Attackers attempted to hack and inject malicious code into CCleaner

Attackers tried to hack CCleaner
Written by Valdis Koks

The Czech company Avast reported a cyberattack: attackers tried to hack and inject malicious code into the popular CCleaner utility.

On September 23, 2018, Avast specialists noticed suspicious activity on the corporate network and immediately began an investigation. The company's employees teamed up with the Czech intelligence agency, the Information Security Service (BIS), the cybersecurity division of the Czech police, and an external group of cybercrime experts.

Analyzing external IP addresses, the experts found that an unknown attacker had been trying to gain access to the network via VPN as early as May 14 of this year.

It turned out that access to the internal network had been gained with compromised credentials through a temporary VPN profile that had mistakenly been left enabled and did not require two-factor authentication.

Jaya Baloo

“The user whose credentials were clearly compromised and associated with the IP address did not have administrator privileges. However, thanks to the successful privilege escalation, the criminals managed to obtain domain administrator rights,” said Avast Information Security Director Jaya Baloo.

The privilege escalation is what drew the specialists' attention. Avast experts then deliberately left the compromised VPN profile active in order to track the attacker and monitor their further actions.

On October 4, 2019, the experts again noticed the same activity. Timestamps of the suspicious activity as tagged by MS ATA (GMT+2 time zone):

  • 2:00 – May 14, 2019;
  • 4:36 – May 15, 2019;
  • 23:06 – May 15, 2019;
  • 3:35 – July 24, 2019;
  • 3:45 – July 24, 2019;
  • 15:20 – September 11, 2019;
  • 11:57 – October 4, 2019.
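As an added example (not code from the article or from Avast), the kind of check the investigation describes, written over constructed VPN log lines: flag successful logins through a profile that enforced no second factor and report first- and last-seen times per external source IP in GMT+2. The log format, usernames, profile name and IP addresses are assumptions; the sample times are chosen to line up with the first entries of the list above.

```python
# Added example, not from the article or from Avast: a small detector over
# constructed VPN authentication log lines. It reports successful logins that
# used no second factor, grouped by source IP, with first/last-seen in GMT+2.
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=2))  # the GMT+2 zone used for the ATA timestamps

# Constructed sample log (field layout, users, profile and IPs are assumptions).
SAMPLE_LOG = """\
2019-05-14T00:00:12Z vpn auth user=jdoe profile=temp-contractor mfa=none src=203.0.113.7 result=success
2019-05-14T07:10:03Z vpn auth user=asmith profile=corp-standard mfa=totp src=198.51.100.4 result=success
2019-05-15T02:36:40Z vpn auth user=jdoe profile=temp-contractor mfa=none src=203.0.113.7 result=success
2019-05-15T21:06:09Z vpn auth user=jdoe profile=temp-contractor mfa=none src=203.0.113.7 result=failure
2019-07-24T01:35:55Z vpn auth user=jdoe profile=temp-contractor mfa=none src=203.0.113.7 result=success
"""

def parse_line(line):
    """Parse one line into a dict; return None for lines that are not VPN auth events."""
    parts = line.split()
    if len(parts) < 4 or parts[1:3] != ["vpn", "auth"]:
        return None
    rec = dict(kv.split("=", 1) for kv in parts[3:])
    rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def find_no_mfa_logins(log_text):
    """Return {src_ip: {user, profile, count, first, last}} for successful logins
    where no MFA was used; timestamps are converted to GMT+2 for reporting."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("result") != "success" or rec.get("mfa", "none") != "none":
            continue
        ts = rec["ts"].astimezone(TZ)
        h = hits.setdefault(rec["src"], {"user": rec["user"], "profile": rec["profile"],
                                         "count": 0, "first": ts, "last": ts})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    return hits

if __name__ == "__main__":
    for ip, h in find_no_mfa_logins(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} no-MFA logins as {h['user']} via {h['profile']}, "
              f"first {h['first']:%Y-%m-%d %H:%M}, last {h['last']:%Y-%m-%d %H:%M} (GMT+2)")
```

On the sample, the single flagged IP is first seen at 02:00 on May 14, 2019 in GMT+2, matching the first ATA timestamp in the list.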

The company's experts believe that the likely target of the attack was CCleaner, as it was in 2017.

On September 25 of this year, Avast employees halted CCleaner releases and began checking previous versions of the utility. They verified that no malicious changes had been made to the code.

As further precautions, the experts first built a CCleaner update and pushed it to users through automatic updates on October 15, 2019, and second revoked the certificate previously used to sign CCleaner updates. With these precautions in place, Avast states with confidence that CCleaner users are protected and were not affected by the attackers. Finally, the compromised employee credentials were reset.

From the information gathered by the experts, it is clear that this was an extremely sophisticated intrusion attempt. The attackers did everything possible to leave no traces and no information about themselves or their goals. It is still impossible to determine whether these were the same people as before (recall that the state-sponsored hacking group Axiom is held responsible for the previous attack).

Avast experts continue detailed monitoring of their networks and systems to minimize the time it takes to detect and respond to a threat. In addition, the researchers, together with third-party experts, plan to study the logs further to identify when and how the attackers revealed themselves. The attackers' IP addresses are already known. The investigation is ongoing.

Recall that in September 2017, malicious code was detected in the popular CCleaner utility from Avast. The backdoor allowed attackers to download additional malware, such as ransomware or keyloggers. According to experts, the Chinese cyber group Axiom was involved in the attack.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics