Hackers infiltrate free PC cleaning software
Even if you’re cautious, it’s still possible for hackers to infiltrate your computer.
The latest security breach targeted British software firm Piriform, known for its free software CCleaner. Hackers compromised CCleaner in a sophisticated attack that affected over 2 million computers, security researchers and Piriform confirmed Monday.
CCleaner deletes unneeded files and web browser caches to keep Windows computers free of junk. But hackers were able to successfully place malware into a new version, released in August. This allowed them to control infected computers.
Piriform said in a blog post its parent company Avast discovered the hack affected two products — CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 — on September 12. The firm has since updated the software.
The company said it worked with law enforcement to shut down the hacker’s server “before any known harm was done.” The breach could let hackers collect computer names, IP addresses, and lists of what software people use, but no sensitive data was collected, it added.
Researchers from security firm Cisco Talos, which detected the hack, call it a “supply chain attack.” Attackers got into the original computer system where the software was built, and those who downloaded would have no way of knowing their computer was compromised
Research indicated the hacker was collecting information, like reconnaissance, about infected computers, according to Talos researcher Craig Williams.
In July, Avast acquired Piriform and said about 130 million people use CCleaner.
“The malware works like a loader,” Williams said. “The bad guy could take any kind of malware he wanted, like ransomware, and push that down to end users.”
The strategy is similar to the major global NotPetya attack in June that targeted Ukrainian tax software, Williams added. Hackers infected trusted software and people downloaded it without realizing it contained malware.
According to research released late Wednesday, Avast found that hackers sent a “second stage payload” — or malware — in addition to what they sent already, to at least 20 machines in eight businesses. Avast CEO Vince Steckler said the second-stage attack targeted telecommunications firms, though did not release the company names.
Cisco Talos also discovered the additional hacking attempts and published a list of companies potentially affected.
“There seems to be no targeting to consumers whatsoever,” Steckler told CNN Tech. “It’s trying to get stuff into businesses through a backdoor.”
In a blog post, Avast explains that many more machines were likely affected.
“[G]iven that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds.”
Piriform advises Windows users to check if they are running compromised versions, delete the app, and install the new safe version.