Avast says CCleaner was targeted by hackers… again

Avast breached by hackers who wanted to compromise CCleaner again

"It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their goal, and that the actor was progressing with exceptional caution in order to not be detected".

The attackers used compromised credentials through a temporary VPN profile that had been activated by mistake and didn't have two-factor authentication enabled.

Although the company first noticed the breach on September 23, evidence shows the hackers may have first breached Avast's network as far back as May 14.

The company says: "The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive".

Additionally, the user whose credentials had been compromised did not have domain administrator permissions, which indicates that the attacker was able to achieve privilege escalation. The intruder connected from a public IP address in the United Kingdom and used a temporary VPN profile that should no longer have been active and was not protected with two-factor authentication. The findings show the attackers likely stole multiple employee login credentials for a temporary VPN profile the company had created but forgot to take offline.
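The alert in this account was a directory replication request from an address in the VPN range, first dismissed as a false positive. The sketch below is an added example, not Avast's tooling or code from the original report: it triages such an alert by checking the source against a domain controller allowlist and correlating it with VPN session records. The address ranges, profile names, users and session times are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample environment (assumed values, not from the Avast incident).
VPN_RANGE = ip_network("10.8.0.0/16")
DOMAIN_CONTROLLERS = {ip_address("10.1.0.10"), ip_address("10.1.0.11")}

@dataclass
class VpnSession:
    profile: str
    user: str
    assigned_ip: str
    start: datetime
    end: datetime
    mfa: bool
    temporary: bool

# Constructed VPN session log.
SESSIONS = [
    VpnSession("corp-standard", "alice", "10.8.3.20",
               datetime(2019, 10, 1, 8, 0), datetime(2019, 10, 1, 17, 0), True, False),
    VpnSession("temp-migration", "bob", "10.8.7.41",
               datetime(2019, 10, 1, 2, 10), datetime(2019, 10, 1, 3, 30), False, True),
]

def triage_replication_alert(source_ip, when, sessions=SESSIONS):
    """Return (verdict, reasons) for a directory-replication alert."""
    ip = ip_address(source_ip)
    if ip in DOMAIN_CONTROLLERS:
        return "expected", ["source is a known domain controller"]
    # Replication is normally DC-to-DC; sources not on the allowlist are escalated.
    reasons = ["replication requested by a host that is not a domain controller"]
    if ip in VPN_RANGE:
        reasons.append("source is inside the VPN address range")
        match = next((s for s in sessions
                      if ip_address(s.assigned_ip) == ip and s.start <= when <= s.end), None)
        if match is None:
            reasons.append("no VPN session recorded for this address at that time")
        else:
            reasons.append(f"VPN session: profile={match.profile} user={match.user}")
            if not match.mfa:
                reasons.append("profile has no two-factor authentication")
            if match.temporary:
                reasons.append("profile is marked temporary but is still in use")
    return "escalate", reasons

if __name__ == "__main__":
    verdict, why = triage_replication_alert("10.8.7.41", datetime(2019, 10, 1, 2, 45))
    print(verdict, *why, sep="\n  ")
```

Any source outside the allowlist is escalated regardless of the VPN lookup; the session correlation only adds context for the analyst.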

Suspecting CCleaner as the targeted asset, Avast on September 25 stopped the upcoming updates for the software and started to check prior releases for malicious modification.

Baloo said that they may never know whether the threat actor was the same one as before. At the same time, Avast pushed out a "clean update" to CCleaner that was signed with a new digital certificate.

Avast has disclosed that attackers breached its internal network through a compromised VPN profile and stolen credentials.

"Moreover, we continued to harden and further secure our environments for Avast's business operations and product builds, including the resetting of all employee credentials, with further steps planned to improve overall business security at Avast". The company also says that with immediate effect it has "implemented additional scrutiny" to all releases.

Logo of CCleaner, developed by Piriform which was acquired by Avast in 2017.

Having identified the source of the problem, the incident response team found that the intruders had again attempted to enter its network through this route on October 4.

The company tracked the intruder by keeping the VPN profile active and monitoring the access going through it until mitigation actions could be deployed.

Law enforcement has been notified of the intrusion and an external forensics team assisted Avast's efforts to verify the collected data. The investigation will continue. The information is marked as TLP:RED, which means that it cannot be shared.
