SECURITY FIRM Avast has become the victim of another attempted supply-chain attack targeting its internal network.
The disclosure comes two years after Avast admitted the compromise of CCleaner, a security tool the company had just acquired.
Avast claims that it picked up "suspicious network activity" on 23 September, which it tracked back to May 2019. It said that the attacks were mounted via a public IP address traced to the UK.
"The evidence we gathered pointed to activity on MS ATA/VPN [Microsoft Advanced Threat Analytics] on 1 October, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive," explained the company in a blog post.
"The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges."
Incredible transparency from AVAST (antivirus vendor) here. Somebody basically cloned their Active Directory and had access from at least May. Worth reading as many orgs have these kinds of issues. https://t.co/ZsbdFGOKsi— Kevin Beaumont (@GossiTheDog) October 21, 2019
In other words, an unknown attacker had gained access to Avast's internal network through the VPN using a compromised user's credentials, presumably those of a staff member, and had then successfully escalated that account's privileges to domain admin.
"After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA [two-factor authentication]," Avast has admitted.
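The two details above, a replication alert from an address in the VPN range that was dismissed as a false positive, and a VPN profile that should not have been active, suggest the kind of triage check a defender would want. The following is an added example, not code from Avast or Microsoft: it classifies directory-replication events by source address so that replication requested from a VPN address is flagged even when the account is otherwise allowlisted. The log lines, the domain-controller addresses, the VPN range and the sync-account allowlist are all constructed; the line format is a simplified stand-in loosely modelled on Windows security event 4662, which is an assumption (MS ATA itself raises replication alerts from captured network traffic, not from these events).

```python
"""Triage of directory-replication events by source address (added example).

Not Avast's or Microsoft's code. Log lines are constructed and simplified,
loosely modelled on Windows event 4662; all addresses are assumed values.
"""
import ipaddress

# Constructed sample log lines (not real telemetry).
SAMPLE_LINES = [
    "2019-10-01T08:12:05Z EventID=4662 Account=CORP\\DC02$ SourceIP=10.10.0.12 Access=DS-Replication-Get-Changes-All",
    "2019-10-01T08:15:40Z EventID=4662 Account=CORP\\svc-aadsync SourceIP=10.10.0.50 Access=DS-Replication-Get-Changes-All",
    "2019-10-01T08:20:13Z EventID=4624 Account=CORP\\jsmith SourceIP=10.200.4.17 Access=Logon",
    "2019-10-01T08:21:02Z EventID=4662 Account=CORP\\jsmith SourceIP=10.200.4.17 Access=DS-Replication-Get-Changes-All",
    "2019-10-01T08:30:55Z EventID=4662 Account=CORP\\svc-aadsync SourceIP=10.200.9.3 Access=DS-Replication-Get-Changes",
]

# Environment model (assumed values for this example).
DC_ADDRESSES = {ipaddress.ip_address("10.10.0.11"), ipaddress.ip_address("10.10.0.12")}
VPN_RANGE = ipaddress.ip_network("10.200.0.0/16")
# Accounts that legitimately replicate (e.g. a directory sync service), bound to a fixed host.
SYNC_ALLOWLIST = {("CORP\\svc-aadsync", ipaddress.ip_address("10.10.0.50"))}
REPLICATION_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}


def parse_line(line):
    """Split a 'timestamp key=value ...' line into a dict; SourceIP becomes an address object."""
    timestamp, *fields = line.split()
    event = {"Timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["SourceIP"] = ipaddress.ip_address(event["SourceIP"])
    return event


def classify(event):
    """Return a verdict for replication events, or None for events that are not replication."""
    if event.get("EventID") != "4662" or event.get("Access") not in REPLICATION_RIGHTS:
        return None
    src = event["SourceIP"]
    if src in DC_ADDRESSES:
        return "expected-dc"            # domain controllers replicate with each other
    if src in VPN_RANGE:
        # Checked before the allowlist: a remote-access address should never
        # be pulling directory changes, whichever account it presents.
        return "suspicious-vpn-source"
    if (event["Account"], src) in SYNC_ALLOWLIST:
        return "allowlisted-sync"
    return "suspicious-unknown-source"


def triage(lines):
    """Classify every replication event; returns (verdict, account, source_ip) tuples."""
    findings = []
    for line in lines:
        event = parse_line(line)
        verdict = classify(event)
        if verdict is not None:
            findings.append((verdict, event["Account"], str(event["SourceIP"])))
    return findings


if __name__ == "__main__":
    for verdict, account, src in triage(SAMPLE_LINES):
        print(f"{verdict:26} {account:22} {src}")
```

The ordering of the checks is the point: the VPN-range test runs before the allowlist, so the last sample line (an allowlisted sync account presenting from a VPN address) is still reported rather than quietly suppressed, which is the class of alert the blog post says had originally been written off as a false positive.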
Rather than close down the compromised accounts and VPN access, the company decided to leave them in place and monitor the activity. Believing CCleaner was, once again, the target of the attackers' efforts, it halted upcoming releases and began a code check to verify that no malicious alterations to the application's code had taken place.
The updated CCleaner was pushed out on 15 October. That move would indicate to the attackers that they had been rumbled, so Avast closed the compromised VPN profiles. "At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases.
"Moreover, we continued to harden and further secure our environments for Avast's business operations and product builds, including the resetting of all employee credentials, with further steps planned to improve overall business security at Avast."
However, Avast was able to glean few details about the attackers' intent and purpose, or who they might potentially be.
"It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure."
The organisation has named the attempt 'Abiss'. Avast collaborated with the Czech intelligence agency, the Security Information Service (BIS), the local Czech police force cyber security division, and an external forensics team in order to investigate the attack. µ