It looks like VPN as a service is not having a good day. NordVPN is already under fire over leaked private keys and data decrypted on one of its servers, and now the Avast Antivirus network has been confirmed to be breached through an insecure VPN profile. Avast has confirmed that the intrusion was detected on September 25, 2019, and that the hackers gained access using a compromised VPN account.
Avast Antivirus Network breached
According to Jaya Baloo, Avast Chief Information Security Officer, this hack wasn't easy. The hackers started working on it in May, and they used an extremely sophisticated approach. They also made sure to cover their tracks, but logs were found for May, July, September, and October.
The primary reason the hackers were able to get in through the VPN was that 2FA was not enforced for that VPN account. Connecting from a public IP address, they performed a malicious replication of directory services from an internal IP that belonged to the VPN address range. The only good thing about the hack was that they did not have enough permissions to act as a domain administrator.
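The two conditions described above, a VPN account that authenticated without a second factor and a directory-replication request coming from an address in the VPN client pool rather than from a domain controller, are both things a defender can check for in logs. The following is an added illustration, not code from the article or from Avast; the VPN pool, the domain-controller addresses and the log records are all constructed sample values, and the record layout is a hypothetical simplification of what a VPN concentrator and a directory server would actually emit.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network layout (constructed for this example, not from the article):
# addresses handed to VPN clients, and the only hosts that may legitimately
# request directory replication.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
DOMAIN_CONTROLLERS = {
    ipaddress.ip_address("10.0.0.10"),
    ipaddress.ip_address("10.0.0.11"),
}


@dataclass(frozen=True)
class VpnSession:
    user: str          # account that authenticated to the VPN
    public_src: str    # client's public IP
    assigned_ip: str   # internal IP handed out from VPN_POOL
    mfa: bool          # whether a second factor was presented


@dataclass(frozen=True)
class ReplicationEvent:
    account: str       # account that requested directory replication
    src_ip: str        # internal IP the request came from


# Constructed sample records standing in for VPN and directory-service logs.
SESSIONS = [
    VpnSession("alice", "203.0.113.5", "10.200.4.12", True),
    VpnSession("svc_backup", "198.51.100.7", "10.200.4.17", False),  # no 2FA
    VpnSession("bob", "203.0.113.9", "10.200.4.20", True),
]

REPL_EVENTS = [
    ReplicationEvent("DC01$", "10.0.0.11"),         # ordinary DC-to-DC replication
    ReplicationEvent("svc_backup", "10.200.4.17"),  # replication from a VPN client
]


def sessions_without_mfa(sessions):
    """Return users whose VPN session was established without a second factor."""
    return [s.user for s in sessions if not s.mfa]


def replication_from_non_dc(events, pool=VPN_POOL, dcs=DOMAIN_CONTROLLERS):
    """Return (account, src_ip, origin) for replication requests not made by a DC.

    origin is "vpn-pool" when the source sits in the VPN client range, which is
    the pattern described in the article, and "other" for any other non-DC host.
    """
    findings = []
    for e in events:
        ip = ipaddress.ip_address(e.src_ip)
        if ip in dcs:
            continue  # expected replication partner
        origin = "vpn-pool" if ip in pool else "other"
        findings.append((e.account, e.src_ip, origin))
    return findings


def correlate(sessions, events):
    """Join suspicious replication requests to the VPN session holding that IP.

    A replication request from a VPN address whose session lacked 2FA is the
    highest-priority alert: it matches both weaknesses the article describes.
    """
    by_ip = {s.assigned_ip: s for s in sessions}
    alerts = []
    for account, ip, origin in replication_from_non_dc(events):
        session = by_ip.get(ip)
        severity = "critical" if session is not None and not session.mfa else "high"
        alerts.append({
            "account": account,
            "src_ip": ip,
            "origin": origin,
            "vpn_user": session.user if session else None,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    print("VPN logins without 2FA:", sessions_without_mfa(SESSIONS))
    for alert in correlate(SESSIONS, REPL_EVENTS):
        print("ALERT", alert)
```

Run on the constructed data, the script reports one login without 2FA (`svc_backup`) and one critical alert: a replication request from 10.200.4.17, an address inside the VPN pool that was assigned to that same no-2FA session. In a real deployment the session and replication records would be pulled from the VPN concentrator and the directory server's audit log, and the pool and controller lists from inventory.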
The real plan was to put a malicious payload on CCleaner
Avast suspects that the real intention was to put a malicious payload into CCleaner, which was about to ship an update. However, the update was proactively halted so it could be checked for any malicious modification. Avast has also re-signed a clean update of the product and pushed it out to users via automatic update on October 15, and the previous certificate was revoked.
Microsoft has recently blacklisted CCleaner links because the utility interferes with Microsoft security policy, which might have prompted its removal. This is one of the primary reasons Microsoft has rolled out Tamper Protection.
Coming back to the VPN, the profile has been closed and all internal user credentials have been reset. Avast will continue to monitor and investigate to find out whether anything was missed.
It is not easy for any company to manage security, and incidents like this are a reminder that security needs to be continually updated and validated.