Czech security software maker Avast has suffered another malicious intrusion into their networks, but the attackers didn’t accomplish what they apparently wanted: compromise releases of the popular CCleaner utility.
The discovery of the intrusion started with a security alert that flagged a malicious replication of directory services coming from an internal IP that belonged to the company’s VPN address range.
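The alert described above, directory replication requested from an address in the VPN pool, is the kind of signal a SOC can encode as a simple rule. The Python below is an added example, not part of the original article or Avast's tooling: it flags Windows Security event 4662 replication requests that come from a non-domain-controller account or from an assumed VPN range (10.200.0.0/16); the sample records, account names and subnet are constructed.

```python
import ipaddress
import re

# Control-access-right GUIDs listed in the Properties field of a Windows
# Security event 4662 when a principal requests directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed environment: the VPN client pool and the domain controllers' computer
# accounts, which are the only principals that should pull replication data.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
DC_ACCOUNTS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def suspicious_replication(lines, vpn_pool=VPN_POOL, dc_accounts=DC_ACCOUNTS):
    """Return (account, src_ip, rights, reasons) for each replication request
    made by a non-DC principal or sourced from the VPN address range."""
    findings = []
    for line in lines:
        rec = dict(part.split("=", 1) for part in line.split())  # constructed Key=Value format
        if rec.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(rec.get("Properties", ""))
                  if g in REPLICATION_RIGHTS]
        if not rights:
            continue  # ordinary object access, not a replication request
        reasons = []
        if rec["Account"] not in dc_accounts:
            reasons.append("replication requested by non-DC principal")
        if ipaddress.ip_address(rec["SrcIP"]) in vpn_pool:
            reasons.append("replication sourced from VPN address pool")
        if reasons:
            findings.append((rec["Account"], rec["SrcIP"], rights, reasons))
    return findings


# Constructed sample records: 4662 events already joined with the logon source
# address (that join is out of scope here). Only the second record should fire.
SAMPLE_LOG = [
    "EventID=4662 Account=DC02$ SrcIP=10.1.0.12 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Account=jdoe SrcIP=10.200.3.17 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Account=jdoe SrcIP=10.200.3.17 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 Account=jdoe SrcIP=10.200.3.17",
]
```

In a real deployment the VPN range and DC account list come from asset inventory, and the 4662 records must be correlated with 4624 logon events to obtain the source address.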
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges,” Avast CISO Jaya Baloo explained.
“After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.”
They also discovered that:
- The attacker had attempted to gain access to the company's network through its VPN as far back as May 14, and repeated those attempts in the following months.
- The temporary VPN profile had been used by multiple sets of user credentials, leading them to believe that they were subject to credential theft.
Avast decided not to terminate the temporary VPN profile until they had the chance to see what else the attacker managed to compromise.
“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions,” Baloo noted.
“On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preve ..