On September 23, Avast identified suspicious behaviour on its network targeting its CCleaner utility. Attackers used an older VPN profile to get entry into Avast’s network.
CCleaner suffered a supply-chain attack in 2017, in which the attackers compromised the company's servers for more than a month and replaced the original version of the software with a malicious one.
CCleaner is a Windows app launched in 2004, designed to delete unwanted files from a computer. Piriform, a company that Avast acquired in July 2017, manages the app. Avast claims the app has been downloaded more than 2.5 billion times and has 435 million users across 68 countries.
The software is used to remove temporary files that take up disk space and invalid Windows registry keys. Malicious files buried in the system are deleted during the cleanup.
On September 25, Avast received an alert from Microsoft Advanced Threat Analytics regarding suspicious activity.
On further investigation, carried out with the help of the Czech intelligence agency, the Security Information Service (BIS), and an external forensics team, Avast discovered that attackers had attempted to gain access to its network several times this year.
“An unidentified attacker used stolen credentials to gain high-level privileges on the network of Czech software security vendor Avast,” the company said.
The attackers gained an entry point into Avast's network through compromised VPN credentials tied to an old profile that did not require two-factor authentication. They were unsuccessful at pushing out a malicious CCleaner build.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution not to be detected. We do not know if this was the same actor as before, and it is likely we will never know for sure,” wrote Avast researchers.
Avast took two preventive measures: first, it re-signed a clean update of the product and pushed it out to users via automatic update on October 15; second, it revoked the previous precautions. It also disabled and reset all internal user credentials.