[BreachExchange] Avast Network Breached As Hackers Target CCleaner Again

Destry Winant destry at riskbasedsecurity.com
Wed Oct 23 10:07:21 EDT 2019


https://threatpost.com/avast-network-breached-as-hackers-target-ccleaner-again/149358/

Avast said it believes that threat actors are again looking to target
CCleaner in a supply chain attack.

Czech antivirus vendor Avast on Monday warned that hackers were able
to access its internal network using a temporary VPN account.

Avast said that it believes that the intrusion, first detected on
Sept. 25, was likely targeting its CCleaner business in a supply chain
attack. CCleaner, which is software that fights infections in PCs, was
previously infiltrated by attackers in 2017 and led to the compromise
of 2.27 million people’s systems.

“From the insights we have gathered so far, it is clear that this was
an extremely sophisticated attempt against us that had the intention
to leave no traces of the intruder or their purpose, and that the
actor was progressing with exceptional caution in order to not be
detected,” said Jaya Baloo, chief information security officer with
Avast in a post on Monday. “We do not know if this was the same actor
as before and it is likely we will never know for sure, so we have
named this attempt ‘Abiss’.”

Avast first learned of the intrusion through an alert from Microsoft
Advanced Threat Analytics (a Microsoft service that monitors for
potentially suspicious activity) on Sept. 25. However, after reviewing
earlier Microsoft Advanced Threat Analytics alerts, Avast found the
attackers had attempted to access its network at least seven times in
2019, with the first attempts starting in May 2019.

“In order to track the actor, we left open the temporary VPN profile,
continuing to monitor and investigate all access going through the
profile until we were ready to conduct remediation actions,” said
Avast.

The intruder was able to connect to a temporary VPN account, from a
public IP address in the U.K., using a compromised username and
password. Avast said the temporary VPN account had “erroneously been
kept enabled,” and did not require two-factor authentication – making
it easier for hackers to compromise.

The user of the temporary VPN did not have domain admin privileges.
However, through a successful privilege escalation attack, the actor
managed to obtain domain admin privileges, said Avast (Avast did not
provide further details about the privilege escalation attack).

Avast did not detail any further implications of the breach other than
to say that the Sept. 25 Microsoft Advanced Threat Analytics alert
warned of “a malicious replication of directory services from an
internal IP.”
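As an added example (not from the article, Threatpost or Avast), the following Python sketch shows how a defender can flag the kind of activity behind that alert: a request for directory-replication rights coming from an account that is not a known domain controller. It runs over constructed records modelled on Windows Security event 4662 fields; the account names and events are made up, while the two extended-right GUIDs are the standard Active Directory identifiers.

```python
import re

# Extended rights that allow pulling directory data, i.e. the rights a
# domain controller uses to replicate. These GUIDs are the well-known
# Active Directory control-access identifiers.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)
CONTROL_ACCESS = 0x100  # control-access bit in the 4662 access mask

# Constructed sample records (not real Avast logs), shaped like the
# Subject / Access Mask / Properties fields of Security event 4662.
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "CORP\\DC02$", "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "CORP\\jdoe", "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access with an unrelated (constructed) property GUID.
    {"event_id": 4662, "subject": "CORP\\jdoe", "access_mask": "0x10",
     "properties": "{00000000-0000-0000-0000-000000000001}"},
    {"event_id": 4624, "subject": "CORP\\jdoe", "access_mask": "", "properties": ""},
]

def replication_rights(event):
    """Return the names of replication rights requested by a 4662 event."""
    if event.get("event_id") != 4662:
        return []
    try:
        mask = int(event.get("access_mask") or "0", 16)
    except ValueError:
        return []
    if not mask & CONTROL_ACCESS:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def suspicious_replication(events, dc_accounts):
    """Flag replication requests from any account that is not a known DC."""
    known = {a.lower() for a in dc_accounts}
    return [(ev["subject"], replication_rights(ev)) for ev in events
            if replication_rights(ev) and ev["subject"].lower() not in known]

if __name__ == "__main__":
    for subject, rights in suspicious_replication(SAMPLE_EVENTS, ["CORP\\DC01$", "CORP\\DC02$"]):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

Maintaining the list of legitimate domain controller accounts is the part that needs care; the check is only as good as that allow-list.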

The company also said that the temporary profile had been used by
multiple sets of user credentials – leading Avast to believe that its
users were subject to credential theft.

CCleaner Target

CCleaner, which was previously targeted in a 2017 attack, is believed
to be the intended target of this latest attack, said Avast.

Avast acquired Piriform, which owns the PC cleaning tool CCleaner
(formerly Crap Cleaner), in July 2017, months before a malware attack
on CCleaner was discovered. In 2018, Avast said that further
investigations into the 2017 attack showed the threat actors were
planning to install a third round of ShadowPad malware on compromised
computers.

Avast said it does not know whether this more recent attack was the work
of the same actor as before. This time, however, Avast said it was able
to act quickly on remediation to limit the damage. On Sept. 25, Avast
halted upcoming CCleaner releases and began checking prior CCleaner
releases to verify that no malicious alterations had been made. Avast
also disabled and reset all internal user credentials.

“As two further preventative measures, we first re-signed a clean
update of the product, pushed it out to users via an automatic update
on October 15, and second, we revoked the previous certificate,” said
Avast. “Having taken all these precautions, we are confident to say
that our CCleaner users are protected and unaffected.”

Security experts like Kevin Beaumont praised Avast for its “incredible
transparency” around the hack.

Moving forward, Avast said it will continue to monitor the threat
actor’s movements in coordination with the Czech intelligence agency
(Security Information Service), the cybersecurity division of the local
Czech police force, and an “external forensics team.”