[German]Unknown actory probably had access to the AVAST network for about 6 months. The aim was supposedly a new supply chain attac attempt to compromise of the CCleaner software build environment. AVAST claims to have fight off the attack.
What happened at AVAST?
On 23 September 2019, AVAST noticed suspicious activities in its corporate network, which led to an investigation. The Czech Intelligence Service (BIS) and an external forensic team were involved.
(Source: Pexels Josh Sorenson)
On October 1, 2019, access to the network via VPN (MS ATA/VPN) was detected. An alarm had been triggered because there had been a malicious replication of directory services. This had been initiated via an internal IP address that belonged to the VPN addresses assigned by AVAST. The user actually had no admin permissions for the domain, so he could not have initiated the replication of the directory services. Apparently the user’s account was compromised and the attackers had successfully extended permissions to access the directory services.
An analysis of the process revealed that the access had only been classified as False Positive. The VPN connection was made over an IP hosted in the UK, with the attacker also using other endpoints over the same VPN provider. Analysis of the external IPs revealed that the attacker had been attempting to access the AVAST network via compromised VPN access (which did not use 2FA) since 14 May 2019. Apparently, the accesses were also successful.
The next activity took place on October 4, 2019. In the blog post, AVAST lists the accesses to its own network. It is assumed that stolen access data was used for a temporary profile. AVAST, according to its own information, immediately initiated measures to protect its product build environment.
Assumption: CCleaner build infrastructure as goal
AVAST assumes that the attack was another attempt to compromise the CCleaner build environment as part of a supply chain attack. This had already happened in the summer of 2017. Therefore, according to AVAST, the releases for CCleaner builds were already put on ice on September 25, 2019. The releases Avast reviewed was clean, but on October 15, 2019 Avast released a newly signed product update and distributed it to CCleaner users. At the same time, old certificates used to sign older versions were revoked. Also the the VPN access was closed and all internal access data was reset. AVAST is confident that no customers have been compromised by compromised software.
AVAST writes that it was a very sophisticated attempt, in which the attackers tried not to leave any traces. Whether it was the attackers from 2017 is not known. AVAST called the attack attempt ‘Abiss’, which is derived from the English Abyss. The process once again shows how shaky the whole thing has become. Techcrunch reports here that NordVPN admitted a hack in a data center in 2018. The NordVPN statement is here.