Yesterday we reported that NordVPN confirmed that hackers gained access to its server by exploiting an insecure remote management system. Then, in a statement published later that day, cybersecurity software maker Avast also disclosed a breach.
Though these incidents may seem unrelated, according to Krebs on Security, they share a common cause:
“Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.”
In a blog post, Avast said the breach occurred because the attacker compromised an employee’s VPN credentials.
“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges.”
Even worse, although the intrusion was discovered on September 23, Avast found evidence that “the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.”
In the same post, Jaya Baloo, Avast’ CISO writes that the company intentionally left the compromised VPN active to track and observe the attacker. In doing so, it learned that the attacker appeared to target users of its CCleaner application.
As a result, the company pushed back the release date for updates to the CCleaner software and “began checking prior CCleaner releases and verified that no malicious alterations had been made.”
Additionally, Avast took extra precautionary measures by changing the digital certificate it was using to sign CCleaner updates.
Jaya Baloo explained how it used a new release of CCleaner to prevent the attacker from accessing Avast’s internal network, saying:
“It was clear that as soon as we released the newly signed build of CCleaner, we would be tipping our hand to the malicious actors, so at that moment, we closed the temporary VPN profile. At the same time, we disabled and reset all internal user credentials. Simultaneously, effective immediately, we have implemented additional scrutiny to all releases.”
While Avast did point out that the attack was “extremely sophisticated,” the company assured users that it’s taking steps to strengthen its security.