Avast details how CCleaner attackers compromised developer workstation in security breach last year

Password re-use weakness enabled attackers to compromise developer's TeamViewer software

Avast has divulged more information about the attack last year that compromised CCleaner, a Windows application used by millions of users around the world.

In a blog post, the company's chief technology officer, Ondrej Vlcek, said that Avast had discovered that the attackers had compromised TeamViewer on a developer workstation in order to distribute malware via the CCleaner installation file.

TeamViewer is proprietary software that can be used for remote control, desktop sharing, online meetings, Web conferencing and file transfer.

"Last September, we disclosed that CCleaner had been targeted by cybercriminals. The modified installation file was downloaded by 2.27 million CCleaner customers worldwide. Thereafter, our threat intelligence team has been investigating what happened," Vlcek explained.

"Since the update we gave at SAS last month, we have made further discoveries about how the attackers infiltrated the Piriform network [the maker of CCleaner] and the tactics they used to fly under the radar."

He added that as the team looked for similarities with other attacks, they also analysed older versions of ShadowPad, the cyber attack platform they had found on four Piriform computers.

"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded [on] a computer, observing a money transfer."

To initiate the CCleaner attack, the threat actors first accessed Piriform's network on 11 March last year, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate.

Vlcek explained that the hackers successfully gained access with a single sign-in, which means they knew the login credentials.

"While we don't know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilised for another service, which may have been leaked, to access the TeamViewer account," he said.

According to the log files, TeamViewer was accessed at 5am local time, when the PC was unattended but running. The attackers tried to install two malicious DLLs, but the attempts failed because the account lacked administrator rights on the system. On the third try, the attackers succeeded in dropping the payload using VBScript, the scripting language developed by Microsoft.
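As an added example (not from Avast's post or any TeamViewer tooling), here is a Python check of the kind a defender might run over remote-access connection logs to surface what Vlcek describes: a successful session opened in the early morning, on an otherwise idle workstation, from a remote id the machine had not seen before. The log layout and all values below are constructed for illustration and do not represent TeamViewer's real log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a remote-access connection log (tab-separated):
# timestamp, local user, remote session id, result. Format is an assumption.
SAMPLE_LOG = """\
2017-03-10 09:12:03\tdev1\t555000111\tsuccess
2017-03-10 17:45:20\tdev1\t555000111\tsuccess
2017-03-11 05:02:41\tdev1\t999888777\tsuccess
2017-03-11 05:30:12\tdev1\t999888777\tsuccess
"""


def parse_log(text):
    """Parse the constructed log into (datetime, user, session_id, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, session, result = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, session, result))
    return events


def flag_suspicious_sessions(events, work_start=7, work_end=20):
    """Report successful remote sessions that start outside working hours.

    Each finding is (timestamp, user, session_id, reasons). A session is
    additionally tagged 'new-remote-id' when that remote id has never connected
    to this user's workstation before, which is the pattern of a first-time
    login with stolen credentials rather than a colleague's routine access.
    """
    seen = defaultdict(set)  # user -> remote ids already observed
    findings = []
    for ts, user, session, result in events:
        if result != "success":
            continue
        if not (work_start <= ts.hour < work_end):
            reasons = ["off-hours"]
            if session not in seen[user]:
                reasons.append("new-remote-id")
            findings.append((ts, user, session, reasons))
        seen[user].add(session)
    return findings


if __name__ == "__main__":
    for ts, user, session, reasons in flag_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{ts} user={user} remote={session} {','.join(reasons)}")
```

Daytime sessions from the usual remote id produce nothing, so the only output is the two 5am sessions, the first of them also marked as coming from a previously unseen remote id.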

Avast said there are two key takeaways from the CCleaner attack.

"First, M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process," Vlcek admitted.

Second, he said that the supply chain hasn't been a key priority for businesses, but this needs to change.

"Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure," he added.