Avast fends off hacker who breached its internal network in copycat CCleaner attack

Graham Cluley

In August 2017, the installer for the popular clean-up tool CCleaner was tampered with by hackers to contain a malicious backdoor, and downloaded by 2.27 million customers worldwide.

Now Czech anti-virus firm Avast, which distributes CCleaner, has revealed that hackers appear to have tried the same type of supply chain attack again.

In a blog post published on its website, Avast describes how it discovered on September 23rd that a hacker had gained access to its internal network after compromising a worker’s VPN credentials, and had managed to escalate their privileges to obtain admin rights for the domain.

After a deeper analysis, Avast determined that the hacker had been attempting to gain access to its network since at least May 14th 2019.

In response, Avast says that it stopped issuing updates for CCleaner and began to check past releases to see if they had been tampered with. Fortunately, there was no evidence that any of the updates to CCleaner had been maliciously altered.

Keeping an admirably cool head, Avast decided it wanted to observe and track what the hacker was up to, and deliberately left open the compromised VPN profile until it was ready to take remediation actions.

Avast digitally re-signed a clean update to CCleaner and pushed it out to users on October 15th. Furthermore, the earlier digital certificate was revoked in case it had fallen into the wrong hands.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” wrote Jaya Baloo, Avast’s CISO, which will surely be a huge reassurance to its millions of users.

“It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases,” continued Baloo.

Avast has described the attack as “extremely sophisticated”, and says that it does not know if the hackers were the same as those who were behind the 2017 attack, and that “it is likely we will never know for sure.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
