Earlier this month, researchers at Cisco Talos discovered something distressing. Certain copies of CCleaner, a popular PC cleanup app, had been compromised with backdoors. The infected software could be downloaded directly from the developer’s website for nearly a month and was legitimately signed.
According to Piriform, the makers of CCleaner, the optimization tool is installed over five million times every week. Security researchers from Cisco Labs believe this download rate could spell trouble: “If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes.”
Piriform, recently purchased by Avast, is currently investigating who uploaded this compromise and why. In addition, they are taking immediate steps to stop users from downloading backdoored versions of their app. “[Piriform has] already made download sites remove CCleaner v5.33.6162,” writes security reporter Zeljka Zorz. “They pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.”
Researchers from Cisco believe this discovery may be the tip of the iceberg: “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new certificate, care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.”
There are a variety of ways that untrusted certificates can make their way into organizations. DevOps is a growing area of concern in this respect, especially given the speed with which DevOps generates new applications that require certificates. Unfortunately, the incident with CCleaner may be another example of the growing disparity between security protocols and DevOps.
DevOps tends to live outside the purview of standard security strategies, and according to a recent Venafi study, many organizations fail to enforce vital certificate security measures in their DevOps environments. For example, roughly two-thirds (62%) of organizations with mature DevOps programs consistently replace development and test certificates with production certificates when code rolls into production. However, in organizations that are just beginning to adopt DevOps practices, only a bit over one-third (36%) follow this critical best practice.
Ultimately, developers value speed. Robust security protocols and measures may seem like a hindrance to an agile DevOps team. The situation with CCleaner is noteworthy—unless organizations bridge the gap between their security and DevOps teams, similar events may occur in the future.
Is your DevOps team following critical security practices with certificates?