The Czech-based security firm Avast reported its internal network had been accessed through a temporary and loosely protected VPN profile with compromised credentials .
The incident began on September 23 when the company noted suspicious behavior taking place on its network and started an investigation that included Czech national intelligence and cybersecurity assets. It was soon determined that Avast’s network had been accessed by a malicious actor, that the company refers to as Abiss, through a VPN that was mistakenly kept enabled and did not require multifactor authentication.
The initial discovery of suspicious activity pointed the investigators to an MS ATA/VPN where an internal Avast IP was discovered to be compromised, most likely through an employee whose credentials were stolen.
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider,” Avast said in a blog describing the avast network penetrated ccleaner targeted again media
