Avast Thwarts Cyber-spies in Suspected Second CCleaner Attack


Avast has fended off a sophisticated cyber-espionage attack with the help of Czech intelligence.

The antivirus vendor announced today that its internal network had been breached, in what it believes was an attempt to tamper with its CCleaner software, as happened in the 2017 supply chain attack.

Avast identified suspicious behavior on its network on September 23. Together with the Czech police's cybersecurity division and the Czech intelligence agency Security Information Service (BIS), the company launched what they describe as "an immediate, extensive investigation." 

Evidence gathered by Avast over the following weeks, and verified by an external forensics team, pointed to a Microsoft Advanced Threat Analytics (MS ATA) alert for malicious replication of directory services: a request to replicate Active Directory data, of the kind only domain controllers should make, had come from an internal IP in the company's VPN address range.

The activity, which took place on October 1, had originally been dismissed as a false positive. On review, however, it showed that a threat actor had compromised the credentials of an Avast user associated with that internal IP.
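The alert described above is the classic signature of a DCSync-style attack: an account that is not a domain controller asks a DC for directory replication. On Windows, the same activity shows up in Security event 4662 when the replication extended rights are exercised. The following script, an added example that is not Avast's or Microsoft's code, triages constructed 4662-style records and refuses to treat replication from a VPN client address as benign. The domain controller names, the DC subnet, the VPN pool and the `source_ip` field (which 4662 does not carry; it is assumed to have been joined from VPN or network logs) are all assumptions for the example; the extended-right GUIDs and the 0x100 control-access mask are fixed by Active Directory.

```python
"""Triage of Windows Security event 4662 records for DCSync-style replication.

Constructed example (not Avast's or Microsoft's code). Assumes the analyst has
already joined a source IP onto each record from VPN or network logs, because
event 4662 itself carries no network address.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Extended-right GUIDs needed to replicate the domain naming context.
# These are fixed by Active Directory; 4662 records them in its Properties field.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # AccessMask value for an extended-right (control access) check

# Assumed environment facts for this example: DC computer accounts, the subnet
# they live in, and the address pool handed out to VPN clients.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
DC_SUBNET = ipaddress.ip_network("10.0.1.0/24")
VPN_POOL = ipaddress.ip_network("10.50.0.0/16")

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)


@dataclass(frozen=True)
class Event4662:
    subject_user_name: str  # account that performed the operation
    access_mask: int        # 0x100 for control-access (extended right) checks
    properties: str         # raw Properties field: GUIDs in braces, newline separated
    source_ip: str          # assumption: joined from VPN/network logs, not part of 4662


def replication_rights_requested(properties: str) -> set[str]:
    """Return the replication extended-right GUIDs present in a Properties field."""
    found = {m.group(1).lower() for m in GUID_RE.finditer(properties)}
    return found & REPLICATION_RIGHTS


def triage(ev: Event4662) -> tuple[str, str]:
    """Classify one 4662 record. Returns (verdict, reason)."""
    rights = replication_rights_requested(ev.properties)
    if ev.access_mask != CONTROL_ACCESS or not rights:
        return "ignore", "not a directory replication request"

    ip = ipaddress.ip_address(ev.source_ip)
    if ev.subject_user_name in DOMAIN_CONTROLLERS and ip in DC_SUBNET:
        return "expected", "DC-to-DC replication"
    if ip in VPN_POOL:
        # The shape of the alert in the article: a non-DC identity pulling
        # directory data from a VPN client address. Never a false positive.
        return "critical", f"replication from VPN client {ev.source_ip} as {ev.subject_user_name}"
    return "suspicious", f"replication by non-DC account {ev.subject_user_name} from {ev.source_ip}"


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event4662("DC02$", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
              "10.0.1.12"),
    Event4662("jdoe", 0x100,
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
              "10.50.3.77"),
    Event4662("svc_backup", 0x100, "{89e95b76-444d-4c62-991a-0facbeda640c}", "10.0.5.9"),
    # Ordinary attribute read with a made-up, non-replication GUID: must be ignored.
    Event4662("jdoe", 0x10, "{00000000-0000-0000-0000-000000000001}", "10.50.3.77"),
]


def triage_all(events: list[Event4662] = SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Return (account, verdict, reason) for every record."""
    return [(ev.subject_user_name, *triage(ev)) for ev in events]


if __name__ == "__main__":
    for user, verdict, reason in triage_all():
        print(f"{verdict:10} {user:12} {reason}")
```

The point of the `expected` branch is that it is the only path to a benign verdict, and it requires both a DC computer account and a DC-subnet source: a replication request that satisfies only one of the two stays at least `suspicious`, so an analyst cannot close it on the account name alone.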

The attacker then escalated privileges to domain admin, which gave them broad access to the company's internal network, in an intrusion Avast has dubbed 'Abiss.'

Avast researchers wrote: "The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider."

Analysis of the external IPs revealed seven attempts to gain access to Avast's network had been made between May 14 and October 4, 2019. 

Avast researchers wrote: "Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions."

To keep tracking the actor, Avast left a temporary VPN profile open while it took steps to protect its software and its end users, including disabling and resetting all internal user credentials.

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure," wrote Avast researchers.
