Czech cybersecurity company Avast revealed that its internal network was accessed in what is believed to be an attempt to perform a supply chain attack targeting CCleaner.
According to Avast, the company identified suspicious behaviour on its network on September 23 and launched an investigation in collaboration with the Czech intelligence agency, the Security Information Service, and a forensics team.
Avast had received a Microsoft alert for a “malicious replication of directory services from an internal IP” that belonged to their VPN address range, which they had initially dismissed as a false positive. The user credentials associated with the IP did not have domain admin privileges, but the malicious actor performed a successful privilege escalation, which allowed them to obtain domain admin privileges.
In what is described as an extremely sophisticated attempt, the attacker was able to access the internal network by using compromised credentials via a temporary VPN account. Referred to as “Abiss”, the attack was performed by connecting to the network from a public IP address in the UK using an unprotected temporary VPN profile that should no longer have been active. After analyzing external IPs, Avast was able to determine that attempts to gain access to the network via its VPN were made on numerous occasions, starting on May 14: twice on May 14 and July 24, then on September 11, and finally on October 4. The logs also showed that the temporary profile had been used by multiple sets of user credentials, which likely means that they were subject to credential theft.
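A defensive check suggested by the log findings above, as an added example that is not from Avast or the original article: it audits VPN authentication logs for logins through a temporary profile that is past its retirement date and for temporary profiles used by more than one account. The log format, profile names, dates and addresses are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO

# Constructed inventory: profile name -> date after which it should be disabled.
PROFILE_EXPIRY = {
    "temp-contractor": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "staff-default": None,  # permanent profile, no retirement date
}

# Constructed VPN authentication log: timestamp, profile, user, source IP.
SAMPLE_LOG = """\
2024-02-10T08:15:00+00:00,temp-contractor,alice,198.51.100.7
2024-04-02T02:11:00+00:00,temp-contractor,alice,203.0.113.50
2024-04-02T02:40:00+00:00,temp-contractor,bob,203.0.113.50
2024-06-01T09:00:00+00:00,staff-default,carol,198.51.100.9
2024-06-20T03:05:00+00:00,temp-contractor,dave,203.0.113.50
"""

def audit_vpn_log(log_text, expiry=PROFILE_EXPIRY):
    """Return (stale_logins, shared_profiles) found in the log."""
    stale = []                          # logins via a profile past its expiry
    users_by_profile = defaultdict(set)
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue                    # tolerate blank lines
        ts, profile, user, src_ip = row
        users_by_profile[profile].add(user)
        if profile not in expiry:
            # Profile missing from the inventory: flag it for review.
            stale.append((ts, profile, user, src_ip))
            continue
        deadline = expiry[profile]
        if deadline is not None and datetime.fromisoformat(ts) > deadline:
            stale.append((ts, profile, user, src_ip))
    # A temporary profile used by several accounts suggests stolen credentials.
    shared = {p: sorted(u) for p, u in users_by_profile.items()
              if expiry.get(p) is not None and len(u) > 1}
    return stale, shared

if __name__ == "__main__":
    stale_logins, shared_profiles = audit_vpn_log(SAMPLE_LOG)
    for event in stale_logins:
        print("STALE PROFILE LOGIN:", *event)
    for profile, users in shared_profiles.items():
        print("SHARED TEMP PROFILE:", profile, users)
```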
CCleaner was the likely target
The threat actor is said to have been extremely cautious in avoiding detection and hiding the purpose of the attack. It is not yet clear what exactly the hackers were hoping to achieve, but Avast believes that the cleaning utility CCleaner was the likely target.
In order to determine what exactly the attacker was trying to do, Avast left the temporary VPN profile open until October 15, when a clean CCleaner update was released. Proactive measures were carried out at the same time in order to protect end users. As a precaution, Avast stopped upcoming CCleaner releases and checked previous ones for malicious modifications.
“As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Chief Information Security Officer Jaya Baloo said.
The investigation into the attack is still ongoing. It is also unclear whether the attack is related to the one carried out against CCleaner in 2017.