CCleaner malware: How dangerous is it to enterprises?
A watering hole attack led to CCleaner malware being installed on millions of systems. Nick Lewis explains how the attack worked and why it should concern enterprises.
The CCleaner malware, which placed a backdoor in the widely used system maintenance tool, appears to be more serious than was thought. Why is the CCleaner malware so dangerous? Should enterprises shy away from using tools like CCleaner?
Software and supply chain security are critical parts of an enterprise's information security program. One common security recommendation is to know what software or systems your enterprise is using so that you know what needs to be secured. Some software may be managed by the enterprise, some may be used by the help desk to fix systems, and some may be used by employees without the knowledge or approval of the enterprise IT department.
Sometimes, the help desk will use tools to investigate an endpoint that may have been infected with malware, and one of those tools is CCleaner. CCleaner software is usually only installed on a few endpoints in an enterprise, but the organization could lose track of the software. Given that CCleaner is used so widely, it's a target for a watering hole attack.
The attack was disclosed in detail by Avast Software, Morphisec and Cisco: an attacker gained access to the software development environment of Piriform Software Ltd., which Avast acquired last summer, and added malware to the legitimate CCleaner build. Morphisec notified Avast of suspicious connections originating from CCleaner, which prompted the investigation.
Any time an enterprise is notified of an attack that it did not detect internally, it is concerning, but not surprising. Of the nearly 2.27 million systems that installed the impacted CCleaner, only 40 systems were infected, and most of the systems that installed the impacted version received an auto-update from Avast that removed the malicious build, showing one benefit of auto-updates.
However, enterprises that didn't have the software auto-updated needed to manually remove it from the impacted systems. In addition to being installed on more than 2 million systems, the CCleaner malware is dangerous because it can place a backdoor on infected systems that appears legitimate because it is signed with one of Piriform's own digital certificates.
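The two practical points above, that an enterprise needs an inventory of where tools like CCleaner are installed and that a valid signature from the vendor's own certificate does not prove a build is the intended one, can be turned into a host check. The following PowerShell script is an added example, not code from the article, Avast or Piriform: it enumerates the product from the Windows uninstall registry hives, checks the main binary's Authenticode signature and compares its SHA-256 hash against an allowlist of approved release hashes. The allowlist entry is a placeholder that a real run would take from the vendor's published hashes, and the assumption that the main binary is `CCleaner.exe` under `InstallLocation` is mine.

```powershell
# Added example (not from the article): inventory a product from the uninstall
# hives, then check signature AND hash. A vendor-signed binary whose hash is not
# on the allowlist is flagged for review rather than trusted.
$ProductName = 'CCleaner'
$KnownGoodSha256 = @(
    '<SHA256-OF-APPROVED-BUILD-FROM-VENDOR-RELEASE-NOTES>'   # placeholder, not a real hash
)

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Inventory: every registered install of the product on this host.
$installs = foreach ($root in $UninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like "$ProductName*" }
}

if (-not $installs) {
    Write-Output "$env:COMPUTERNAME : $ProductName is not registered in the uninstall hives"
    return
}

# 2. For each install, locate the main executable and check signature + hash.
foreach ($app in $installs) {
    $result = [ordered]@{
        Host      = $env:COMPUTERNAME
        Product   = $app.DisplayName
        Version   = $app.DisplayVersion
        Publisher = $app.Publisher
        Path      = $null
        SigStatus = 'n/a'
        Signer    = 'n/a'
        Sha256    = 'n/a'
        Verdict   = 'REVIEW: install path or binary not found'
    }

    if ($app.InstallLocation) {
        # Assumption: the main binary is CCleaner.exe under InstallLocation.
        $exe = Join-Path $app.InstallLocation 'CCleaner.exe'
        if (Test-Path $exe) {
            $result.Path   = $exe
            $sig           = Get-AuthenticodeSignature -FilePath $exe
            $result.SigStatus = $sig.Status
            if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
            $result.Sha256 = (Get-FileHash -Path $exe -Algorithm SHA256).Hash

            # A valid vendor signature is necessary but not sufficient: the
            # trojanised CCleaner was signed with Piriform's own certificate,
            # so only the hash allowlist tells the approved release apart.
            if ($sig.Status -ne 'Valid') {
                $result.Verdict = 'FAIL: Authenticode signature not valid'
            } elseif ($KnownGoodSha256 -contains $result.Sha256) {
                $result.Verdict = 'OK: signed and hash on allowlist'
            } else {
                $result.Verdict = 'REVIEW: signed by vendor but hash not on allowlist'
            }
        }
    }

    [pscustomobject]$result
}
```

Run it through your endpoint management tooling and collect the objects centrally; the `REVIEW` verdicts are the hosts where a vendor-signed but unapproved build sits, which is exactly the condition a signature check alone would have passed. Because the allowlist is left as a placeholder, every signed install is flagged for review until the vendor's published hashes are filled in.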
The CCleaner malware is also concerning as it demonstrates the complex relationship between software security and downstream impact. Enterprises need to understand that any piece of software -- or any update -- could be the source of an attack on their system. This calls for a careful evaluation of software security best practices, such as the software build and distribution methods, for any piece of software installed on their systems.
Furthermore, enterprises should be wary of vendors that neither share nor obtain certification for their software development lifecycle, and they should carefully assess any software installed in their environment.