Hackers Infected CCleaner With Malware. Are You At Risk?

It seems like no software application is safe from hackers

Information security professionals around the world have been telling us the same thing for years.

Most of their warnings come down to one rule: do not trust random "things" on the internet.

In other words, do not click web links from untrusted sources, and do not open attachments from senders you do not know.

Common sense also says to install only reputable applications from trusted sources, whether that is the vendor's own website or an official app store.

That advice remains the best chance users have to protect themselves against most attackers.

Attackers, however, are a clever bunch, and they regularly surprise security experts with their plans.

Recent reports show that they have evolved their methods again: they are no longer content to target the end user directly.

Recent attacks suggest they have shifted their focus further up the software supply chain.

What does that mean?

It means they now try to sneak malware directly into the downloads and updates that users fetch from trusted vendors.

The user does not need to be tricked into anything; the malicious code arrives inside software they already trust and would install anyway.

On Monday, September 18, 2017, Cisco's Talos security research division revealed in a report that attackers had compromised CCleaner, the ubiquitous free PC cleanup tool.

More worrying is that the tainted build (32-bit CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191) had been served from the vendor's own download servers for about a month, from mid-August until the discovery in mid-September.

Some say the compromise had gone on even longer.

What did the attackers do?

They inserted a backdoor directly into the installer and update package for the popular application.

That single change landed their malware on millions of computers around the world.

What Does The Attack Mean For Trusted Applications?

Security researchers now have confirmation that attackers are targeting more than just end users.

One cannot say much about other trusted applications, but one thing is certain:

This attack seriously dents the reputation that Avast, which now owns CCleaner's developer Piriform, had built over many years.

Some critics go further and say Avast betrayed the consumer trust it had worked so hard to earn.

The attack also sends a troubling message to software firms well beyond the security industry.

We now know that attackers can lace legitimate programs with malware, and that they are capable of doing it to software distributed by a security company.

That is the most troubling part.

How are security firms going to protect end users if they cannot ensure the integrity of their own products?

And it gets worse.

The frequency of such attacks has only increased in the past several months.

By our count, supply chain attacks have compromised widely used software in three separate incidents in just the last three months.

How do attackers exploit the digital supply chain so effectively?

Security vendors now have to answer that question, and a harder one: how did infected code get into a security firm's own product and hide there?

The attackers did not just modify the application. They planted their code inside the company's own installation and update system, hijacking the trusted channels that customers rely on in order to spread malware-ridden code in a stealthy manner.

Craig Williams, who heads outreach for the Cisco Talos team, told reporters that the company had noticed a concerning trend in recent supply chain attacks.

He said attackers had realized that if they could find soft targets (companies without mature security practices), they could hijack that company's huge customer base with ease and use it as their own malware install base.

He added that the more attackers see this approach work, the more they will use it.

Avast Response Anyone?

Hackers are constantly finding out new ways to attack popular apps and services

According to Avast, about 2.27 million users downloaded the tainted version of CCleaner.

That figure covers only the downloads between the first sabotage of CCleaner in August and the discovery last week.

So who found out that CCleaner had been compromised, and how?

We should thank Cisco for that: a beta version of a new Cisco detection tool flagged the rogue installer's suspicious behavior on a customer's network.

We also now know that Morphisec, an Israeli security firm, had spotted the malicious code at its own customers in mid-August and alerted Avast before the Talos report went public.

The Thing About Avast

To protect the integrity of its products, Avast cryptographically signs CCleaner's installation and update packages.

A valid signature can only be produced with the vendor's private signing key, so as long as that key stays secret, no outsider can forge a download that passes the signature check.

Yet media reports clearly say the attackers infiltrated the company's software development and/or distribution process.

The only apparent explanation is that the attackers inserted their code before Avast signed the build.

That gave them a significant advantage: a signature only proves that the vendor signed those exact bytes, not that the vendor meant to ship them.

In other words, Avast unknowingly put its own stamp of approval on the attackers' code, and then pushed the signed, infected package out to its customers.
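To make that distinction concrete, the following Go program is an added example written for this article; it is not code from Avast, Piriform or Cisco, and it models the signing flow with Ed25519 keys and constructed sample bytes rather than the real Authenticode certificate. It runs the same release through three deliveries: clean, tampered after signing, and tampered before signing. Only the last case is accepted by a signature-only check, which is the CCleaner situation. Comparing the shipped file against the hash of an independent rebuild from the same source (the hypothetical `verifyRelease` check here, standing in for a reproducible-build comparison) is what catches it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Release models what a vendor ships: installer bytes plus a signature
// made with the vendor's private key. Illustrative stand-in only, not
// Piriform's or Avast's real Authenticode process.
type Release struct {
	Installer []byte
	Signature []byte
}

// Outcome records what two different customer-side checks conclude.
type Outcome struct {
	SignatureOK        bool // "signed by the vendor's key" and nothing more
	SignatureAndHashOK bool // signature plus hash of an independent rebuild
}

// buildInstaller stands in for the vendor's build step. Input and output
// are constructed sample bytes, not a real installer.
func buildInstaller(source []byte) []byte {
	return append([]byte("INSTALLER:"), source...)
}

// implant appends a marker standing in for the attacker's backdoor.
func implant(installer []byte) []byte {
	out := append([]byte{}, installer...)
	return append(out, []byte(";BACKDOOR")...)
}

// signRelease is the vendor's signing step. It trusts whatever bytes the
// build pipeline hands it, which is exactly the gap a pre-signing
// compromise exploits.
func signRelease(priv ed25519.PrivateKey, installer []byte) Release {
	return Release{Installer: installer, Signature: ed25519.Sign(priv, installer)}
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// verifySignature is what a customer's machine normally checks: was this
// exact file signed by the vendor's key? A "yes" proves the vendor signed
// these bytes, not that the vendor meant to ship them.
func verifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Installer, r.Signature)
}

// verifyRelease adds the check that can catch a pre-signing compromise:
// the shipped file must also match the hash of an independent rebuild
// from the same source (a reproducible-build comparison).
func verifyRelease(pub ed25519.PublicKey, r Release, expectedSHA256 string) bool {
	return verifySignature(pub, r) && sha256Hex(r.Installer) == expectedSHA256
}

func check(pub ed25519.PublicKey, r Release, expected string) Outcome {
	return Outcome{
		SignatureOK:        verifySignature(pub, r),
		SignatureAndHashOK: verifyRelease(pub, r, expected),
	}
}

// runScenarios exercises three deliveries of the same release: clean,
// tampered after signing (on a mirror or in transit), and tampered before
// signing (inside the vendor's own build pipeline).
func runScenarios() (clean, tamperedAfter, tamperedBefore Outcome, err error) {
	pub, priv, keyErr := ed25519.GenerateKey(rand.Reader)
	if keyErr != nil {
		return clean, tamperedAfter, tamperedBefore, keyErr
	}
	source := []byte("sample-source-v5.33") // constructed sample input
	// Hash of an independent, trusted rebuild of the same source.
	expected := sha256Hex(buildInstaller(source))

	// 1. Honest pipeline: build, sign, ship.
	clean = check(pub, signRelease(priv, buildInstaller(source)), expected)

	// 2. Attacker modifies the file after the vendor signed it.
	r := signRelease(priv, buildInstaller(source))
	r.Installer = implant(r.Installer)
	tamperedAfter = check(pub, r, expected)

	// 3. Attacker modifies the build output before signing, so the
	//    vendor's key signs the backdoor along with the product.
	tamperedBefore = check(pub, signRelease(priv, implant(buildInstaller(source))), expected)
	return clean, tamperedAfter, tamperedBefore, nil
}

func main() {
	clean, after, before, err := runScenarios()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("clean:           %+v\n", clean)
	fmt.Printf("tampered after:  %+v\n", after)
	fmt.Printf("tampered before: %+v\n", before)
}
```

The `expected` hash stands in for what a reproducible build or a second, independent build machine would produce. A vendor whose pipeline cannot produce that value independently leaves its customers with nothing to compare against beyond the vendor's own signature, which is precisely the guarantee that a pre-signing compromise hollows out.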

More Online Attacks

As mentioned before, Avast is not the first firm that attackers have hurt this way.

In fact, this attack came about two months after cybercriminals abused a very similar supply chain weakness to deliver a massive cyber attack: the outbreak of the destructive malware known as NotPetya.

In that attack, the initial victims were companies and other organizations in Ukraine.

Once the malicious code was loose, it did not stop at Ukraine's borders; it spread to organizations in the US and across Europe as well.

NotPetya, of course, worked a bit differently from the code hidden in CCleaner.

It posed as ransomware, but security experts concluded that it did not behave like ransomware at all; it acted as a data-wiping disruption tool.

Like the CCleaner attack, NotPetya took over the update mechanism of a relatively obscure piece of software, the MeDoc accounting package, which nonetheless had a large customer base in Ukraine.

The attackers used MeDoc's update mechanism as the initial infection point and then spread through corporate networks from there.

Media reports say NotPetya paralyzed critical operations at hundreds of companies in Ukraine and beyond, including banks and power companies.

It also hit Maersk, the Danish shipping conglomerate, and Merck, the US pharmaceutical giant.

After A Month We Witnessed Another Attack

Regardless of whom hackers attack, the end user has to bear the brunt of all malicious code

Just a month after the NotPetya attack came another potent supply chain attack.

Researchers at Kaspersky, a Russian security firm, discovered it and named the backdoor ShadowPad.

This time the attackers had smuggled a backdoor capable of downloading further malware into hundreds of banks and companies in the energy and pharmaceutical industries.

They achieved that through corrupted software distribution.

So the logical question becomes: whose distribution was it this time?

Reports say the compromised software came from NetSarang, a South Korea-based vendor with a good reputation for its network and enterprise server management tools.

Igor Soumenkov, a Kaspersky analyst, said at the time that ShadowPad was a perfect example of how wide-scale and dangerous a properly executed supply chain attack could be.

He added that the attackers now had ample opportunity to reach even further and collect even more data, and that with that data they would most likely try to repeat the attack.

He predicted they would target other big-name, widely used software or components as well.

Perhaps this is a good time to mention that Kaspersky is busy dealing with software trust issues of its own.

US government agencies can no longer use Kaspersky products, because the Department of Homeland Security has banned them.

Moreover, Best Buy, the US retail giant, pulled Kaspersky security software from its shelves a while ago.

Why would Best Buy do that?

Reports at the time said the retailer had concerns that the Russian government could abuse Kaspersky's software against the customers who used it.

Supply Chain Attacks And Why Hackers Like To Launch Them

Supply chain attacks are nothing new; attackers have used them for years.

As indicated earlier, though, the last couple of months have seen a clear uptick in reported incidents.

That is the view of Jake Williams, a researcher and consultant at the security firm Rendition Infosec.

Williams told reporters that today's software relies heavily on open source and other widely distributed components, and that those components have vulnerable distribution points.

Those weak points, he said, have become the new low-hanging fruit for attackers.

Williams also argued that attackers have moved up the software supply chain for a reason: defenders have improved the security of their customers considerably, pushing attackers to look for another way in.

Many of the easy, straightforward routes to infection have been cut off. Firewalls have become near-universal, bugs in software such as PDF readers and Microsoft Office are no longer the easy wins they once were, and vendors patch their products far more frequently than before.

Not every vendor does, of course, but the majority now ship security patches regularly, which makes it harder for attackers to get their way.

Williams added that, generally speaking, people have learned more about security and improved their online habits.

So attackers had to find a way around all of those defences.

Enter software supply chain attacks.

According to Williams, these attacks slip past basic security checks and antivirus software because the malicious code arrives inside a trusted package from the vendor; sometimes, as alluded to before, the patching process itself is the attack vector.

Hackers Moving Up The Supply Chain

Security researchers have also noticed attackers moving even further up the chain.

They are not just attacking software companies instead of consumers; they are attacking the development tools used by programmers inside those companies.

In September 2015, attackers distributed a malicious version of Xcode, Apple's developer tool, on download sites that Chinese developers frequented.

The tampered toolchain, known as XcodeGhost, injected malicious code into more than 35 iOS apps, and several of those apps passed Apple's App Store review.

The result was the biggest iOS malware outbreak in years.

Last week, attackers used a similar idea against Python developers: they uploaded malicious packages to PyPI, the Python Package Index, under names that mimic legitimate libraries (typosquatting), hoping developers would install them by mistake.

Slovakia's national security authority, which reported the packages, issued an advisory to developers so they could check their systems and contain the damage.

How Will Software Developers And Firms Respond?

That is entirely up to them.

Ultimately, though, software companies have to secure their own build and distribution pipelines before they can protect users from the growing trend of supply chain attacks.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.