Avast says hackers breached internal network through compromised VPN profile

Czech antivirus maker discloses second attack aimed at compromising CCleaner releases.


Czech cyber-security software maker Avast disclosed today a security breach that impacted its internal network.

In a statement published today, the company said it believed the attack's purpose was to insert malware into the CCleaner software, similar to the infamous CCleaner 2017 incident.

Avast said the breach occurred because the attacker compromised an employee's VPN credentials, gaining access to an account that was not protected using a multi-factor authentication solution.

The intrusion was detected on September 23, but Avast said it found evidence of the attacker targeting its infrastructure going as far back as May 14 of this year.

"The user, whose credentials were apparently compromised [...], did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges," said Jaya Baloo, Avast Chief Information Security Officer (CISO).

This sudden access rights elevation prompted the company to investigate, Baloo told ZDNet in an email today.

Staff eventually tracked down other security alerts inside Avast's ATA dashboard, alerts that engineers had previously ignored, thinking they were false positives. ATA stands for Microsoft Advanced Threat Analytics, an on-premises network parsing engine and traffic analysis system that Microsoft sells to enterprises in order to protect internal networks from malicious attacks triggered from inside.

The alert showed that the compromised user account replicated Avast's Active Directory service, an effective digital map of the company's internal network.
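For defenders who want a log-based check for the same signal (directory replication requested by an account that is not a domain controller), the following is an added example and not part of the original article, Avast's tooling, or ATA's own logic. It scans events shaped like Windows Security event 4662 for the directory replication control-access rights; the account names, domain controller inventory and sample events are constructed for illustration.

```python
import re

# Control-access-right GUIDs that grant directory replication (AD schema constants).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Assumption: inventory of domain controller machine accounts (hypothetical names).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample events using 4662-style field names. Event 4662 is only
# logged when directory service access auditing is enabled.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2019-09-23T02:11:04Z", "SubjectUserName": "DC01$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2019-09-23T02:14:37Z", "SubjectUserName": "vpn-user",
     "Properties": "%%7688 {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2019-09-23T02:15:02Z", "SubjectUserName": "vpn-user",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
    {"EventID": 4624, "TimeCreated": "2019-09-23T02:10:55Z", "SubjectUserName": "vpn-user"},
]

def replication_rights(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def find_suspicious_replication(events, dcs=DOMAIN_CONTROLLERS):
    """Flag replication requests whose subject is not a known domain controller."""
    allowed = {name.upper() for name in dcs}
    findings = []
    for ev in events:
        rights = replication_rights(ev)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in allowed:
            findings.append({"time": ev.get("TimeCreated"),
                             "account": subject, "rights": rights})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_replication(SAMPLE_EVENTS):
        print(finding)
```

Any account other than a domain controller that appears in the findings warrants triage rather than dismissal as a false positive, unless it is a known directory synchronization service account that has been added to the allowlist.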

Avast let hackers roam free for two weeks to track their intentions

Baloo said Avast intentionally left the compromised VPN profile active, with the purpose of tracking the attacker and observing their actions.

This lasted until October 15, when the company finished auditing previous CCleaner releases, and pushed out a new clean update.

At the same time, Avast also changed the digital certificate it was using to sign CCleaner updates. The new update was signed with a new digital certificate, and the company revoked the previous certificate used to sign older CCleaner releases. It did so to prevent attackers from using it to sign fake CCleaner updates, in case the hackers managed to get their hands on the old certificate during the recent intrusion.

The last step was to reset all employee credentials.

"Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected," Baloo said.

The antivirus maker said it's currently investigating the incident together with the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team.

Avast respectfully declined to provide additional details to other questions ZDNet sent the company today, citing the legal investigation. BIS also confirmed the investigation into the Avast hack today, claiming the attack was carried out by Chinese hackers.

Avast said there is no evidence at this time to suggest this attack was caused by the same Chinese hacker group who breached its infrastructure in 2017; however, the company pointed out that the intrusion was carried out by an experienced threat actor.

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected," Baloo said.

The investigation is ongoing and the company promised more updates.

Avast previously received praise for the openness it showed while investigating the 2017 CCleaner hack, publishing several updates on the incident as it continued to learn more about the 2017 breach in the subsequent months [1, 2, 3, 4].

The 2017 CCleaner hack happened before Avast bought Piriform, the company behind CCleaner. Hackers breached Piriform's network via a TeamViewer account and planted malware inside CCleaner. The attackers, believed to be a group of Chinese state-sponsored hackers, inserted malware that would only download a second-stage payload when CCleaner was installed on the network of a major company. The list of targets included Cisco, Microsoft, Google, NEC, and many other major companies. Avast said that 2.27 million users downloaded the tainted CCleaner software back in 2017; 1,646,536 computers were infected with the first-stage Floxif trojan that scanned for high-value targets; but only 40 computers received the second-stage trojan, a more powerful backdoor.

Avast told ZDNet it has no plans to discontinue CCleaner in light of the two attacks that targeted the app's infrastructure.