Cisco UK & Ireland Blog

What happened with CCleanup and why are a vast number of machines now at risk?

September 19, 2017

Cisco’s threat research division, Talos, have identified that a legitimate software package was being distributed with a hidden malicious back door.

How did it happen?

Upon beta testing a new version of Cisco’s AMP for Endpoint solution, Talos identified malicious code within CCleaner – a legitimate software tool.

Further research showed that version 5.33 of CCleaner (released on August 15, 2017), included malicious software that was also installed on that user’s endpoint machine. In other words, a threat actor had found a way to ‘piggy back’ on the distribution legitimate software. So, when a user downloaded the August update, they also downloaded malicious software onto their machines.

How potentially large is the attack?

It is reported that 2.27 million users downloaded the malicious update. Upon discovering the back door, Talos immediately contacted the vendor so that they could respond appropriately.

An updated version of CCleaner has been released that affected users should install to replace the malicious version.

We do not yet know the motivation behind the attack, or even if the malicious code was used to issue instructions or download further malware. Nevertheless, it should be assumed that affected machines have been compromised. Talos are advising that affected systems should be restored to a state before August 15, 2017 or reinstalled.

Finally, with the increase of ‘Bring Your Own Device’ (BYOD), this compromised software may introduced into a corporate network without the knowledge of security managers. This is why it is so important to insist on strong malware protection, such as AMP, on devices connected to a corporate network, and to use the network as a sensor to identify malicious command and control traffic.

Why is this attack so significant?

The Nyetya (NotPetya) malware attack earlier this summer involved the compromise of a vendor of legitimate accountancy software which was used to distribute malware.

These two attacks represent a potential shift in the threat environment. Long held cybersecurity advice insists users “not to click on that link in that email” or “don’t open that attachment”. That advice is still relevant for the vast majority of attacks, but it doesn’t provide protection against supply chain attacks such as these.

By compromising legitimate software, this may well ‘inspire’ more of the bad guys to adopt this type of technique. As defenders, we must be aware of this fact, and be vigilant.

As Talos’ Craig Williams put it, “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”

What can software companies do to prevent the bad guys piggybacking their software?

It’s crucial that any company who distributes software is paranoid about their code base, and protects against unauthorised code being introduced into their products, or distributed along with it.

Your defence must be multi-layered, in order to keep threats away from end users. And you must have a strong process in place that alerts you as soon as a compromise is attempted.

Cisco Stealthwatch and Advanced Threat Analytics can help to detect malicious software, and the novel communications between the malware and its command and control centre.

Additionally, it’s important to know where the malware is so that you can take action. Cisco Advanced Malware Protection is designed to do this.

For a detailed analysis of how this threat was found and some more advice, please see our in depth response by Cisco Talos.


Leave a comment