Avast lobs intruders into the 'Abiss': Miscreants tried to tamper with CCleaner after sneaking into network via VPN

Software used by millions not compromised this time, says biz

On Monday, security biz Avast said it believes some of its credentials were stolen and abused in an unsuccessful attempt to subvert CCleaner, a file cleanup utility that it acquired in 2017.

Jaya Baloo, CISO at Avast Software, said in a blog post that the security shop spotted suspicious behavior on its network last month and began working with outside security groups, including the Czech intelligence agency, Security Information Service (BIS), to investigate the incident.

Following its acquisition of CCleaner two years ago, Avast acknowledged that it had distributed a compromised version of the software that contained nefarious code. Back then, the malware was believed to have infected about 2.27 million PCs.

This time, the vandalism attempt appears to have been thwarted. Forensic data drew attention to malicious activity by someone using an internal IP address that resides within the company's VPN address range.

"The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges," said Baloo. "However, through a successful privilege escalation, the actor managed to obtain domain admin privileges."

Further analysis revealed the attacker, connecting from a public IP address hosted in the UK, had made multiple attempts to access Avast's network since at least May 14 this year. The attacker was able to use compromised credentials through a temporary VPN profile that had been activated by mistake and didn't have two-factor authentication enabled.

Avast left that VPN profile in place to gather further data as its investigation proceeded. While planning mitigation measures, the company also worked on shoring up its product build environment and release system.

According to Baloo, the company suspended all CCleaner releases to review current and past versions of the software for malicious code. It re-signed a scrubbed version of the software and issued it as an automatic update on October 15, while revoking the previous signing certificate and resetting all internal credentials.

Baloo described the attack as "extremely sophisticated" and said the attacker was acting cautiously to avoid detection. "We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss,'" said Baloo. ®
