- Avast claimed that the intrusion was detected on September 23.
- The attackers had compromised an employee’s VPN credentials to gain access to an account that was not protected using a multi-factor authentication solution.
Cybercriminals gained access to Avast’s internal networks in a new security breach. The company says the latest attack is similar to the infamous CCleaner 2017 incident.
When was it discovered?
In a notification, Avast claimed that the intrusion was detected on September 23. The company did so with the help of the Czech intelligence agency, the Security Information Service (BIS), the cybersecurity division of the local Czech police force, and an external forensics team.
How was it discovered?
The intrusion was detected when a Microsoft security tool displayed an alert due to ‘malicious replication of directory services from an internal IP.’ This internal IP belonged to Avast’s VPN address range.
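The kind of alert described above can be reproduced in a simple rule: a directory-replication request is only expected from a domain controller, so one coming from a VPN client address is suspicious. The following is an added example, not code from Avast or from the Microsoft tool; it runs over constructed records modelled on Windows Security event 4662, with the source IP already joined in (a real 4662 event carries no IP and must be correlated with logon or network data), and the DC list and VPN pool are placeholder assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Real extended-rights GUIDs used for directory replication; everything
# else in this file (IPs, user names, pools) is constructed sample data.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed defender knowledge: which hosts are domain controllers and which
# address range the VPN concentrator hands out to remote clients.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")

# Constructed events: a legitimate DC-to-DC sync, a replication request from
# a VPN client, and a VPN client touching an unrelated attribute GUID.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SourceIP": "10.0.0.11",
     "Properties": DS_REPLICATION_GET_CHANGES_ALL},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SourceIP": "10.99.12.34",
     "Properties": DS_REPLICATION_GET_CHANGES_ALL},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SourceIP": "10.99.12.34",
     "Properties": "bf967aba-0de6-11d0-a285-00aa003049e2"},
]

@dataclass
class Finding:
    user: str
    source_ip: str
    in_vpn_pool: bool

def requests_replication(event):
    """True when the accessed property is one of the replication control rights."""
    props = event.get("Properties", "").lower()
    return event.get("EventID") == 4662 and any(g in props for g in REPLICATION_RIGHTS)

def find_suspicious_replication(events):
    """Flag replication requests whose source is not a known domain controller."""
    findings = []
    for ev in events:
        if not requests_replication(ev) or ev["SourceIP"] in KNOWN_DC_IPS:
            continue
        src = ev["SourceIP"]
        findings.append(Finding(ev["SubjectUserName"], src,
                                ipaddress.ip_address(src) in VPN_POOL))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_replication(SAMPLE_EVENTS):
        print(finding)
```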
What had happened?
According to Avast, the attackers had compromised an employee’s VPN credentials to gain access to an account that was not protected using a multi-factor authentication solution.
Although the intrusion was only discovered recently, Avast believes that the attackers had been attempting to gain access to the network through the compromised VPN as early as May 14 of this year.
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider,” explained Jaya Baloo, Avast Chief Information Security Officer.
How did the company respond?
In order to track the activities of the actors, Avast left the temporary VPN profile open. The investigation lasted until October 15, after which the company pushed out a new clean update.
At the same time, Avast also changed the digital certificate it was using to sign CCleaner updates. This prevents attackers from using older certificates to sign fake CCleaner updates.
It is still unclear if the attack was caused by the same group that breached its infrastructure in 2017.