A few years ago CCleaner fell victim to cybercriminals and it appears as if the application is still a tempting hack.
That’s because Avast has disclosed a hack of its own network in which criminals attempted to compromise CCleaner between May and October of this year.
A report by ZDNet reveals that an Avast employee’s VPN credentials were used to access a temporary VPN profile that was still active and compromised. The profile did not have two-factor authentication enabled.
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider,” Avast explained in an alert.
Perhaps most alarming is that Avast says that account had been used by multiple users, leading it to believe the credentials had likely been spread through the darker halls of the internet.
To Avast’s credit it has acted quickly on this matter. On 25th September it halted CCleaner releases and inspected the application to insure no malicious alterations were made.
“As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” said CCleaner.
Avast has been working with the Czech intelligence agency, Security Information Service (BIS) to gather evidence. That agency believes the attack came from China with the intent of capturing CCleaner and compromising customers.
Despite CCleaner likely being the target of the attack, Avast has battened down the hatches and is toughening up its security as a whole.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’,” Avast concluded.
While a breach is never good news, Avast has handled this matter like champions. The disclosure is clear as day and not obfuscated by tricky language that an ordinary person who doesn’t work in cybersecurity can understand.
If you use CCleaner we recommend updating your application to insure Avast’s latest safety measures are in place.
[Image – CC 0 Pixabay]