Incident: CCleaner Compromised by Hackers, Malware Backdoor Inserted, Millions Impacted

Published Date: 2017-09-18

Postmortem Analysis
Timeline
1. The software failure incident involving CCleaner happened in August and September [Article 63188].
2. The incident started as early as July 3 [Article 63170].
3. The compromised version of CCleaner software was released to customers on Aug. 15 [Article 63170].

System
1. CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows PCs [63126, 63170]
2. CCleaner Cloud version [63170]
3. Piriform's software development or distribution process [70306]
4. Avast's software development or distribution process [63126]
5. Piriform, the Avast subsidiary that develops CCleaner [63188]

Responsible Organization
1. Hackers compromised the CCleaner software by inserting a backdoor into updates, leading to the software failure incident [70306, 63126, 63170, 63188].

Impacted Organization
1. Avast's Piriform company and its CCleaner software users were impacted by the software failure incident [70306, 63126, 63170, 63188].

Software Causes
1. The software failure incident was caused by hackers compromising the CCleaner software by inserting a backdoor into updates, leading to millions of computers being exposed to malware [70306, 63126, 63170, 63188].
2. The compromised versions of CCleaner, specifically CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows PCs, were the specific software versions affected by the malware [63170, 63188].
3. The attackers used remote administration tools in the tainted CCleaner versions to connect to unregistered web pages and potentially download additional unauthorized programs [63188].

Non-software Causes
1. Stolen credentials were used to log into a TeamViewer remote desktop account on a developer PC, allowing hackers to access Piriform's networks [70306].
2. Attackers compromised the systems of Piriform by using a malware platform called ShadowPad, which was installed on compromised computers [70306].
3. Hackers infiltrated Avast's software development or distribution process, allowing them to insert a backdoor into CCleaner updates [63126].
4. The compromised version of CCleaner software was released to customers on August 15, potentially allowing hackers to control the devices of millions of users [63188].

Impacts
1. The compromised CCleaner software version was downloaded by 2.27 million users, exposing their computers to potential control by hackers [63188].
2. The malware gathered sensitive information such as IP addresses, computer names, installed software lists, active software lists, and network adapter lists, sending them to a third-party server [63170].
3. The compromised software targeted computers running 32-bit Windows 10 [63170].
4. The attackers were able to infiltrate 11 companies through the 40 installs they targeted, impacting technology and IT enterprise targets [70306].
5. The incident highlighted the threat of digital supply chain attacks, where trusted software is infected by malicious code, leading to a breach of consumer trust in software companies [63126].

Preventions
1. Implementing stronger security practices and protocols within the software development and distribution process to prevent unauthorized access and tampering [Article 70306, Article 63126].
2. Conducting thorough due diligence, including cybersecurity assessments, during mergers and acquisitions to identify any potential security risks within the acquired company's systems [Article 70306].
3. Enhancing supply chain security by verifying the integrity of software updates and installations through cryptographic signatures and other authentication mechanisms [Article 63126].
4. Regularly monitoring and auditing the software supply chain for any signs of compromise or malicious activity [Article 63126].
5. Educating users on how to identify and respond to potential security threats, such as suspicious software behavior or unexpected data transmissions [Article 63170].

Fixes
1. Implementing stronger security practices in the software development and distribution process to prevent hackers from infiltrating and inserting malware into legitimate software updates [63126, 63188].
2. Conducting thorough due diligence, including cybersecurity assessments, during mergers and acquisitions to identify any potential breaches or vulnerabilities in the acquired company's systems [70306].
3. Enhancing vetting processes for digital supply chain attacks to ensure the integrity of software updates and installations [63126].
4. Regularly updating software versions to ensure users are protected from known vulnerabilities and malicious code [63170, 63188].
5. Running antivirus scans on systems to detect and remove any potential malware left behind by the compromised software [63188].

