Czech antivirus vendor Avast on Monday warned that hackers were able to access its internal network using a temporary VPN account.
Avast said that it believes that the intrusion, first detected on Sept. 25, was likely targeting its CCleaner business in a supply chain attack. CCleaner, which is software that fights infections in PCs, was previously infiltrated by attackers in 2017 and led to the compromise of 2.27 million people’s systems.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” said Jaya Baloo, chief information security officer with Avast in a post on Monday. “We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”
Avast was first alerted to the intrusion via an alert from Microsoft Advanced Threats Analytics (a Microsoft service that monitors for potential suspicious activity) on Sept. 25. However, after observing previous Microsoft Advanced Threats Analytics alerts, Avast found the attackers had attempted to access its network at least seven times in 2019, with attempts first starting May 2019.
“In order to track the actor, we left open the temporary VPN profile, continuing to monitor and investigate all access going through the profile until we were ready to conduct remediation actions,” said Avast.
The intruder was able to connect to a temporary VPN account, from a public IP address in the U.K., using a compromised username and password. Avast said the temporary VPN account had “erroneously been kept enabled,” and did not require two-factor authentication – making it easier for hackers to compromise.
The user of the temporary VPN did not have domain admin privileges. However, through a successful privilege escalation attack, the actor managed to obtain domain admin privileges, said Avast (Avast did not provide further details about the privilege escalation attack).
Avast did not detail any further implications of the breach other than to say that the Sept. 25 Microsoft Advanced Threats Analytics alert warned of “a malicious replication of directory services from an internal IP.”
The company also said that the temporary profile had been used by multiple sets of user credentials – leading Avast to believe that its users were subject to credential theft.
CCleaner, which was previously targeted in a 2017 attack, is believed to be the intended target of this latest attack, said Avast.
Avast acquired Piriform, which owns the PC cleaning tool CCleaner (formerly Crap Cleaner), in July 2017, months before a malware attack on CCleaner was discovered. In 2018, Avast said that further investigations into the 2017 attack showed the threat actors were planning to install a third round of ShadowPad malware on compromised computers.
Avast said it does not know if this more recent attack was the same actor as before. During this more recent attack, however, Avast said it was able to bolster remediation efforts to limit damage. On Sept. 25, Avast halted upcoming CCleaner releases and began checking prior CCleaner releases to verify that no malicious alterations had been made. Avast also disabled and reset all internal user credentials.
“As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate,” said Avast. “Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”
Security experts like Kevin Beaumont praised Avast for its “incredible transparency” around the hack.
> Incredible transparency from AVAST (antivirus vendor) here. Somebody basically cloned their Active Directory and had access from at least May. Worth reading as many orgs have these kind of issues. <https://t.co/ZsbdFGOKsi> > > — Kevin Beaumont (@GossiTheDog) October 21, 2019
Moving forward Avast said it will continue to monitor the threat actor’s movements in coordination with the Czech intelligence agency (Security Information Service), the local Czech police force cybersecurity division, and an “external forensics team.”
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.