author photo
By Bruce Sussman
Tue | Oct 22, 2019 | 9:25 AM PDT

The Chief Information Security Officer at cybersecurity vendor Avast just revealed a fascinating tale of a cyberattack on the company that at first was dismissed as a false positive.

You may remember that the maker of CCleaner was the victim of a targeted supply chain attack a couple of years ago where an attacker inserted malicious code into a CCleaner release. Read about that case here.  

In this case, the company temporarily halted CCleaner production in response to the attack, as you will see.

Cyberattack on a cybersecurity company: how it started

Now, let's get to the fascinating details of this network breach as told by Avast CISO Jaya Baloo. We'll let her tell most of the story, in her own words.

In late September 2019, the company knew something was up and the security team started investigating. Says Baloo:

"The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive."

Cybersecurity vendor attack: privilege escalation 

Instead of a false positive, it turned out to be an attacker who had compromised a vendor employee's credentials and then worked their way in and up through the Avast network.

"The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider."

This hacker worked on the cyber scheme for several months, first trying to gain access in May 2019. All known access attempts to the company network were through its VPN.

Which is where Avast discovered the kind of tiny misstep in security that a sophisticated attacker will exploit.

"After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA."

It was that one... single... profile.

This reminds us of something CISOs have told us for years at our SecureWorld cybersecurity conferences: security teams have to be right all the time; attackers only have to be right once. Case in point.

Cyberattack in progress: leaving the door open for the hacker

And here's an interesting twist. After discovering what was going on, the company decided to leave the vulnerability open:

"In order to track the actor, we left open the temporary VPN profile, continuing to monitor and investigate all access going through the profile until we were ready to conduct remediation actions."

Cybersecurity company investigates integrity of core product

At this point, you might call Avast once bitten and twice shy. Because it remembered the sting of its 2017 CCleaner attack and had reason to believe that CCleaner could be the target again in this case.

Baloo explains what the organization did as a result.

"On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected."

However, Baloo notes, pushing out that new CCleaner release and revoking the old version's certificate would have a direct impact on the ongoing investigation into the cyberattack against the company:

"It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials."

And just like that, the hacker was cut off from its target. 

Criminal investigation into the cyberattack continues

Baloo says the company has revealed greater details of the attack to law enforcement and that extensive log analysis is underway internally.

And there is one more thing. She is convinced the attacker was proceeding slowly, over months, on purpose:

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure...."

But thankfully, in this case, we do know that CCleaner stayed clean.

[RESOURCE: The SecureWorld Sessions podcast. Listen to the episode featuring Bruce Schneier: The Market = (In)security]