Hackers breached Avast's internal network because an employee did not have 2FA


The Czech cybersecurity firm Avast Software, owner of the popular antivirus vendor AVG Technologies NV, recently disclosed in a statement that it had been hacked, but that the company managed to fend off the attack.

The attackers gained access by compromising the virtual private network (VPN) credentials of an employee whose account was not protected by two-factor authentication. Once inside, they obtained domain administrator privileges and tried to plant malware on the Avast network.

The intrusion was first detected on September 23, when the attacker obtained domain administrator privileges and triggered an internal system alert, although Avast noted that the attacker had been trying to gain access since May 14 and that the activity was traced to a public IP address in the UK.

Through a successful privilege escalation, the attacker obtained domain administrator privileges. The connection was made from a public IP address hosted out of the UK, and Avast determined that the attacker also used other endpoints through the same VPN provider.

Avast reported that the attacker was specifically targeting its CCleaner tool, aiming to insert malware that would allow its operators to spy on users.

The attack was intended to compromise CCleaner in a manner similar to the 2017 incident, in which the tool was hacked in what is believed to have been a state-sponsored attack targeting tech companies.

The evidence we collected pointed to activity on MS ATA / VPN on October 1, when we re-reviewed an MS ATA alert of malicious directory services replication from an internal IP that belonged to our VPN address range, which had originally been ruled out as a false positive.
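As an added defender-side illustration (not code from Avast or from the article), this is the kind of triage check that keeps an alert like the one above from being closed as a false positive: directory replication is legitimately requested only by domain controllers, so any other source is a finding, and a source inside the VPN address pool (a remote user session, not a server) is the most serious case. The addresses, the domain controller list and the alert records below are constructed for the example.

```python
import ipaddress

# Constructed sample environment: hypothetical addressing, not Avast's.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Constructed alert records in the shape a directory-replication monitor
# (such as MS ATA) might emit; only the fields used here are modelled.
ALERTS = [
    {"time": "T09:12:03Z", "type": "ds_replication_request", "src": "10.0.0.11"},
    {"time": "T09:14:27Z", "type": "ds_replication_request", "src": "10.200.14.77"},
    {"time": "T09:15:00Z", "type": "logon", "src": "10.200.14.77"},
    {"time": "T10:02:41Z", "type": "ds_replication_request", "src": "10.50.3.9"},
]


def classify(alert):
    """Return a verdict for one alert, or None if it is not a replication request.

    'expected'   - request came from a known domain controller
    'critical'   - request came from the VPN pool: a user session asking a DC
                   to replicate directory data is never normal
    'suspicious' - request came from any other non-DC internal host
    """
    if alert["type"] != "ds_replication_request":
        return None
    src = ipaddress.ip_address(alert["src"])
    if str(src) in DOMAIN_CONTROLLERS:
        return "expected"
    if src in VPN_POOL:
        return "critical"
    return "suspicious"


def triage(alerts):
    """Return (time, source, verdict) for every replication alert that is not expected.

    Anything returned here needs an analyst decision; nothing in this list
    should be auto-closed as a false positive.
    """
    findings = []
    for alert in alerts:
        verdict = classify(alert)
        if verdict is not None and verdict != "expected":
            findings.append((alert["time"], alert["src"], verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(ALERTS):
        print("%s replication request from %s -> %s" % finding)
```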

In a surprising twist, having detected the attacker on its network, Avast let the intrusion continue for weeks while blocking all potential targets, taking the opportunity to study the attacker and try to identify the person or group behind the hack.

Software getting hacked is commonplace, but Avast's game of cat and mouse with the attacker was unusual. Avast stopped releasing CCleaner updates on September 25 to make sure none of its updates were compromised, while checking whether previous versions had been compromised as well.

In parallel with our monitoring and investigation, we planned and carried out proactive measures to protect our end users and ensure the integrity of both our product build environment and our release process.

Although we believed that CCleaner was the likely target of a supply chain attack, as was the case in the 2017 CCleaner breach, we cast a wider net in our remediation actions.

From that date until October 15, Avast took the opportunity to conduct its investigation. It then resumed shipping CCleaner updates (as of October 15), re-signed with a new security certificate, confident that its software was safe.

"It was clear that as soon as we released the newly signed version of CCleaner, we would be tipping our hand to the malicious actors, so at that point we closed the temporary VPN profile," said Jaya Baloo, Avast's Chief Information Security Officer, in a blog post. "At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny for all releases."

In addition, Baloo said, the company continued to further strengthen and secure its environments for business operations and for building Avast products. A cybersecurity company getting hacked is never a good look, but Avast's transparency was seen as a positive.

Finally, if you want to know more about Avast's statement on the incident, you can read it at the following link.

