October 21, 2019

Avast Hacked: Intruder Gained Domain Admin Privileges

Temporary VPN profile without 2FA enabled used to escalate privileges

By CBR Staff Writer

Avast hacked in May. Intruder left almost no trace. Security firm ramps up security for its product build and release environments.

Avast, the cybersecurity company with over 400 million users, today admitted its internal systems had been breached by a hacker who used an employee’s compromised VPN profile to obtain domain admin privileges. 

New Avast CISO Jaya Baloo – who joined the Czech Republic-based firm in July from the Netherlands’ largest telecommunications carrier KPN – said that the attack had initially been flagged as a false positive, after unusual activity was identified on Microsoft’s Advanced Threat Analytics tool.

The company has involved the Czech intelligence services, police and third-party external forensics teams to try to trace the attackers’ moves.

Avast Hacked

The attack, first flagged in May 2019, was made via a staff member’s temporary VPN profile that had erroneously been kept enabled and which did not require 2FA, Baloo said. She cited likely credential theft, noting “the temporary profile had been used by multiple sets of user credentials.”
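The two conditions Baloo describes, a temporary VPN profile left enabled without 2FA and a single profile authenticated with several sets of user credentials, are exactly what a periodic access audit can surface. The script below is an added illustration, not Avast's code or data: it runs over constructed profile records and constructed VPN authentication log lines, and every field name, username and address in it is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not Avast's); the field names are assumptions, not a vendor format.
AUDIT_DATE = date(2019, 5, 15)  # constructed date on which the audit is run
PROFILES = [
    {"profile": "vpn-contractor-17", "temporary": True, "expires": date(2019, 3, 31), "enabled": True, "mfa": False},
    {"profile": "vpn-staff-042", "temporary": False, "expires": None, "enabled": True, "mfa": True},
    {"profile": "vpn-temp-09", "temporary": True, "expires": date(2019, 6, 30), "enabled": True, "mfa": True},
]
AUTH_LOG = """\
2019-05-12T02:14:07Z profile=vpn-contractor-17 user=jsmith result=success src=203.0.113.5
2019-05-12T02:31:55Z profile=vpn-contractor-17 user=mnovak result=success src=203.0.113.5
2019-05-12T09:02:11Z profile=vpn-staff-042 user=akowal result=success src=198.51.100.20
2019-05-14T23:47:30Z profile=vpn-contractor-17 user=svc-build result=success src=203.0.113.9
2019-05-14T23:49:02Z profile=vpn-temp-09 user=lbrown result=failure src=198.51.100.44
"""

def parse_auth_log(text):
    """Turn 'timestamp key=value ...' lines into dicts (one per authentication event)."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = ts
        events.append(fields)
    return events

def stale_unprotected_profiles(profiles, today=AUDIT_DATE):
    """Enabled profiles that are temporary-but-expired and/or lack 2FA, with the reasons."""
    findings = []
    for p in profiles:
        if not p["enabled"]:
            continue
        reasons = []
        if p["temporary"] and p["expires"] is not None and p["expires"] < today:
            reasons.append("enabled past expiry")
        if not p["mfa"]:
            reasons.append("no 2FA")
        if reasons:
            findings.append((p["profile"], reasons))
    return findings

def shared_credential_profiles(events, min_users=2):
    """Profiles whose successful logins used more than one distinct username.
    A personal or temporary profile should map to exactly one credential set."""
    users = defaultdict(set)
    for e in events:
        if e.get("result") == "success":
            users[e["profile"]].add(e["user"])
    return {prof: sorted(u) for prof, u in users.items() if len(u) >= min_users}
```

On the sample data both checks flag vpn-contractor-17: it is enabled past its end date, has no 2FA, and has been used by three different usernames.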

Baloo, an award-winning network architecture specialist who was brought in to boost internal security, described the attack as “an extremely sophisticated attempt against us that had the intention to leave no traces.”

The company believes the attack targeted its CCleaner product, which was also compromised in 2017 in an attack first identified by Cisco Talos. In that incident, hackers used their access to push malware through the tool, and then used the compromise to specifically target at least 20 key companies, including Cisco itself, through delivery of a second-stage loader.


Baloo said: “We [have] re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”

Cybersecurity companies are increasingly targets of malicious actors, and Avast is not the only firm to have suffered such an attack recently. In May, Trend Micro also admitted unauthorised access to a testing lab network.

Avast CISO Jaya Baloo said: “From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”

She added: “We are continuing with an extensive review of monitoring and visibility across our networks and systems to improve our detection and response times. Also, we will further investigate our logs to reveal the threat actor’s movements and modus operandi together with the wider security and law enforcement community; we have already shared more detailed indications with them, including the actor’s IPs, under confidential disclosure to aid in the investigation (TLP RED).” 

See also: Trend Micro Admits it Was Hacked, Symantec Denies Claims of “Fxmsp” Breach
