Avast says CCleaner was targeted by hackers... again

Security firm Avast has revealed that it detected and intercepted suspicious activity on its network. The malicious attack is believed to have been instigated by hackers seeking to target the CCleaner software.

This is not the first time Avast and CCleaner have been targeted, and the company has revealed that an attacker had been trying to gain access to its network through its VPN as long ago as mid-May. The attacks -- dubbed "Abiss" -- continued until the beginning of this month.

See also:

• Microsoft bans CCleaner from its support forums
• DoorDash hacked!
• Avast bundles buggy preview web browser with CCleaner, leading to predictable nightmarish results

Avast first detected this round of attacks back in September, and the Czech company worked with local police, the Czech intelligence agency, Security Information Service (BIS), and forensic teams to determine what was going on.

The company says: "The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive. The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider".

Further analysis revealed several attempts using the same technique, and Avast took the decision to leave the temporary VPN profile active to allow for monitoring. Avast determined that its software was the target of the attacks, just as was the case two years ago:

Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.

On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.

In response to what it describes as an "extremely sophisticated attempt", Avast reset all internal user credentials. The company also says that with immediate effect it has "implemented additional scrutiny" to all releases.

Avast does not know if all of the attacks were carried out by the same person or group, and it also does not reveal if it has any suspicions about who might be responsible. The investigation will continue.

Image credit: chanpipat / Shutterstock