Avast: Stolen VPN Credentials Led to CCleaner Attack ReduxAvast Says CCleaner Versions Are Malware-Free
Avast's CCleaner utility is popular - with attackers.
For the second time in two years, the company says it believes CCleaner was the intended targeted of a carefully plotted intrusion executed between May and October.
The previous attack in 2017 created a trojanized version of CCleaner to deliver a backdoor that targeted big name companies such as Akamai, D-Link Google, HTC, Intel, Linksys, Microsoft, Samsung, Sony, VMware and Cisco (see: Trojanized Avast CCleaner Attack Targeted Major Tech Firms). This type of manipulation is often referred to as a supply chain attack, allowing an intruder to piggyback on a widely installed program that most believe is safe.
Writing about the latest attack, Jaya Baloo, Avast's CISO, notes: "From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss'."
Avast's detailed description of the latest incident drew praise, including from U.K. security researcher Kevin Beaumont, who tweeted that other organizations can learn from the situation.
Incredible transparency from AVAST (antivirus vendor) here. Somebody basically cloned their Active Directory and had access from at least May. Worth reading as many orgs have these kind of issues. https://t.co/ZsbdFGOKsi— Kevin Beaumont (@GossiTheDog) October 21, 2019
Malicious Replication Attempt
CCleaner has long been a popular free utility for Microsoft Windows that can be used to tidy hard drives by removing temporary files and cruft left behind by uninstalled applications.
Avast acquired CCleaner from the U.K. company Piriform in July 2017. At the time of the acquisition, Avast said CCleaner had an install base of 130 million machines worldwide.
" Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected."
—Jaya Baloo, Avast
The latest attack was thwarted, Avast says. The company says it has since scanned previous versions of CCleaner for tampering, and they've come up clean. It also generated a new version of CCleaner and delivered it as an update on Oct. 15.
"Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected," Baloo writes.
Avast caught onto the latest attempt after an alert from Microsoft's Advanced Threat Analytics platform. The investigation also involved Czech intelligence and the country's Security Information Service, Baloo writes.
The alert pointed to "a malicious replication of directory services from an internal IP that belong to our VPN address range, which had originally been dismissed as a false positive," Baloo writes.
One of its employee's VPN credentials appeared to be compromised. The attacker was able to escalate privileges to gain domain admin access. The activity started as early as May 14 and continued through Oct. 4.
"After further analysis, we found that the internal network was successfully accessed with the compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA," Baloo writes.
That temporary profile was used with several sets of credentials, "leading us to believe that they were subject to credential theft," she writes.
Avast left the temporary VPN profile active for a while in order to monitor it. Baloo writes that the company halted upcoming releases on Sept. 25 to check for tampering.
"It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile," Baloo writes. "At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases."
Supply Chain Risks
The attack against CCleaner in 2017 showed the risks of supply-chain tampering efforts. Hackers infiltrated a server that hosted copies of CCleaner and substituted it for a malicious one, which had been signed with a legitimate digital certificate.
The attack proved breathtakingly successful. The trojanized CCleaner landed on 700,000 systems, according to Cisco's Talos unit.