Skip to main content
banner image
venafi logo

The CCleaner Compromise: Was a Code Signing Certificate the Culprit?

The CCleaner Compromise: Was a Code Signing Certificate the Culprit?

Cleaner compromise and DevOps
September 20, 2017 | Emil Hanscom

Earlier this month, researchers at Cisco Talos discovered something distressing. Certain copies of CCleaner, a popular PC cleanup app, had been compromised with backdoors. The infected software could be downloaded directly from the developer’s website for nearly a month and was legitimately signed.

According to Piriform, the makers of CCleaner, the optimization tool is installed over five million times every week. Security researchers from Cisco Labs believe this download rate could spell trouble: “If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes.”

Piriform, recently purchased by Avast, is currently investigating who uploaded this compromise and why. In addition, they are taking immediate steps to stop users from downloading backdoored versions of their app. “[Piriform has] already made download sites remove CCleaner v5.33.6162,” writes security reporter Zeljka Zorz. “They pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.

researchers from Cisco believe this discovery may be the tip of the iceberg: “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new certificate, care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.”

There are a variety of ways that untrusted certificates can make their way into organizations. DevOps is a growing area of concern in this respect, especially given the speed with which DevOps generates new applications that require certificates. Unfortunately, the incident with CCleaner may be another example of the growing disparity between security protocols and DevOps.

DevOps tends to live outside the purview of standard security strategies, and according to a recent Venafi study: many organizations fail to enforce vital certificate security measures in their DevOps environments. For example, roughly two-thirds (62%) of organizations with mature DevOps programs consistently replace development and test certificates with production certificates when code rolls into production. However, in organizations that are just beginning to adopt DevOps practices, only a bit over one-third (36%) follow this critical best practice. 

Ultimately, developers value speed. Robust security protocols and measures may seem like a hindrance to an agile DevOps team. The situation with CCleaner is noteworthy—unless we bridge the gap between their security and DevOps teams, similar events may occur in the future.

Is your DevOps team following critical security practices with certificates?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Emil Hanscom
Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more