Avast Suffered a Cyber Attack
Date: 22 October 2019
In a blog post, Jaya Baloo, Avast’s Chief Information Security Officer, reported that the company had suffered a cyber-attack. On September 23 they identified suspicious behavior in their network and began an extensive investigation.
According to the post, “The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive. The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges.”
However, the attacker managed to obtain domain admin privileges through a successful privilege escalation. The connection was made from a public IP hosted outside of the UK, and the earliest attempts to gain access to the network were made as early as May 14, 2019.
They believe that the attacker's objective was a supply chain attack on CCleaner. For that reason, on September 25 they halted upcoming CCleaner releases and checked the previous versions for any malicious alterations, and on October 15 they pushed an automatic update of a re-signed CCleaner and revoked the previous certificates. At the same time, they closed the temporary VPN used by the attackers, and disabled and reset all internal user credentials.
Avast named this attempt ‘Abiss’ and said that it was “an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected.”