In August 2017, the installer for the popular clean-up tool CCleaner was tampered with by hackers to contain a malicious backdoor, and downloaded by 2.27 million customers worldwide.
Now Czech anti-virus firm Avast, which distributes CCleaner, has revealed that hackers appear to have tried the same type of supply chain attack again.
In a blog post published on its website, Avast describes how it discovered on September 23rd that a hacker had gained access to its internal network after compromising an employee’s VPN credentials and then escalating their privileges to obtain domain administrator rights.
After a deeper analysis, Avast determined that the hacker had been attempting to gain access to its network since at least May 14th 2019.
In response, Avast says that it stopped issuing updates for CCleaner and began to check past releases to see if they had been tampered with. Fortunately, there was no evidence that any of the updates to CCleaner had been maliciously altered.
Keeping an admirably cool head, Avast decided it wanted to observe and track what the hacker was up to, and deliberately left open the compromised VPN profile until it was ready to take remediation actions.
Avast digitally re-signed a clean update to CCleaner and pushed it out to users on October 15th. Furthermore, the earlier digital certificate was revoked in case it had fallen into the wrong hands.
“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” wrote Jaya Baloo, Avast’s CISO, which will surely be a huge reassurance to its millions of users.
“It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases,” continued Baloo.
Avast has described the attack as “extremely sophisticated”, and says that it does not know if the hackers were the same as those who were behind the 2017 attack, and that “it is likely we will never know for sure.”