- A hacker got into Avast’s internal network, but the software company appears to have caught the intrusion in time.
- The entry point was a compromised VPN account, which Avast deliberately left open in order to monitor and track the attacker.
- The hackers were trying to set up a supply chain attack by compromising CCleaner.
Avast, the renowned Czech anti-virus and security software maker, announced a security incident on its official blog today. According to the post, the company first noticed suspicious activity on its network on September 23 and brought in the Czech intelligence agency (BIS) and the cybersecurity division of the local police to help investigate. The evidence pointed to the VPN: Avast found a malicious replication of its directory services (a request to pull the contents of the directory, something only domain controllers normally do among themselves) coming from an internal IP address in its VPN address range. Someone’s credentials had clearly been compromised. The account itself did not hold domain admin rights, but the attacker escalated privileges from it and gained admin rights in the corporate network.
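The telltale sign above, directory replication requested from an address that is not a domain controller, is exactly the kind of thing a detection rule can catch. The following is an added example, not code from the article or from Avast: it scans constructed network log records laid out like a Zeek dce_rpc.log (the column order, the drsuapi endpoint name and the DRSGetNCChanges operation name are assumptions about that format) and flags replication requests whose source is not in a list of known domain controllers, noting whether the source sits in a hypothetical VPN pool. All IP addresses and log lines are made up for the example.

```python
"""Flag directory-replication requests that do not originate from a domain
controller.  Constructed example; not Avast's tooling or logs."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumed network layout (constructed for this example).
DOMAIN_CONTROLLERS: Set[ipaddress.IPv4Address] = {
    ipaddress.ip_address("10.10.1.10"),
    ipaddress.ip_address("10.10.1.11"),
}
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN client pool

# DCE-RPC operations that pull directory contents.  Legitimate traffic of this
# kind flows only between domain controllers.
REPLICATION_OPS = {"DRSGetNCChanges"}

# Constructed sample records in a Zeek dce_rpc.log-like layout (assumed column
# order: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, rtt, named_pipe,
# endpoint, operation).  The '#fields' line mimics a Zeek header line.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1569262800.1\tC1\t10.10.1.11\t49160\t10.10.1.10\t135\t0.001\t-\tdrsuapi\tDRSBind
1569262800.2\tC1\t10.10.1.11\t49160\t10.10.1.10\t135\t0.010\t-\tdrsuapi\tDRSGetNCChanges
1569262860.0\tC2\t10.200.5.23\t51033\t10.10.1.10\t135\t0.002\t-\tdrsuapi\tDRSBind
1569262860.1\tC2\t10.200.5.23\t51033\t10.10.1.10\t135\t0.041\t-\tdrsuapi\tDRSGetNCChanges
1569262900.0\tC3\t10.20.7.4\t50111\t10.10.1.10\t445\t0.003\tsrvsvc\tsrvsvc\tNetrShareEnum
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    operation: str
    from_vpn: bool  # True when the requester sits in the VPN client pool


def parse_records(log_text: str) -> Iterable[dict]:
    """Yield the fields we care about from each tab-separated data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blanks and header lines
        f = line.split("\t")
        if len(f) != 10:
            continue  # malformed line; ignore rather than crash the scan
        yield {"ts": f[0], "src": f[2], "dst": f[4],
               "endpoint": f[8], "operation": f[9]}


def is_suspicious_replication(src: str, endpoint: str, operation: str,
                              dcs: Set[ipaddress.IPv4Address] = DOMAIN_CONTROLLERS) -> bool:
    """A replication pull is suspicious when the requester is not a known DC."""
    if endpoint != "drsuapi" or operation not in REPLICATION_OPS:
        return False
    return ipaddress.ip_address(src) not in dcs


def detect_dcsync(log_text: str,
                  dcs: Set[ipaddress.IPv4Address] = DOMAIN_CONTROLLERS,
                  vpn_pool: ipaddress.IPv4Network = VPN_POOL) -> List[Alert]:
    """Return one Alert per replication request from a non-DC source."""
    alerts: List[Alert] = []
    for r in parse_records(log_text):
        if is_suspicious_replication(r["src"], r["endpoint"], r["operation"], dcs):
            alerts.append(Alert(r["ts"], r["src"], r["dst"], r["operation"],
                                ipaddress.ip_address(r["src"]) in vpn_pool))
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_LOG):
        where = "VPN pool" if a.from_vpn else "non-DC host"
        print(f"{a.ts} {a.operation} from {a.src} ({where}) against {a.dst}")
```

On the sample data only the request from 10.200.5.23 is flagged: the DC-to-DC replication on the first two lines is normal, and the share enumeration on the last line is not a replication operation at all. The same logic can be driven from the host side: a domain controller logs a Windows security event 4662 for each replication request, which lets you correlate the requesting account with the network source.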
Further investigation showed that the actor had been trying to get into the internal network through the VPN since May 14, 2019, using a temporary VPN profile that had erroneously been left enabled and did not require two-factor authentication. Rather than shutting it down immediately, Avast’s IT team left the compromised profile open in order to track the hacker, who made one final attempt on October 4, 2019. In parallel, the company took protective steps for its end users. It became apparent that the actors were trying to set up a supply chain compromise through CCleaner, the popular PC cleaner and Windows optimizer developed by Piriform, a subsidiary of Avast.
Once Avast understood what was going on, it closed the exploited VPN profile and reset all internal user credentials. The company says it halted upcoming CCleaner releases while it checked that earlier builds had not been tampered with, and no compromised build reached the public, so according to Avast users of the tool have nothing to worry about. Still, this was a wake-up call. Avast described the attempt as extraordinarily sophisticated, designed to leave no traces of the intruder or their purpose, and said it would have been very hard to detect had the company not been routinely scrutinizing all internal network activity.
Avast now intends to continue the internal investigation and to use what it learns to improve its monitoring, detection, and response times. The police also have the IP address the attacker used, although an IP address alone rarely identifies an actor, since intruders routinely work through VPNs, proxies, or compromised hosts. Supply chain attacks are treated as grave offenses because a single poisoned update can compromise many thousands, if not millions, of users at once; if the individuals behind this attempt are arrested, they will undoubtedly face harsh penalties in court.