An unknown attacker attempted to breach the systems of Czechia-based antivirus and virtual private network (VPN) product supplier Avast through its own virtual private network (VPN) in an attack that may echo a similar incident two years ago.
The attack was spotted on 23 September and caused an immediate and extensive investigation – which included assistance from Czechia’s Security Information Service (BIS) intelligence agency and external security forensics experts.
“Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target,” said Avast CISO Jaya Baloo, writing in a blog post disclosing the attack.
Avast found evidence of activity when it retracted its footsteps to look again at a Microsoft Advanced Threat Analytics (ATA) alert of malicious activity that it had at first dismissed as a false positive.
It found the actor – who at face value connected from a public IP in the UK – had compromised the VPN credentials of an Avast employee (possibly more than one) and then obtained domain admin privileges through a successful privilege escalation. In this way they gained access to a temporary VPN profile that Avast had accidentally left active, and crucially, which did not have two-factor authentication enabled. Avast said it evidence of seven other occurrences of this activity dating back to 14 May.
It tracked the actor by leaving the VPN portal open as a honeypot and monitoring and investigating everything that came through it. At the same time it took new measures to protect end-users and shore-up the integrity of its product build environment and release processes, as well as resetting every employee credential.
“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions,” said Baloo.
Read more about VPN security
- IPsec VPNs and SSL VPNs both encrypt network data, but they do it differently. Learn about the differences and how to determine the right solution for your organisation.
- Organisations should not overlook the need to secure VPN connections because failure to do so could be fatal, but 2FA alone is not enough, warns a security expert.
- Nemertes analyst John Burke points CIOs to a new type of cloud security offering that combines the functions of VPN, cloud firewall, secure web gateway and cloud access security broker.
Avast halted upcoming CCleaner releases and rechecked old ones to make sure nobody had made any alterations to it. It also re-signed a clean update, which was pushed out on 15 October, and revoked the previous certificate.
“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” said Baloo.
“It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile,” she said. “At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases.”
Baloo said it was clear that the attack was an “extremely sophisticated” one carefully designed to leave no traces of the attacker or what they wanted. It was likely that Avast will never know if it was the same attacker behind the 2017 breach.