Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Avast Blog_News: Avast fights off cyber-espionage attempt, Abiss
[Image: TVDumYE.png]

Avast deploys hardened self-defense and wider intelligence industry collaboration

Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target.

On September 23, we identified suspicious behavior on our network and instigated an immediate, extensive investigation. This included collaborating with the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team to provide additional tooling to assist our efforts and verify the evidence that we were collecting.

The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive. The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.

When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.

After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.

On Oct 4, we observed this activity again. Timestamps for the suspicious activity flagged by MS ATA are (all times GMT+2):

2:00 AM May 14, 2019

4:36 AM May 15, 2019

11:06 PM May 15, 2019

3:35 PM Jul 24, 2019

3:45 PM Jul 24, 2019

3:20 PM Sep 11, 2019

11:57 AM Oct 4, 2019

The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft.

In order to track the actor, we left open the temporary VPN profile, continuing to monitor and investigate all access going through the profile until we were ready to conduct remediation actions.

In parallel with our monitoring and investigation, we planned and carried out proactive measures to protect our end users and ensure the integrity of both our product build environment as well as our release process.

Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.

On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected.
Continue Reading

Forum Jump:

Users browsing this thread: 1 Guest(s)
You have to register before you can post on our site.



Recent Posts
Zoom won't encrypt free calls so it can ...
Communications com...Toligo — 21:11
California blocks bill that could’ve led...
As images of polic...Toligo — 21:09
Pentagon intelligence employees raise co...
WASHINGTON — The g...Toligo — 21:07
[Giveaway] SoftOrbits Easy Photo Unblur...
Easy Photo Unblur v ...ismail — 17:57
TwistedBrush Pro Studio 22.03
TwistedBrush Pro Stu...ismail — 17:56

Today's Birthdays
avatar (42)BrantgoG
Upcoming Birthdays
avatar (43)rapedDow
avatar (38)Johnsonsyday
avatar (43)Groktus
avatar (35)efodo
avatar (33)Tedscolo
avatar (40)brakasig
avatar (39)JamesReshy
avatar (41)Francisemefe
avatar (34)leoniDup
avatar (33)Patrizaancem
avatar (45)smudloquask
avatar (40)benchJem
avatar (33)biobdam
avatar (36)zacforat
avatar (41)NemrokReks
avatar (32)Barrackleve
avatar (34)Julioagopy
avatar (42)vadimTob
avatar (32)leannauu4
avatar (34)storoBox
avatar (42)kinotHeemn
avatar (34)efynu

Online Staff
There are no staff members currently online.