After Cisco Talos researchers determined that Avast’s CCleaner software was distributed with multi-stage malware between August 15 and September 12, 2017, 27 percent of IT pros surveyed by Spiceworks say they’ll continue to use the software anyway.
An online poll of more than 800 IT professionals found that 27 percent said they’ll continue using CCleaner, and another 32 percent said they haven’t decided yet.
Just 14 percent said they’ll stop using CCleaner in response to the news, and another 27 percent didn’t use the software to begin with.
One survey respondent wrote, “Things happen… That’s why we prepare ahead. I don’t question ‘if’ something I use is going to be hacked but ‘when.’ When it does happen, I look at the response of the company and how they handled the situation. That is how I determine if I’ll use it or not in the future.”
The Malware Threat
In a blog post, Paul Yung, vice president of products at Avast subsidiary Piriform, explained, “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”
Still, Yung claimed that “the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version.”
The Cisco Talos researchers noted, however, that the version containing the malicious payload was signed using a valid code-signing certificate issued to Piriform by Symantec, so a routine signature check would not have flagged it. “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised,” the researchers wrote.
“When generating a new cert, care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate,” the researchers added. “Only the incident response process can provide details regarding the scope of this issue and how to best address it.”
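Because the trojanized build carried a valid Piriform signature, a responder hunting for it cannot let "signature verifies" clear a file; the decision has to rest on the build version named in the advisory and on hashes pinned out of band. The Python triage script below is an added example, not code from Avast, Piriform or Talos. It walks a directory, pulls the FileVersion string out of each PE file's version resource with a heuristic scan (no full PE parser), flags the 5.33.6162 build the article names, and marks anything whose SHA-256 is not on a caller-supplied allowlist as unverified. The signature state is taken from an optional external check (a wrapper around signtool or Get-AuthenticodeSignature is assumed; nothing here verifies Authenticode) and is recorded but never used to accept a file. The sample binaries, the "5.34.0" clean version number and the allowlist are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Build Piriform identified as trojanized (from the advisory quoted above);
# a responder would maintain this list from vendor advisories.
TROJANIZED_VERSIONS = {"5.33.6162"}

# 'FileVersion' key of a VS_VERSIONINFO StringTable entry, stored in PE
# files as a NUL-terminated UTF-16LE string.
_FILE_VERSION_KEY = "FileVersion".encode("utf-16-le") + b"\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_version_strings(data: bytes) -> list:
    """Return every FileVersion value found in a PE image.

    Heuristic resource scan: in a version resource the value follows the
    key, padded to a 4-byte boundary, and is itself NUL-terminated UTF-16LE.
    """
    values = []
    pos = data.find(_FILE_VERSION_KEY)
    while pos != -1:
        start = pos + len(_FILE_VERSION_KEY)
        start += (-start) % 4                      # DWORD alignment of Value
        end = start
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        values.append(data[start:end].decode("utf-16-le", errors="replace"))
        pos = data.find(_FILE_VERSION_KEY, pos + 1)
    return values


@dataclass
class Verdict:
    path: str
    sha256: str
    versions: list
    signed: bool
    status: str   # "trojanized", "ok" or "unverified"


def assess(path: str, data: bytes, signed: bool, allowed_sha256: set) -> Verdict:
    """Decide what to do with one binary.

    `signed` is recorded but never used to clear a file: the CCleaner backdoor
    shipped under a valid Piriform certificate, so only a known-bad version or
    a hash pinned out of band (vendor advisory, your own golden image) counts.
    """
    digest = sha256_hex(data)
    versions = file_version_strings(data)
    if any(v in TROJANIZED_VERSIONS for v in versions):
        status = "trojanized"        # replace the build, signed or not
    elif digest in allowed_sha256:
        status = "ok"
    else:
        status = "unverified"        # a valid signature alone is not enough
    return Verdict(path, digest, versions, signed, status)


def scan_directory(root: str, allowed_sha256: set, signature_check=None) -> list:
    """Assess every PE file (MZ header) under root.

    signature_check is an optional callable path -> bool supplied by the
    caller (assumed to wrap external tooling such as signtool or
    Get-AuthenticodeSignature; this script does not verify Authenticode).
    """
    verdicts = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not data.startswith(b"MZ"):
                continue
            signed = bool(signature_check(path)) if signature_check else False
            verdicts.append(assess(path, data, signed, allowed_sha256))
    return verdicts


def build_sample(version: str, filler: bytes) -> bytes:
    """Constructed stand-in for a PE file (test data, not a real binary):
    an MZ header, filler, then a String entry laid out as a version resource
    would store it."""
    body = b"MZ" + filler + _FILE_VERSION_KEY
    body += b"\x00" * ((-len(body)) % 4)
    return body + version.encode("utf-16-le") + b"\x00\x00"


def demo_scan() -> dict:
    """Write constructed samples to a temp directory and scan them, treating
    every file as validly signed to mirror the CCleaner case. "5.34.0" is a
    placeholder clean version, not one taken from the advisory."""
    clean = build_sample("5.34.0", b"\x90" * 40)
    bad = build_sample("5.33.6162", b"\xcc" * 40)
    allowed = {sha256_hex(clean)}                   # pinned out of band
    with tempfile.TemporaryDirectory() as root:
        samples = (("ccleaner_ok.exe", clean), ("ccleaner_bad.exe", bad), ("readme.txt", b"not a PE"))
        for name, blob in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(v.path): v.status
                for v in scan_directory(root, allowed, signature_check=lambda p: True)}


if __name__ == "__main__":
    for name, status in demo_scan().items():
        print(f"{name}: {status}")
```

Both constructed executables report as signed, yet only the one whose version resource reads 5.33.6162 is flagged, and a clean binary that is not on the allowlist stays "unverified" rather than "ok"; that ordering is the whole point once signing infrastructure is suspect.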
And Nathan Wenzler, chief security strategist at AsTech, told eSecurity Planet by email that the malware itself presented a fairly serious threat. “An attacker would have full access to the system, including anything a user did while logged on, such as inputting credit card information to a shopping site or user names and passwords when logging in anywhere,” he said.
“It’s potentially very damaging, especially considering it is almost impossible to tell that such activities are taking place,” Wenzler added.
Supply Chain Compromise
BitSight research scientist Dan Dahlberg said by email that the compromise of a key software provider is proving to be a growing cybersecurity threat. “The recent spread of ‘NotPetya’ ransomware originated after the software update process of MeDoc, a popular accounting software tool used in Ukraine, was hijacked,” he said.
“Attackers are actively targeting commonly used applications and platforms because it can be easier than targeting organizations directly, and they may get a higher rate of return,” Dahlberg added. “Organizations need to be vigilant and continuously monitor the security of critical organizations, applications, and platforms present within their supply chain.”
Lastline senior security researcher Marco Cova said it’s also notable that the attackers had access to the infrastructure used to build the software itself, in addition to its distribution channel. “This is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor,” he said.
“I expect that a lot of software vendors will be reviewing the security of their build and distribution channels as a consequence of this finding,” Cova added.