The Czech-based security firm Avast reported that its internal network had been accessed through a temporary and loosely protected VPN profile using compromised credentials.
The incident began on September 23, when the company noticed suspicious behavior on its network and started an investigation that involved Czech national intelligence and cybersecurity agencies. It was soon determined that Avast’s network had been accessed by a malicious actor, which the company refers to as Abiss, through a VPN profile that had mistakenly been left enabled and did not require multifactor authentication.
The initial discovery of suspicious activity came from a Microsoft ATA (Advanced Threat Analytics) alert tied to the VPN, where an internal Avast IP address was found to be compromised, most likely through an employee whose credentials had been stolen.
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider,” Avast said in a blog post describing the incident.
According to the company’s logs, there were seven attempts to gain access to Avast between May 14 and October 4, 2019. The logs also showed that multiple sets of user credentials were used in these attempts, indicating that more than one authorized person had their login information taken.
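The two signals the logs gave investigators, a VPN profile accepting logins without MFA and several distinct accounts arriving through the same external provider, can be checked mechanically. The following is an added example, not Avast’s tooling; the record layout and every username, IP address and profile name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication records (not Avast's real logs):
# (timestamp, username, source_ip, vpn_profile, mfa_enforced, success)
VPN_AUTH_LOG = [
    ("2019-05-14 02:11:00", "jdoe",   "203.0.113.10", "temp-contractor", False, True),
    ("2019-06-02 23:40:00", "asmith", "203.0.113.10", "temp-contractor", False, True),
    ("2019-07-19 01:05:00", "jdoe",   "203.0.113.22", "temp-contractor", False, False),
    ("2019-09-23 03:30:00", "mlee",   "203.0.113.10", "temp-contractor", False, True),
    ("2019-09-24 09:00:00", "mlee",   "198.51.100.5", "corp-mfa",        True,  True),
]

def parse(rec):
    """Turn one raw tuple into a dict with a real datetime for window checks."""
    ts, user, ip, profile, mfa, ok = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "ip": ip, "profile": profile, "mfa": mfa, "ok": ok}

def profiles_without_mfa(log):
    """VPN profiles that accepted at least one successful login with no MFA.
    Any profile listed here is the 'temporary, loosely protected' case."""
    return sorted({r["profile"] for r in map(parse, log) if r["ok"] and not r["mfa"]})

def shared_source_ips(log, min_users=2):
    """External IPs from which several distinct accounts authenticated (or tried to).
    One exit IP carrying many credentials is the credential-theft pattern in the logs."""
    users_by_ip = defaultdict(set)
    for r in map(parse, log):
        users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def attempts_in_window(log, start, end):
    """Count attempts inside an investigation window (ISO dates), for the timeline."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sum(1 for r in map(parse, log) if s <= r["ts"] <= e)

if __name__ == "__main__":
    print("profiles without MFA:", profiles_without_mfa(VPN_AUTH_LOG))
    print("shared source IPs:", shared_source_ips(VPN_AUTH_LOG))
    print("attempts in window:", attempts_in_window(VPN_AUTH_LOG, "2019-05-14", "2019-10-04"))
```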
The VPN profile in question was deliberately left open so that investigators could track the attackers. That monitoring led Avast to conclude that the ultimate goal of the operation was to compromise CCleaner, much as had happened in 2017, when the company found that a backdoor had been inserted into the utility, allowing malware to be planted and then distributed to customers.
Once CCleaner was identified as the target, Avast halted all upcoming releases and went back to check prior updates for any sign of tampering. None was found.
On October 15 an update signed with a new certificate was pushed out, the old certificate was revoked, and all internal user credentials were reset. By that point the attackers were expected to have realized they had been spotted, so the compromised VPN profile was disabled.
Avast is not certain if the attacker is the same one that pulled off the 2017 intrusion and does not believe a connection will ever be made.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” the company concluded.