Attackers breached systems through unsecured VPN, says software maker

Avast has disclosed that attackers breached its internal network through a compromised VPN profile and stolen credentials.

The attack, which began in May and was identified on September 23, also resulted in the as-yet unidentified attackers cloning portions of Avast’s Active Directory installation.

This was only possible after the miscreants successfully elevated their privileges in order to carry out functions normally restricted to administrators.

The whole operation was likely a supply chain attack targeting CCleaner, a popular Windows system clean-up utility that’s owned by Avast.

The same tool was the target of a high-profile attack back in 2017 that ultimately resulted in the contamination of official CCleaner downloads. The trojanised downloads affected millions of users, but the second-stage payload was delivered to only 40 machines at technology firms including Samsung, Sony, Asus, Intel, and VMware, among others.

In this case, Avast was able to postpone a planned CCleaner release in late September in order to allow it to check prior releases.

It was able to confirm that no malicious alterations had been made but nonetheless re-signed a clean update of the product and pushed it out to users via an automatic update on October 15.

As an additional safeguard, it revoked the previous certificate.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo said in a statement on its incident response.

Suspicious behavior

Avast worked together with the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team, in responding to the incident.

The breach investigation began on September 23 after it identified suspicious behavior on its network.

It found that its “internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA”.
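The control failure Avast describes is a configuration and monitoring problem: a temporary VPN profile that outlived its purpose and never enforced a second factor. The following is an added example (not Avast's code or data) of the kind of check a defender could run over a VPN profile inventory and authentication log to surface exactly that condition; the profile names, log format, timestamps and IP addresses are constructed for illustration.

```python
"""Audit VPN profiles and authentication logs for two policy failures:
a temporary profile left enabled past its intended lifetime, and a
profile that does not enforce MFA. Added example; the inventory and
log lines below are constructed and hypothetical, not Avast's data."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnProfile:
    name: str
    temporary: bool              # provisioned for a limited engagement
    expires: Optional[datetime]  # None means no expiry was ever recorded
    enabled: bool
    requires_mfa: bool


# Constructed audit date and inventory (hypothetical profile names).
AUDIT_TIME = datetime(2019, 9, 23, tzinfo=timezone.utc)
PROFILES = [
    VpnProfile("staff-default", False, None, True, True),
    VpnProfile("contractor-tmp-2019q2", True,
               datetime(2019, 6, 30, tzinfo=timezone.utc), True, False),
    VpnProfile("migration-tmp", True,
               datetime(2019, 8, 1, tzinfo=timezone.utc), False, False),
]


def audit_profiles(profiles: Iterable[VpnProfile], now: datetime) -> List[Tuple[str, str]]:
    """Return (profile name, finding) pairs for enabled profiles that violate policy."""
    findings = []
    for p in profiles:
        if not p.enabled:
            continue  # a disabled profile cannot be used for access
        if not p.requires_mfa:
            findings.append((p.name, "mfa-not-enforced"))
        if p.temporary and p.expires is not None and p.expires < now:
            findings.append((p.name, "temporary-profile-past-expiry"))
        if p.temporary and p.expires is None:
            findings.append((p.name, "temporary-profile-without-expiry"))
    return findings


# Constructed log format:
# "<ts> vpn auth user=<u> profile=<p> result=<ok|fail> mfa=<yes|no> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) profile=(?P<profile>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2019-09-22T03:14:07Z vpn auth user=jdoe profile=staff-default result=ok mfa=yes src=203.0.113.5
2019-09-22T03:20:41Z vpn auth user=svc-build profile=contractor-tmp-2019q2 result=ok mfa=no src=198.51.100.7
2019-09-23T01:02:13Z vpn auth user=svc-build profile=contractor-tmp-2019q2 result=ok mfa=no src=198.51.100.9
2019-09-23T01:02:50Z vpn auth user=jdoe profile=staff-default result=fail mfa=yes src=203.0.113.5
malformed line that the parser should skip
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse well-formed lines into dicts; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_logins(events: Iterable[Dict[str, str]], flagged: Set[str]):
    """Successful logins that completed without MFA or used a flagged profile."""
    hits = []
    for e in events:
        if e["result"] != "ok":
            continue  # failed attempts are not access; track them separately
        reasons = []
        if e["mfa"] == "no":
            reasons.append("no-mfa")
        if e["profile"] in flagged:
            reasons.append("flagged-profile")
        if reasons:
            hits.append((e["ts"], e["user"], e["profile"], e["src"], reasons))
    return hits


def run_audit(profiles=PROFILES, log_text=SAMPLE_LOG, now=AUDIT_TIME):
    """Tie the two checks together: flag profiles, then find logins that used them."""
    findings = audit_profiles(profiles, now)
    flagged = {name for name, _ in findings}
    return findings, suspicious_logins(parse_log(log_text), flagged)


if __name__ == "__main__":
    findings, hits = run_audit()
    for name, finding in findings:
        print(f"PROFILE {name}: {finding}")
    for ts, user, profile, src, reasons in hits:
        print(f"LOGIN {ts} {user}@{profile} from {src}: {', '.join(reasons)}")
```

The profile audit is the preventive control (a temporary profile with no expiry or past its expiry should never be enabled), while the log pass is the detective one: a successful login on a flagged profile is the event worth alerting on, independent of whether the credentials themselves were known to be stolen.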

Having identified the source of the problem, the incident response team found that the miscreants again attempted to enter its network through this route on October 4.

In order to track the activities of attackers, Avast temporarily left the compromised VPN profile open.

The compromised access was only closed on October 15, when Avast was ready to release a version of CCleaner confirmed as clean, signed with a new digital certificate.

As Avast notes, this action would in any case have tipped off the attackers that they had been rumbled.

Staring into the Abiss

In addition to closing the temporary VPN profile, the security software firm disabled and reset all internal user credentials, hardened its systems, and applied tougher scrutiny to its software releases.

It’s currently unclear whether the attacker behind the latest thwarted attack (dubbed ‘Abiss’ by Avast) is the same as the party behind the earlier (successful) attack against CCleaner.

Further attacks can’t be ruled out. Avast has pledged to improve its monitoring and visibility across its networks and systems in order to improve its detection and response times.

As a follow-up, the security firm has promised to share more details of the attackers’ tactics and modus operandi with the wider security and law enforcement community.

Early reaction to Avast’s statement has largely been positive. The security software maker was praised by many for its transparency in disclosing the incident.
