| Recurring |
one_organization |
(a) The software failure incident having happened again at one_organization:
The article mentions a similar incident where a compromised version of BitTorrent client Transmission spread ransomware on Macs in March 2016. This incident involved malware being distributed through a trusted software application, similar to the CCleaner incident. This shows a history of software failure incidents within the same organization or with its products and services [63151].
(b) The software failure incident having happened again at multiple_organization:
The article does not provide specific information about similar incidents happening at other organizations or with their products and services. Therefore, it is unknown if this particular type of software failure has occurred at multiple organizations [63151]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase: The incident with CCleaner was due to a hack where malware was inserted into the software during the development phase. The developer confirmed that their download servers were compromised between the release of version v5.33.6162 of the software and the update on September 12th. This breach resulted in a trojan being loaded into the download package, leading to a data leak and the installation of a second stage payload on affected computers [63151].
(b) The software failure incident related to the operation phase: The operation failure in this case was due to the misuse of the compromised software by users who unknowingly installed the infected version of CCleaner. The malware included a trojan that sent data from infected users' computers to a server in the US. This operation failure resulted in the potential exposure of non-sensitive data and the installation of a second stage payload on affected computers [63151]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident involving CCleaner was due to contributing factors that originated from within the system. The incident occurred when a trojan was loaded into the download package of CCleaner, which sent data from infected users' computers back to a server located in the US. Additionally, a "second stage payload" malware was also installed on affected computers [63151].
(b) outside_system: The software failure incident was also influenced by contributing factors that originated from outside the system. The breach involved compromising downloads to trusted software, which is a common method used by malware authors to infect devices. This method, known as a "supply chain" attack, exploits the trust relationship between a manufacturer or supplier and a customer [63151]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in Article 63151 occurred due to non-human actions. The failure was a result of the software being hacked to include malware in the download package, which was loaded onto users' computers without their knowledge. The trojan sent data back to a server and also attempted to install a second stage payload, although the latter was not executed. This incident highlights how software can be compromised through supply chain attacks, where attackers exploit the trust relationship between software developers and users [63151].
(b) The software failure incident in Article 63151 was not directly caused by human actions. However, it is important to note that the breach occurred due to a vulnerability in the software's download servers, which could have been prevented or mitigated through stronger security measures implemented by the developers. Additionally, the response to the incident, such as the investigation and remediation efforts, involved human actions by the company and security researchers [63151]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in Article 63151 was primarily due to contributing factors originating in software. The incident involved a hack where the CCleaner software was compromised by malware inserted into the download package. This malware sent data from infected users' computers to a server and also attempted to install a second stage payload on affected computers. The breach was discovered by Cisco's Talos Intelligence research team, indicating that the failure originated in the software itself rather than hardware [63151]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident related to the CCleaner hack was malicious in nature. The incident involved a version of CCleaner being hacked to include malware, specifically a trojan that sent data from infected users' computers to a server in the US. Additionally, a "second stage payload" of malware was also installed on affected computers. The attack was described as unauthorized, and the company did not want to speculate on how the unauthorized code appeared in the software or who was behind it [63151]. |
| Intent (Poor/Accidental Decisions) |
unknown |
(a) The intent of the software failure incident:
The incident involving the CCleaner software was not due to poor decisions but rather a deliberate hack. The software was compromised when hackers inserted malware into the download package, affecting over 2 million users. The attack involved a trojan that sent data from infected computers to a server in the US. Additionally, a "second stage payload" was installed on affected computers, although it was not executed. The company behind CCleaner, Piriform, stated that they did not want to speculate on how the unauthorized code appeared in the software or who was behind the attack [63151]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the compromised version of CCleaner that was hacked to include malware. The incident occurred due to a breach in the developer's download servers between the release of version v5.33.6162 and the subsequent update. The trojan loaded into the download package resulted in a data leak and the installation of a second stage payload on affected computers. The company's vice president mentioned that they did not want to speculate on how the unauthorized code appeared in the software or where the attack originated, indicating a lack of understanding of the breach's root cause [63151].
(b) The accidental aspect of the software failure incident is seen in the unintentional inclusion of malware in the CCleaner software. The developer, Piriform, confirmed that their download servers were compromised, leading to the distribution of the infected version of the software to over 2 million users. The company stated that they believe the affected users are now safe after disarming the threat, indicating that the inclusion of malware was not intentional but rather a result of the breach in their servers [63151]. |
| Duration |
temporary |
(a) The software failure incident related to the CCleaner hack was temporary. The incident occurred between 15 August, when the compromised version v5.33.6162 was released, and 12 September when the servers were updated with a new version [63151]. During this period, the trojan was loaded into the download package, leading to the infection of 2.27 million users. However, Piriform was able to disarm the threat by taking down the "command and control" server, preventing further harm [63151].
(b) The software failure incident was not permanent: the compromised version of CCleaner was active only for a limited period between the release of the infected version and the update to the clean version, and the malware was detected and mitigated within that timeframe [63151]. |
| Behaviour |
other |
(a) crash: The software failure incident related to the CCleaner hack did not result in a crash where the system loses state and does not perform any of its intended functions. The malware inserted into the software did not render the software completely non-functional; instead, it collected data and attempted to install additional malware [63151].
(b) omission: The incident did not involve the system omitting to perform its intended functions at an instance(s). The malware inserted into CCleaner did not prevent the software from running; rather, it operated in the background while still allowing the software to function as intended [63151].
(c) timing: The software failure incident was not related to the system performing its intended functions correctly but too late or too early. The malware inserted into CCleaner did not affect the timing of the software's operations; it primarily focused on data collection and potential installation of additional malware [63151].
(d) value: The failure was not due to the system performing its intended functions incorrectly. The primary impact of the incident was data collection and potential installation of additional malware, rather than the software executing its functions incorrectly [63151].
(e) byzantine: The software failure incident did not exhibit behavior characteristic of a byzantine failure, where the system behaves erroneously with inconsistent responses and interactions. The malware inserted into CCleaner had a specific purpose of data collection and potential further infection, rather than causing erratic or inconsistent behavior within the software [63151].
(f) other: The behavior of the software failure incident could be categorized as a security breach resulting from a supply chain attack. The attackers compromised the download servers of CCleaner to distribute malware-infected versions of the software to users, exploiting the trust relationship between the software supplier and customers. This method of attack, known as a "supply chain" attack, is a significant concern in cybersecurity [63151]. |