Hackers Hid Backdoor In CCleaner Security App
-
Low hanging fruit. Definitely not a good thing.
-
Damn closed source software
It's generally easier to hide this stuff in closed source than open source.
-
The fact that Piriform doesn't list a MD5 Hash as a basic means of stopping this kind of issue is odd. It takes an additional minute or 2 to generate and post to your website.
So why not do it?
-
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
The fact that Piriform doesn't list a MD5 Hash as a basic means of stopping this kind of issue is odd. It takes an additional minute or 2 to generate and post to your website.
So why not do it?
Yup, simple fixes being missed here.
-
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
-
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
Because there was no easy way to detect the backdoor. Someone had to sit there and test it with each specific version to find that it existed.
Whereas with an MD5 hash, all anyone has to do is run the calculation to see if they pulled a compromised version. Hell, Piriform could've even done the test themselves. It takes seconds.
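The check being described, worked through as an added example (this code is not from the thread, from Piriform or from Avast): hash the installer you actually received and compare it against a vendor-published digest list in `sha256sum`/`md5sum` format. The installer bytes, file names and the "published" list are constructed inside the script; a real check reads the list from the vendor's site over HTTPS. It defaults to SHA-256 because MD5 is no longer collision resistant, but it also parses MD5 lists, since that is what many vendors still publish. One caveat the thread itself raises: a digest only proves the file matches what the vendor published, so if the same server that serves the installer also serves the hash, an attacker who controls that server can republish both. Publishing the digest out of band (or signing the installer) is what closes that gap.

```python
"""Verify a downloaded installer against a vendor-published digest list.

Added example; not the thread's, Piriform's or Avast's code. Every file and
digest below is constructed for the demo.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digest hex length -> hash name, so one list can carry md5 or sha256 lines.
_ALGO_BY_LEN = {32: "md5", 64: "sha256"}


def file_digest(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse '<hex>  <name>' or '<hex> *<name>' lines (the sha256sum/md5sum
    layout) into {name: (algo, hex)}. Blank lines and '#' comments are
    skipped; a digest of unknown length or with non-hex characters is an error
    rather than something silently accepted."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        hexdigest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = _ALGO_BY_LEN.get(len(hexdigest))
        if algo is None or any(c not in "0123456789abcdef" for c in hexdigest):
            raise ValueError(f"unrecognised digest on line: {raw!r}")
        entries[name] = (algo, hexdigest)
    return entries


def verify_download(path: Path, published: dict) -> bool:
    """True only if the file is listed and its digest matches the published one.
    An unlisted file fails closed; compare_digest keeps the comparison
    constant-time."""
    entry = published.get(path.name)
    if entry is None:
        return False
    algo, expected = entry
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo() -> dict:
    """Create a clean installer and a tampered copy with the same name, publish
    the clean digest, and check both plus an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "ccsetup.exe"  # constructed stand-in, not a real installer
        clean.write_bytes(b"MZ" + b"\x00" * 1000 + b"installer body")
        # Vendor side: publish the digest of the clean build.
        listing = f"# constructed checksum list\n{file_digest(clean)}  {clean.name}\n"
        published = parse_checksum_file(listing)
        # User side: same file name, but an extra stage has been appended.
        tampered = root / "download" / clean.name
        tampered.parent.mkdir()
        tampered.write_bytes(clean.read_bytes() + b"appended stage")
        return {
            "clean_ok": verify_download(clean, published),
            "tampered_ok": verify_download(tampered, published),
            "unlisted_ok": verify_download(root / "other.exe", published),
        }


if __name__ == "__main__":
    print(demo())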
-
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
Because there was no easy way to detect the backdoor. Someone had to sit there and test it with each specific version to find that it existed.
Whereas with an MD5 hash, all anyone has to do is run the calculation to see if they pulled a compromised version. Hell, Piriform could've even done the test themselves. It takes seconds.
Someone needs to create a secure open source version of that software. Something that can't be as easily hacked. I mean it's pretty ironic that a piece of software that's supposed to help resolve issues on Windows OS was giving hackers backdoors into people's systems.
-
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
-
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
-
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
Because there was no easy way to detect the backdoor. Someone had to sit there and test it with each specific version to find that it existed.
Whereas with an MD5 hash, all anyone has to do is run the calculation to see if they pulled a compromised version. Hell, Piriform could've even done the test themselves. It takes seconds.
Someone needs to create a secure open source version of that software. Something that can't be as easily hacked. I mean it's pretty ironic that a piece of software that's supposed to help resolve issues on Windows OS was giving hackers backdoors into people's systems.
What makes this one easily hacked? What makes open source more secure? Mint Linux is open source and it was hacked similar to CCleaner - the ISO was infected.
-
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
I'm confused - is CCleaner itself at fault? Or was their network breached and an infected version compiled from source that was then hosted on their website? Or, even more simply, was the website hacked and an infected version uploaded there?
-
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
Oh I know, but if it changes from that for you (tomorrow) then we know it's compromised further.
-
@dashrender said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
I'm confused - is CCleaner itself at fault? Or was their network breached and an infected version compiled from source that was then hosted on their website? Or, even more simply, was the website hacked and an infected version uploaded there?
Does it matter? All three are plausible scenarios. They had been distributing compromised installers from their official servers for almost a month. That's kind of a big deal regardless of the cause.
-
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
for almost a month. That's kind of a big deal regardless of the cause.
0.o
(╯°□°)╯︵ ┻━┻
-
@mattspeller said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
for almost a month. That's kind of a big deal regardless of the cause.
0.o
(╯°□°)╯︵ ┻━┻
Pretty much.
-
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
Because... closed source. Many fewer eyes on it, no way to automate testing it. And the vendor has little incentive to invest in doing that since their customers can't tell if they've been ignoring it or not (unless something like this happens.)
-
@dashrender said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
I'm confused - is CCleaner itself at fault? Or was their network breached and an infected version compiled from source that was then hosted on their website? Or, even more simply, was the website hacked and an infected version uploaded there?
"...investigation found the CCleaner download server was hosting the backdoored app as far back as September 11."
It's Piriform / Avast at fault, no question there. The exact source of the breach is not released, but Avast got compromised, didn't find the breach, and failed at basic security principles for downloads that all combined to make this a huge fail on their part. This will certainly affect Avast more generally. How can we trust Avast / Piriform after this, not because they were breached, but because of how they have handled it?
-
Wow, Avast are definitely off of the "ever do business with them, ever" list for sure...
"From Avast's EVP and CTO, Ondřej Vlček
"On September 12, we determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. No other Piriform or Avast products were affected whatsoever. We resolved this quickly by September 15, and believe no harm was done to any of the CCleaner business users or consumers. We are continuing to investigate how this compromise happened, who did it, and why. We are also working with U.S. law enforcement in their investigation.
This is a serious incident and we sincerely apologize to our users. Our users’ security is of utmost importance to us, and we are taking increased security measures to make sure something like this cannot happen again. This was a Piriform CCleaner incident which started before Avast acquired the company and the Piriform team has immediately posted on their site explaining it to their customers:
http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v533...
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner...
There is some false and misleading information from a Cisco Talos report we want to correct.
Cisco boasts a large number of downloads from CCleaner which is irrelevant. Regardless of the number of historical CCleaner downloads, the total number of users who used the software that was affected by this incident was 2.27M. Due to our immediate action to update the user base, this number is now down to 730k and is rapidly decreasing as we continue with the migration process. The incident only affected users of version 5.33.6162 running on 32-bit version of Windows. In addition to that, we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.
Cisco claims you need to restore your system to remove the threat. This is incorrect. Updating to CCleaner 5.34 removes the malware which can no longer do harm because the server was shut down by Avast and no malicious payload was delivered from it before it was shut down. In the case of CCleaner Cloud, the software was automatically updated.
The Cisco blog claims that they were the source identifying the threat. This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on Sept 14th and had already taken action to stop it. The threat was first discovered and reported to us by researchers in a security company called Morphisec. Suspicious activity was reported to us on September 12, 2017, and we immediately started an investigation process. We also immediately contacted U.S. law enforcement and worked with them on resolving the issue. Cisco informed us on September 14, 2017 about this issue after our investigation was underway. At the request of law enforcement authorities, we asked Cisco to delay publicizing the breach until we were successful in bringing down the server.
As a security company, you can imagine how critical it is for us to keep our customers safe. We have worked around the clock in the last 6 days to resolve the issue and minimize the impact on our customers. As part of this, we needed to make sure no information was made publicly available before taking down the CnC server as that may have triggered delivery of the second stage payload -- something we absolutely wanted to avoid. On the other hand, we believe in transparency and so we went out with the story the next working day (the server was taken down on Friday and the story was published on Monday morning)."
-Ondřej Vlček
EVP & CTO, Avast"
Talk about bullshit... full of lies and excuses. Bottom line here is that they tried to cover this up, Cisco busted them, and now they will claim anything to downplay the seriousness of the breach and their botched handling of it after the fact.
-