The software supply chain is increasingly under threat by attackers who seek to turn legitimate software programs into Trojan horses that can compromise millions of computers.
On Monday, security-software firm Avast announced that its popular system-cleaning program CCleaner—developed by Piriform, a company acquired by Avast in July—had been compromised during development and infected users’ system with malicious code for almost a month.
Anyone who installed the then-current 32-bit Windows version of CCleaner and CCleaner Cloud between Aug. 15 and Sept. 12—more than 2.27 million users—effectively installed a backdoor onto their systems as well.
Underscoring the effectiveness of inserting code during development, only one of the 64 antivirus scanners run by VirusTotal detected the malicious behavior, in large part because the CCleaner binary had a legitimate digital signature, according to an investigation by enterprise-technology giant Cisco, which detected the attack before Avast’s Piriform publicly announced the incident.
“The fact of the matter is, when it comes down to supply chain attacks, if the attacker is in your build system already, you’ve lost,” Craig Williams, senior technical leader with Cisco’s Talos research group, told eWEEK. “Once the attacker has all the certificates and all the keys and all the passwords, there is not a lot you can do.”
The attack underscores advice stressed by many software-security professionals: The software development process needs to be better secured to stop potentially devastating attacks. Too many companies have not adequately secured their software supply chain.
In June, for example, after online attackers compromised Ukrainian MEDoc tax software firm’s update server to distribute NotPetya ransomware, the program infected many large companies, disrupting operations at businesses such as Danish shipper A.P. Moller-Maersk, U.S. pharmaceutical maker Merck, and the world’s largest advertising firm WPP of Britain.
“Whenever you have a supply chain problem, each consumer has to be able push back at any point in the chain and say, I need a process to make sure that I’m getting what I think I’m getting,” Chris Wysopal, chief technology officer and co-founder of security firm Veracode, told eWEEK.
Customers of MEDoc, for example, could not even do that, because the company did not sign its updates.
Take digital signing seriously
Yet, Avast’s Piriform did, highlighting that a digital signature is not proof against software supply-chain attacks. Digital signatures are only as good as the process they are verifying, Wysopal said.
In the CCleaner incident, the attacker was able to insert themselves into the build process, most likely on the server used to compile, link, and sign the software, Ondrej Vlcek, chief technology officer of Avast, told eWEEK. While Avast has a process in place to check the final code for security issues and potential compromise, Piriform did not yet have that infrastructure in place, he said.
As part of its response, Avast has expedited the move of Piriform’s development to Avast’s infrastructure.
“The key thing is to realize that the build environment is critical, especially the signing certificate,” Vlcek said. “The security industry gives so much trust to signatures that we need to make sure that the signing process is rigorous and the environment protected.”
Other companies also need to start taking the security of their developers’ systems and the development process more seriously, Veracode’s Wysopal said.
“We can do a check for malware and check our vendors, but we need to understand the integrity of the software vendors’ process; we need to get to that level of scrutiny,” he said. “I don’t think we are doing the right due diligence up front to make sure that the software we are installing on our machines is secure for the future.”
Dodging a bullet
Overall, any major damage from the CCleaner incident appears to have been averted. Avast worked with investigators to have the original command-and-control server shut down. Cisco quickly registered the 11 domains that would be generated by the malware as a backup line of communication.
From data sent to Avast’s Piriform during installation, the company knows that about 2.3 million systems installed the compromised version of the software. As of Sept. 19, only about 700,000 systems had not upgraded to the latest, clean version, Avast’s Vlcek said.
At this point, Avast is not sure who compromised the code, he said.
“We really don’t know who is behind it,” Vlcek said. “All the common options (insider or external attacker) are perfectly possible.”
Unfortunately, whether affected users need to be worried about any malware left behind after upgrading their CCleaner software is unclear. Based on data from the 30 percent of users that have both CCleaner and Avast’s security software installed, upgrading the software to the latest version removes the danger from the malicious code.
“Based on the analysis of this data, and also taking other data points into consideration, we believe that the second stage payload didn’t activate, therefore simply upgrading to the latest version of CCleaner takes care of the problem,” Avast’s Vlcek said.
Yet, Cisco argues that users should take care because parts of the malware may be left behind. Cisco’s Williams recommends that affected users delete and reinstall their systems from a backup. He pointed out that, for nearly a month, the compromised version of CCleaner was installed on millions of systems and during that time could have done anything.
“It is unfortunate that for 30 days, this was operating with no one watching,” he said. “No one knows what happened for that period.”