An unidentified attacker used stolen credentials to gain high-level privileges on the network of Czech software security vendor Avast, the company said Monday. The target of the persistent attack was likely Avast’s software-cleaning tool, CCleaner — the same product that was infiltrated in an infamous 2017 supply-chain attack breach that affected over 2 million computers.
Worried that the attackers would manipulate CCleaner again, Avast said it halted an upcoming release of the product, revoked its previous security certificate, and put out a security update to users. Those measures, Avast CISO Jaya Baloo assured customers, were enough to ensure that CCleaner users were unaffected by the attack. Avast, which boasts of 400 million users of its products around the world, said it will study its network logs to learn more about the intrusion.
“[I]t is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose,” Baloo wrote in a blog post.
“We do not know if this was the same actor as before and it is likely we will never know for sure,” she wrote.
The 2017 breach of CCleaner is often cited by security experts to illustrate the threat of wide-ranging supply-chain hacks. In the 2017 hack, the attackers signed their malware with a legitimate Avast certificate, a technique that is the hallmark of a clever supply-chain breach. The goal of the operation, which analysts believe was the work of a Chinese state-sponsored group, was reportedly to steal intellectual property from CCleaner customers.
The more recent attack on CCleaner was also persistent. The hacker or hackers had been trying to get into Avast’s network since May, but the company did not notice something was amiss until Sept. 23. It launched an investigation with Czech intelligence officials and police that included quietly monitoring the attacker’s activity rather than immediately evicting it from the network.