Cybercriminals accessed the internal network of the Czech cybersecurity company Avast, likely aiming for a supply chain attack targeting CCleaner, a utility that removes unused files from a user's computer. Following an investigation, Avast determined that the attacker gained access using compromised credentials through a temporary VPN account. Avast's CISO, Jaya Baloo, described the attack as "an extremely sophisticated attempt." The company refers to the intrusion as 'Abiss' and says the attacker behind it exercised extreme caution to avoid detection and hide their true intentions. The intruder connected from a public IP address in the U.K. and took advantage of a temporary VPN profile that should not have been active and was not protected with two-factor authentication (2FA). Baloo also stated that the company had received an alert for "a malicious replication of directory services from an internal IP that belonged to our VPN address range." Directory replication is normally requested only by domain controllers, so a replication request sourced from a VPN client address is a strong indicator of credential abuse; the alert was nevertheless initially dismissed as a false positive. The compromised user's credentials did not carry domain administrator permissions, which such replication normally requires, indicating that the attacker escalated privileges after gaining access. Logs further show that multiple sets of user credentials were used through the temporary VPN profile, leading Avast to conclude that it had been subject to credential theft. Suspecting that CCleaner was the targeted asset, Avast halted CCleaner updates and checked prior releases for malicious modification. The company then tracked the intruder by deliberately keeping the VPN profile active and monitoring the access until mitigation actions could be deployed.
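The detection that fired during Abiss, a directory replication request coming from an address that no domain controller uses, is worth seeing in code. The following Python script is an added example written for this article; it is not Avast's detection logic or code from the incident. It correlates Windows Security event 4662 (object access carrying the Active Directory replication extended rights, the signature of a DCSync-style request) with event 4624 (logon) on the shared logon ID to recover the network source, then flags any replication request whose source is not a known domain controller and notes when it lies in the VPN client pool. The replication-right GUIDs are the real Active Directory values; the domain controller addresses, the VPN pool, the account names and the sample events are all constructed for the example.

```python
"""Flag directory replication (DCSync-style) requests from non-DC hosts.

Added example, not code from the article or from Avast. Correlates Windows
Security events 4662 and 4624 on the logon ID so that each replication
request can be tied to a network source, then reports requests that did not
originate from a domain controller. All addresses, accounts and events below
are constructed for illustration; only the rights GUIDs are real AD values.
"""
import ipaddress

# Extended rights a replication (DCSync) request needs on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed environment facts (constructed): DC addresses and the VPN client pool.
DC_ADDRESSES = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")

# Constructed sample events, flattened the way a SIEM export typically looks.
SAMPLE_EVENTS = [
    # Legitimate: DC02 replicating from its own address.
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7a1",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: a user account replicating from inside the VPN pool.
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x5b12c",
     "IpAddress": "10.99.12.34", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5b12c",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: same user reading an unrelated property (constructed GUID), not replication.
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x5b200",
     "IpAddress": "10.99.12.34", "LogonType": 3},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5b200",
     "AccessMask": "0x100",
     "Properties": "{e48d0154-bcf8-11d1-8702-00c04fb96050}"},
]


def replication_rights(event):
    """Return the names of replication rights requested by a 4662 event (empty if none)."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return []
    guids = [g.strip("{}").lower() for g in event.get("Properties", "").split()]
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def index_logons(events):
    """Map logon ID -> (account, source IP) using 4624 events."""
    logons = {}
    for ev in events:
        if ev.get("EventID") == 4624:
            logons[ev["TargetLogonId"]] = (ev["TargetUserName"], ev.get("IpAddress", "-"))
    return logons


def find_suspicious_replication(events):
    """Report replication requests whose network source is not a domain controller."""
    logons = index_logons(events)
    findings = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        account, ip_text = logons.get(ev["SubjectLogonId"], (ev["SubjectUserName"], "-"))
        try:
            src = ipaddress.ip_address(ip_text)
        except ValueError:  # no usable address in the logon event
            src = None
        if src in DC_ADDRESSES:
            continue  # expected DC-to-DC replication
        findings.append({
            "account": account,
            "source_ip": ip_text,
            "rights": rights,
            "from_vpn_pool": src is not None and src in VPN_POOL,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_replication(SAMPLE_EVENTS):
        where = "VPN pool" if f["from_vpn_pool"] else "non-DC address"
        print(f"replication request by {f['account']} from {f['source_ip']} "
              f"({where}): {', '.join(f['rights'])}")
```

Two caveats apply in practice. Event 4662 is only written when a SACL auditing control access on the domain object is in place, so the detection depends on audit configuration. And some non-DC accounts replicate legitimately, for example Azure AD Connect or backup service accounts, so the DC allowlist needs those additions; the point of the check is that a VPN client address should never appear there, which is exactly why the Abiss alert should not have been dismissed.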
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense