Avast hacked in May. Intruder left almost no trace. Security firm ramps up security for its product build and release environments.
Avast, the cybersecurity company with over 400 million users, today admitted its internal systems had been breached by a hacker who used an employee’s compromised VPN profile to obtain domain admin privileges.
New Avast CISO Jaya Baloo – who joined the Czech Republic-based firm in July from the Netherlands’ largest telecommunications carrier KPN – said that the attack had initially been flagged as a false positive, after unusual activity was identified on Microsoft’s Advanced Threat Analytics tool.
The company has involved the Czech intelligence services, police and third-party external forensics teams to try to trace the attackers’ moves.
The attack, first flagged in May 2019, was made via a staff member’s temporary VPN profile that had erroneously been kept enabled and which did not require 2FA, Baloo said. She cited likely credential theft, noting “the temporary profile had been used by multiple sets of user credentials.”
Baloo, an award-winning network architecture specialist who was brought in to boost internal security, described the attack as “an extremely sophisticated attempt against us that had the intention to leave no traces.”
The company believes the attack targeted its CCleaner product, which was also compromised in 2017 in an attack first identified by Cisco Talos. In that incident, hackers used their access to push malware through the tool, but then also used compromise to specifically target at least 20 key companies, including Cisco itself, through delivery of a second-stage loader.
Baloo said: “We [have] re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”
Cybersecurity companies are increasingly targets of malicious actors and Avast is not the only firm to have suffered such an attack recently. In May Trend Micro also admitted unauthorised access to testing lab network.
Avast CISO Jala Baloo said: “From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.
She added: “We are continuing with an extensive review of monitoring and visibility across our networks and systems to improve our detection and response times. Also, we will further investigate our logs to reveal the threat actor’s movements and modus operandi together with the wider security and law enforcement community; we have already shared more detailed indications with them, including the actor’s IPs, under confidential disclosure to aid in the investigation (TLP RED).”