Hackers accessed the internal network of Czech cybersecurity company Avast, likely aiming for a supply chain attack targeting CCleaner. The intrusion was detected on September 25, but the attempts date back to May 14.

Following an investigation, the antivirus maker determined that the attacker gained access using compromised credentials for a temporary VPN account.

Tiptoeing to higher privileges

From the information collected thus far, the attack appears to be "an extremely sophisticated attempt," says Jaya Baloo, Avast Chief Information Security Officer (CISO).

Avast refers to this attempt by the name 'Abiss' and says that the threat actor behind it exercised extreme caution to avoid detection and to hide the traces of their intentions.

Logs of the suspicious activity show entries on May 14 and 15, on July 24, on September 11, and on October 4.

The intruder connected from a public IP address in the U.K. and took advantage of a temporary VPN profile that should no longer have been active and was not protected with two-factor authentication (2FA).

In a statement today, Jaya Baloo says that the company received an alert for "a malicious replication of directory services from an internal IP that belonged to our VPN address range;" this had been dismissed as a false positive, though.

Replicating directory services data is something only domain controllers and accounts with domain administrator-level replication rights can do. The user whose credentials had been compromised did not have domain administrator permissions, which indicates that the attacker escalated privileges after getting in.
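The alert Avast dismissed is the classic sign of a DCSync-style attack: a host that is not a domain controller asking the directory for replication data. The following is an added example, not Avast's own detection logic, showing how such events can be triaged so that the source address matters. It assumes a simplified, already-correlated event record (Windows event ID 4662 fields plus a source IP joined from logon or network telemetry), a hypothetical list of domain controller addresses and a hypothetical VPN range; the replication extended-right GUIDs are the documented Active Directory values. The sample events are constructed.

```python
"""Triage directory-replication requests (Windows event 4662) by source host.

Added example, not Avast's tooling. Events are assumed to be pre-correlated
dicts: event_id, subject, access_mask, properties (the raw Properties field),
and source_ip (joined in from a logon event or network sensor; 4662 alone does
not carry it).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Documented AD extended-right GUIDs a DCSync request needs on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # access mask bit for "Control Access" in 4662

# Hypothetical environment (assumption, not Avast's real network layout).
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}
VPN_RANGE = ip_network("10.200.0.0/16")

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


@dataclass
class Finding:
    source_ip: str
    subject: str
    severity: str
    reason: str


def requested_rights(properties: str) -> set:
    """Extract GUIDs from the Properties field; tolerates braces, %%-codes, newlines."""
    return set(GUID_RE.findall(properties.lower()))


def is_replication_request(event: dict) -> bool:
    """True when a 4662 event requests a directory-replication extended right."""
    if event.get("event_id") != 4662:
        return False
    mask = event.get("access_mask", 0)
    if isinstance(mask, str):
        mask = int(mask, 16)
    if not mask & CONTROL_ACCESS:
        return False
    return bool(requested_rights(event.get("properties", "")) & REPLICATION_RIGHTS)


def classify(event: dict) -> Optional[Finding]:
    """Rate a replication request by where it came from.

    Only known domain controllers are allowed to replicate. Anything else is
    suspicious, and a VPN-range source is the worst case: that is the pattern
    in the alert described above, which should never be tuned out as noise.
    """
    if not is_replication_request(event):
        return None
    src = event["source_ip"]
    if src in KNOWN_DC_IPS:
        return None  # DC-to-DC replication is expected traffic
    if ip_address(src) in VPN_RANGE:
        return Finding(src, event["subject"], "high",
                       "directory replication requested from VPN address range")
    return Finding(src, event["subject"], "medium",
                   "directory replication requested from a non-DC host")


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events for demonstration.
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "CORP\\DC02$", "access_mask": "0x100",
     "properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "source_ip": "10.0.0.11"},                      # normal DC-to-DC replication
    {"event_id": 4662, "subject": "CORP\\jdoe", "access_mask": "0x100",
     "properties": "%%7688\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "source_ip": "10.200.14.23"},                   # user account, VPN range
    {"event_id": 4662, "subject": "CORP\\svc-backup", "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
     "source_ip": "10.0.50.7"},                      # non-DC server on the LAN
    {"event_id": 4662, "subject": "CORP\\jdoe", "access_mask": "0x100",
     "properties": "%%7688\n{00000000-0000-0000-0000-000000000000}",
     "source_ip": "10.200.14.23"},                   # some other control-access right
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.source_ip} {finding.subject}: {finding.reason}")
```

The design point is the allow-list: only domain controller addresses are exempted, never a whole internal range. An alert rule that treats "internal IP" as benign is exactly what lets a VPN-sourced replication request get filed as a false positive.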

The logs further showed that the temporary profile had been used with multiple sets of user credentials, leading the company to believe that those credentials had been stolen.

CCleaner updates vetted for release

Suspecting CCleaner as the targeted asset, Avast on September 25 stopped the upcoming updates for the software and started to check prior releases for malicious modification.

To ensure that no risk comes to its users, the company re-signed an official CCleaner release and pushed it as an automatic update on October 15. That release updated users still on versions 5.57 through 5.62 of the product so they could benefit from "its enhanced security and improved performance."

Furthermore, the old signing certificate was revoked, Baloo says in the same statement.

"It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases." Jaya Baloo

It is unclear if this is the same threat actor responsible for the CCleaner supply chain attack disclosed in 2017, and a connection between the two incidents is considered unlikely.

Rather than cutting the intruder off immediately, the company kept the VPN profile active and monitored the access going through it in order to track the intruder until mitigation actions could be deployed.

Law enforcement has been notified of the intrusion and an external forensics team assisted Avast's efforts to verify the collected data.

Avast will continue to review and monitor its networks for better detection and quicker response in the future.

Investigation into the actions of this threat actor will also continue, to gain intelligence on how they work. Some details, like the IP addresses used for the intrusion, have been shared with law enforcement and the cybersecurity community. The information is marked TLP:RED, which restricts it to the recipients it was given to and means it cannot be shared further.

Update [10.21.2019]: When CCleaner 5.63 came out on October 15, BleepingComputer sought comments from Avast about the reason and benefits of the update since it was an unexpected move. The company delayed responding to our questions at the time.

CCleaner General Manager David Peterson explains in a blog post today that the reason for automatically updating all CCleaner installations since 5.57 to the current latest version was a preventative measure to ensure that all users run a genuine release.

"We took these steps preventatively as our investigation is continuing, but we wanted to eliminate the risk of fraudulent software being delivered to our users. Since we have indications that the attempts to infiltrate our systems began in May this year, we automatically updated users on builds released after this time to ensure their safety."