What type of data was compromised?
As per our September 18th blog post, we were aware at that time that the compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters). The server this data was transmitted to was shut down to eliminate risk.
What business users are affected?
All users with the 32-bit version of CCleaner v5.33.6162 and version 1.07.3191 of CCleaner Cloud were affected (if you are using CCleaner Cloud, the 32-bit version runs on 64-bit machines).
All CCleaner Cloud users have been automatically updated to the latest version and all CCleaner v5.33.6162 users should update to the latest version.
CCleaner Business Edition endpoints can be updated via the in-app auto-update mechanism or through Group Policy using the installer here. If you are using CCleaner Business Edition via an integration with ConnectWise Automate (formerly LabTech or Kaseya), you can update all available clients using the CCleaner plugin.
We recommend you ensure that all endpoints running CCleaner are running the latest version.
I have a 64-bit machine so why is CCleaner still being flagged by antivirus?
CCleaner v5.33.6162 users, please note that the 32-bit and 64-bit versions of CCleaner are packaged as one installer. Most antivirus products can recognize the 32-bit version inside the installer and flag the whole installer as malware.
To resolve this, we recommend that all endpoints run the latest version of CCleaner.
I am using CCleaner Cloud to manage others (I’m an MSP). Does this affect my clients?
We recommend that you ensure all endpoints running CCleaner are updated to the latest version.
As we have gained new insights through our investigation, we can now say that the purpose of the attack was not to attack consumers and their data, but to gain access to corporate networks of select large enterprises.
Avast have been reaching out individually to the companies known to have been impacted to provide them with technical information and assist them. If your clients are known to have been affected, they will have been contacted directly.
Do you have file hashes for us to verify we have the official CCleaner v5.35 build?
Yes, here are the MD5 and SHA256 file hashes for each of the CCleaner v5.35 builds.
ccsetup535_be.exe - CCleaner Business Edition Installer
ccsetup535_be.msi - CCleaner Business Edition MSI Installer
ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer
ccsetup535_te.msi - CCleaner Technician Edition Installer
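One way to check downloaded installers against the published values before deploying them, as an added example (not Piriform's or Avast's own tooling). The hash values are left as placeholders to be filled in from the vendor's list, and the function names and status strings are assumptions made for this sketch.

```python
import hashlib
import sys
from pathlib import Path

# The four v5.35 installer names listed above. Digests are placeholders:
# paste the vendor-published MD5 and SHA256 values before running.
INSTALLERS = ["ccsetup535_be.exe", "ccsetup535_be.msi",
              "ccsetup535_be_trial.exe", "ccsetup535_te.msi"]
PUBLISHED = {name: {"md5": "<MD5_FROM_VENDOR>", "sha256": "<SHA256_FROM_VENDOR>"}
             for name in INSTALLERS}


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks and return both hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def check_installers(directory, published):
    """Return {filename: status}: ok, mismatch, missing or no-published-hash."""
    results = {}
    for name, expected in published.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif any(value.startswith("<") for value in expected.values()):
            # Never report "ok" for a file whose reference value was not filled in.
            results[name] = "no-published-hash"
        else:
            actual = file_digests(path)
            # Require both digests to match; published hex may be upper case.
            matches = all(actual[algo] == expected[algo].strip().lower()
                          for algo in ("md5", "sha256"))
            results[name] = "ok" if matches else "mismatch"
    return results


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    results = check_installers(directory, PUBLISHED)
    for name, status in results.items():
        print(f"{status:18} {name}")
    # Non-zero exit lets a deployment script stop on anything but a full match.
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

Run it with the download directory as its only argument; an installer reported as mismatch should not be deployed.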
What does this compromise mean for affected business users?
Initially, it was unclear whether the compromise was directed at consumers or businesses, or both. As we have gained new insights through our investigation, we can now say that the purpose of the attack was not to attack consumers and their data, but to gain access to corporate networks of select large enterprises.
Avast have been reaching out individually to the companies known to have been impacted to provide them with technical information and assist them. If you are a business known to have been affected, you will have been contacted.