An unknown threat actor managed to access Avast’s network in yet another supply chain compromise attempt, the security company announced on Monday.
Detected at the end of September, the intrusion involved the use of a temporary VPN profile that had been kept alive although it did not have two-factor authentication enabled. The attackers had been using the profile for unauthorized access to Avast’s network since May 14, 2019.
Avast says it first detected the suspicious behavior on its network on September 23, and that it engaged with the authorities and an external forensics team to investigate. The security firm kept the temporary VPN profile alive to be able to track the threat actor, and observed it accessing the network again on October 4.
The attackers, which Avast refers to as “Abiss,” managed to successfully access the security firm’s internal network seven times since May 14.
“The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft,” Avast says.
According to Avast, the likely target of this attack was CCleaner, as was the case in 2017, when millions downloaded a compromised update file that eventually installed a backdoor on 40 machines out there, suggesting a highly targeted attack.
The hypothesis was further confirmed when a third-stage payload was identified, supposedly meant to be deployed on only a few of the 40 backdoored systems. Chinese hacking group Axiom (also known as APT17 or DeputyDog) is believed to have carried out the attack.
To prevent an infection similar to the 2017 one, Avast halted upcoming CCleaner releases on September 25 and started checking prior CCleaner releases for malicious alterations. The company also re-signed a clean update and delivered it to users through the automatic update system on October 15, and then revoked the previous certificate.
“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast notes.
The company also closed the temporary VPN profile when releasing the clean update, and then disabled and reset internal user credentials. Avast says it has also implemented additional scrutiny to all releases and that it plans on resetting all employee credentials, in addition to taking further steps to improve overall business security at Avast.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’,” the security firm notes.
Related: Supply-Chain Attack Used to Install Backdoors on ASUS Computers
Related: Supply Chain Attacks Nearly Doubled in 2018: Symantec