Avast breached by hackers who wanted to compromise CCleaner again

Czech security software maker Avast has suffered another malicious intrusion into their networks, but the attackers didn’t accomplish what they apparently wanted: compromise releases of the popular CCleaner utility.

What happened?

The discovery of the intrusion started with a security alert that flagged a malicious replication of directory services coming from an internal IP that belonged to the company’s VPN address range.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges,” Avast CISO Jaya Baloo explained.

“After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.”

They also discovered that the attacker:

• Attempted to gain access to the company’s network through their VPN as far back as May 14, and repeated attempts in the following months
• The temporary VPN profile had been used by multiple sets of user credentials, leading them to believe that they were subject to credential theft.

Avast decided not to terminate the temporary VPN profile until they had the chance to see what else the attacker managed to compromise.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions,” Baloo noted.

“On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate.”

Once that was done, the temporary VPN profile was closed and they disabled and reset all internal user credentials and implemented additional scrutiny to all releases.

Baloo said that they may never know whether the threat actor was the same one as before.

Previous attacks

Avast acquired Piriform, the company developing CCleaner, in July 2017.

In September 2017, Avast confirmed that some versions of the extremely popular utility had been backdoored and offered for download on Piriform’s site in the wake of a successful compromise of Piriform’s servers. Some 2.27 million users downloaded the backdoored versions.

After this incident, Avast migrated the Piriform build environment to the Avast infrastructure and moved the entire Piriform staff onto the Avast internal IT system.

Shortly after, it was discovered that compromised CCleaner releases were a way to get access to computers at a number of huge tech companies like Intel, Microsoft, Linksys, Dlink, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and Gauselmann, a manufacturer of gaming machines. The attackers were apparently after valuable intellectual property.