References
1. Avast executive vice president and chief technology officer Ondrej Vlcek [70306]
2. Cisco Talos security researchers [70306, 63126, 63188]
3. Morphisec [70306, 63126, 63188]
4. Avast CEO Vince Steckler [63170]
5. Avast Consumer Business CTO and EVP Ondrej Vlcek [63170]
6. Talos researcher Craig Williams [63188]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The incident involving the compromise of CCleaner by hackers happened again within the same organization, Avast, which acquired Piriform, the company that created CCleaner [70306, 63126].
- Avast, the parent company of Piriform, discovered the compromise on September 12 and released a new, uncompromised version of CCleaner on the same day [63188].
- The compromised version of CCleaner was released to customers on August 15, affecting around 2.27 million computers [63170].
- Avast worked with law enforcement to shut down a server related to the attack on September 15 before any known harm was done [63188].
(b) The software failure incident having happened again at multiple_organization:
- The incident involving the compromise of CCleaner is part of a larger trend of digital supply chain attacks, with other incidents reported in the past few months [63126].
- In June, a similar supply chain vulnerability was exploited to deliver the destructive software NotPetya through the update mechanism of an accounting software known as MeDoc [63126].
- Another supply chain attack called "Shadowpad" was discovered in which hackers smuggled a backdoor into software distributed by the South Korea-based firm Netsarang, affecting hundreds of banks, energy, and drug companies [63126].
- These incidents highlight the increasing trend of supply chain attacks targeting software companies and their products [63126].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the development phases:
- The CCleaner software was compromised by hackers who infiltrated Avast's software development or distribution process, allowing them to insert a backdoor into the updates of the application [63126].
- The compromised version of CCleaner software was released to customers on August 15, and around 2.27 million computers were affected by the tainted software [63170].
- The attackers managed to slip a malicious program into the legitimate CCleaner software, which included remote administration tools that tried to connect to unregistered web pages to download additional unauthorized programs [63188].
(b) The software failure incident related to the operation phases:
- The compromised CCleaner software gathered information from infected computers, such as IP addresses, computer names, lists of installed software, active software, and network adapters, sending this data to a third-party server [63170].
- The attackers behind the CCleaner compromise were able to control the devices of millions of users who downloaded the tainted versions of the software, directing the computers to get instructions from servers under the hackers' control [63188].

Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident involving CCleaner was primarily due to contributing factors that originated from within the system. The hackers compromised the systems of Piriform, the company that created CCleaner, by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC [70306]. This internal compromise allowed the attackers to install malware called ShadowPad on the compromised computers, leading to the contamination of CCleaner downloads with a backdoor [70306]. Additionally, the compromised version of CCleaner included remote administration tools that tried to connect to unregistered web pages to download additional unauthorized programs, indicating an internal infiltration of the software [63188].
(b) outside_system: The software failure incident also involved contributing factors that originated from outside the system. Hackers exploited the digital supply chain to plant tainted code in CCleaner updates, which were distributed to millions of personal computers [63126]. The attack betrayed basic consumer trust in CCleaner developer Avast and software firms more broadly by lacing a legitimate program with malware, highlighting the vulnerability of trusted channels in the software supply chain [63126]. The attackers used the compromised software distribution process to push out malware to consumers, indicating an external infiltration of the software supply chain [63126].

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incident involving CCleaner was due to hackers compromising the software and inserting a backdoor into updates, leading to millions of computers being exposed to malware [Article 70306].
- Hackers infiltrated Avast's software development or distribution process, allowing them to push out malware disguised as legitimate CCleaner updates to consumers [Article 63126].
- The compromised version of CCleaner was released to customers, affecting around 2.27 million computers, without any known harm being done before the server was shut down [Article 63170].
- More than 2 million people downloaded tainted versions of CCleaner, which directed their computers to get instructions from servers under the hackers' control [Article 63188].
(b) The software failure incident occurring due to human actions:
- The attackers initially gained access to Piriform's networks by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC, highlighting a human factor in the breach [Article 70306].
- The compromised version of CCleaner was released to customers after hackers infiltrated Avast's software development or distribution process, indicating a human element in the attack [Article 63126].
- The compromise of the system may have started as early as July 3, prior to Avast buying Piriform, suggesting a potential human oversight in the security of the software [Article 63170].
- The malicious program was slipped into legitimate software, CCleaner, by hackers, indicating a human-driven action to introduce the malware into the software [Article 63188].

Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- The software failure incident involving CCleaner was not due to hardware issues but rather due to hackers compromising the software by inserting malware into the updates [63126].
- The compromised version of CCleaner included remote administration tools that tried to connect to unregistered web pages to download additional unauthorized programs, indicating a software-based attack rather than a hardware issue [63188].
(b) The software failure incident occurring due to software:
- The software failure incident involving CCleaner was primarily due to software issues, specifically hackers inserting malware into the software updates [63126].
- The compromised versions of CCleaner contained malware that gathered information from users' computers and sent it to third-party servers, showcasing a software-based failure [63170].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident related to the CCleaner compromise was malicious in nature. Hackers compromised the CCleaner software by inserting a backdoor into updates, leading to millions of computers being exposed to malware [70306, 63126, 63170, 63188]. The attackers infiltrated Avast's software development or distribution process, essentially putting Avast's stamp of approval on malware and distributing it to consumers [63126]. The compromised version of CCleaner gathered sensitive information from users' computers and sent it to a third-party server [63170]. The attack was sophisticated and penetrated an established and trusted supplier, similar to the NotPetya attack on Ukrainian accounting software [63188].
(b) The software failure incident was non-malicious in the sense that the compromised software was distributed unknowingly to users who trusted the software vendor. Users who installed the compromised version of CCleaner did not notice any unusual behavior, as the software had a proper digital certificate, making it appear trustworthy [63188]. The compromised software versions were identified, and users were advised to download new, uncompromised versions to mitigate the risk [63188].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident was due to poor decisions made by the attackers who compromised the CCleaner software. The attackers infiltrated Avast's software development or distribution process, allowing them to insert a backdoor into the CCleaner updates, essentially putting Avast's stamp of approval on malware and distributing it to consumers [63126]. The attackers used a supply-chain vulnerability to deliver the malware, betraying consumer trust in Avast and software firms by lacing a legitimate program with malware [63126].
(b) The software failure incident was not due to accidental decisions or unintended mistakes. It was a deliberate and sophisticated attack by hackers who strategically compromised the CCleaner software to gather information from users' computers and potentially control their devices [63188]. The attack was well-planned and executed, penetrating an established and trusted supplier in a manner similar to previous attacks on software companies [63188].

Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The incident involving CCleaner being compromised by hackers was a result of a sophisticated attack that penetrated an established and trusted supplier, Piriform, in a manner similar to previous attacks like "NotPetya" [Article 63188].
- The compromised version of CCleaner included remote administration tools that tried to connect to unregistered web pages to download additional unauthorized programs, indicating a level of sophistication in the attack [Article 63188].
(b) The software failure incident occurring accidentally:
- The compromised version of CCleaner was released to customers on August 15, and it was discovered that around 2.27 million computers had used the infected software [Article 63170].
- Avast, the parent company of Piriform, uncovered the attacks on September 12 and released a new, uncompromised version of CCleaner the same day, indicating that the compromise was accidental and not immediately detected [Article 63188].

Duration
Option: temporary
Rationale:
(a) The software failure incident related to the CCleaner compromise was temporary. The compromised version of CCleaner was released in August and September, affecting around 2.27 million computers running 32-bit Windows 10 [63170]. The issue was detected, and a new, uncompromised version of CCleaner was released on September 12, with the clean version of CCleaner Cloud released on September 15 [63188]. The server directing traffic to the malicious server was shut down on September 15 before any known harm was done [63170]. The incident was resolved by taking down the malicious server and releasing clean versions of the software, indicating the temporary nature of the failure.

Behaviour
Option: crash, omission, timing, value, other
Rationale:
(a) crash: The software failure incident related to the CCleaner compromise can be categorized as a crash. The compromised CCleaner version led to a crash in the sense that it was not performing its intended functions but instead had a malware backdoor that allowed hackers to control the devices of millions of users [63188].
(b) omission: The software failure incident can also be categorized as an omission. The compromised CCleaner version omitted to perform its intended functions of cleaning up junk programs and advertising cookies to speed up devices, instead gathering information like IP addresses, computer names, and lists of installed software on users' computers [63170].
(c) timing: The software failure incident can be categorized as a timing issue. The compromised CCleaner version performed its intended functions incorrectly by sending gathered information to a third-party server, but this action was detected and shut down before any known harm was done [63170].
(d) value: The software failure incident can be categorized as a value issue. The compromised CCleaner version performed its intended functions incorrectly by sending sensitive information like IP addresses, computer names, and lists of installed software to a third-party server, potentially compromising user data [63170].
(e) byzantine: The software failure incident does not align with a byzantine behavior as described in the articles.
(f) other: The software failure incident can be categorized as a failure due to a security breach. The compromised CCleaner version was tainted with malware, leading to a breach in the software's security and trustworthiness, allowing hackers to control users' devices and gather sensitive information [70306, 63126, 63170, 63188].

IoT System Layer

Layer Option Rationale
Perception
Option: None
Rationale: None

Communication
Option: None
Rationale: None

Application
Option: None
Rationale: None

Other Details

Category Option Rationale
Consequence
Option: property, theoretical_consequence
Rationale:
(d) property: People's material goods, money, or data was impacted due to the software failure.
The software failure incident involving CCleaner resulted in hackers compromising the software and infecting it with malware. This malware gathered information such as IP addresses, computer names, lists of installed software, active software, and network adapters from users' computers, sending this data to a third-party server [Article 63170]. Additionally, the compromised version of CCleaner was downloaded by around 2.27 million computers, potentially allowing hackers to control these devices [Article 63188]. This indicates a significant impact on users' data and potentially their devices due to the software failure incident.

Domain
Option: information, knowledge
Rationale:
(a) The software failure incident affected the information industry as it involved the compromised computer cleanup tool CCleaner, which is widely used for optimizing computer performance and cleaning up junk programs and advertising cookies [63188].
(i) The incident also impacted the knowledge industry as CCleaner is a tool used by individuals and organizations for computer optimization and maintenance, which are essential for various knowledge-related activities such as research, education, and general computing tasks [63188].
(m) The software failure incident is not directly related to any other specific industry mentioned in the options provided.
