On Monday, security biz Avast said it believes some of its credentials were stolen and abused in an unsuccessful attempt to subvert CCleaner, a file cleanup utility that it acquired in 2017.
Jaya Baloo, CISO at Avast Software, said in a blog post that the security shop spotted suspicious behavior on its network last month and began working with outside security groups, including the Czech intelligence agency, Security Information Service (BIS), to investigate the incident.
Following its acquisition of CCleaner two years ago, Avast acknowledged that it had distributed a compromised version of the software that contained nefarious code. Back then, the malware was believed to have infected about 2.27 million PCs.
This time, the vandalism attempt appears to have been thwarted. Forensic data drew attention to malicious activity by someone using an internal IP address that resides within the company's VPN address range.
"The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges," said Baloo. "However, through a successful privilege escalation, the actor managed to obtain domain admin privileges."
Further analysis revealed the attacker, connecting from a public IP address hosted in the UK, had made multiple attempts to access Avast's network since at least May 14 this year. The attacker was able to use compromised credentials through a temporary VPN profile that had been activated by mistake and did not have two-factor authentication enabled.
Avast left that VPN profile in place to gather further data as its investigation proceeded. While planning mitigation measures, the company also worked on shoring up its product build environment and release system.
According to Baloo, the company suspended all CCleaner releases to review current and past versions of the software for malicious code and re-signed a scrubbed version of the software as an automatic update on October 15 while revoking the previous signing certificate and resetting all internal credentials.
Baloo described the attack as "extremely sophisticated" and said the attacker was acting cautiously to avoid detection. "We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss,'" said Baloo. ®