For years I’ve been singing the praises of CCleaner, a nicely packaged program from the British software utilities company Piriform (now owned by the Czech cybersecurity giant, Avast), which can be used to detect and delete unwanted files and other junk from personal computers. It’s been around since 2003, quietly doing its job, a well-regarded if unspectacular tool known to most advanced PC users. So imagine the surprise and dismay felt by many when news emerged that the app had been compromised in recent weeks by unknown malicious actors, as reported by the Verge:
Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner.
CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack…
This is not the first breach in so-called “supply-chain” security that we have witnessed this year, but it is certainly the highest-profile one. According to Wired:
Three times in the last three months, hackers have exploited the digital supply chain to plant tainted code that hides in software companies’ own systems of installation and updates, hijacking those trusted channels to stealthily spread their malicious code.
…hackers used a similar supply-chain vulnerability to deliver a massively damaging outbreak of destructive software known as NotPetya to hundreds of targets focused in Ukraine, but also branching out to other European countries and the US.
Once again, the watchword of internet users must be: consumers beware!
Thanks for the post. I just received an email from the FIXMESTICK to run a scan because Kedi, a Remote Access Trojan (RAT), is using Gmail accounts to transmit information to hackers. Sigh…
It’s the next big thing. A Trojan via trusted software and an obvious line of attack. I remember incidents down through the years but never with a major corporation, or at least where the hacker has taken corporate software and rewritten or added to it in their own download servers.
Always a battle…