aum Posted December 1, 2019

Czech intelligence agency: "Data analysis suggests that the attack came from China."

Ever since it bought Piriform in July 2017, the CCleaner software has brought only headaches to Czech cybersecurity firm Avast.

First, Chinese hackers breached Piriform's servers even before the Avast acquisition, inserting malware into official releases; and leaving the Czech antivirus maker to deal with the PR fallout all throughout 2017 and 2018.

Then, today, Avast discovered that hackers targeted CCleaner once again, this time compromising its main internal network in the process, and yet again, seeking to tamper with CCleaner releases.

However, despite being nothing but a source of problems, Avast says it has no plans to discontinue the CCleaner app for the foreseeable future.

"The CCleaner product is a thriving, best in class product and performs an important function for users," Avast told ZDNet today. "We intend for CCleaner to continue to thrive and to be used by current and new customers."

CCleaner's history and criticism

CCleaner is a Windows app that was launched in 2004. For most of its lifetime, the app has been managed by Piriform, a company that Avast acquired in July 2017.

The app started as a "registry cleaner," a type of app that removes old Windows Registry entries after users have uninstalled old apps, in an effort to cut down the Registry's size and improve Windows OS speed.

The app evolved across the years, and now supports a trove of other features, such as removing temporary or old files left behind by other apps, performing automatic updates for other apps, and even blocking ad trackers, among many other things.

Avast claims the app has been downloaded more than 2.5 billion times and has 435 million users across 68 countries.

This success came despite the fact that Microsoft and security experts have strongly recommended against using any registry cleaner apps, as most do more harm than good.

The 2017 hack

But it's exactly this success that brought hackers knocking on Piriform's door.

Back in April 2017, even before the Avast acquisition, a group of Chinese state-sponsored hackers breached Piriform's network via a TeamViewer account, searched for CCleaner distribution servers, and then released a CCleaner update tainted with malware.

This malware, known under the name of Floxif, worked as a basic scanner, collecting info on infected hosts, and sending the info back to the Chinese hackers.

Hackers were looking for computers installed on the networks of several major tech companies, such as Cisco, Microsoft, Google, NEC, and others. These computers would receive a second more potent malware strain that worked as a backdoor into the compromised networks.

Avast said that 2.27 million users received the tainted CCleaner update back in 2017; 1,646,536 computers were infected with the first-stage Floxif trojan; but only 40 computers received the more powerful backdoor.

Avast handled the 2017 breach with grace, never using the excuse that "Piriform was hacked, not us," and kept users updated on their investigation at every step [1, 2, 3, 4] -- laying the ground for how many companies should handle security breaches.

The 2019 hack

But today, Avast disclosed a second hack. This time, the hackers breached Avast's own network, as the company migrated CCleaner to its infrastructure following the 2017 hack.

Just like the last time, the hackers were looking to compromise CCleaner again.

Avast said hackers compromised an employee's VPN credentials to access a temporary VPN profile that was left active and without 2FA protection. This was their entry point inside Avast's network.

The company is still investigating this second breach but said that hackers weren't successful at pushing out a malicious CCleaner release today.

While Avast refrained from attributing the attack to any threat actor, the Czech Security Information Service (BIS), the country's intelligence service, said in a press release today that Chinese hackers were behind this attack, just like in the first.

More than a registry cleaner

In the light of this second hack, many users have expressed their opinions today, claiming that Avast should just retire CCleaner, as the app is only a magnet for state-sponsored hackers, and that the app has no real purpose (many consider registry cleaner apps as being useless or plain harmful).

However, as previously stated in this article, today, CCleaner is more than just a "useless" registry cleaner. The app now supports remote management features, hard drive defragmentation, email alerts, cloud-based management features, and many more.

It's an all-in-one system administration toolkit, and one very good at its job, if we're to look at its download numbers.

The app's gigantic userbase makes CCleaner a perfect target for supply-chain attacks. However, this huge userbase is also the reason why Avast bought it in the first place.

Avast's plan of attack involves bolstering its security. As the company told ZDNet, the threats it's facing are no different than what its competitors are facing.

For example, TeamViewer, which offers an eponymously named product, also suffered a security breach at the hands of Chinese hackers back in 2016. As long as an app is good at its job, hackers are going to keep coming.

"We believe all global software companies, including both Microsoft and us at Avast, will need to continue to vigilantly protect our networks from attacks by those who seek to damage us and our users," Avast told us.

But Avast and TeamViewer aren't the only companies that have been targeted only to serve as a jumping point into the network of other companies.

Supply-chain attacks are today's top threat, and government agencies in the US and France have recently issued alerts about an ongoing campaign perpetrated by Chinese hackers.

Such attacks are likely to continue for the coming years, especially as most companies migrate their infrastructure to centrally-managed cloud-based systems.

Source

frankl1n Posted December 1, 2019

This software is not worth the risk, hasn't been for a few years now. IMHO it should be removed from frontpaged softs.

dMog Posted December 1, 2019

so what is the recommended alternative to ccleaner

Anceptus Posted December 1, 2019

1 hour ago, dMog said:
so what is the recommended alternative to ccleaner

Wise Care 365 seems like a simple but legit alternative. I think registry cleaners are mostly useless, even considered dangerous, but if that's your cup of tea, you do you.

It's news to me that CCleaner was ever owned by Avast, in my mind it always was the scammy useless cleaning tool. I guess I only knew about it when it was already infected, lol. I've cleaned so many computers infected with it, and recently I've seen the rise of Segurazo, a fake antivirus malware.

Stay safe, everyone. It doesn't take much to infect a computer, but boy oh boy does it take long to fully clean one.

stylemessiah2 Posted December 2, 2019

I've long advised people to avoid that crap, long before the hacks. I've seen what CCleaner can do to a PC in the average user's hands... hose it. My favourite in the past was people removing windows fonts with it, as in ALL windows faults, and then calling me to ask why Windows wouldn't boot.

I saw so many PCs come in as victims of CCleaner that about a decade ago I told anyone bringing me a PC with CCleaner on it that needed fixing that I would fix it, but if they reinstalled that crud, and things went pear shaped again they could take it to someone else because I wouldn't be fixing it a 2nd time....

Anyone I fix things for knows the golden rules: No CCleaner, no "speedup utilities", no "registry cleaners", no "driver updaters"....

I would second the use of registry cleaners as being dangerous too, and pointless.

I wouldn't recommend ANY "all in one" utility because all you're doing most of the time is adding programs that run in the background, adding cycles, and sapping more memory... it's the opposite of what you're trying to achieve... I don't get why people don't see that, seems obvious to me... don't get me started on the alarmist messages in most of them about things being wrong with your PC, so you run it and the program looks like it's doing something... often isn't.

dragons2020 Posted December 2, 2019

I have tried these programs.

CCleaner: Used many years. Never had a problem (YET)
AVG PC TuneUp: Tried to install. 5 minutes with message (setting up PC for install). Canceled install. Several Windows services started and a mess of files left behind. I had to manually remove everything.
System Mechanic: Tried. Did not tell me what it wants to delete, so I uninstalled.
jv16 PowerTools: I like but I think not free anymore.
Wise Care 365: Did not like.
BleachBit: Did not like.
System Ninja: Did not like.
Glary Utilities: Tried for about an hour then uninstalled. For me was useless.
Advanced Systemcare: Used for many years and never had a problem. I used again because I got a promo key for PRO. Newest version very aggressive so I uninstalled.

Glary and ASC both flagged some "Security Vulnerabilities" and wanted to start Windows Update and download some Windows updates. I unchecked everything I did not want. When I did a reboot Windows had downloaded and installed those updates. When I checked my Windows services 3 of my services went from Disabled to Started and Automatic. Shortly after my keyboard stopped working. New keyboard did not work. After an hour my keyboard worked. Went in to BIOS. Keyboard stopped working. Waited an hour, set my BIOS to boot from USB and wiped my drive and reinstalled. Everything is good now. I saw something on Google about one of the updates affected the mouse and keyboards on some systems.

I WILL NEVER USE GLARY UTILITIES OR ADVANCED SYSTEMCARE AGAIN.

mp68terr Posted December 2, 2019

3 hours ago, dragons2020 said:
CCleaner: Used many years. Never had a problem

Same here, used ccleaner for several years to clean up after a fresh install. Never got into trouble. If there are problems, it's maybe not solely about the software itself, it also depends on how the user is using it and what the settings are.

Guest Posted December 2, 2019

What about other products under Piriform (now bought by Avast), such as Defraggler, Recuva and Speccy upon hearing CCleaner's recent hack? Sounds like suffering the same fate too.

mp68terr Posted December 2, 2019

No problem with the other 'piriform' products either. Been using them years ago, no crash, no weird things noticed at that time. Clearly if an app got hacked, better not to use it, older are likely available.

steven36 Posted December 2, 2019

Half of All Attacks Aim at Supply Chain
https://threatpost.com/half-all-attacks-supply-chain/143391/

Most malware is spread via PowerShell and you don't see people leaving Windows. The reason CCleaner is a problem is because people let it access the internet instead of blocking it with a firewall. Most pirates that use the PRO version keep it blocked. It's legit users and noobs that don't know how to use a firewall that are subject to attack. But Windows calls home 24/7; even on Windows 8.1, Windows updates call home even if you turn them off, and Windows 10 is much worse. Any software that calls home is subject to supply chain attacks. Antivirus programs that you give root access are very risky. But it's really funny when it happens to apps that can be totally blocked. In order to be attacked by an app it must have internet access or it can't do nothing.

When it's M$ or Google cloud crap apps that are being breached you won't hardly see a comment on this forum, but it's talked about a lot on other sites. Just like Google and Microsoft, when it happens you have the fans defending it. When it happened to Linux Mint I stopped using it, and I stopped using Windows 10 over a year ago, and Windows 8.1 that I hardly use I keep blocked down like Fort Knox. You can uninstall CCleaner; they will just attack some other app you use that requires or doesn't require internet that calls home. As long as you connect to the internet there will be a chance you're going to be attacked, and that's life, baby.

The problem is closed source apps like CCleaner call home for no good reason just like many other apps do. They use the internet to check for updates, which should not be mandatory. Also because you can register the free version they use it to check your key just like most shareware does. There are very few apps that are not FOSS that don't be collecting data.
CCleaner has always used 3rd party gifts in their official installer; you have to wait weeks to get a clean installer. They're free as in freeware and most of it is ad or data supported. There's lots of shareware out there that is no better, you pay to get your data harvested even.

The PITA is browsers, all of them are used for malware attacks. Even the open source versions harvest some user data. They use a different type of license than FOSS apps do. Only thing is, because it's open source you can fork it and remove all that stuff legally because the code is open. And even Pale Moon, a fork of Firefox that never updated their code for all that data harvesting and removed Google's, still it was supply chain attacked and they have a very small user base. Apps that call home are great for hackers to exploit. And if they find a hole they're going to use it.

steven36 Posted December 2, 2019

7 hours ago, mp68terr said:
Same here, used ccleaner for several years to clean up after a fresh install. Never got into trouble. If there are problems, it's maybe not solely about the software itself, it also depends on how the user is using it and what the settings are.

It never was hacked again, no way, and the OP news is a month old. What happened was someone gained access to Avast through their VPN and they think it was after CCleaner but they're not sure.

When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.

On Oct 4, we observed this activity again. Timestamps for the suspicious activity flagged by MS ATA are (all times GMT+2):

2:00 AM May 14, 2019
4:36 AM May 15, 2019
11:06 PM May 15, 2019
3:35 PM Jul 24, 2019
3:45 PM Jul 24, 2019
3:20 PM Sep 11, 2019
11:57 AM Oct 4, 2019

The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft.

Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.

On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.

More info here
https://blog.avast.com/ccleaner-fights-off-cyberespionage-attempt-abiss

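The Avast excerpt quoted in the post above describes a temporary VPN profile that accepted logins without 2FA and was used by multiple sets of credentials. As an added example (not part of the original post and not Avast's tooling), this audits a VPN authentication log for that pattern; the log layout, profile names, users and addresses are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log; the field layout, profile names, users and
# addresses are hypothetical and do not come from any real VPN product.
SAMPLE_LOG = """\
2024-03-01T02:00:00,temp-profile,user_a,203.0.113.10,no
2024-03-02T04:36:00,temp-profile,user_b,203.0.113.10,no
2024-03-02T09:15:00,staff-vpn,user_a,192.0.2.44,yes
2024-04-20T15:35:00,temp-profile,user_c,198.51.100.7,no
2024-04-21T08:05:00,staff-vpn,user_d,192.0.2.45,yes
2024-05-30T11:57:00,temp-profile,user_a,198.51.100.7,no
"""

FIELDS = ["ts", "profile", "user", "src_ip", "mfa"]


def parse_events(log_text):
    """Parse comma-separated VPN authentication records into dicts."""
    return list(csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS))


def audit_vpn_profiles(events):
    """Report profiles that accepted logins without 2FA, and who used them."""
    by_profile = defaultdict(list)
    for event in events:
        if event["mfa"].strip().lower() != "yes":
            by_profile[event["profile"]].append(event)

    findings = {}
    for profile, hits in by_profile.items():
        users_per_ip = defaultdict(set)
        for event in hits:
            users_per_ip[event["src_ip"]].add(event["user"])
        findings[profile] = {
            "logins_without_2fa": len(hits),
            "users": sorted({e["user"] for e in hits}),
            # One address logging in as several accounts suggests stolen credentials.
            "shared_ips": sorted(ip for ip, u in users_per_ip.items() if len(u) > 1),
            "first_seen": min(e["ts"] for e in hits),  # ISO timestamps sort as text
            "last_seen": max(e["ts"] for e in hits),
        }
    return findings


if __name__ == "__main__":
    for name, detail in audit_vpn_profiles(parse_events(SAMPLE_LOG)).items():
        print(name, detail)
```
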
frankl1n Posted December 4, 2019

OK had to link to this...
https://www.nsaneforums.com/topic/359719-mozilla-removes-all-avast-firefox-extensions/ 😏

steven36 Posted December 4, 2019

9 hours ago, frankl1n said:
OK had to link to this...
https://www.nsaneforums.com/topic/359719-mozilla-removes-all-avast-firefox-extensions/ 😏

Why don't they remove Google Safe Browsing while they're at it? I tell you why: they get paid millions of dollars from Google and preach privacy and sold out to an ad company. All Avast has to do is slide Firefox a little money and they will partner with them.

This topic is now archived and is closed to further replies.