Antivirus vendor Avast said it was able to stop another attempted CCleaner attack, but experts said these types of supply chain attacks should be a concern for enterprises.
According to Jaya Baloo, CISO at Avast, a malicious actor used stolen VPN credentials to access the company's internal network with the apparent aim of manipulating CCleaner software before it was released.
Baloo wrote in a blog post that the company first noticed suspicious behavior on its network on Sept. 23 and began an investigation in collaboration with "the Czech intelligence agency, Security Information Service, and an external forensics team."
The investigation uncovered an attempted CCleaner attack that had been ongoing for several months. Baloo claimed in the blog post that "we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year." However, an Avast spokesperson confirmed that company logs showed actual "access with an unprivileged account" going back to that date, not merely attempts.
"We still don't have a full incident analysis at this time, so we may learn more as we continue to do our forensic analysis," the spokesperson told SearchSecurity. "We have found no indications that any of our users or data have been affected. We identified an attempt to access our infrastructure, but found no indication of any attack on our users. Having taken a number of precautions, we are confident to say that our users are protected and unaffected."
According to Baloo's blog post, the malicious actor accessed the internal Avast network seven times between May 14 and Oct. 4. As part of the investigation, the company did not immediately shut down the VPN profile used for the intrusion, instead tracking the malicious actor, which is how it discovered the attempted CCleaner attack.
"On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made," Baloo wrote. "As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate."
Baloo said Avast took extra precautions because of a successful CCleaner attack in 2017, in which a supply chain attack led to CCleaner being compromised by malware that spied on victims. She also said it's unclear whether the same threat actors were behind both attacks.
Vendor supply chain attacks
With the second CCleaner attack in two years, experts said supply chain attacks against vendors should be a concern for enterprises.
"Enterprises are right to be worried about compromises of their vendors, particularly if those vendors have a partnership or other close relationship, as shared credentials, VPN gateways and other points of access are always high priority targets for threat actors," said Morgan Bjerke, principal at Booz Allen Hamilton.
Yelisey Boguslavskiy, director of research at Advanced Intelligence LLC, said the CCleaner attack -- in which the attacker used privilege escalation to obtain administrator access -- "illustrates the value of lateral movement hackers."
"Previously, hackers who could operate in such a secure environment as Avast networks preferred to work alone. However, recently we observe more and more talented network movement experts joining larger organized cybercrime syndicates," Boguslavskiy told SearchSecurity. "As a result, supply chain attacks will definitely increase in their scale and gravity. To make matters worse, the top lateral movement expert hackers tend to have a very well developed clientele, which includes ransomware collectives."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, added that supply chain attacks are especially dangerous because "once an attacker is able to hijack trusted software they can use this platform to execute many new attacks."
"The risk is that nearly every enterprise is in the software business. Even if they don't publish software for their customers, chances are good that they are producing software tools for internal users and external partners and other stakeholders," Bocek told SearchSecurity. "In addition, most organizations are blind to these types of attacks: They completely trust their software and code signing certificates."
Boguslavskiy agreed that "AV companies are one of the most valuable hubs of security technology" and should remain a target for high-profile groups or individuals.
"The nature of risks will be the same as with other cyberattacks -- data loss, business interruptions, and of course, ransomware threat," Boguslavskiy said. "The supply chain attacks, however, are a great enabler for criminals, as they open opportunities for new offensive models."
Bjerke said the risks of supply chain attacks are far-reaching.
"These risks range from direct compromise, in which the attackers gain access to a company's networks, to the theft of login credentials used to access a company's networks remotely, and even to the misuse of legitimate systems to send malicious documents to targets further up the supply chain," Bjerke said. "The attackers are then able to do as they please, usually for the purposes of cyberespionage, to destructive attacks. Other types of risks include system or process disruption, ransom for payment, production system downtime, introduction of a backdoor granting shop floor access, loss of sensitive or customer information, product tampering and more."