Corporate Cyberattacks Continue with CCleaner Hack
Last week, credit reporting agency Equifax endured a cyberattack compromising the data of 143 million consumers. Following that attack, reports emerged that the computer security application CCleaner had also been compromised, with criminal hackers inserting a backdoor. Owned by antivirus company Avast, CCleaner clears unused apps and monitors computer systems. The application boasts over 2 billion downloads, with 5 million new downloads each week. Security intelligence and research organization Cisco Talos alerted the public after finding malicious activity in a recent version of CCleaner on September 13, but it was later discovered that the download server may have unknowingly hosted the malware since September 11. On machines running the backdoored version of CCleaner, information such as the device name and the list of installed and running software was encrypted and sent to the hackers. The hackers built a domain generation algorithm (DGA) into the malware: it periodically generates a large number of candidate domain names, so the malware can keep functioning even if one of the hackers’ servers is shut down.
Avast has found that 2.3 million users have already run the affected software. Paul Yung, Vice President of Product at Avast-owned Piriform, reported that the issue is now resolved. “The threat has now been resolved in the sense that the rogue server is down,” Yung said. “Other potential servers are out of the control of the attacker. Users of CCleaner Cloud…have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
Avast Chief Technology Officer Ondrej Vlcek expressed a similar sentiment, saying that “to the best of our knowledge, the second-stage payload never activated. It was prep for something bigger, but it was stopped before the attacker got the chance.” Others remain skeptical that users are safe from the malware. “I have a feeling they are downplaying it,” said Martijn Grooten, editor of the security publication Virus Bulletin. He feels that the backdoor “could have been used for other purposes.” As with any infected software, users are advised to install released updates immediately and to monitor their systems for any unusual activity.