On 18 September 2017, Piriform, a software company, announced that its CCleaner utility, which is designed to optimize the operation of Windows, had been hacked.
# Incident Report: CCleaner Supply Chain Attack (Floxif Malware)
## Executive Summary
In September 2017, Piriform’s CCleaner utility was compromised in a sophisticated supply-chain attack in which malicious code (Floxif) was embedded into official software releases. The malware targeted 32-bit Windows users, collecting system metadata and sending it to a command-and-control (C2) server. Approximately 2.27 million users were affected, including systems in critical infrastructure and industrial control system (ICS) environments worldwide.
## Incident Details
- **Discovery Date:** September 2017 (Publicly announced September 18, 2017)
- **Incident Date:** Approximately August 15, 2017 – September 15, 2017
- **Affected Organization:** Piriform (owned by Avast)
- **Sector:** Software Development / Utility Tools
- **Geography:** Global (significant impact in industrial systems across multiple countries)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2017
- **Vector:** Supply Chain Compromise
- **Details:** Attackers gained access to the Piriform build environment and injected the "Floxif" malware into the CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 binary files before they were digitally signed.
### Lateral Movement
- **Details:** The source article focuses on the distribution phase; however, the malware was designed to run inside the trusted CCleaner process and gather reconnaissance data from the internal networks of infected users.
### Data Exfiltration/Impact
- **Details:** The Floxif malware collected computer names, IP addresses, lists of installed/active programs, and network adapter details. This metadata was exfiltrated to a C2 server located in the United States.
### Detection & Response
- **How it was discovered:** Internal observation and/or external security researcher notification (Avast/Piriform identified the breach in mid-September).
- **Response actions taken:** Piriform released clean updates (v5.34 and Cloud v1.07.3214). US law enforcement seized and shut down the malicious C2 server on September 15, 2017.
## Attack Methodology
- **Initial Access:** Compromise of the software vendor’s development or build environment.
- **Persistence:** Executed automatically whenever the compromised CCleaner utility was run.
- **Privilege Escalation:** Not explicitly detailed in this report; the malware ran with the permissions of the user who installed the utility.
- **Defense Evasion:** Use of a **valid digital certificate** and distribution via **trusted official domains** ([www]piriform[.]com).
- **Discovery:** Collected system information (OS version, installed software, network configurations).
- **Exfiltration:** Data sent via HTTP to a hardcoded IP/domain.
- **Impact:** System reconnaissance and unauthorized data collection, potentially serving as a downloader for a secondary payload.
## Impact Assessment
- **Financial:** Massive remediation costs for Piriform/Avast; potential loss of stock value.
- **Data Breach:** Metadata of 2.27 million systems compromised.
- **Operational:** Nearly 500 industrial control system (ICS) environments were infected, posing a risk to critical infrastructure.
- **Reputational:** Significant damage to user trust in Piriform and the safety of software updates.
## Indicators of Compromise
- **Network Indicators:**
  - C2 server (IP/domain) located in the US (shut down by law enforcement).
- **File Indicators:**
  - CCleaner v5.33.6162 (32-bit)
  - CCleaner Cloud v1.07.3191
  - Malware family: Floxif
- **Behavioral Indicators:**
  - CCleaner.exe establishing unauthorized outbound connections to unknown third-party IP addresses.
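The file and behavioral indicators above can be turned into a simple hunt over endpoint telemetry. The following is an added example, not part of the original report or any vendor tooling; the log line format, the vendor allowlist range (TEST-NET-3) and the stand-in C2 address (TEST-NET-2) are constructed for the demo, since the report does not disclose the real C2 address.

```python
import ipaddress

# Versions the report identifies as trojanized (values from the page).
TROJANIZED_VERSIONS = {"5.33.6162", "1.07.3191"}
# Hypothetical vendor update range (TEST-NET-3); use the vendor's published ranges in practice.
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# RFC 1918 ranges checked explicitly (TEST-NET addresses confuse ipaddress.is_private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PROCESSES = {"ccleaner.exe", "ccleaner64.exe"}

def parse_line(line: str):
    """Parse one constructed telemetry line: ts|host|process|version|dest_ip|dest_port|proto."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        return None
    _ts, host, proc, ver, ip, port, proto = fields
    try:
        return {"host": host, "proc": proc.lower(), "ver": ver,
                "ip": ipaddress.ip_address(ip), "port": int(port), "proto": proto.lower()}
    except ValueError:  # malformed address or port
        return None

def analyze(lines):
    """Return (host, reason, detail) tuples for the file indicator (trojanized version)
    and the behavioural indicator (CCleaner sending HTTP to a non-internal, non-vendor address)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in WATCHED_PROCESSES:
            continue
        if rec["ver"] in TROJANIZED_VERSIONS:
            findings.append((rec["host"], "trojanized-version", rec["ver"]))
        expected_dest = any(rec["ip"] in net for net in INTERNAL_NETS + VENDOR_ALLOWLIST)
        if rec["proto"] == "http" and not expected_dest:
            findings.append((rec["host"], "unexpected-outbound", f"{rec['ip']}:{rec['port']}"))
    return findings

# Constructed telemetry; 198.51.100.7 (TEST-NET-2) stands in for the undisclosed C2 address.
SAMPLE_LOG = [
    "2017-09-01T10:00:00Z|ws-01|CCleaner.exe|5.33.6162|198.51.100.7|80|http",
    "2017-09-01T10:05:00Z|ws-02|CCleaner.exe|5.32|203.0.113.10|443|https",
    "2017-09-01T10:06:00Z|ws-03|notepad.exe|1.0|198.51.100.7|80|http",
    "2017-09-01T10:07:00Z|ws-04|CCleaner.exe|5.34|192.168.1.5|80|http",
]

if __name__ == "__main__":
    for host, reason, detail in analyze(SAMPLE_LOG):
        print(f"{host}: {reason} ({detail})")
```

Only ws-01 is flagged, once for the trojanized build number and once for the HTTP connection to an address that is neither internal nor on the vendor allowlist.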
## Response Actions
- **Containment:** Collaboration with law enforcement to seize the C2 infrastructure.
- **Eradication:** Versions v5.33.6162 and Cloud v1.07.3191 were pulled/deprecated.
- **Recovery:** Users were urged to update to CCleaner v5.34 or higher. Antivirus providers (e.g., Kaspersky) updated signatures to "cure" or delete the malicious body from infected files.
## Lessons Learned
- **Supply Chain Vulnerability:** Even digitally signed software from trusted vendors can be a vector for malware.
- **Build Integrity:** Build environments require the same, if not more, security rigor as production environments.
- **Scanning Signed Binaries:** Organizations cannot rely solely on digital signatures for trust; behavioral analysis is necessary.
## Recommendations
- **Binary Integrity:** Implement automated integrity checks at every stage of the software build pipeline.
- **Network Segmentation:** Use strict egress filtering to prevent unauthorized data exfiltration from sensitive environments (especially ICS).
- **Multi-Factor Authentication (MFA):** Secure all developer and build-server accounts with MFA to prevent initial environment compromise.
- **EDR Adoption:** Deploy Endpoint Detection and Response (EDR) tools to identify suspicious behavior in trusted applications.
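The "Binary Integrity" recommendation targets the exact gap the report describes: the malware was inserted after compilation but before signing, so a valid signature was applied to a modified binary. The following is an added illustration, not Piriform's pipeline or any real build tool; the stage names, the in-memory manifest and the artifact bytes are constructed for the demo (a real pipeline would hash files on disk and keep the manifest outside the build host's control).

```python
import hashlib
import hmac

class IntegrityError(Exception):
    """Raised when an artifact reaching a later stage differs from the recorded build output."""

def sha256_hex(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()

def record_build_output(manifest: dict, name: str, artifact: bytes) -> str:
    """Build server records the digest of the freshly compiled artifact in a manifest
    (a plain dict here; assumed to live outside the build host in a real deployment)."""
    manifest[name] = sha256_hex(artifact)
    return manifest[name]

def check_stage(manifest: dict, name: str, stage: str, artifact: bytes) -> None:
    """Every later stage (package, sign, publish) re-hashes its input and refuses to
    proceed unless it matches the recorded build output."""
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"{stage}: no build digest recorded for {name}")
    if not hmac.compare_digest(expected, sha256_hex(artifact)):
        raise IntegrityError(f"{stage}: {name} differs from the recorded build output")

def run_pipeline(built: bytes, presented_to_signer: bytes, name: str = "CCleaner.exe") -> str:
    """Simulate compile -> sign. 'built' is what the compiler produced; 'presented_to_signer'
    is what arrives at the signing step. Returns 'signed' or the reason signing was blocked."""
    manifest = {}
    record_build_output(manifest, name, built)
    try:
        check_stage(manifest, name, "sign", presented_to_signer)
    except IntegrityError as err:
        return f"blocked: {err}"
    return "signed"

# Constructed stand-ins: a clean build and the same bytes with a placeholder for injected code.
CLEAN_BUILD = b"MZ\x90\x00constructed-clean-ccleaner-build"
TAMPERED_BUILD = CLEAN_BUILD + b"<injected-code-placeholder>"

if __name__ == "__main__":
    print(run_pipeline(CLEAN_BUILD, CLEAN_BUILD))
    print(run_pipeline(CLEAN_BUILD, TAMPERED_BUILD))
```

The signing step never sees a digest it computed itself as authoritative; it only compares against what the compile stage recorded, so a binary altered in between is refused a signature rather than shipped with one.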