CCleaner had been targeted in a supply chain attack in 2017, which led to Piriform unknowingly distributing malware with the installer for the better part of a month. Attackers had breached the development environment and made malicious modifications before distribution.
Avast has confirmed that it has prevented a similar incident from occurring. It has detailed "Abiss" in a blog post; a suspected supply chain attack on the CCleaner product. The most important detail is that the attempt was unsuccessful and no users of the product were exposed to malware as a result.
The clues that something was amiss started with what was at first taken for a false positive: a Microsoft ATA alert for malicious replication of directory services from an internal IP that belonged to Avast's VPN address range. Further analysis found the attacker had been attempting to gain access to the network through the VPN as early as May 14, 2019.
The user whose credentials were apparently compromised and associated with the IP did not have domain admin privileges. However, the attacker managed to gain domain admin privileges through a successful privilege escalation.
Avast determined that its internal network was accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled. It didn't require two-factor authentication. According to the logs, the temporary profile had been used by multiple sets of user credentials. Avast believes that they were all subject to credential theft.
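The two weaknesses described above, a temporary VPN profile left enabled without two-factor authentication and one profile used by several sets of credentials, are the kind of thing a defender can hunt for in VPN authentication logs. The following is an added example, not Avast's code or data; the log format, field names, profile names and expiry dates are all constructed for illustration.

```python
"""Audit a VPN authentication log for temporary profiles that are still
accepting logins past their intended expiry, logins that succeeded without
MFA, and profiles through which several different accounts authenticate.
Log format and field names are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log (not Avast's real logs).
SAMPLE_LOG = """\
2019-05-14T02:11:09Z profile=temp-contractor-03 user=j.doe mfa=no src=10.20.30.41 result=success
2019-05-14T03:40:55Z profile=corp-staff user=a.smith mfa=yes src=10.20.30.42 result=success
2019-06-02T22:05:13Z profile=temp-contractor-03 user=p.novak mfa=no src=10.20.30.41 result=success
2019-09-23T01:17:48Z profile=temp-contractor-03 user=m.lee mfa=no src=10.20.30.41 result=success
2019-09-23T09:00:00Z profile=corp-staff user=a.smith mfa=yes src=10.20.30.42 result=failure
"""

# Constructed: the date each temporary profile was supposed to be disabled.
PROFILE_EXPIRY = {"temp-contractor-03": datetime(2019, 4, 30)}


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit_vpn_log(log_text, expiry):
    """Return {profile: [reasons]} for profiles that need attention."""
    per_profile = defaultdict(lambda: {"users": set(), "no_mfa": 0, "past_expiry": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success":
            continue  # only successful sessions matter for this audit
        stats = per_profile[rec["profile"]]
        stats["users"].add(rec["user"])
        if rec["mfa"] != "yes":
            stats["no_mfa"] += 1
        if rec["profile"] in expiry and rec["ts"] > expiry[rec["profile"]]:
            stats["past_expiry"] += 1
    findings = {}
    for profile, s in per_profile.items():
        reasons = []
        if s["past_expiry"]:
            reasons.append(f"{s['past_expiry']} logins after expiry")
        if s["no_mfa"]:
            reasons.append(f"{s['no_mfa']} logins without MFA")
        if len(s["users"]) > 1:
            reasons.append(f"shared by {len(s['users'])} accounts")
        if reasons:
            findings[profile] = reasons
    return findings
```

On the constructed log, the temporary profile is flagged on all three counts while the MFA-protected staff profile is not.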
Instead of shutting down the temporary VPN profile, Avast left it open so it could monitor the actor's activities. It was working with Security Information Services (BIS), which is the Czech intelligence service, and also an external forensics team. While it kept an eye on the malicious activity, it halted upcoming CCleaner releases on September 25 and verified no malicious alterations were made to previous updates.
To be safe, it re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and then revoked the previous certificate. It then closed the temporary VPN profile as the newly signed build of CCleaner would alert the attacker.
"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected," Jaya Baloo writes on the Avast blog.
"We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt 'Abiss'."
Read the full post at blog.avast.com
Written by: James Delahunty @ 23 Oct 2019 0:27