CCleaner: A Tale of Two Attacks

CCleaner has been the target of hackers twice in the last three years. Here are several lessons that you can learn from these attacks.

CCleaner — a popular app designed to clean up unused data, unnecessary settings, and other leftovers that can make computers run slower — was the target of hackers once again. In 2017, when Avast was in the process of acquiring CCleaner’s developer, Piriform, cybercriminals breached Piriform servers and inserted a backdoor into the app during the build process. Neither the breach nor the backdoor was discovered at that time, so two versions of the utility (the 32-bit and cloud versions) were released with the malware in it. Avast cleaned up the mess, but not without taking a serious hit to its reputation given that it is a cybersecurity firm.

In September 2019, Avast discovered that cybercriminals once again breached company servers in an attempt to insert malicious code into CCleaner. This time, though, the intrusion was detected and thwarted before hackers could insert any code.

How the 2019 Attack Occurred

To provide transparency and to let others learn from its experiences, Avast shared what happened in the 2019 attack. On September 23, 2019, the company noticed suspicious behavior in its network, so it started an investigation. The investigators found that the hackers accessed the company’s network by stealing an employee’s virtual private network (VPN) credentials for a temporary VPN profile that was mistakenly left active. Two-factor authentication (aka two-step verification) was not required to log into the VPN, so the hackers were able to get inside the network using the stolen credentials. Although the VPN account had limited privileges, the cybercriminals used privilege escalation to obtain domain admin rights.

Fortunately, Avast discovered the intrusion before the hackers were able to do any damage. To protect against future attacks, Avast has since implemented numerous security measures, including resetting all employee credentials.

Lessons Learned

There are several lessons that you can learn from Avast’s experiences. For starters, its experiences show that using only passwords — even strong, unique ones — is often not enough. Cybercriminals are frequently able to steal passwords or trick employees into revealing them. So, besides using unique, strong passwords, businesses should use two-factor authentication for business accounts. It adds an extra layer of protection that can prevent unauthorized access to your business’s online accounts. A 2019 research study by Google found that it prevents 90% of targeted attacks.

Another lesson learned is that even apps from reputable software providers can contain malware or security vulnerabilities. For this reason, it is a good idea to keep the number of software programs installed on your business’s computers to a minimum. Each app you use increases your company’s attack surface, especially if you do not patch or update it regularly.

Finally, Avast’s experiences highlight the fact that cybercriminals like to launch new attacks on companies that have been successfully hacked in the past. A 2019 report substantiated that companies that have been breached once are much more likely to be targeted again. That’s why you always need to be vigilant about securing your company’s IT environment. We can help by assessing your business to identify any weaknesses.