By SecureWorld News Team
Mon | Sep 18, 2017 | 8:26 AM PDT

The makers of CCleaner came clean themselves this morning: "Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner."

Translation: 3% of users means about 2.27 million. And "compromised in a sophisticated manner" means a backdoor was inserted into a version of the software before its release, and that version was then unknowingly pushed out and downloaded by users for several weeks.

This includes a version of CCleaner Cloud often used by businesses and those at the enterprise level to clean and optimize multiple Windows machines across networks.

Paul Young, VP of Products, explained technical details of the CCleaner compromise in a statement: "An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems."

He also said the company believes it caught this before any actual harm was done, and that the company worked with law enforcement to track and shut down the third-party server which was receiving information from the compromised versions.

This also raises a serious question: Was this a case of the insider threat come to life? Or did someone from the outside hack into the development process?

Said the company: "At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared, and who stood behind it." 
