Attackers Attempted To Compromise Avast's CCleaner Again

(Image credit: Shutterstock)

Avast, the maker of the popular antivirus program with the same name, announced that it detected an unauthorized intrusion into its network on September 23. According to the company, the attacker attempted to compromise the company’s CCleaner update servers, similar to what happened two years ago when either the same or other attackers successfully infiltrated those servers.

Avast said that its internal network has been successfully accessed through a compromised internal VPN profile that shouldn’t have been enabled and did not require two-factor authentication. 

The company also learned that the attacker has been attempting to gain access to the company’s network since 2014 via Avast’s VPN. Once it learned about these attempts, the company kept the VPN profile enabled to see what the attacker would be able to compromise.

On September 25, the company halted CCleaner updates, as it believed the program was the attacker’s target. It then verified previous CCleaner updates to ensure that they hadn’t already already experienced malicious modifications. It then pushed a clean automatic update to its users on October 15 and it also revoked the previous certificate. 

Once this was done, Avast disabled the compromised VPN profile and reset all internal credentials. The company also implemented additional scrutiny of its CCleaner updates.

Two years ago, mere months after Avast had purchased Piriform, the maker of PC utilities such as CCleaner, Defragler, and others, researchers discovered that the update servers for CCleaner had been compromised by malicious actors. The attackers installed backdoors in an update file of CCleaner that compromised 2.27 million users.

At the time, Avast hadn’t been able to migrate the Piriform applications to its own infrastructure. After the incident, Avast moved both the Piriform build tools as well as the Piriform staff to using its own internal systems.

After the incident happened, it was discovered that malicious actors were able to get access to computers in the internal networks of companies such as Intel, Microsoft, Linksys, Dlink, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and Gauselmann, a manufacturer of gaming machines, in an attempt to extract valuable intellectual property.

Avast recommended regular users to update to the latest clean version of CCleaner at the time (v.5.35), but corporate users may have had to further investigate how the installation of the backdoored CCleaner application affected their networks.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.