Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
October 21, 2019

Avast breached by hackers who wanted to compromise CCleaner again

Czech security software maker Avast has suffered another malicious intrusion into their networks, but the attackers didn’t accomplish what they apparently wanted: compromise releases of the popular CCleaner utility.


What happened?

The discovery of the intrusion started with a security alert that flagged a malicious replication of directory services coming from an internal IP that belonged to the company’s VPN address range.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges,” Avast CISO Jaya Baloo explained.

“After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.”
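The alert that exposed the intrusion was a directory-replication request arriving from a VPN-range address rather than from a domain controller. The check below is an added example (not Avast's tooling or anything from the article) of that detection logic: it assumes a simplified, constructed record format in which each directory-access event already carries the client address (in a real deployment that address has to be correlated from the logon event), and the VPN range and DC addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Well-known Active Directory control-access right GUIDs that grant
# replication of directory data; requesting them is what a DCSync-style
# replication request looks like in directory-access auditing.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Constructed environment facts for this example (not from the article).
DC_ADDRESSES = {ipaddress.ip_address("10.10.0.5"), ipaddress.ip_address("10.10.0.6")}
VPN_RANGE = ipaddress.ip_network("10.200.0.0/16")


@dataclass
class Finding:
    user: str
    src_ip: str
    right: str
    via_vpn: bool  # True when the requester sits in the VPN address range


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_replication(lines):
    """Flag replication-right requests from anything that is not a DC."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        right = REPL_RIGHTS.get(ev.get("property", "").lower())
        if right is None:  # some other attribute access, not replication
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if src in DC_ADDRESSES:  # DCs legitimately replicate with each other
            continue
        findings.append(Finding(ev["user"], str(src), right, src in VPN_RANGE))
    return findings


# Constructed sample records: DC-to-DC replication, a replication request
# from a VPN client, an unrelated attribute read, and one from a server VLAN.
SAMPLE_LOG = [
    "user=DC01$ src_ip=10.10.0.6 property=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "user=jdoe src_ip=10.200.14.7 property=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "user=jdoe src_ip=10.200.14.7 property=00000000-0000-0000-0000-000000000000",
    "user=svc_backup src_ip=10.30.1.12 property=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
]
```

Every non-DC requester is worth a look; a hit from the VPN range combined with a non-admin user, as in this incident, is the one to escalate first.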

They also discovered that the attacker:

  • Had attempted to gain access to the company’s network through its VPN as far back as May 14 and had repeated those attempts in the following months
  • Had used the temporary VPN profile with multiple sets of user credentials, leading them to believe that they were subject to credential theft.

Avast decided not to terminate the temporary VPN profile until they had the chance to see what else the attacker managed to compromise.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions,” Baloo noted.

“On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate.”

Once that was done, the temporary VPN profile was closed, all internal user credentials were disabled and reset, and additional scrutiny was applied to all releases.

Baloo said that they may never know whether the threat actor was the same one as before.

Previous attacks

Avast acquired Piriform, the company developing CCleaner, in July 2017.

In September 2017, Avast confirmed that some versions of the extremely popular utility had been backdoored and offered for download on Piriform’s site in the wake of a successful compromise of Piriform’s servers. Some 2.27 million users downloaded the backdoored versions.

After this incident, Avast migrated the Piriform build environment to the Avast infrastructure and moved the entire Piriform staff onto the Avast internal IT system.

Shortly after, it was discovered that the compromised CCleaner releases had been used to gain access to computers at a number of large tech companies such as Intel, Microsoft, Linksys, D-Link, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and Gauselmann, a manufacturer of gaming machines. The attackers were apparently after valuable intellectual property.
