On Monday Piriform announced that their popular utility, CCleaner, had been hacked and that 2.27 million users had downloaded and installed a compromised version of their software. Those users may have been running malware-tainted software for up to a month. This raises some important questions. If our trusted software can no longer be trusted, how can an organization protect itself? Is the use of malware detection software no longer viable?
CCleaner is a free multi-platform program (Windows, Android, Mac OS) used by up to 130 million people worldwide. The software cleans up computers by deleting temporary internet files, cookies and obsolete files from a device. In addition, it includes tools to reconfigure startup procedures and, in the update in question, a remote access tool.
A backdoor gave hackers access to 2.27 million devices
The downloads affected were those released on August 15th and August 24th for Piriform’s CCleaner and CCleaner Cloud. These copies of the software included malicious code inserting a backdoor through which further code could be downloaded from a remote server and run on the infected computer, without user consent. The incident potentially enabled unauthorized access to some 2.27 million devices. Piriform have posted an in-depth description of the specifics of the malware on their website.
The company indicated that 3% of its users downloaded the affected software, and suggests that all users of CCleaner visit this link and download the latest, clean version. The software does not update automatically, and Piriform recommends a clean install following a virus scan.
Piriform was bought by cybersecurity firm Avast Software in July 2017. Its CCleaner program has been around since 2003 and has long been considered a must-have by many users, who have trusted it to clean up their devices quickly and reliably. It is this familiarity, and the breach of that trust, which is so disturbing.
Avast alerted to security breach by third parties
Cybersecurity specialists Morphisec and Cisco’s Talos digital security team discovered the malicious code last week and immediately informed Avast. The download in question featured relatively new tools for remote administration, and it appears the malicious code, once activated, would have instructed the host device to contact the hacker’s servers for further instructions and/or downloads. Avast reported that they have isolated the hacker’s servers with the assistance of law enforcement agencies.
Upon uncovering the malicious code on September 12th, Piriform released a clean version of CCleaner the same day, with CCleaner Cloud following on September 15th. However, users of the software may have been vulnerable for up to a month.
The intentions of those who hacked CCleaner’s code are unclear, and it seems the code was detected and deleted before it was used. Piriform’s parent company Avast is facing criticism, however: nothing appeared on its Twitter feed for twelve hours and there were no announcements on its website. In addition, it failed to credit the third parties who uncovered the compromised software and alerted the company to it.
Latest in a series of supply chain attacks
The hack is the latest in a series of ‘supply chain’ attacks and highlights the evolution of cybercrime. Whereas hackers previously targeted individual users, they are now increasingly targeting systems further up the supply chain and using software vendors’ distribution infrastructure to spread malware.
The ‘Petya’ ransomware attack earlier in the year involved malicious code distributed via a software update for M.E.Doc, a popular tax software in Ukraine. In August, Kaspersky Labs uncovered malware which created a backdoor into enterprise management tools distributed by South Korean firm NetSarang. The backdoor was closed before it was used, which is fortunate since hundreds of companies worldwide, including banks and energy providers, use the software.
The problem for users and the industry alike is that malware has been placed inside a legitimate and very popular software program, in this case one belonging to one of the world’s foremost cybersecurity firms. If the hackers can find a soft spot in security, they insert the malicious code and then wait for the updates containing it to be rolled out to users. And since CCleaner is a trusted application, no amount of scanning for malware and viruses would have detected it. This approach circumvents any malware detection mechanisms on the end users’ devices.
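To make the point concrete, the following added example (not code from the article, Piriform or Avast) models the standard download check a user or IT department performs: compare the installer’s SHA-256 against a vendor-signed manifest. The product name, installer bytes and signing key are constructed stand-ins, and an HMAC over the manifest stands in for the vendor’s code-signing signature. The three scenarios show why the check catches tampering in transit but passes a build that was poisoned before signing, which is exactly the situation described above.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: an imaginary product, an imaginary vendor signing key and
# fake installer bytes. None of these are Piriform's real artifacts, keys or hashes.
VENDOR_SIGNING_KEY = b"constructed-example-vendor-key"
CLEAN_INSTALLER = b"EXAMPLE-INSTALLER v5.33 clean build"
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b" + injected loader that fetches code from a remote server"


def build_release(installer: bytes, version: str, signing_key: bytes) -> dict:
    """Model of a vendor build pipeline: hash the artifact, then sign the manifest.
    An HMAC over the manifest stands in for the vendor's code-signing signature
    (an assumption made for this example, not Piriform's real release process)."""
    unsigned = {"product": "ExampleCleaner", "version": version,
                "sha256": hashlib.sha256(installer).hexdigest()}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    manifest = dict(unsigned)
    manifest["signature"] = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return manifest


def verify_download(installer: bytes, manifest: dict, signing_key: bytes) -> bool:
    """Client-side check: was the manifest produced with the vendor's key, and does
    the downloaded installer match the hash the vendor signed?"""
    unsigned = {k: v for k, v in manifest.items() if k != "signature"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False  # manifest was not produced with the vendor's key
    actual = hashlib.sha256(installer).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def scenarios() -> dict:
    """Three ways a download can reach a user; returns what the check reports."""
    clean_manifest = build_release(CLEAN_INSTALLER, "5.33", VENDOR_SIGNING_KEY)
    return {
        # 1. Genuine release, untouched in transit: the check passes.
        "clean_release": verify_download(CLEAN_INSTALLER, clean_manifest, VENDOR_SIGNING_KEY),
        # 2. Artifact swapped on a mirror or in transit, vendor manifest unchanged:
        #    the hash no longer matches, so the check rejects it.
        "tampered_in_transit": verify_download(TROJANIZED_INSTALLER, clean_manifest, VENDOR_SIGNING_KEY),
        # 3. Build environment compromised: the pipeline itself hashes and signs the
        #    trojanized artifact, so the check passes and the user learns nothing.
        "compromised_build": verify_download(
            TROJANIZED_INSTALLER,
            build_release(TROJANIZED_INSTALLER, "5.33", VENDOR_SIGNING_KEY),
            VENDOR_SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The third scenario is the lesson of the CCleaner incident: hash and signature checks answer "did this come from the vendor unchanged?", not "is what the vendor built clean?". Once the build machine is compromised, the vendor’s own release process vouches for the tainted artifact.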
A confusion of trust
For years, avoiding malware was relatively straightforward: use the latest malware detection software, don’t click on dodgy links on the web, and don’t open file attachments from unknown email senders. Time and time again we hear the mantra: “Don’t download from an untrusted sender. Only install applications from a trusted source.”
Talos researcher Craig Williams said, “The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner”. So, the hackers are targeting the trusted sources. We are now firmly in new territory, a place where we cannot trust those trying to protect us.
The confusion of trust is perhaps most effectively highlighted by the US Government’s contentious ban on the use of the aforementioned Kaspersky Labs cybersecurity software on its government computer networks. This is over concern that Russian-owned Kaspersky is in collusion with the Kremlin and conducts espionage. From a cursory perspective, this would seem a classic case of shooting the messenger.
Itsik Mantin, the Director of Security Research at Imperva, disagrees, however: “Like anyone that got the scary pop-up – YOU GOT 23 VIRUSES!! PRESS THIS LINK TO GET PROTECTED! – using fear from malware as a means to distribute malware is common practice for attackers, and thus infecting anti-virus software with a malicious backdoor is less surprising than one would expect.”
Mantin cast doubt on the software industry’s ability to detect and delete malicious code running on its systems: “According to what was published, the CCleaner version was ‘illegally modified’ before being released to the public. Regardless of whether this modification was made by a hacker that gained control over the download server, or over an endpoint that had access to this server, and regardless of whether the attacker came from outside or from within, history teaches us that modern attackers tend to remain stealthy and keep their foothold in the organization for as long as possible, despite the calming sounds coming from Piriform and Avast that the event is over.”
How should enterprises be protecting themselves?
The series of supply-chain hacking incidents of the last year suggests that the companies to which we entrust the detection and combating of cybercrime are just not properly informed, or are not taking security and malware detection seriously enough.
This extends beyond the software industry. The recent leaking of 143 million customer details by Equifax, a leading credit agency and a company selling identity protection services, underlines the issue (indeed Equifax reportedly used the password ‘Admin’ on an Argentinian web portal).
When asked how they were securing their software development from future threats, Piriform stated, “We are making sure the problem doesn’t happen again by moving the entire Piriform product build environment to a more robust, secure infrastructure provided by Avast.”
Enterprises need to go beyond basic malware detection solutions and do more to protect themselves. Mantin recommends: “There are several basic practices that should be used in order to validate downloaded software, especially its origin. However, when the infection resides in the supply chain as was the case in the Avast hack, there’s not much the organization can do to prevent the infection. This is another biting example that although the protection on the perimeter keeps most of the threats outside the enterprise network, some of the attackers will find their way in, either through a careless user that is lured into opening a malicious attachment, or by downloading infected software from more or less legitimate sources. This means that security controls should also be placed inside the network to track the activity of users, specifically their access to business sensitive data in files, databases and applications.”
Advanced malware detection may not help
While there have been rapid advances in malware detection, today’s products are only part of the solution. Mantin explains, “Various anti-virus approaches, signature-based, heuristics-based (sometimes referred to as behavioral) or sandboxing – all have their pros and cons, and more importantly, all have their blind spots. Signature-based detection is backward looking by nature, heuristic methods are prone to false positives and false negatives, and sandbox methods are, in many cases, defeated by anti-virtualization/anti-sandbox technology. While combining these methods improves the threat detection rate, this does not change the overall picture, that some threats will cross the perimeter, infect endpoints and crawl their way into the data systems.”
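Mantin’s two points above, that controls belong inside the network and that signature-based scanning cannot see a trusted, signed binary, suggest what such an inside-the-network control looks like. The added example below (not code from the article or any vendor quoted in it) runs a behavioral rule over constructed endpoint telemetry: a baselined utility contacting destinations outside its expected set is flagged, and destinations shared across several hosts are surfaced as a fleet-wide pattern. The process name, hostnames, destinations and baseline are all assumed values using reserved example and test domains; none is a real indicator from the CCleaner incident.

```python
from collections import defaultdict

# Constructed telemetry, modelled on an EDR or proxy log: process name, whether the
# binary carried a valid vendor signature, and each outbound destination. Hostnames
# and destinations are assumed values; nothing here is a real CCleaner indicator.
CONSTRUCTED_EVENTS = [
    {"host": "ws-017", "process": "examplecleaner.exe", "signed": True, "dest": "update.examplecleaner.example", "port": 443},
    {"host": "ws-017", "process": "examplecleaner.exe", "signed": True, "dest": "203.0.113.44", "port": 443},
    {"host": "ws-042", "process": "examplecleaner.exe", "signed": True, "dest": "update.examplecleaner.example", "port": 443},
    {"host": "ws-042", "process": "examplecleaner.exe", "signed": True, "dest": "cdn.examplecleaner.example", "port": 443},
    {"host": "ws-042", "process": "examplecleaner.exe", "signed": True, "dest": "stage.invalid", "port": 8080},
    {"host": "ws-042", "process": "examplecleaner.exe", "signed": True, "dest": "203.0.113.44", "port": 443},
    {"host": "ws-101", "process": "browser.exe", "signed": True, "dest": "203.0.113.44", "port": 443},
]

# Per-process baseline: destinations a given utility is expected to talk to, built
# from the vendor's documentation and observed normal traffic (assumed values).
EXPECTED_DESTINATIONS = {
    "examplecleaner.exe": {"update.examplecleaner.example", "cdn.examplecleaner.example"},
}


def unexpected_connections(events, baseline):
    """Flag outbound connections by a baselined process to destinations outside its
    baseline. The 'signed' field is deliberately ignored: the compromised CCleaner
    build was a legitimately signed binary, so a valid signature must not suppress
    the alert."""
    alerts = []
    for ev in events:
        allowed = baseline.get(ev["process"])
        if allowed is None:
            continue  # process not baselined; out of scope for this rule
        if ev["dest"] not in allowed:
            alerts.append({"host": ev["host"], "process": ev["process"],
                           "dest": ev["dest"], "port": ev["port"]})
    return alerts


def shared_destinations(alerts, min_hosts=2):
    """Destinations that several hosts contacted through the same flagged process.
    A fleet-wide pattern points to a poisoned update rather than one user's mistake."""
    hosts_by_dest = defaultdict(set)
    for a in alerts:
        hosts_by_dest[a["dest"]].add(a["host"])
    return {d: sorted(h) for d, h in hosts_by_dest.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = unexpected_connections(CONSTRUCTED_EVENTS, EXPECTED_DESTINATIONS)
    for a in found:
        print(f"ALERT {a['host']}: {a['process']} -> {a['dest']}:{a['port']}")
    for dest, hosts in shared_destinations(found).items():
        print(f"SHARED {dest} contacted from {len(hosts)} hosts: {', '.join(hosts)}")
```

The rule produces three alerts on the constructed data, two of which point at the same unexpected address from two different workstations. That is the shape of evidence a defender gets from inside the network when the perimeter and the endpoint scanner have both already passed the binary: not a malware signature, but a trusted program behaving in a way its baseline says it should not.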
Mantin further suggests that a new attitude is required by company executives responsible for security, “As seen recently when the cyber expert of a known cyber vendor got hacked, this is yet another example that no organization is immune to infection, and every CISO must assume that the attacker has a foothold in his organization and is crawling around looking for ways to spread and steal data.”
All of which indicates that the best defense is for enterprises to adopt a perpetual state of paranoia within their operations, and to co-operate and share information on malware detection. This state of mind would prompt them to adopt more secure checks and balances, which would go a long way towards closing off the weak points hackers target to get their code installed inside organizations. For the moment at least, it is the users who will have to shoulder the burden of paranoia and keep themselves informed on the latest threats.
Increasingly, the companies offering solutions to protect users are the new battleground for those of malicious intent. As these enterprises grapple with the rise of supply chain attacks, and until they catch up, users are left wandering a murky world, wondering whether they can indeed trust the ‘Trusted Source’.