Avast internal networks were hacked. Did attackers install backdoors in CCleaner? Is it secure to use this tool?

Even security companies are exposed to cyberattacks. IT system audit specialists report that security software developer Avast has become the victim of an attack on its internal networks. In a statement, the Czech-based company said that the hackers most likely tried to inject malware into the CCleaner code, similar to the incident that occurred a couple of years ago.

Apparently, the intrusion occurred because the threat actors compromised the virtual private network (VPN) credentials of an Avast employee, gaining access to an account that had no additional layer of security, such as multi-factor authentication.

The company’s IT system audit teams mentioned that the internal networks had shown signs of suspicious activity for at least four months; however, the intrusion was not confirmed until September 23. “Even though the targeted user did not have administrator privileges, the hackers performed a privilege escalation to gain broad access to the domain,” Avast Information Security director Jaya Baloo said.

Avast teams are also tracking new security alerts in their Microsoft Advanced Threat Analytics (ATA) dashboard, a tool for analyzing the local network and its traffic to prevent external attacks. Avast IT system audit experts even left the targeted user’s VPN profile active, in order to trace the source of the malicious activity.

Subsequently, on October 15, the company finished its security analysis of previous CCleaner versions and released a new update that no longer contains the errors present in previous deployments.

Another security measure implemented by Avast was changing the digital certificate used to sign CCleaner updates: the latest update is signed with a completely new certificate, while the old certificates have been revoked. “This way, hackers will no longer be able to use these certificates to sign fake updates,” the company added.
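As an added illustration of the certificate rotation described above (example code, not Avast's or CCleaner's actual update mechanism), the following verifier pins the newly issued signing key and rejects anything signed with the revoked one; it uses Ed25519 keys as a stand-in for code-signing certificates and a constructed installer payload:

```go
package main
import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)
// SignedUpdate is a constructed stand-in for a signed installer and its signer's key.
type SignedUpdate struct {
	Payload, Signature []byte
	SignerKey          ed25519.PublicKey
}
// Verifier pins the current update-signing key and lists revoked keys by hex.
type Verifier struct {
	Trusted ed25519.PublicKey
	Revoked map[string]bool
}
var (
	ErrRevoked   = errors.New("signed with a revoked certificate")
	ErrUntrusted = errors.New("not signed by the current certificate")
	ErrBadSig    = errors.New("signature does not cover the payload")
)
// KeyID is the lookup key used for the revocation set.
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
// Sign produces a SignedUpdate for payload under priv (the vendor's side).
func Sign(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{payload, ed25519.Sign(priv, payload), priv.Public().(ed25519.PublicKey)}
}
// Verify checks revocation first, so a stolen but otherwise valid key never
// passes, then pins the current key and finally checks the signature bytes.
func (v Verifier) Verify(u SignedUpdate) error {
	switch {
	case v.Revoked[KeyID(u.SignerKey)]:
		return ErrRevoked
	case !u.SignerKey.Equal(v.Trusted):
		return ErrUntrusted
	case !ed25519.Verify(u.SignerKey, u.Payload, u.Signature):
		return ErrBadSig
	}
	return nil
}
func main() {
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil) // pre-incident certificate (constructed)
	newPub, newPriv, _ := ed25519.GenerateKey(nil) // freshly issued certificate (constructed)
	v := Verifier{Trusted: newPub, Revoked: map[string]bool{KeyID(oldPub): true}}
	installer := []byte("constructed CCleaner installer bytes")
	fmt.Println("old cert:", v.Verify(Sign(oldPriv, installer))) // rejected as revoked
	fmt.Println("new cert:", v.Verify(Sign(newPriv, installer))) // <nil>, accepted
}
```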

Finally, the company reset the VPN credentials of all its employees. “We are confident that these measures will be enough to ensure the safety of all CCleaner users,” Jaya Baloo added. Avast notified BIS, the Czech intelligence service, in a timely manner, and the Czech Police Cybersecurity Department was also notified.

Although further details about the incident cannot be revealed due to the ongoing investigation, Avast stated that so far there is no evidence to suggest that the same group that hacked CCleaner a couple of years ago is responsible for this incident as well.

In 2017, IT system audit specialists from the International Institute of Cyber Security (IICS) reported that Piriform, the former CCleaner developer, was hacked. A group of hackers managed to access the company’s networks using a compromised TeamViewer account. Once inside Piriform’s networks, the threat actors injected a dangerous malware variant into the CCleaner code. The attack was attributed to hacker groups backed by the Chinese government.