Hackers gained access to Avast's internal network because an employee lacked 2FA



The Czech cybersecurity firm Avast Software, owner of the prominent antivirus provider AVG Technologies NV, recently acknowledged in a statement that it had been hacked, but said the attack had been mitigated.

Those behind the attack got in by compromising the virtual private network (VPN) credentials of an employee whose account was not protected by two-factor authentication. Once inside, the attacker obtained domain administrator credentials and attempted to introduce malware into the Avast network.

On September 23 the hacker obtained domain administrator rights, which triggered an internal system alert. Avast reported that the hacker had been attempting to gain access since May 14, and that the activity was traced to a public IP address in the United Kingdom.

The compromised account did not itself hold domain administrator rights; however, the hacker obtained domain administrator access after a successful privilege escalation. The connection was made from a public IP address located outside the United Kingdom, and Avast found that the attacker had also used additional endpoints through the same VPN provider.


According to Avast, the hacker was specifically targeting the "CCleaner" utility, aiming to plant malware that would allow those behind it to spy on users.

This attack was designed to compromise CCleaner in the same way it was previously hacked in 2017, in what is thought to have been a state-sponsored operation targeting tech businesses.

The data we gathered indicated activity on MS ATA and VPN on October 1, when we re-reviewed an MS ATA alert of fraudulent directory service replication from an internal IP address range that belonged to our VPN address range, which had previously been ruled out as a false positive.
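As an added illustration (not Avast's tooling or data), the check below shows why an ATA alert of directory service replication from the VPN address range should not be dismissed as a false positive: replication legitimately originates from domain controllers, never from a VPN client address. The address ranges, alert records and account names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not Avast's real ranges).
VPN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]   # VPN client pool
DC_RANGES = [ipaddress.ip_network("10.1.5.0/24")]     # domain controller subnet


@dataclass
class ReplicationAlert:
    """One 'directory service replication request' alert, as a SIEM might export it."""
    timestamp: str
    source_ip: str
    account: str


# Constructed alerts modelled on the ATA replication alert mentioned in the text.
SAMPLE_ALERTS = [
    ReplicationAlert("2019-10-01T08:12:04Z", "10.1.5.11", "DC02$"),
    ReplicationAlert("2019-10-01T09:47:31Z", "10.20.3.77", "jdoe"),
    ReplicationAlert("2019-10-01T11:02:09Z", "10.20.8.5", "svc-backup"),
    ReplicationAlert("2019-10-01T12:30:55Z", "10.1.5.12", "jdoe"),
]


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(alert: ReplicationAlert) -> str:
    """Return 'expected', 'vpn-replication' or 'unknown-source' for one alert."""
    # DC machine accounts (name ends with '$') replicating from the DC subnet are normal.
    if in_any(alert.source_ip, DC_RANGES) and alert.account.endswith("$"):
        return "expected"
    # Replication should never be initiated from a VPN client address: escalate.
    if in_any(alert.source_ip, VPN_RANGES):
        return "vpn-replication"
    # Anything else (e.g. a user account on the DC subnet) still needs a human look.
    return "unknown-source"


def triage(alerts) -> list:
    """Map each alert to (source_ip, verdict) so the VPN-origin cases stand out."""
    return [(a.source_ip, classify(a)) for a in alerts]
```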


In an unexpected twist, after detecting the hacker on its network, Avast allowed the intrusion to continue for weeks while blocking all potential targets and observing the hacker in an attempt to identify the individual or organization behind the attack.

Compromised software is common, but Avast's cat-and-mouse game with the hacker was exceptional. On September 25 Avast halted CCleaner updates to ensure that none of its updates were compromised, and checked whether prior versions had also been tampered with.

In parallel with our monitoring and investigation, we planned and implemented proactive actions to protect our end users and preserve the integrity of both our product development environment and our release process.

Although we believed that CCleaner would be the likely target of a supply chain attack, as was the case in the 2017 CCleaner breach, we cast a wider net in our remedial measures.

From that date until October 15th, Avast continued its investigation. It then resumed delivering CCleaner updates, signed with a new certificate (as of October 15), confident that the software was safe.

"It was clear that as soon as we released the new signed version of CCleaner, we would be targeting malicious actors, so at that point we closed the temporary VPN profile," said Jaya Baloo, Avast's Chief Information Security Officer, in a blog post. "We also disabled and reset all internal user credentials at the same time. Simultaneously, and with immediate effect, we have added further scrutiny to all releases."

Baloo added that the company continued to harden and defend its environment for both business operations and the development of Avast products. Being hacked is not a good look for a cybersecurity company, but Avast's transparency has been received favorably.


Avast defends itself against a hacker who entered its internal network in a CCleaner-style attack.

In August 2017, hackers tampered with the installer for the popular cleaning application CCleaner, which was downloaded by 2.27 million clients worldwide.

Now, the Czech anti-virus company Avast, which distributes CCleaner, has reported that hackers appear to have attempted the same type of supply chain attack once more.

Avast reveals that on September 23rd it learned a hacker had gained access to its internal network after stealing an employee's VPN credentials and escalating their privileges to domain administrator.

Following a thorough investigation, Avast discovered that the hacker had been attempting to obtain access to its network since May 14th, 2019.


Avast responded by discontinuing CCleaner updates and investigating previous releases to determine if they had been tampered with. Fortunately, there was no evidence that any of the CCleaner updates had been maliciously modified.

Avast kept a remarkably cool head and opted to observe and track what the hacker was doing, leaving the compromised VPN profile open until it was ready to begin remediation.


On October 15th, Avast digitally re-signed a clean CCleaner update and distributed it to users. The previous signing certificate was revoked in case it had fallen into the wrong hands.

"Having taken all of these precautions, we are confident to say that our CCleaner users are protected and unaffected," wrote Jaya Baloo, Avast's CISO, which will undoubtedly provide reassurance to the company's millions of users.

"It was clear that releasing the newly signed build of CCleaner would give the malicious actors an advantage, so we closed the temporary VPN profile at that point. We also disabled and reset all internal user credentials at the same time. Simultaneously, and effective immediately, we have added additional scrutiny to all releases," Baloo stated.


According to Avast, the attack was "extremely sophisticated," and the company does not know if the hackers were the same as those behind the 2017 attack, and "it is likely we will never know for sure."
