According to the company, the breach was first spotted on Sept. 25 and targeted CCleaner through a supply chain attack. “From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” said Jaya Baloo, chief information security officer with Avast in a post on Monday. “We do not know if this was the same actor as before. It is likely we will never know for sure, so we have named this attempt ‘Abiss’.” CCleaner is a registry cleaning tool that has previously been infiltrated. Microsoft Advanced Threats Analytics discovered the attack and warned Avast. By working with Microsoft’s threat monitoring service, the company found there had been previous attempts to attack CCleaner. In fact, at least seven attempts were made this year. “In order to track the actor, we left open the temporary VPN profile. Continuing to monitor and investigate all access going through the profile until we were ready to conduct remediation actions,” said Avast.
Attack
By using a temporary VPN account, the bad actor could gain domain admin privileges from a public IP address in the United Kingdom. Avast did not provide further details on how much access the attacker achieved. “As two further preventative measures, we first re-signed a clean update of the product. Pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate,” said Avast. “Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.” In September, Microsoft blacklisted CCleaner from its support forum. It is worth noting that this does not mean Windows users are banned from using CCleaner. Indeed, they can find and download the registry cleaner whenever they want. Instead, Microsoft’s ban means any links to CCleaner posted on Microsoft Support forums will be automatically censored. Interestingly, this is a relatively rare move from Microsoft. There are only 11 domain names currently on the censored list.
