Avast hacked in May. Intruder left almost no trace.

Avast, the cybersecurity company with over 400 million users, today admitted its internal systems had been breached by a hacker who used an employee’s compromised VPN profile to obtain domain admin privileges.

The security firm is now tightening security around its product build and release environments.


The attack, first flagged in May 2019, was carried out via a staff member’s temporary VPN profile that had erroneously been left enabled and which did not require 2FA, Avast CISO Jaya Baloo said. She cited likely credential theft, noting “the temporary profile had been used by multiple sets of user credentials.”

The company believes the attack targeted its CCleaner product, which was also compromised in 2017 in an attack first identified by Cisco Talos. In that incident, hackers used their access to push malware through the tool, and then used that same access to specifically target at least 20 key companies, including Cisco itself, through the delivery of a second-stage loader.

Baloo said: “We [have] re-signed a clean update of the product, pushed it out to users via automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.”

Cybersecurity companies are increasingly targets of malicious actors and Avast is not the only firm to have suffered such an attack recently. In May Trend Micro also admitted unauthorized access to testing lab networks.

Avast CISO Jaya Baloo said: “From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”

She added: “We are continuing with an extensive review of monitoring and visibility across our networks and systems to improve our detection and response times. Also, we will further investigate our logs to reveal the threat actor’s movements and modus operandi together with the wider security and law enforcement community; we have already shared more detailed indications with them, including the actor’s IPs, under confidential disclosure to aid in the investigation (TLP RED).”
