Connect with us

Hi, what are you looking for?



Avast Discloses New Supply-Chain Attack Attempt

An unknown threat actor managed to access Avast’s network in yet another supply chain compromise attempt, the security company announced on Monday.

An unknown threat actor managed to access Avast’s network in yet another supply chain compromise attempt, the security company announced on Monday.

Detected at the end of September, the intrusion involved the use of a temporary VPN profile that had been kept alive although it did not have two-factor authentication enabled. The attackers had been using the profile for unauthorized access to Avast’s network since May 14, 2019.

Avast says it first detected the suspicious behavior on its network on September 23, and that it engaged with the authorities and an external forensics team to investigate. The security firm kept the temporary VPN profile alive to be able to track the threat actor, and observed it accessing the network again on October 4.

The attackers, which Avast refers to as “Abiss,” managed to successfully access the security firm’s internal network seven times since May 14.

“The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft,” Avast says.

According to Avast, the likely target of this attack was CCleaner, as was the case in 2017, when millions downloaded a compromised update file that eventually installed a backdoor on 40 machines out there, suggesting a highly targeted attack.

The hypothesis was further confirmed when a third-stage payload was identified, supposedly meant to be deployed on only a few of the 40 backdoored systems. Chinese hacking group Axiom (also known as APT17 or DeputyDog) is believed to have carried out the attack.

Advertisement. Scroll to continue reading.

To prevent an infection similar to the 2017 one, Avast halted upcoming CCleaner releases on September 25 and started checking prior CCleaner releases for malicious alterations. The company also re-signed a clean update and delivered it to users through the automatic update system on October 15, and then revoked the previous certificate.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast notes.

The company also closed the temporary VPN profile when releasing the clean update, and then disabled and reset internal user credentials. Avast says it has also implemented additional scrutiny to all releases and that it plans on resetting all employee credentials, in addition to taking further steps to improve overall business security at Avast.

“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’,” the security firm notes.

Related: Supply-Chain Attack Used to Install Backdoors on ASUS Computers

Related: Supply Chain Attacks Nearly Doubled in 2018: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.