In September, security researchers at Cisco Talos and Morphisec made a nightmare-scenario disclosure: the ubiquitous computer cleanup tool CCleaner had been compromised by hackers for more than a month. The software updates users were downloading from CCleaner owner Avast—a security company itself—had been tainted with a malware backdoor. The incident exposed millions of computers and reinforced the threat of so-called digital supply chain attacks, in which trusted, widely distributed software is itself infected with malicious code.
At the RSA security conference in San Francisco on Tuesday, Avast executive vice president and chief technology officer Ondrej Vlcek walked through a post-mortem of the attack, which ultimately led to 2.27 million downloads of the corrupt CCleaner version.
On March 11 of last year, attackers compromised the systems of Piriform, the company that created CCleaner. That June, Avast acquired Piriform. By September, Avast knew it had a massive security crisis on its hands. Vlcek says that Avast's quick response and existing goodwill toward CCleaner—which has a sometimes cultish online following—have allowed Avast to learn from the incident and better protect its users. But the specter of supply chain attacks is difficult to shake.
"This thing was a bit, shall we say, black. It was an unexpected surprise gift we got as part of the acquisition," Vlcek told WIRED ahead of his talk at RSA. "As a threat research organization we do analysis like this on a daily basis, it's right in our core competency, so it was sort of ironic to suddenly be in the business of forensically analyzing our own attack."
Hackers initially got onto Piriform’s London networks by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC. From there, the attackers moved laterally to a second computer, always