Avast targeted in suspected new supply-chain attack

Avast reveals details of new attempted supply-chain attack just two years after CCleaner compromise

Security firm Avast has disclosed another attempted supply-chain attack targeting its internal network. The disclosure comes two years after Avast admitted the compromise of CCleaner, a security tool the company had just acquired.

Avast claims that it picked up what it describes as suspicious network activity on 23rd September this year, and traced that activity back to May 2019. It added that the attacks were mounted via a public IP address traced to the UK.

"The evidence we gathered pointed to activity on MS ATA/VPN [Microsoft Advanced Threat Analytics] on 1st October, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive," explained the company in a blog post published today.

It continued: "The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges."

In other words, an unknown attacker had been trying to gain access to Avast's internal network via the VPN of a compromised user, presumably an Avast staff member, and had successfully escalated the account's privileges.

"After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA [two-factor authentication]," Avast has admitted.

Rather than close down the compromised accounts and VPN access, the company decided to monitor them and track the activity. Believing CCleaner was, once again, the target of the attackers' efforts, it halted upcoming releases and began a code-check to verify that no malicious alterations to the application's code had taken place.

The updated CCleaner was pushed out on 15 October. That move would indicate to the attackers that they had been rumbled, so Avast closed the compromised VPN profiles. "At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases.

"Moreover, we continued to harden and further secure our environments for Avast's business operations and product builds, including the resetting of all employee credentials, with further steps planned to improve overall business security at Avast."

However, Avast was able to glean few details about the attackers' intent and purpose, or who they might potentially be.

"It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure."

The organisation has named the attempt 'Abiss'.

Avast collaborated with the Czech intelligence agency, the Security Information Service (BIS), the local Czech police force cyber security division, and an external forensics team in order to investigate the attack.