Avast Says Hackers Infiltrated Its Internal Network Using a Compromised VPN Profile

Antivirus

Czech antivirus maker discloses a second attack aimed at tampering with CCleaner releases.

Czech cyber security company Avast today disclosed a security breach of its internal network.

In a statement published today, the company said the attack was aimed at inserting malware into the CCleaner code base, as in the notorious 2017 CCleaner incident.

Avast said the breach occurred because the attacker abused an employee's VPN credentials and gained access to an account that was not protected by multi-factor authentication.

The intrusion was discovered on 23 September, but Avast said it had found evidence that the attacker had been targeting its network since 14 May this year.

“Domain admin privileges were not applicable to the client whose credentials had evidently been compromised and linked to the IP. But, by successfully increasing privileges, the actor was able to obtain domain admin privileges,” said Jaya Baloo, Avast Chief Information Security Officer (CISO).
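The pattern described above, a successful VPN login on an account without MFA and a source IP that can later be tied to the intrusion, is exactly what a detection rule over VPN gateway logs should surface. The following is an added example, not Avast's code or data: the log lines, the gateway format, the MFA roster and the per-account IP baseline are all constructed for illustration.

```python
"""
Flag VPN authentications that match the pattern reported above:
a successful login for an account that is not enrolled in MFA, and/or
from a source IP the account has not used during a baseline period.
Everything below (log format, users, IPs, MFA roster) is constructed
for this example and is not Avast's data.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in a generic "key=value" VPN gateway format.
SAMPLE_LOG = """\
2019-05-14T02:11:07Z vpn-gw1 event=auth result=success user=jdoe src=203.0.113.45 mfa=none
2019-05-14T08:30:12Z vpn-gw1 event=auth result=success user=asmith src=198.51.100.7 mfa=push
2019-05-15T23:47:51Z vpn-gw1 event=auth result=success user=jdoe src=203.0.113.45 mfa=none
2019-05-16T03:02:19Z vpn-gw1 event=auth result=failure user=jdoe src=203.0.113.45 mfa=none
2019-05-20T01:15:33Z vpn-gw1 event=auth result=success user=jdoe src=192.0.2.99 mfa=none
2019-05-20T09:05:00Z vpn-gw1 event=auth result=success user=asmith src=198.51.100.7 mfa=push
"""

# Constructed: accounts enrolled in MFA, and each account's source IPs
# observed during a baseline window (say, the previous 90 days).
MFA_ENROLLED = {"asmith"}
BASELINE_IPS = {"jdoe": {"203.0.113.45"}, "asmith": {"198.51.100.7"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) event=auth result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple  # subset of ("no-mfa", "new-src-ip")


def parse(log_text):
    """Yield one dict per well-formed auth event; skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(log_text, mfa_enrolled, baseline_ips):
    """Return findings for successful logins that lack MFA or come from a new IP.

    The IP baseline is extended as the log is read, so a new IP is only
    reported the first time an account uses it.
    """
    findings = []
    seen = {user: set(ips) for user, ips in baseline_ips.items()}
    for ev in parse(log_text):
        if ev["result"] != "success":
            continue  # failed attempts are noise for this rule
        user, src = ev["user"], ev["src"]
        reasons = []
        # Either the roster says no MFA, or the gateway saw none at login.
        if user not in mfa_enrolled or ev["mfa"] == "none":
            reasons.append("no-mfa")
        known = seen.setdefault(user, set())
        if src not in known:
            reasons.append("new-src-ip")
        known.add(src)
        if reasons:
            findings.append(Finding(ev["ts"], user, src, tuple(reasons)))
    return findings


def high_priority(findings):
    """Accounts that logged in without MFA from a never-before-seen IP."""
    return {f.user for f in findings
            if "no-mfa" in f.reasons and "new-src-ip" in f.reasons}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, MFA_ENROLLED, BASELINE_IPS):
        print(f.ts, f.user, f.src, ",".join(f.reasons))
    print("high priority:", sorted(high_priority(analyse(SAMPLE_LOG, MFA_ENROLLED, BASELINE_IPS))))
```

Run as a script, the rule reports the three successful `jdoe` logins (no MFA on any of them) and marks the 20 May login from 192.0.2.99 as both no-MFA and a new source IP, so `jdoe` lands in the high-priority set. In practice the "no-mfa" branch should fire on the roster alone, so that an account left without MFA is caught before it is ever abused.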

Baloo said that Avast deliberately left the compromised VPN profile active in order to track and observe the attacker's actions.

The monitoring lasted until 15 October, when the company finished checking previous CCleaner versions and pushed a clean update.

At the same time, Avast rotated the digital certificate it uses to sign CCleaner updates. A new certificate was issued and the previous one, which had been used to sign older CCleaner releases, was revoked. This was done so that, if the hackers had obtained the old certificate during the intrusion, they could not use it to sign bogus CCleaner updates. Note that revocation only protects clients that actually check certificate revocation status (CRL or OCSP) when validating a signature.

“We are sure, after taking all these measures, that our CCleaner users are safe and unaffected,” Baloo said.

The antivirus vendor confirmed that it is investigating the incident together with the Czech intelligence agency (the Security Information Service, BIS), the Czech police, and an independent forensic team.

Avast said there is currently no evidence that the attack was carried out by the same party that compromised its infrastructure in 2017, but it believes the intrusion was the work of an established threat actor.

“From our observations to date it is clear that this was a very sophisticated attempt against us which had no intention of leaving any trace of the intruder or his intentions, and that the actor advanced extremely carefully in order not to be detected,” said Baloo.

The investigation is ongoing and further updates are planned.

Avast previously received praise for the transparency it showed during the investigation into the 2017 CCleaner hack, publishing multiple reports on the case as it learned more about the breach [1, 2, 3, 4].

The 2017 CCleaner hack occurred before Avast acquired Piriform, the company behind CCleaner. Hackers penetrated Piriform's network through a TeamViewer account and planted malware in CCleaner. The attack, attributed to a Chinese state-sponsored hacking group, introduced malware that would download a second stage only when CCleaner was installed on a major company's network. Cisco, Microsoft, Google, NEC and many other major companies were on the target list. According to Avast, 2.27 million users downloaded the trojanized CCleaner build in 2017; 1,646,536 computers were infected with the first-stage Floxif Trojan, which scanned for high-value targets, and only 40 computers received the second-stage Trojan, a more powerful backdoor.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.