Hackers penetrated the internal network of the Czech cybersecurity company Avast, intending a supply-chain attack on CCleaner. The intrusion was discovered on September 25; the break-in attempts began on May 14.
After an investigation, the antivirus maker found that the attacker gained access by using compromised credentials for a temporary VPN account.
Avast Chief Information Security Officer (CISO) Jaya Baloo said that, from the evidence assembled so far, the attack appears to be “a remarkably complex attempt.” Avast refers to the operation as ‘Abiss’. Baloo also affirmed that the threat actor behind it applied utmost caution to evade detection and to cover their tracks.
Records of the questionable activity show entries on May 14 and 15, on July 24, on September 11, and on October 4.
The intruder connected from a public IP address in the U.K. and then used a temporary VPN account. The account was not protected with two-factor authentication (2FA).
Jaya Baloo affirmed that the company observed “a malicious replication of directory services from an internal IP that belonged to our VPN address range.”
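The two signals described above (a VPN account used without 2FA, and directory replication requested from an address in the VPN client pool rather than from a domain controller) are the kind of thing a detection rule can flag. The following is an added illustration written for this page, not Avast's own tooling; the log format, the VPN pool `10.200.0.0/16`, the domain-controller addresses and the sample events are all constructed assumptions, and the replication operation names mirror the Active Directory control-access rights used for replication.

```python
"""Flag directory-replication requests from the VPN client pool and VPN logins without MFA.

Added illustration for this page, not Avast's own tooling. The log format, the
VPN range, the domain-controller list and the sample events are constructed.
"""
import ipaddress
import json
from typing import Dict, List

# Assumed: only these hosts are domain controllers and are expected to replicate.
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}
# Assumed: address pool handed out to remote-access VPN clients.
VPN_RANGE = ipaddress.ip_network("10.200.0.0/16")
# Active Directory control-access rights that constitute directory replication.
REPLICATION_OPS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# Constructed directory-access audit events, one JSON object per line.
SAMPLE_DIRECTORY_LOG = """\
{"ts": "2019-05-14T02:11:09Z", "src_ip": "10.0.1.11", "account": "DC02$", "op": "DS-Replication-Get-Changes-All"}
{"ts": "2019-05-14T02:13:41Z", "src_ip": "10.200.4.77", "account": "tmp-vpn-user", "op": "DS-Replication-Get-Changes-All"}
{"ts": "2019-05-14T02:13:42Z", "src_ip": "10.200.4.77", "account": "tmp-vpn-user", "op": "DS-Replication-Get-Changes"}
{"ts": "2019-05-14T02:20:00Z", "src_ip": "10.200.4.77", "account": "tmp-vpn-user", "op": "Read-Property"}
{"ts": "2019-05-15T09:00:00Z", "src_ip": "10.0.1.10", "account": "DC01$", "op": "DS-Replication-Get-Changes"}
"""

# Constructed VPN session records; "mfa" records whether a second factor was used.
SAMPLE_VPN_LOG = """\
{"ts": "2019-05-14T02:05:00Z", "account": "tmp-vpn-user", "client_ip": "10.200.4.77", "mfa": false}
{"ts": "2019-05-14T08:30:00Z", "account": "alice", "client_ip": "10.200.7.12", "mfa": true}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_vpn(ip: str) -> bool:
    """True when the address falls inside the VPN client pool."""
    return ipaddress.ip_address(ip) in VPN_RANGE


def is_suspicious_replication(event: Dict) -> bool:
    """A replication right exercised by any host that is not a known domain controller."""
    if event.get("op") not in REPLICATION_OPS:
        return False
    return event["src_ip"] not in DOMAIN_CONTROLLERS


def replication_alerts(events: List[Dict]) -> List[Dict]:
    """Return one alert per anomalous replication request, tagged if it came from the VPN pool."""
    return [
        {"ts": e["ts"], "src_ip": e["src_ip"], "account": e["account"],
         "op": e["op"], "from_vpn": from_vpn(e["src_ip"])}
        for e in events if is_suspicious_replication(e)
    ]


def vpn_sessions_without_mfa(sessions: List[Dict]) -> List[str]:
    """Accounts that established a VPN session without a second factor."""
    return [s["account"] for s in sessions if not s.get("mfa", False)]


if __name__ == "__main__":
    for alert in replication_alerts(parse_events(SAMPLE_DIRECTORY_LOG)):
        print("replication from non-DC:", alert)
    for account in vpn_sessions_without_mfa(parse_events(SAMPLE_VPN_LOG)):
        print("VPN session without MFA:", account)
```

On the constructed input, the two replication requests from `10.200.4.77` are reported (both tagged as VPN-sourced), the ordinary `Read-Property` access and the controller-to-controller replication are not, and `tmp-vpn-user` is listed as having connected without a second factor. Correlating the two lists on the account and the VPN client address is what turns these into a single incident rather than two separate alerts.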
Once CCleaner was suspected to be the target, Avast halted upcoming CCleaner updates on September 25 and began reviewing earlier versions for malicious modifications.
To ensure that no compromised build reached its users, the company re-signed a clean CCleaner release and pushed it out as an automatic update on October 15.
The company kept the VPN profile active in order to track the intruder, and continued to observe the access flowing through it until mitigation steps could be deployed. Law enforcement has been informed of the intrusion, and an external forensics team aided Avast’s efforts to validate the collected data.
Avast will continue to evaluate and monitor its networks for better detection and swifter response in the future.
Some information, such as the IP addresses used in the intrusion, has been shared with law enforcement and with the cybersecurity community.
David Peterson, the CCleaner General Manager, said in a blog post today that there was cause to automatically update all CCleaner installations from 5.57 to the current newest version. This was a preventive measure to guarantee that all users run a genuine release.
“We took these moves preventatively as our research is ongoing, but we wanted to cancel the risk of fraudulent software delivery to our users. After we had the observation that the attempts to infiltrate our systems started in May 2019, we swiftly moved to automatically update users. Their users were updated on builds released after this time to guarantee their safety.”