Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 – Cisco notifies Avast of its own findings.
September ?? – In the meantime, Cisco had registered all the domains that the malware would have used in the future to calculate the C&C server IP address.
September 15 – Following a collaboration between Avast and law enforcement, the malware’s C&C server was taken down.
September 15 – Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the Floxif malware.
September 18 – CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
Number of affected users goes down from 2.27 million to 730,000
In an email to Bleeping Computer yesterday, Avast CTO Ondřej Vlček said that telemetry data suggested that over 2.27 million computers were running the two compromised CCleaner versions.
In the updated statement released today, Avast CEO Vince Steckler and CTO Ondřej Vlček say that the number has now gone down to 730,000 as users removed or updated their CCleaner installations.
The company also wanted to stress that the compromise occurred before Avast bought Piriform, and following the incident, Avast migrated Piriform’s build environment onto Avast’s internal IT system.
In addition, the two Avast execs also wanted to make sure that incorrect media coverage did not cause any inconvenience to CCleaner users. The two stressed that customers don’t need to reinstall or roll back machines to a date before August 15. Updating the two affected applications is enough, they said.
“We regret the inconvenience experienced by Piriform’s customers,” Steckler and Vlček added. “To reiterate, we accept responsibility for the breach.”
While removing the infection is easy, victims should still be wary
While Avast is correct in stating that removing the infection is as easy as updating to a new version that replaces the infected CCleaner executable with a non-malicious one, that does not mean that users should not be concerned. As the installed Floxif infection was sending information about your computer and had the ability to download and install other programs, victims should change their passwords and perform security scans on the computer.
I suggest that victims stop using the infected computer and then change their passwords from a computer or cell phone that did not have this version of CCleaner installed on it. This is because it is not known if other malware was installed by the Floxif infection and is currently running that may steal passwords and other information.
Once you have changed your passwords, you should perform scans using an antivirus application, if not multiple applications, to make sure that there are no other infections present on the computer. After this has been finished, and anything that may have been detected has been removed, you can begin using your computer again.
For those who want to be truly safe, the best course of action is always to reinstall Windows. It goes without saying that this is not always feasible, so at a minimum, the suggested actions above should be completed before you use the computer again.
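As an added example (not code from the article, Avast or Piriform), the following script triages a software inventory against the builds named above, so a defender can see which hosts still need the clean-up steps rather than just the update. The CSV inventory format (host,product,version,arch) is an assumed export from an endpoint-management tool, and the rows in it are constructed.

```python
import csv
import io

# Builds the article names as carrying Floxif, and the builds that remove it.
TROJANISED = {
    "CCleaner": (5, 33, 6162),        # the 32-bit build, per the article
    "CCleaner Cloud": (1, 7, 3191),
}
FIXED_FROM = {
    "CCleaner": (5, 34),              # article gives 5.34 without a build number
    "CCleaner Cloud": (1, 7, 3214),
}

# Constructed sample inventory; 5.32.1 and 5.34.1 are placeholder builds.
SAMPLE_INVENTORY = """\
host,product,version,arch
ws-101,CCleaner,5.33.6162,x86
ws-102,CCleaner,5.33.6162,x64
ws-103,CCleaner,5.32.1,x86
ws-104,CCleaner,5.34.1,x86
srv-01,CCleaner Cloud,1.07.3191,x86
srv-02,CCleaner Cloud,1.07.3214,x64
"""


def parse_version(text):
    """'1.07.3191' -> (1, 7, 3191); compares numerically, so 1.07 == 1.7."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(product, version, arch):
    """Return 'affected', 'verify', 'fixed', 'older' or 'unknown' for one host."""
    if product not in TROJANISED:
        return "unknown"
    ver = parse_version(version)
    if ver == TROJANISED[product]:
        # The article names only the 32-bit CCleaner build; a 64-bit install of
        # the same build is flagged for manual verification rather than cleared.
        if product == "CCleaner" and arch != "x86":
            return "verify"
        return "affected"
    fixed = FIXED_FROM[product]
    if ver[: len(fixed)] >= fixed:
        return "fixed"
    return "older"   # predates the fix but is not a build the article names


def triage(inventory_text):
    """Map each host to its status; 'affected' hosts need the full clean-up."""
    rows = csv.DictReader(io.StringIO(inventory_text))
    return {r["host"]: classify(r["product"], r["version"], r["arch"]) for r in rows}
```

Hosts reported as affected should go through the password change and scans described above; hosts on older builds are simply out of date and should be updated.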
Dangers of supply-chain attacks
The incident was a cause of alarm for the IT security industry, as many experts likened it to the M.E.Doc incident, where hackers compromised the software update process of a Ukrainian company and used it to launch the NotPetya ransomware outbreak.
“If that hadn’t been found I believe that would have been a huge, very global incident,” said Kevin Beaumont, a renowned malware researcher, on Twitter. “No attacker goes [through] that much effort for no reason.”
“Supply chain hacks are real, happening and a genuine risk. Vendors need to lock down their build and update systems ASAP,” Beaumont added.
In the meantime, Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, published a series of tweets with helpful information on how companies could secure their software supply chain against similar events.
Oh hi infosec, I see you have all discovered supply-chain attacks, and in particular auto-updaters.
— Scott Arciszewski (@CiPHPerCoder) September 19, 2017
Bleeping Computer also published a simple need-to-know guide on the CCleaner malware incident.