Avast has become the victim of a cyberespionage campaign that saw hackers gain deep access to its network. But the Czech company, which has more than 400 million customers for its various antivirus and cybersecurity products, claims the damage is limited.
In an announcement Monday morning, Avast said its internal network had been breached using a username and password for a temporary VPN account. The account had mistakenly been kept open and did not require a second factor of authentication, providing an easy way onto Avast computers.
The attack was detected on September 23 when a Microsoft security tool put out an alert due to “malicious replication of directory services from an internal IP.” Directory services are software that gives admins a single point in a business IT network from which they can manage things like employee identities and security. The hackers managed to acquire domain administrator privileges, which would have given them significant control over the Avast network.
“It gives you license to plunder all the other accounts,” explained professor Alan Woodward, a cybersecurity expert from the University of Surrey. “Change passwords, access just about anything basically.”
The hackers had been trying to break into the Avast network through its VPN as early as May 14. Various usernames and passwords were used to access that VPN, leading the company to suspect they had been stolen, though it is unclear how.
While the company isn’t sure just what the hackers were trying to do, Avast determined that its CCleaner business “was the likely target of a supply chain attack.” CCleaner, a tool used to remove infections from PCs, was targeted once before, in 2017, by hackers believed to be Chinese, who successfully added malicious code to downloads. That attack led to the compromise of 2.3 million people’s PCs. Avast doesn’t believe any CCleaner downloads were similarly tweaked in the latest attack.
Avast said it was working with Czech law enforcement and intelligence agencies to continue to investigate the breach. It also reset all internal employee passwords and pushed out an updated version of CCleaner.
“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” the company added. “We do not know if this was the same actor as before and it is likely we will never know for sure.”
Despite the breach, Avast’s business continues to boom. The Prague-based business was cofounded by billionaire Pavel Baudis and is listed on the London Stock Exchange. Shares are at an all-time high, giving the group a $5 billion market cap.