Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Thanks, stapp. I have never seen such detailed transparency released on an attack. To some degree, it is surprising. Usually there is an apology and a promise to do better next time, and that's all. It is in their best interest, of course, but that has always been the case with such attacks, yet this level of transparency is seldom achieved.
     
  2. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    At times like these I'm happy I went with PrivaZer instead.
     
  3. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    As far as I can tell they weren't very transparent to begin with.
     
  4. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Wouldn't put all my eggs in that basket, none in CC.
     
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    A continuation of the CCleaner breach if you missed it.
    Starts at around 49:00 and info has pretty much been already reported on the web.

    https://twit.tv/shows/security-now (episode 630)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Exactly my point, and it seems like CCleaner doesn't even offer auto-update, so why on earth would you give outbound access to it? On my system, only 10 apps and 1 system process have outbound access; all others are auto-blocked. So if malware wants to connect out, it needs to hijack one of these processes with direct code injection or process hollowing. But this particular attack was quite easy to block.

    I'm a bit surprised that so few security companies blogged about this attack. It seems like a nice opportunity to promote your next-gen AV/EDR system. And if Cylance's and Invincea's AI is really that good, it should have been able to detect this rogue CCleaner version. BTW, Cisco AMP looks interesting; they even went so far as to make a comparison with other solutions:

    https://www.cisco.com/c/m/en_us/pro...alware-protection/competitive-comparison.html
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thought that was rather obvious.

    None would be able to detect it. The "Achilles heel" for the Next Gen/AI solutions is they don't monitor network connections from trusted apps. They concentrate on an external based attack modifying internal processes; no different than conventional security software does. The only difference is they use behavior versus signature detection criteria in evaluating the external process activity.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Exactly. I never give Internet access to any trusted app unless it is strictly needed.

    Blocking ccleaner.exe from Internet access saved me, I must admit. Malware couldn't download 2nd stage payload. :thumb:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's what I'm afraid of, if they don't monitor this, then they are basically jokes, so it's hard to believe. Apps should never be fully trusted, that's what I've been saying for years. That's why I always disable trust/auto-allow mode in HIPS. Would be cool if someone could test the rogue version of CCleaner against popular NG-AV and EDR solutions. But MRG already said it's a pain to set them up, too bad.
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    So the lesson is don't update CCleaner or just use slim?
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No, the lesson is stop installing software you don't need. Everything you install is something extra you need to trust.

    Use the built in disk cleanup utility which works fine.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    The same was for me. The golden rule, for firewall and HIPS, is always: deny for default and allow for except. :):thumb:
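The "deny by default, allow by exception" outbound policy that Rasheed187, Mr.X and blacknight describe, written out for Windows Defender Firewall. This is an added example and not something posted in the thread; the program paths, the service list and the CCleaner install path are assumptions to adjust for the machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): default-deny outbound on Windows Defender
# Firewall with a short explicit allow list. Paths and service names are assumptions.

# 1. Block outbound by default on all three profiles. Explicit allow rules that
#    Windows ships (core networking, DHCP, ...) stay in force; only the default
#    action for traffic matching no rule changes.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only the programs that genuinely need the network, by full path.
$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',          # assumed
    'C:\Program Files\KeePass Password Safe 2\KeePass.exe'   # assumed
)
foreach ($exe in $allowedPrograms) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Skipping missing program: $exe"
        continue
    }
    $name = "Allow out: $(Split-Path -Path $exe -Leaf)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $exe -Profile Any | Out-Null
    }
}

# 3. Allow the few services the OS needs, scoped by service rather than by
#    svchost.exe, so an arbitrary process hosted in svchost does not inherit the rule.
#    (Assumed minimal set; Windows Update may also need BITS/Delivery Optimization.)
$allowedServices = @(
    @{ Name = 'Dnscache'; Proto = 'UDP'; Port = 53  }   # DNS client
    @{ Name = 'wuauserv'; Proto = 'TCP'; Port = 443 }   # Windows Update
)
foreach ($svc in $allowedServices) {
    $name = "Allow out: service $($svc.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Service $svc.Name -Protocol $svc.Proto -RemotePort $svc.Port | Out-Null
    }
}

# 4. An explicit block for the cleaner is redundant under default-deny, but it
#    documents intent and survives someone flipping the default back to Allow.
New-NetFirewallRule -DisplayName 'Block out: CCleaner' -Direction Outbound -Action Block `
    -Program 'C:\Program Files\CCleaner\CCleaner.exe' -Profile Any | Out-Null   # assumed path

# 5. Review: every enabled outbound allow rule that is tied to a specific program.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -ne 'Any' } |
    Select-Object -ExpandProperty Program
```

Two caveats a practitioner should keep in mind. First, a per-program rule keys on the executable path, so it does not help once malicious code runs inside an allowed process (the injection and process-hollowing case Rasheed187 raises); that needs the HIPS or EDR layer, not the firewall. Second, default-deny breaks things silently; turn on `Set-NetFirewallProfile -LogBlocked True` for the first days and read `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` before assuming an application is simply broken.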
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also not to be forgotten is this "infamous" instance where Cylance let a .exe run unabated that established a remote C&C server connection:
    https://www.blackhillsinfosec.com/bypassing-cylance-part-1-using-vsagent-exe/
    https://www.blackhillsinfosec.com/bypassing-cylance-part-2-using-dnscat2/
    https://www.blackhillsinfosec.com/bypassing-cylance-part-3-netcat-nishang-icmp-c2-channel/

    No backdoor needed.:argh:
     
    Last edited: Oct 1, 2017
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, the lesson is to auto-block outbound access, and to not rely on auto-update, just download new versions manually.

    I don't get all of these comments, there's nothing wrong with cleaning tools like CCleaner, and this attack can happen to any software company.

    To be fair, part 5 does clear things up. I wonder if Cylance now does offer white-listing and process control. But yes, weird that it remained quiet on most security companies' blogs about this attack.

    https://www.blackhillsinfosec.com/bypassing-cylance-part-5-looking-forward/
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Neither do I. Perhaps "smartydude" could enlighten us a bit, mortals and retarded ones. :D
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Researchers Link CCleaner Attack to State-sponsored Chinese
    http://www.securityweek.com/researchers-link-ccleaner-attack-state-sponsored-chinese-hackers
     
  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You made my point. This attack CAN happen to any software company, so why would you waste time trusting a "system cleaner" when the in built one works fine. It's just as bad as the people installing "RAM defragmenter" and "gaming speedup" software.

    Every extra thing you install increases your exposure.
     
  18. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    Some third party cleaning software can clean a lot more junk than Windows does. Personally, I prefer to clean more junk and take the very small risk the software may become compromised, than stick to just the built in disk cleanup.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    +1. You can't compare both.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I think everyone has a point :D.

    Some like minimalistic setups, which I'm sure would be safer (as well as using clean installs for any recovery), but there would be little fun then, in my case. Maybe in future I will keep such a setup, with my personal data, and another machine just for 'playing'.

    But the CCleaner hack is a 'horror' as @cruelsister has described it ... I was thinking something like Dropbox is also a potential target, widely used.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I agree. Dropbox, in one of those zillion updates per week, can deliver a hacked one to users.

    How about Google Chrome, Internet Download Manager, Opera, Firefox, Google Drive Backup and Sync and a long etcetera.

    This is indeed and deeply scary.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Somewhat forgotten, since these recent attacks involved hacked update servers, is that this is not the only way you can receive a hacked app update. Any app that downloads using HTTP versus HTTPS can also be easily intercepted via an external MITM and modified. Manual updating and download hash verification will ensure what was asked for was what was actually received.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I know this. Not really forgotten.
    As I do every time.
    Of course, only when there's no digital signature available.
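The manual-download checks itman and Mr.X describe (hash against a value published elsewhere, plus the file's digital signature), as an added example rather than anything posted in the thread. The file path, expected hash and publisher subject are assumptions; the hash must come from a source independent of the server that served the file.

```powershell
# Added example (not from the thread): checks to run on a manually downloaded
# installer before executing it. Path, hash and publisher subject are assumptions.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSubjectPrefix = 'CN=Piriform'   # assumed; confirm on a known-good file
    )
    $ok = $true

    # 1. Content hash. Get-FileHash returns upper-case hex, so normalise the
    #    expected value the same way before comparing.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
        Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
        $ok = $false
    }

    # 2. Authenticode. Status must be Valid (chains to a trusted root, file not
    #    modified after signing) and the signer must be the publisher you expect,
    #    not merely *some* valid signer.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode: $($sig.Status) - $($sig.StatusMessage)"
        $ok = $false
    }
    elseif ($sig.SignerCertificate.Subject -notlike "$ExpectedSubjectPrefix*") {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        $ok = $false
    }

    # 3. Transport. Browsers on recent Windows record the origin URL in the
    #    Zone.Identifier stream; a plaintext http:// origin is the MITM exposure
    #    discussed above. Older downloads may lack the HostUrl line, so only warn
    #    when it is present.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $origin = ($zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
    if ($origin -and $origin -notlike 'https://*') {
        Write-Warning "Fetched over plaintext: $origin"
        $ok = $false
    }

    return $ok
}

# Usage (assumed values):
# $installer = "$env:USERPROFILE\Downloads\ccsetup.exe"
# if (Test-DownloadedInstaller -Path $installer -ExpectedSha256 '<hash from the vendor HTTPS page>') {
#     Start-Process -FilePath $installer
# }
```

One caveat that this very incident illustrates: the trojanized CCleaner 5.33 build carried a valid Piriform code-signing signature and was served from the vendor's own download channel, so a signature check alone would have passed it, and a hash copied from the same site would have matched it. These checks defend against the plaintext-HTTP MITM itman describes and against a tampered mirror; they do not defend against a compromise of the vendor's build or release pipeline, which is why the outbound default-deny discussed earlier still mattered here.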
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    CCleaner free offers you to check for updates automatically.
    If there's a newer version available, you will be notified and given the option to download
    it manually.

    If you're using CCleaner Professional you can set it to automatically check for, and apply
    updates. Just check - Enable silent background updates.

    NOTE: You MUST be registered to receive automatic updates.

    I WOULDN'T recommend checking enable silent background updates in CCleaner Pro.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I fear for browsers' extensions automatic updates download.
     