Through the use of compromised credentials via a temporary VPN account, Hackers were able to access the internal network of the cybersecurity company Avast where they likely intended to launch a supply chain attack targeting CCleaner.
According to the firm's CISO, Jaya Baloo who published a blog post with more information about the incident, the attack appears to be an “extremely sophisticated attempt”
Avast is referring to this attempt by the name “Abiss” and the company says that the threat actor behind it was extremely cautious in an attempt to avoid being detected while hiding their true intentions.
Logs of suspicious activity show that the hackers tried to access its internal network on May 14 and 15, July 24, September 11 and again on October 4. The intruder connected from a public IP address in the UK and utilized a temporary VPN profile which should no longer have been active and was not protected with two-factor authentication.
- Business VPN flaws exploited by hackers
- Fake VPN website delivers malware
- Avast: Why IoT security should be your number one security worry
Additionally, the user whose credentials had been compromised did not have the permissions of a domain administrator and this indicates that the attacker was able to achieve privilege escalation. The logs also showed that the temporary profile had been used by multiple sets of user credentials and this could mean that the user had fallen victim to credential theft.
Targeting CCleaner
Since Avast suspected that the attacker was targeting CCleaner, the company stopped all upcoming updates for the software on September 25 and began to check prior releases to see if they had been maliciously modified.
Avast re-signed an official CCleaner release and pushed it as an automatic update on October 15 to help ensure that no risk came to its users and the old certificate was also revoked.
Jaya Baloo explained how it used a new release of CCleaner to prevent the attacker from accessing Avast's internal network, saying:
"It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases."
Avast then tracked the intruder by keeping the VPN profile active and monitoring access going through it until its mitigation actions could be successfully deployed.
The company has notified law enforcement regarding the security breach and an external forensic team was employed to help verify the collected data.
- Also check out our complete list of the best VPN services of 2019
