The company made the admission in a blog post on Monday, with spokesperson Jaya Baloo saying that suspicious activity had been noticed on 23 September and an investigation launched thereafter. It was found that the attacker in question had been inside the network since 14 May.
Avast's CCleaner was used to spread malware by a malicious attacker two years ago, with researchers from Cisco's Talos Intelligence Group noticing this and informing Avast about it.
"The evidence we gathered pointed to activity on MS ATA/VPN [Microsoft Advanced Threat Analytics] on 1 October, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive," Baloo wrote.
Baloo said after further analysis, it was found that the internal network had been successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.
She said the company had then halted upcoming CCleaner releases and checked prior updates to see it any malware had been infiltrated into the popular software.
The compromised VPN account was left open for a while to see if there would be any further attempts at infiltration but as soon as the new versions of CCleaner were ready for release, the account was shut down, Baloo said.
"We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss'," she wrote.