Avast published earlier today a post-mortem of the CCleaner malware incident, in the hope of clarifying some of the details surrounding the event that many of its users found troubling.
Below is a simplified timeline of events, based on Avast's recent statement.
In an email to Bleeping Computer yesterday, Avast CTO Ondřej Vlček said that telemetry data suggested that over 2.27 million computers were running the two compromised CCleaner versions.
In the updated statement released today, Avast CEO Vince Steckler and CTO Ondřej Vlček say that the number has since dropped to 730,000 as users removed or updated their CCleaner installations.
The company also wanted to stress that the compromise occurred before Avast bought Piriform, and following the incident, Avast migrated Piriform's build environment onto Avast's internal IT system.
The two Avast execs also wanted to make sure that inaccurate media coverage did not cause CCleaner users needless trouble. They stressed that customers do not need to reinstall or roll back machines to a date before August 15; updating the two affected applications is enough, they said.
"We regret the inconvenience experienced by Piriform’s customers," Steckler and Vlček added. "To reiterate, we accept responsibility for the breach."
While Avast is correct that removing the infection is as simple as updating to a new version, which replaces the infected CCleaner executable with a clean one, that does not mean users have nothing to worry about. The installed Floxif infection sent information about the computer to its operators and had the ability to download and install other programs, so victims should change their passwords and run security scans on the computer.
I suggest that victims stop using the infected computer and change their passwords from a computer or phone that never had this version of CCleaner installed. It is not known whether the Floxif infection installed other malware that may still be running and stealing passwords and other information.
Once you have changed your passwords, scan the computer with an antivirus application, or preferably several, to make sure no other infections are present. Once the scans are finished and anything detected has been removed, you can begin using the computer again.
For those who want to be certain, the only way to be sure a compromised machine is clean is to reinstall Windows. That is not always feasible, so at a minimum complete the steps above before using the computer again.
The incident was a cause of alarm for the IT security industry, as many experts likened it to the M.E.Doc incident, where hackers compromised the software update process of a Ukrainian company and used it to launch the NotPetya ransomware outbreak.
"If that hadn't been found I believe that would have been a huge, very global incident," said Kevin Beaumont, a renowned malware researcher, on Twitter. "No attacker goes [through] that much effort for no reason."
"Supply chain hacks are real, happening and a genuine risk. Vendors need to lock down their build and update systems ASAP," Beaumont added.
In the meantime, Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, published a series of tweets and a blog post with helpful information on how companies could secure their software supply chain against similar events.
Oh hi infosec, I see you have all discovered supply-chain attacks, and in particular auto-updaters. — Scott Arciszewski (@CiPHPerCoder) September 19, 2017
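A minimal version of the update-channel lockdown Beaumont and Arciszewski are calling for, as an added example that is not from the article or from Arciszewski's post: the release manifest is signed with an Ed25519 key held on a signing host separate from the build box, the client verifies the signature and the installer hash against a public key pinned in the shipped client before replacing its executable, and a trojaned binary is rejected whether or not the attacker can rewrite the manifest. The product name, version string, installer bytes and key pair are constructed sample data; nothing here is CCleaner's actual update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed release descriptor an update server publishes next
// to the installer: which product and version it is, and the SHA-256 of the
// exact bytes the client is allowed to install.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex-encoded digest of the installer
}

// Bytes is the canonical encoding that is signed. Changing any field, or the
// binary the hash covers, invalidates the signature.
func (m Manifest) Bytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// SignRelease runs on a release-signing host that is separate from the build
// environment. A compromised build box can emit a trojaned installer, but it
// cannot produce a valid signature for it without the signing key.
func SignRelease(priv ed25519.PrivateKey, product, version string, installer []byte) (Manifest, []byte) {
	sum := sha256.Sum256(installer)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the client-side gate an auto-updater must pass before it
// replaces the installed executable. pub is pinned in the shipped client and
// never fetched from the update channel; otherwise whoever controls the
// channel also controls the key.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed sample data: a throwaway vendor key pair and stand-in
	// installer bytes, not a real product's release.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("EXAMPLE-APP-INSTALLER-BYTES")
	trojaned := append(append([]byte{}, genuine...), []byte("+BACKDOOR")...)

	m, sig := SignRelease(vendorPriv, "example-app", "1.2.3", genuine)
	fmt.Println("genuine build:", VerifyUpdate(vendorPub, m, sig, genuine))

	// Case 1: the build server swaps the binary but cannot re-sign the manifest.
	fmt.Println("tampered binary, genuine manifest:", VerifyUpdate(vendorPub, m, sig, trojaned))

	// Case 2: the attacker re-hashes and re-signs with a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fm, fsig := SignRelease(attackerPriv, "example-app", "1.2.3", trojaned)
	fmt.Println("tampered binary, forged manifest:", VerifyUpdate(vendorPub, fm, fsig, trojaned))
}
```

The point of splitting SignRelease from the build is that the CCleaner binary was trojaned inside the build environment itself; a signature made on the same box proves nothing, while a signature made by a key the build box never sees turns a compromised build into a failed update rather than a shipped backdoor. Key rotation and revocation are out of scope here.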
Bleeping Computer also published a simple need-to-know guide on the CCleaner malware incident.