Avast internal network breached for the second time by sophisticated hackers

The popular security firm Avast disclosed today a security breach that impacted its internal network accessed via a compromised VPN profile.

The security firm Avast disclosed today a security breach that impacted its internal network. According to a statement published by the company, the intent of the hackers was to carry out a supply chain attack.

It seems that the attackers attempted to inject malicious code into CCleaner, an attack scenario similar to the one that impacted the company in 2017.

The attack was spotted on September 23, when Avast experts noticed suspicious behavior on the internal network. The subsequent investigation involved the Czech intelligence agency, the Security Information Service (BIS), the cybersecurity division of the local Czech police force, and an external forensics team.

The hackers compromised a VPN account to access the internal network of the company. The account did not have domain admin privileges, but the attackers successfully escalated their privileges.

Avast pointed out that hackers used compromised credentials through a temporary VPN profile that did not require 2FA.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.” reads the statement published by Avast.

The analysis of the external IPs used by the attackers revealed that the threat actors had been attempting to gain access to the network through the VPN as early as May 14.
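The two findings above (a successful login through a VPN profile that did not enforce 2FA, and a retroactive look at the external IPs that revealed attempts going back to May 14) can be reproduced as a simple hunt over VPN authentication logs. The following is an added example and not code from Avast or the article; the log format, field names, user names, profile names and IP addresses are constructed for illustration.

```python
# Added example (not from the Avast statement or the article): retroactive hunt over
# constructed VPN authentication logs. It flags successful logins that used a VPN
# profile without MFA, then looks back at every event from the same source IPs to
# find the earliest attempt, which is the kind of analysis the article describes.
import csv
import io
from datetime import datetime

# Constructed sample log; field names, users, profiles and IPs are assumptions.
VPN_LOG = """timestamp,user,profile,src_ip,mfa,result
2019-05-14T02:11:09Z,jdoe,temp-contractor,203.0.113.45,false,failure
2019-05-14T02:13:40Z,jdoe,temp-contractor,203.0.113.45,false,failure
2019-06-02T23:58:12Z,asmith,corp-standard,198.51.100.7,true,success
2019-09-20T01:04:55Z,jdoe,temp-contractor,203.0.113.45,false,success
2019-09-22T03:17:02Z,jdoe,temp-contractor,203.0.113.88,false,success
2019-09-23T08:30:00Z,asmith,corp-standard,198.51.100.7,true,success
"""

def parse_log(text):
    """Parse the CSV log into dicts with a real datetime and a boolean mfa flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["mfa"] = r["mfa"].lower() == "true"
    return rows

def logins_without_mfa(rows):
    """Successful VPN logins on a profile that did not enforce MFA."""
    return [r for r in rows if r["result"] == "success" and not r["mfa"]]

def earliest_attempt_by_ip(rows, suspect_ips):
    """For each suspect source IP, the first event of any kind (success or failure)."""
    first = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["src_ip"] in suspect_ips and r["src_ip"] not in first:
            first[r["src_ip"]] = r["ts"]
    return first

def hunt(text):
    """Return the non-MFA profiles, the source IPs that used them, and first-seen dates."""
    rows = parse_log(text)
    hits = logins_without_mfa(rows)
    ips = {r["src_ip"] for r in hits}
    first = earliest_attempt_by_ip(rows, ips)
    return {"profiles": sorted({r["profile"] for r in hits}),
            "ips": sorted(ips),
            "first_seen": {ip: ts.date().isoformat() for ip, ts in first.items()}}

if __name__ == "__main__":
    print(hunt(VPN_LOG))
```

Running it on the constructed log shows that the earliest activity from the suspect IP predates the first successful login by months, which is why the failed attempts matter for scoping an incident.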

In an attempt to track the attackers, Avast did not close the temporary VPN profile and monitored all access to the internal network through it until October 15.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.” continues the statement.

Avast adopted the following measures to mitigate the incident:

  • On September 25, Avast halted upcoming CCleaner releases and began checking prior CCleaner releases.
  • The company re-signed a clean update of the product and pushed it out to users via an automatic update on October 15.
  • The company revoked the previous certificate.

At the time of writing, it is not possible to determine if this attack was linked to the one that occurred in 2017.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” concludes the statement.

“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”

The company, along with law enforcement, is still investigating the incident.

Pierluigi Paganini

(SecurityAffairs – Avast, hacking)
