Security researchers say hackers were able to booby-trap a popular tool offered by Czech cybersecurity firm Avast to remotely install a backdoor implant on millions of computers, according to new research by Cisco’s Talos team.
A sabotaged software update mechanism in an outdated version of the file clean-up program CCleaner allowed a hacker to covertly download malicious code onto computers. The backdoor left infected devices open to future attacks and other malware.
The news illustrates how hackers are actively targeting, and in some cases successfully exploiting, vulnerabilities in the supply chains of prominent software vendors.
The latest version of CCleaner was released in mid-September. The affected version, CCleaner 5.33, was only available for download for about one month.
Piriform, a British software firm acquired by Avast in July, originally developed CCleaner. The program is predominantly used on computers running Windows, although there’s also a version for MacOS.
“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” an Avast spokesperson told CyberScoop. “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”
CCleaner has been downloaded more than 2 billion times since it was originally released in 2003. There have been multiple iterations of the tool since then.
While a patch has been offered to fix the problem, several important questions remain, including who was responsible.
Researchers believe an insider was likely involved at some point in the attack, according to Talos senior researcher Craig Williams, because the hacker was able to sign the malware with a legitimate Avast software certificate.
The incident calls into question the “integrity and security” of Piriform’s software development process, Williams explained.
“The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised,” a blog post by Talos reads. “Ideally this certificate should be revoked and untrusted moving forward.”
Law enforcement and a private firm are now working with Avast to investigate the situation.
Internally, the company has not yet determined who may have been responsible for the incident, but it believes the issue originated at Piriform.
“The most likely attack vector was modification of the Piriform build environment,” the spokesperson said.
Avast first learned of the issue on Sept. 12. It does not credit Cisco with finding it.
“Despite some misleading media reports, Cisco was not the source of information about this threat. Suspicious activity was identified on September 12, 2017, and we immediately started an investigation process,” the Avast spokesperson told CyberScoop. “Cisco informed us on September 14, 2017 about this issue. At the request of law enforcement authorities, we asked Cisco to delay publicizing the breach until we were successful in bringing down the server.”
Morphisec, an endpoint security software developer that makes an engine used in Cisco’s own malware detection system, was the firm that originally notified Avast about the supply chain attack.