Attackers gained access to the internal network of the Czech cybersecurity company Avast, most likely aiming for a supply chain attack on CCleaner, a utility that removes unused files from a user's computer. Following an investigation, Avast determined that the intruder got in using compromised credentials over a temporary VPN account. Avast's CISO, Jaya Baloo, described the intrusion as "an extremely sophisticated attempt." The company refers to it by the name 'Abiss' and says that the attacker behind it took great care to avoid detection and hide their true intentions.

The intruder connected from a public IP address in the U.K. and used a temporary VPN profile that should no longer have been active and was not protected with two-factor authentication (2FA). According to Baloo, the company had received an alert for "a malicious replication of directory services from an internal IP that belonged to our VPN address range." The alert was initially dismissed as a false positive. The compromised user's credentials did not carry domain administrator rights, which indicates that the attacker escalated their privileges after gaining access. The logs also showed that the temporary VPN profile had been used with several different sets of user credentials, leading Avast to conclude that credentials had been stolen. Suspecting that CCleaner was the real target, Avast halted upcoming CCleaner releases and checked prior releases for malicious modification. Rather than cutting the intruder off immediately, the company left the VPN profile active and monitored the access until mitigation actions could be deployed.
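The detection and scoping logic this incident turns on, as an added example written for this page rather than anything Avast published: given directory-replication requests seen by the domain controllers and the VPN concentrator's session log, flag replication from any address that is not a domain controller, map each hit back to the VPN profile, the credentials presented and the public source address, and then list profiles that were used with several credential sets, without 2FA, or after they should have expired. The VPN pool, DC addresses, profile names, user names, IPs, expiry dates and timestamps are all constructed for the example.

```python
"""Triage helpers for a VPN-borne directory-replication alert.

Added example, not Avast's tooling. Every record below is constructed and
simplified: in a real environment the replication requests would come from
a network sensor watching DRSUAPI (DsGetNCChanges) traffic or from domain
controller event 4662 carrying the DS-Replication-Get-Changes control
access rights, and the sessions from the VPN concentrator's own logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Assumed network facts: the VPN address pool and the domain controllers.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
DC_IPS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
# Assumed expiry dates: a temporary profile must be unusable after this.
PROFILE_EXPIRY = {"tmp-vpn-17": datetime(2019, 9, 30)}


@dataclass(frozen=True)
class VpnSession:
    profile: str        # VPN profile (account) used to connect
    user: str           # credentials presented on this session
    public_ip: str      # where the client connected from
    assigned_ip: str    # internal address handed to the client
    start: datetime
    end: datetime
    mfa: bool           # whether a second factor was enforced


@dataclass(frozen=True)
class ReplicationRequest:
    time: datetime
    src_ip: str         # internal address that asked a DC to replicate
    account: str        # account that made the request


# Constructed sample data (TEST-NET public addresses, invented users).
SESSIONS = [
    VpnSession("tmp-vpn-17", "j.doe", "203.0.113.45", "10.99.0.23",
               datetime(2019, 9, 28, 22, 10), datetime(2019, 9, 29, 1, 40), False),
    VpnSession("tmp-vpn-17", "svc-backup", "203.0.113.45", "10.99.0.23",
               datetime(2019, 10, 1, 23, 5), datetime(2019, 10, 2, 2, 15), False),
    VpnSession("emp-vpn", "a.smith", "198.51.100.8", "10.99.0.41",
               datetime(2019, 10, 1, 8, 0), datetime(2019, 10, 1, 17, 0), True),
]
REQUESTS = [
    ReplicationRequest(datetime(2019, 10, 1, 23, 40), "10.0.0.11", "DC02$"),
    ReplicationRequest(datetime(2019, 10, 1, 23, 52), "10.99.0.23", "svc-backup"),
    ReplicationRequest(datetime(2019, 10, 2, 0, 30), "10.0.5.7", "j.doe"),
]


def suspicious_replication(requests, dc_ips=DC_IPS):
    """Replication is expected only between domain controllers. Any other
    source is a DCSync-style credential dump until proven otherwise, so the
    filter keys on 'not a DC', not on 'inside the VPN pool'."""
    return [r for r in requests if ipaddress.ip_address(r.src_ip) not in dc_ips]


def session_for(request, sessions):
    """Map a request's internal source address back to the VPN session that
    held it at that moment; None if the request did not arrive over the VPN."""
    ip = ipaddress.ip_address(request.src_ip)
    if ip not in VPN_POOL:
        return None
    for s in sessions:
        if ipaddress.ip_address(s.assigned_ip) == ip and s.start <= request.time <= s.end:
            return s
    return None


def triage(requests=REQUESTS, sessions=SESSIONS):
    """One finding per non-DC replication request, enriched with the VPN
    profile, credentials and public source address where they are known."""
    findings = []
    for r in suspicious_replication(requests):
        s = session_for(r, sessions)
        findings.append({
            "time": r.time.isoformat(),
            "src_ip": r.src_ip,
            "account": r.account,
            "vpn_profile": s.profile if s else None,
            "vpn_user": s.user if s else None,
            "vpn_public_ip": s.public_ip if s else None,
        })
    return findings


def profiles_with_multiple_users(sessions=SESSIONS):
    """Profiles used with more than one set of credentials: evidence that
    credentials were stolen, not that a single account was misused."""
    users = defaultdict(set)
    for s in sessions:
        users[s.profile].add(s.user)
    return {p: u for p, u in users.items() if len(u) > 1}


def weak_sessions(sessions=SESSIONS, expiry=PROFILE_EXPIRY):
    """Sessions with no second factor or on a profile used past its intended
    lifetime, keyed by (profile, user) with the set of reasons."""
    weak = {}
    for s in sessions:
        reasons = set()
        if not s.mfa:
            reasons.add("no-mfa")
        if s.profile in expiry and s.start > expiry[s.profile]:
            reasons.add("used-after-expiry")
        if reasons:
            weak.setdefault((s.profile, s.user), set()).update(reasons)
    return weak


if __name__ == "__main__":
    for finding in triage():
        print(finding)
    print("shared profiles:", profiles_with_multiple_users())
    print("weak sessions:", weak_sessions())
```

Run stand-alone, the script flags the replication request from the VPN address and ties it to the `tmp-vpn-17` profile, the `svc-backup` credentials and the external address, and separately flags a request from an internal host with no VPN session at all, which is the case a filter restricted to the VPN pool would miss. The profile and public-address fields are exactly what an investigator needs in order to keep watching the intruder, as Avast chose to do, rather than block one account and lose sight of the others.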
As a precaution, Avast re-signed a clean CCleaner release and pushed it out as an automatic update; re-signing only helps if the previous signing certificate is revoked as well, which Avast also did. The release, version 5.62, is described as bringing "enhanced security and improved performance." Users of CCleaner should verify that this update has been applied and, if it has not, apply it as soon as possible. Security teams can take a lesson from this incident: monitoring the activity of an attacker who is using compromised accounts, before remediating, is what lets the defender establish the full scope of an incident, identify every account in use, and understand the attacker's intentions. Remediating too early, before enough information has been gathered, risks losing visibility of the attacker while they retain access through another account or a hidden backdoor.