According to this site and the linked blog (with more technical details), CCleaner and its servers were compromised.
A little from their blog...
-
-
Here is the apology, non-technical and technical explanation by Piriform:
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
https://www.piriform.com/news/blog/...eaner-cloud-v1073191-for-32-bit-windows-users
"PAUL YUNG - VP, Products
Dear CCleaner customers, users and supporters,
We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.
We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.
In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."
Further technical info is included, worth checking out...
"Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update.
For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here. " -
StormJumper Notebook Virtuoso
Lost my trust in them now I stick with versions before v5.33.6162 and no more. They sure have a way to shoot themselves in the foot faster but can't seem to find a fix for those who installed v5.33.6162 and have no way to know or how to get rid of it. That's what they should be doing instead of just deleting v5.33.6162 but we all know they won't so trust is lost now.
-
The Avast! server given to CCleaner was the attack vector, and they have locked it down now.
I don't expect they will have another incursion, and I put the problem in the lap of Avast!, not the Piriform people / developers.
Last edited: Sep 19, 2017
-
pathfindercod Notebook Virtuoso
If you knew how many companies and software are compromised without you ever finding out, and lived by your convictions, you'd never use a computer again. Have you lost faith in Microsoft and sworn off Windows? Windows is compromised on a daily basis because of M$ and their crappy programming.
-
StormJumper Notebook Virtuoso
-
pathfindercod Notebook Virtuoso
A big company with target, unlimited financial supply and practically unlimited programming teams is excusable. However the small guy that has supplied a great free tool for many years gets the big shove up the butt.. well good enough for you to keep using an old version but denounced, shamed and marked with the big red A on their chest now.. makes total sense...
-
Salad Bar Riot Notebook Enthusiast
Speaking of big companies...
http://news.softpedia.com/news/ccle...gle-more-in-industrial-espionage-517777.shtml
Makes for an interesting read and I'm sure there's still more to come.
Last edited: Sep 21, 2017
-
CCleaner Command and Control Causes Concern
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
Another report on the overall situation:
THE CCLEANER MALWARE FIASCO TARGETED AT LEAST 20 SPECIFIC TECH FIRMS
https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/
"...On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.
On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.
In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.
"When we found this initially, we knew it had infected a lot of companies," says Williams. "Now we know this was being used as a dragnet to target these 20 companies worldwide...to get footholds in companies that have valuable things to steal, including Cisco unfortunately."
Talos EP 13:A Vast CCleanup, Strutting Your Stuff, and the Ex$ploit Economy Podcast...
http://blog.talosintelligence.com/2017/09/beers-with-talos-ep-13a-vast-ccleanup.html
Earlier Talos post:
CCleanup: A Vast Number of Machines at Risk
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Last edited: Sep 21, 2017
-
-
I've checked my systems, even though I didn't have the 5.33 version 32 bit installer that was infected, and didn't find any registry traces.
CCleaner Command and Control Causes Concern
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
Below are indicators of compromise associated with this attack.
Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)
64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)
32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)
DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Registry Keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
Stage 2 Payload (SHA256):
dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
CCleaner Malware Infects Big Tech Companies With Second Backdoor
Wednesday, September 20, 2017 Mohit Kumar
http://thehackernews.com/2017/09/ccleaner-malware-hacking.html
Removing Malicious CCleaner Version would Not Help
"Just removing the Avast's software application from the infected machines would not be enough to get rid of the CCleaner second stage malware payload from their network, with the attackers' still-active C2 server.
So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions before the installation of the tainted security program.
"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.
For those who are unaware, the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware, and affected users should update the software to version 5.34 or higher."
Thursday, September 21, 2017
Update to the CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 Security Notification
http://www.piriform.com/news/blog/2...ccleaner-cloud-v1073191-security-notification
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
https://forum.piriform.com/index.php?showtopic=48868
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
http://www.piriform.com/news/blog/2...eaner-cloud-v1073191-for-32-bit-windows-users
CCleaner v5.35
http://www.piriform.com/news/release-announcements/2017/9/20/ccleaner-v535
Avast Notifications
Progress on CCleaner Investigation
https://blog.avast.com/progress-on-ccleaner-investigation
Update to the CCleaner 5.33.6162 Security Incident
https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
Last edited: Sep 22, 2017
-
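Added example (not part of the thread and not any vendor's tooling): the triage that the advisories quoted in the post above imply, run over constructed host inventory records. The record fields, verdict names and the `WOW6432Node` handling are assumptions; the versions and registry paths are the ones listed in this thread.

```python
import re

# Affected 32-bit builds named in the Piriform notification quoted in this
# thread, stored as (major, minor, build).
AFFECTED_BUILDS = {"ccleaner": (5, 33, 6162), "ccleaner cloud": (1, 7, 3191)}
WBEMPERF = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf"
AGOMO = r"HKLM\SOFTWARE\Piriform\Agomo"


def norm_version(text):
    """'v5.33.0.6162' and '5.33.6162' (both forms appear here) -> (5, 33, 6162)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    return (parts[0], parts[1], parts[-1] if len(parts) >= 3 else None)


def norm_key(path):
    """Normalise hive name, case and trailing backslash so spellings compare equal."""
    key = path.strip().rstrip("\\").upper()
    key = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key)
    # Assumption: also match the 32-bit registry view on 64-bit Windows.
    return key.replace("\\WOW6432NODE", "")


STAGE1_KEYS = {norm_key(AGOMO + "\\" + n) for n in ("MUID", "NID", "TCID")}
STAGE2_KEYS = {norm_key(WBEMPERF + "\\" + n) for n in ("001", "002", "003", "004", "HBP")}

ACTIONS = {
    "STAGE2_SUSPECTED": "investigate; restore from backup or reimage (Talos)",
    "STAGE1_EXPOSED": "update to 5.34 or higher (Piriform); Talos advises restore or reimage",
    "NO_INDICATOR": "no action from these indicators",
}


def triage(host):
    """Return (verdict, evidence) for one inventory record (hypothetical schema)."""
    keys = {norm_key(k) for k in host.get("registry_paths", [])}
    stage2 = sorted(keys & STAGE2_KEYS)
    stage1 = sorted(keys & STAGE1_KEYS)
    product = host.get("product", "").lower()
    affected = (
        host.get("bits") == 32  # the notification names 32-bit Windows only
        and AFFECTED_BUILDS.get(product) == norm_version(host.get("version", "0.0"))
    )
    if stage2:
        return "STAGE2_SUSPECTED", stage2
    if stage1 or affected:
        return "STAGE1_EXPOSED", stage1 or [f"{product} {host['version']} (32-bit)"]
    return "NO_INDICATOR", []


# Constructed sample inventory; host names and the collected paths are made up.
HOSTS = [
    {"name": "ws-01", "product": "CCleaner", "version": "v5.33.0.6162", "bits": 32,
     "registry_paths": [r"HKEY_LOCAL_MACHINE\Software\Piriform\Agomo\MUID"]},
    {"name": "ws-02", "product": "CCleaner", "version": "5.35", "bits": 32,
     "registry_paths": [r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001"]},
    {"name": "ws-03", "product": "CCleaner", "version": "5.33.6162", "bits": 64,
     "registry_paths": []},
    {"name": "ws-04", "product": "CCleaner Cloud", "version": "1.07.3191", "bits": 32,
     "registry_paths": []},
]


def report(hosts):
    """Map host name -> verdict."""
    return {h["name"]: triage(h)[0] for h in hosts}


if __name__ == "__main__":
    for h in HOSTS:
        verdict, evidence = triage(h)
        print(f"{h['name']}: {verdict} -> {ACTIONS[verdict]} {evidence}")
```

The constructed host ws-02 is already on a fixed version but still carries a WbemPerf key, which is the case the Talos recommendation is about: updating CCleaner does not remove a second stage.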
Friday, September 22, 2017
CCleaner Malware Attack Was Aimed At Critical Internet Infrastructure Vendors Like Google And Microsoft-Hothardware.com
"The real target of this attack is now thought to have been major tech firms like Microsoft, Google, Samsung, Sony, Intel and others according to the Talos threat intelligence team from Cisco. Ironically, Cisco was on that list of major tech firms that the hackers now appear to have been actually aiming for. The big take away here is that many of the companies that are believed to be targets are companies that help make the internet work. Let that sink in for a bit, the CCleaner hack could be much more serious than originally thought."
-
StormJumper Notebook Virtuoso
This makes it more reason to not use CCleaner anymore since once hacked they most likely got the "source code" and now can infect more CCleaner.
-
J/K
I’m sure they will take the right steps if needed. Losing money will force changes. -
As far as I have read this hack is injection into the installer on the distribution server, not requiring access to the development "source code" server.
The server compromised was the one provided by Avast to newly acquired Piriform on their "merged" network that was outward facing (visible on the internet) for product distribution.
Installer build software is easily available and can be used to pull apart a distribution and put it back together with the malware payload, but that process doesn't require the product source code, in fact this method is used when they don't have access to the product source code.
In this kind of hack the outward facing distribution server(s) are the ones compromised and a payload injected installer is used to replace the company developed installer.
Usually this happens at some 3rd party distribution site(s), not an official company distribution server, but in this case the Avast hosted server serving as the official Piriform distribution server was the one hacked.
Product source code access isn't necessary in most malware payload hacks.
Last edited: Sep 23, 2017
-
StormJumper Notebook Virtuoso
-
Narrow views, limited to the factual information at hand, with decades of experience tracking such problems, is exactly what you want in these situations. Uninformed musings will get you into trouble, panicking people needlessly.
These hacks are usually the installer injection at the distribution point. The server hacked was a new distribution server given to Piriform by Avast on Avast's external internet, that "narrow view" is what we call "fact based".
When more facts come to light we can expand that view, but until then unwarranted speculation isn't a wider view, it's an unsubstantiated view.
CCleaner: 2m users install computer cleaning program … that contains malware
Tool now owned by security firm Avast was hacked via a supply chain attack, an increasingly common method of infection
https://www.theguardian.com/technol...ogram-security-avast-supply-chain-attack-hack
"Piriform, the developer of CCleaner now owned by security firm Avast, says that its download servers were compromised at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated the servers with a new version.
In that period, a trojan was loaded into the download package which sent “non-sensitive data” from infected users’ computers back to a server located in the US."
Last edited: Oct 6, 2017
-
Additional information regarding the recent CCleaner APT security incident
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
"New analysis from the Avast Threat Labs
We would like to update our customers and the general public on the latest findings regarding the investigation of the recent CCleaner security incident. As published in our previous blog posts (here and here), analysis of the CnC server showed that the incident was in fact an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.
Today, we are going to disclose new facts about the incident that we received since the last public update."
Please click the link above to go to the site and read the entire article.
Updated with the entire blog post article:
"Introduction
As we already know, the CnC server contained important evidence in terms of the exact list of hosts with which the CnC server communicated, and the list of hosts to which it actually sent the 2nd stage payload (i.e. which actually became compromised in the sense that they could execute malicious code sent by the attacker). The problem was that due to a crash of the database, there were only about 3.5 days’ worth of data. Our hypothesis was that this occurred because of the server running out of disk space on September 10, leading the operator to a full rebuild of the database.
However, further investigation revealed that the attackers backed up the data from the crashed CnC server to another server before rebuilding the database. Thanks to the continued work of the Avast Threat Labs team and the help from US law enforcement personnel. The server’s IP address was 216.126.225.163, it featured the same self-signed SSL certificate (issued for speccy.piriform.com) and stack-wise, had a typical “LAMP” configuration: CentOS release 6.9 with Apache 2.2.15, PHP 5.3.3, but most importantly, a MySql database that turned out to contain data going back to August 18. Access to this backup server allowed us to assemble what we believe is the complete database (the only missing piece is a 40-hour window between 2017-09-10 19:03:18 and 2017-09-12 9:58:47 UTC, i.e. between the crash of the original CnC DB and the creation of the new one; it is not clear how the CnC server behaved in that period).
The main findings from the complete database are as follows:
- The total number of connections to the CnC server was 5,686,677.
- The total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536.
- The total number of unique PCs that received the 2nd stage payload was 40.
The most important piece of information is the content of the “OK” table in the database, which lists the machines that successfully received the 2nd stage payload and were therefore really “infected” with potentially malicious code (although we haven’t been able to isolate that code yet, as it probably came from additional layers which are still the focus of additional investigation).
Here is the complete list of companies / domains affected, together with the number of impacted PCs:
We have reached out to all these companies, with the aim of providing them with detailed information about the incident, list of impacted computers, and additional IOCs that can be used to detect the infection and take corrective actions.
Worth noting is that about 40 PCs out of 2.27M had the compromised version of CCleaner product installed, i.e. 0.0018% of the total -- a truly targeted attack.
The list of companies (domains) evolved over time, and the detailed logs found on the SQL database server suggest that the bad actors were trying to identify suitable hosts not just by a pre-determined list, but also by looking into what kind of PC hosts have actually been available to them in the sense that they had PCs with CCleaner connecting to the CnC. Following is a list of targets that were of potential interest, but were not attacked by the 2nd stage payload:
Clearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some of them potentially leading to additional supply-chain attacks (Carriers / ISPs, server hosting companies and domain registrars).
Interestingly enough, the two corporations with the highest number of impacted PCs (cht.com.tw and nsl.ad.nec.co.jp) were actually missing in the list of targeted domains on the CnC server at the time it was taken down. This suggests that the attackers actively removed these companies from the list after the payload had been delivered.
Origin of the attacker
In the previous post, we talked about the fact that there were multiple clues suggesting that the attack may be originating from China, including multiple instances of PHP code found on the CnC server, the myPhpAdmin logs, and the similarity of certain code snippets to a previous APT attack attributed to China.
The problem with all these indications is that they are all very easy to forge: they might have been added simply to make investigation more difficult and to hide the true origin.
So, during our investigation, we tried to take a slightly different approach. We noticed that there have been a relatively large number of operator connections to the CnC server; the server apparently required a lot of manual maintenance work. In total, the operator connected to the server 83 times (plus 17 more times to the backup server), to do various things from installing and setting up the systems to monitoring it and resolving respective issues, such as to fix the crashed database. Which made us think that this was in fact someone’s ‘day job’. The hypothesis was further supported by the fact that there were many fewer connections to the server on Saturdays, and almost no connections on Sundays.
Now, with that hypothesis in place, the obvious thing to do was to plot the operator connections to the server in a chart and try to determine the time zone in which the attacker resided.
The result looked like this:
There is a clear pattern, which is in fact quite typical for IT workers: an 8-hour working day, followed by 4-5 hours of inactivity in the afternoon/evening and then additional connections during a 5-hour block in the evenings.
Given the typical working day starts at 8AM or 9AM, this leads us to the most likely location of the attacker in the time zone UTC + 4 or UTC + 5, leading us to Russia or the eastern part of Middle East / Central Asia and India. Furthermore, given the clear lack of traffic on Saturdays and Sundays, it would indicate that it wasn’t an Arabic country.
Another possible explanation is that there were multiple people involved in the operation, each working from a different time zone.
It is worth noting that, despite there being a large number of tech / telco companies in China, Russia and India, there are no companies from these countries on the list of companies targeted by this attack.
Investigation process and next steps
We are continuing our investigation of the incident: working with law enforcement, partner companies and a professional firm specializing in incident response operations to move quickly in the right direction. Our security team has reached out to all companies proven to be part of the 2nd stage, and we’re committed to working with them to resolve the issue fully. Obviously, the fact that the 2nd stage payload has been delivered to a computer connected to a company network doesn’t mean that the company network has been compromised. However, proper investigation is in order and necessary to fully understand the impact and take remediation actions. From our side, we continue working on getting access and analyzing the additional stages of the payload (post stage 2). We will post an update as soon as we learn more.
IOCs
The following is an updated list of IOCs.
CnC
IPs
216.126.225.148 - CnC of the 1st stage payload
216.126.225.163 - backup server of CnC 216.126.225.148
URLs (all used for obtaining IP address of the 2nd stage CnC)
get.adoble[.]com
https://github[.]com/search?q=joinlur&type=Users&u=✓
https://en.search.wordpress[.]com/?src=organic&q=keepost
DGA (used by the 1st stage payload)
Windows Registry
HKLM\SOFTWARE\Piriform\Agomo\MUID - used by the 1st stage payload
HKLM\SOFTWARE\Piriform\Agomo\NID - used by the 1st stage payload
HKLM\SOFTWARE\Piriform\Agomo\TCID - used by the 1st stage payload
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP - used by the 2nd stage payload
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 - used by the 2nd stage payload
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 - used by the 2nd stage payload
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 - used by the 2nd stage payload
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 - used by the 2nd stage payload"
Last edited: Apr 30, 2018
-
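Added example (not from the Avast post or from anyone in this thread): the working-hours reasoning in the "Origin of the attacker" section of the post above, applied to constructed operator login timestamps. The 8-hour window search, the function names and the sample data are assumptions; the 8AM/9AM workday start is the one the post uses.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hour_histogram(timestamps):
    """Connections per UTC hour of day, index 0-23."""
    counts = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps)
    return [counts.get(h, 0) for h in range(24)]


def weekday_counts(timestamps):
    """Connections per weekday, counted in UTC."""
    counts = Counter(ts.astimezone(timezone.utc).weekday() for ts in timestamps)
    return {DAYS[i]: counts.get(i, 0) for i in range(7)}


def busiest_window(hist, length=8):
    """Start hour (UTC) and size of the busiest window; wraps past midnight."""
    best_start, best_total = 0, -1
    for start in range(24):
        total = sum(hist[(start + i) % 24] for i in range(length))
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_total


def candidate_offsets(window_start_utc, local_starts=(8, 9)):
    """UTC offsets that put the window start at an assumed local workday start."""
    offsets = []
    for local in local_starts:
        off = (local - window_start_utc) % 24
        offsets.append(off - 24 if off > 14 else off)  # fold into -9..+14
    return offsets


def constructed_sample():
    """Constructed operator logins (UTC), three weeks from Monday 2017-08-21."""
    start = datetime(2017, 8, 21, tzinfo=timezone.utc)
    logins = []
    for day in range(21):
        date = start + timedelta(days=day)
        wd = date.weekday()
        if wd < 5:    # working block, plus an evening session on Mon/Wed/Fri
            hours = [4, 6, 9, 11] + ([17] if wd in (0, 2, 4) else [])
        elif wd == 5:  # a single Saturday login
            hours = [5]
        else:          # nothing on Sundays
            hours = []
        logins += [date + timedelta(hours=h, minutes=15) for h in hours]
    return logins


def analyse(timestamps):
    """Summarise the working-hours pattern of a list of aware datetimes."""
    hist = hour_histogram(timestamps)
    start, total = busiest_window(hist)
    return {
        "window_start_utc": start,
        "in_window": total,
        "offsets": candidate_offsets(start),
        "weekdays": weekday_counts(timestamps),
    }


if __name__ == "__main__":
    print(analyse(constructed_sample()))
```

The offsets are candidates only: as the post says, several operators in different time zones would produce the same histogram, and weekday counts taken in UTC can shift by a day for sessions near local midnight.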
Last edited: Apr 22, 2018
-
Wired didn't add anything new, and their article and your post are wasted time, necro reviving a dead event.
Every time I don't include the entire text of an article, someone who is too lazy to follow the link comes to the wrong conclusion, and either goes away with the wrong impression, or posts based on that wrong impression.
That's why I try to always post the entire article.
Please go back to my previous post and read the expanded text, the whole article from their blog post.
Here is Woody's note and pointer to Wired's article - which you were too lazy to include in your post, with the point of interest, clearly already known back in September and posted in their blog, now included in my post for those too lazy to not follow the link and read it:
" Remember the infected version of CCleaner? 2.27 million downloads, but only 40 got the royal treatment
Posted on April 22nd, 2018 at 10:49 woody Comment on the AskWoody Lounge
If you remember the widely-publicized CCleaner attack, you may be surprised to discover that of the 2.27 million infected downloads, the attackers only gave the full treatment to 40 machines. Says Lily Hay Newman at Wired:
The hackers were apparently launching a targeted attack, looking for a few needles in the massive haystack of 2.27 million “successful” malicious downloads. Of those, about 1.65 million copies of the CCleaner malware phoned home to the attackers, and they only targeted 40 with a second stage of the attack: installing ShadowPad. All of these were technology and IT enterprise targets (most CCleaner users are individuals and home users), and the attackers were able to infiltrate 11 companies through the 40 installs they picked out.
Fascinating story."
-
-
Hackers Hid Malware in CCleaner for Nearly a Month?
Discussion in 'Windows OS and Software' started by LaptopNut, Sep 18, 2017.