Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
October 21, 2019

Avast breached by hackers who wanted to compromise CCleaner again

Czech security software maker Avast has suffered another malicious intrusion into their networks, but the attackers didn’t accomplish what they apparently wanted: compromise releases of the popular CCleaner utility.

What happened?

The discovery of the intrusion started with a security alert that flagged a malicious replication of directory services coming from an internal IP that belonged to the company’s VPN address range.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges,” Avast CISO Jaya Baloo explained.

“After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.”
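The alert that started the investigation was a directory replication request arriving from an address in the VPN pool rather than from a domain controller. The following is an added example, not Avast's code, of that detection logic: it assumes a SIEM has already normalized each Windows 4662 object-access event into a record that carries the source address of the logon session, and the VPN range, DC addresses and sample events are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Control access right GUIDs Windows records in event 4662 when an account
# requests directory replication (the rights a DCSync-style request needs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed environment data: the VPN address pool and the domain
# controllers that legitimately replicate with each other.
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")
DOMAIN_CONTROLLERS = {"10.1.0.10", "10.1.0.11"}


@dataclass
class ReplicationAlert:
    account: str
    source_ip: str
    reason: str


def check_replication_event(event: dict) -> Optional[ReplicationAlert]:
    """Alert when a replication request does not originate from a known DC."""
    if event.get("event_id") != 4662:
        return None
    if not REPLICATION_RIGHTS & set(event.get("properties", ())):
        return None  # ordinary object access, not replication
    src = event["source_ip"]
    if src in DOMAIN_CONTROLLERS:
        return None  # DC-to-DC replication is expected
    if ipaddress.ip_address(src) in VPN_POOL:
        reason = "replication from VPN pool"
    else:
        reason = "replication from non-DC host"
    return ReplicationAlert(event["account"], src, reason)


def scan(events: Iterable[dict]) -> List[ReplicationAlert]:
    return [a for a in map(check_replication_event, events) if a is not None]


# Constructed sample records (GUIDs abbreviated via the constants above).
GET_CHANGES, GET_CHANGES_ALL = sorted(REPLICATION_RIGHTS)
SAMPLE_EVENTS = [
    {"event_id": 4662, "account": "CORP\\DC02$", "source_ip": "10.1.0.11", "properties": [GET_CHANGES_ALL]},
    {"event_id": 4662, "account": "CORP\\jsmith", "source_ip": "10.99.4.23", "properties": [GET_CHANGES, GET_CHANGES_ALL]},
    {"event_id": 4624, "account": "CORP\\jsmith", "source_ip": "10.99.4.23", "properties": []},
    {"event_id": 4662, "account": "CORP\\svc-backup", "source_ip": "10.1.5.7", "properties": [GET_CHANGES]},
]
```

Running `scan(SAMPLE_EVENTS)` returns two alerts: the VPN-pool user and the non-DC server host, while the DC-to-DC replication and the plain logon event are ignored.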

They also discovered that:

  • The attacker had attempted to gain access to the company’s network through its VPN as far back as May 14, and had repeated those attempts in the following months
  • The temporary VPN profile had been used by multiple sets of user credentials, leading them to believe that they were subject to credential theft.

Avast decided not to terminate the temporary VPN profile until they had the chance to see what else the attacker managed to compromise.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions,” Baloo noted.

“On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate.”

Once that was done, the temporary VPN profile was closed, all internal user credentials were disabled and reset, and additional scrutiny was applied to all releases.

Baloo said that they may never know whether the threat actor was the same one as before.

Previous attacks

Avast acquired Piriform, the company developing CCleaner, in July 2017.

In September 2017, Avast confirmed that some versions of the extremely popular utility had been backdoored and offered for download on Piriform’s site in the wake of a successful compromise of Piriform’s servers. Some 2.27 million users downloaded the backdoored versions.

After this incident, Avast migrated the Piriform build environment to the Avast infrastructure and moved the entire Piriform staff onto the Avast internal IT system.

Shortly after, it was discovered that the compromised CCleaner releases had been used to gain access to computers at a number of large tech companies like Intel, Microsoft, Linksys, D-Link, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and Gauselmann, a manufacturer of gaming machines. The attackers were apparently after valuable intellectual property.
