On September 23, 2018, Avast specialists noticed suspicious activity on the corporate network and immediately began an investigation. The company's employees worked together with the Czech intelligence agency, the Information Security Service (BIS), the cyber security division of the Czech police and an external group of cybercrime experts.
Analyzing external IP addresses, the experts found that an unknown attacker had been trying to gain access to the network via VPN as early as May 14 of this year.
It turned out that access to the internal network was obtained using compromised credentials through a temporary VPN profile that had mistakenly been left enabled and did not require two-factor authentication.
Although the user whose credentials were compromised did not have domain administrator privileges, the attacker eventually obtained domain administrator rights through successful privilege escalation. This is what drew the experts' attention. Avast then intentionally left the compromised VPN profile active in order to track the attacker and monitor their further actions.
On October 4, 2019, the experts again noticed the same activity. Timestamps of the suspicious activity flagged by MS ATA (Microsoft Advanced Threat Analytics), in the GMT+2 time zone:
- 2:00 – May 14, 2019;
- 4:36 – May 15, 2019;
- 23:06 – May 15, 2019;
- 3:35 – July 24, 2019;
- 3:45 – July 24, 2019;
- 15:20 – September 11, 2019;
- 11:57 – October 4, 2019.
The company's experts believe that the likely target of the attack was CCleaner, as in 2017.
On September 25 of this year, Avast employees halted CCleaner releases and began checking previous versions of the utility. They confirmed that no malicious changes had been made to the code.
As additional precautions, the experts first built a CCleaner update and pushed it to users via automatic updates on October 15, 2019, and second, revoked the certificate previously used to sign CCleaner updates. After these measures, Avast states with confidence that CCleaner users are protected and were not affected by the cybercriminals. Finally, the compromised employee credentials were reset.
From the information gathered by the experts, it is clear that this was an extremely sophisticated hacking attempt. The hackers did everything possible to leave no traces and no information about themselves or their goals. It is still impossible to determine whether these were the same people as before (I recall that the government hacking group Axiom is responsible for the previous attack).
Avast experts continue to closely monitor networks and systems to minimize the time needed to detect a threat and respond to it. In addition, the researchers, together with third-party experts, plan to study the logs further to identify when and how the hackers revealed themselves. The attackers' IP addresses are already known. The investigation is ongoing.