CCleaner, one of the most popular system tools on Windows, was confirmed to be compromised early this month, resulting in up to 3% of CCleaner’s users, roughly around 2 million, are/were using two compromised versions of CCleaner on their Windows computers. If you are using CCleaner to help you keep your system clean, here is what you need to know, according to the CCleaner’s official blog post and Cisco Talos post.
Two things first,
- Only Windows 32-bit edition is affected.
- Two versions released between August 15 and September 12, 2017, are affected. They are:
- CCleaner 5.33.6162
- CCleaner Cloud 1.07.3191
If you are running a version later than these two or running the same version but on a 64-bit of Windows, you are safe.
What can these hacked versions do?
The compromised version will collect the following information about the local system and encrypt them before sending off to a remote IP address or a different location if the IP address becomes unavailable.
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
It also reads a reply from the same IP address and downloads a second stage payload from that address, further encrypted by the same algorithm as in the first stage. However, CCleaner stats that they have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
What to do if I am using CCleaner?
Here are steps you need to take:
- Check the version of CCleaner on your computer.
- If it’s older than 5.33.6162 or Cloud 1.07.3191, you are safe. It’s time to update to the latest version.
- If it’s the newer or the same version of infected one,
- Update to the latest version if you want to continue using the tool, and
- Run a manual scan of your AV and make sure your system is clean.
- Check the following registry and delete it if you find it existed in your system.
What really happened?
The attack is called Supply Chain Attack that is a very effective way to distribute malicious software into target organization, using the trust relationship between a manufacturer or supplier and a customer.
In short, hackers were able to hack their way to the CCleaner’s site and inject the malicious code into two versions of CCleaner, 5.33.6162 of CCleaner and 1.07.3191 version of CCleaner Cloud. Luckily, both CCleaner and Cisco were able to quickly detect the suspicious downloading activities and stop them from being widely distributed.
As to why and how the hackers made their way in, it’s still under investigation.