Czech antivirus service provider Avast has confirmed that hackers used stolen VPN credentials and exploited the lack of two-factor authentication to successfully access its internal network on seven occasions between May 14 and September 23 this year.
The covert use of stolen VPN credentials to access its internal network was discovered by Avast on September 23 this year when the company re-reviewed an internal alert concerning "a malicious replication of directory services from an internal IP".
As the replication of directory services was being carried out from an internal IP that belonged to Avast's own VPN address range, the alert was dismissed as a false positive on earlier occasions.
Hacker used stolen VPN credentials to successfully infiltrate Avast's internal network
However, on this occasion, the firm observed that the VPN account in question enjoyed domain admin privileges even though the user whose credentials were being used did not have domain admin privileges. The firm found that the hacker, who stole the credentials, carried out a successful privilege escalation while using a public IP hosted out of the UK.
"When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year. After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.
"The logs further showed that the temporary profile had been used by multiple sets of user credentials, leading us to believe that they were subject to credential theft," Avast said, adding that it feared that the objective of the operation was to carry out a supply chain attack on CCleaner.
Avast's MS ATA (Microsoft Advanced Threat Analytics) flagged the suspicious activity once on May 14, twice on May 15, twice on July 24, once on September 11, and once on October 4 this year, but the company started investigating the activity only on September 23.
Avast fended off another possible supply chain attack on CCleaner
In September 2017, security researchers at Cisco Talos observed that a download server used by Avast to offer CCleaner version 5.33 to customers contained a multi-stage malware payload that could help hackers spy on millions of PC users who used CCleaner.
According to Piriform, the maker of CCleaner and a subsidiary of Avast, the affected version of CCleaner was used by up to 3% of its users and that the malware only affected customers with the 32-bit version of the software. The total number of such users could have been up to 4 million worldwide.
To protect CCleaner from being infected by hackers again, Avast said that it closed down the temporary VPN profile that was being used to infiltrate its internal network and on September 25, inspected existing versions of CCleaner to verify that no malicious alterations had been made, revoked existing certificates, and re-signed a clean update of the software which was pushed out to customers via an automatic update on October 15.
The company also reset off internal user credentials in order to ensure that hackers could no longer exploit existing credentials to setup new VPN profiles with domain admin privileges.
"It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected.
"We are continuing with an extensive review of monitoring and visibility across our networks and systems to improve our detection and response times. Also, we will further investigate our logs to reveal the threat actor’s movements and modus operandi together with the wider security and law enforcement community," Avast added.