Internet related News · 2019-10-22

Cybersecurity company Avast’s network breached – News


Hackers entered the internal network of Czech cybersecurity company Avast and tried to attack CCleaner. The attempt was detected on September 25, but the attempts to infiltrate the network had begun on May 14, Avast explained.

Following an investigation, the antivirus maker determined that the attacker was able to gain access using compromised credentials via a temporary VPN account.

Here’s Avast’s version:

On September 23, we identified suspicious behavior on our network and instigated an immediate, extensive investigation. This included collaborating with the Czech intelligence agency, Security Information Service (BIS), and an external forensics team to provide additional tooling to assist our efforts and verify the evidence that we were collecting.

The evidence we gathered pointed to activity on MS ATA/VPN on October 1, when we re-reviewed an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to our VPN address range, which had originally been dismissed as a false positive. The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.

When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.

After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA.

On Oct 4, we observed this activity again. Timestamps for the suspicious activity flagged by MS ATA are…..



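The alert in Avast's account, a directory replication request coming from an address in the VPN range, can also be surfaced from domain controller logs. The following check is an added example, not Avast's or MS ATA's code: it correlates Windows Security events 4662 and 4624, assumes directory service access auditing is enabled, and uses constructed addresses, account names and reduced event records.

```python
import ipaddress

# Control-access right GUIDs that appear in the Properties field of
# Security event 4662 when directory replication is requested.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed environment data (assumptions, not Avast's real addressing).
DOMAIN_CONTROLLERS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")

# Constructed sample events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"id": 4624, "TargetLogonId": "0x1a2b", "TargetUserName": "DC02$", "IpAddress": "10.0.0.11"},
    {"id": 4624, "TargetLogonId": "0x9f01", "TargetUserName": "jdoe", "IpAddress": "10.8.3.7"},
    {"id": 4662, "SubjectLogonId": "0x1a2b", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "SubjectLogonId": "0x9f01", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"id": 4662, "SubjectLogonId": "0x9f01", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def find_suspect_replication(events, dcs=DOMAIN_CONTROLLERS, vpn=VPN_POOL):
    """Return replication requests whose logon did not originate from a DC."""
    logons = {}    # logon ID -> (account, source IP or None), built from 4624
    findings = []
    for ev in events:
        if ev["id"] == 4624:
            ip = ev["IpAddress"]
            src = None if ip in ("", "-") else ip  # "-" means no network address
            logons[ev["TargetLogonId"]] = (ev["TargetUserName"], src)
        elif ev["id"] == 4662:
            props = ev["Properties"].lower()
            if not any(guid in props for guid in REPLICATION_GUIDS):
                continue  # object access unrelated to replication
            user, src = logons.get(ev["SubjectLogonId"], ("unknown", None))
            if src is not None and ipaddress.ip_address(src) in dcs:
                continue  # expected DC-to-DC replication
            from_vpn = src is not None and ipaddress.ip_address(src) in vpn
            # A VPN-range source is escalated rather than left to be dismissed.
            findings.append({"user": user, "src": src,
                             "severity": "critical" if from_vpn else "high"})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_replication(SAMPLE_EVENTS):
        print(finding)
```

Replication requests whose logon session cannot be matched to a 4624 event are still reported, at the lower severity, so a gap in logon data does not hide them.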