In a statement, Avast revealed that it believed attackers aimed to insert malware into the CCleaner software.
Avast detected the intrusion on September 24 and discovered that the attacker had compromised an employee's VPN credentials, which gave them access through an unprotected account.
The company began an extensive investigation almost immediately, working alongside the Czech intelligence agency, the Security Information Service (BIS), the cybersecurity division of the local Czech police, and an external forensics team.
“The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive. The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges,” said Jaya Baloo, Avast Chief Information Security Officer.
However, through a successful privilege escalation, the attacker was able to obtain domain admin privileges. The connection was made from a public IP hosted outside the UK, which indicated that the attacker had also used other endpoints through the same VPN provider.
Analysis of the external IPs showed that the attacker had been attempting to gain access to the network as early as May 14, 2019.
To track the attacker and observe their actions, the company intentionally left the temporary VPN profile open.
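The alert described above is the kind of signal that is easy to close as a false positive: a directory-replication request from an internal address. The triage logic below is an added illustration, not Avast's tooling or Microsoft ATA output. It parses a constructed alert feed (the log lines, the domain-controller addresses and the VPN client pool are all assumed sample values) and rates each replication request by where it came from, so that a request from the VPN range, where only domain controllers should be replicating, is escalated rather than dismissed.

```python
"""
Triage of directory-replication alerts by source address.

Added illustration; the sample feed below is constructed, not real telemetry.
In a real environment the equivalent signal is an ATA "replication of
directory services" alert or a Windows 4662 event on a domain controller
showing DS-Replication-Get-Changes access.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample feed: timestamp, source IP, account, operation requested.
SAMPLE_ALERTS = """\
2019-10-01T02:14:07Z src=10.200.5.17 account=CORP\\svc-backup op=DS-Replication-Get-Changes-All
2019-10-01T02:15:22Z src=10.0.0.11 account=CORP\\DC02$ op=DS-Replication-Get-Changes-All
2019-10-01T03:40:51Z src=10.10.8.3 account=CORP\\jdoe op=DS-Replication-Get-Changes
"""

# Assumed environment facts: the domain controllers and the VPN client pool.
KNOWN_DC_IPS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
VPN_RANGES = [ipaddress.ip_network("10.200.0.0/16")]


@dataclass
class Finding:
    timestamp: str
    source: str
    account: str
    operation: str
    severity: str
    reason: str


def parse_alert(line):
    """Split one constructed alert line into (timestamp, src, account, op)."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return ts, fields["src"], fields["account"], fields["op"]


def classify_source(src_ip, known_dcs=KNOWN_DC_IPS, vpn_ranges=VPN_RANGES):
    """Rate a replication request by the host that issued it."""
    ip = ipaddress.ip_address(src_ip)
    if ip in known_dcs:
        return "info", "replication between domain controllers (expected)"
    if any(ip in net for net in vpn_ranges):
        return "high", "replication request from the VPN client pool; only DCs replicate"
    return "medium", "replication request from a non-DC host"


def triage(feed):
    """Parse every non-empty line of the feed and attach a severity and reason."""
    findings = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        ts, src, account, op = parse_alert(line)
        severity, reason = classify_source(src)
        findings.append(Finding(ts, src, account, op, severity, reason))
    return findings


def escalations(feed):
    """Return only the findings that must not be closed as false positives."""
    return [f for f in triage(feed) if f.severity in ("high", "medium")]


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"[{f.severity}] {f.timestamp} {f.source} {f.account} {f.operation}: {f.reason}")
```

The point of the source check is that replication is a peer-to-peer operation between domain controllers; any request from an address that is not a known DC deserves a second look, and one from a remote-access pool deserves it regardless of whether the account involved holds domain admin rights.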
“In parallel with our monitoring and investigation, we planned and carried out proactive measures to protect our end users and ensure the integrity of both our product build environment as well as our release process.”
CCleaner is believed to have been the target. On September 25, Avast halted upcoming CCleaner releases, and after thorough checks it verified that no malicious alterations had been made.
Avast then pushed out an update of the product and revoked the previous certificate. As the new build of CCleaner was released, the temporary VPN profile was closed and all internal credentials were reset.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’,” said Baloo.
The post #Privacy: Avast discloses security breach impacting its internal network appeared first on PrivSec Report.