In a dramatic new escalation of cyber espionage activities occurring around the world, hackers now appear to be going after software companies in so-called “supply chain attacks.” The primary goal is to infect as many computers as possible worldwide by going after popular software vendors. The most recent victim of an attempted supply chain attack is multi-billion-dollar Czech antivirus software company Avast, which has more than 435 million users in 68 countries for its popular cybersecurity products. Given the size and scale of Avast’s operations, it’s easy to see why hackers viewed the company as a particularly attractive supply chain attack target.
Details of the Avast cyber espionage case
According to Avast, the company first detected suspicious behavior on its network on September 23. Immediately, the company opened a full and extensive investigation into the cyber attack, and also enlisted the help of both the Czech police and the Czech intelligence agency Security Information Service (BIS). Preliminary evidence from this investigation suggests that the attack was a cyber espionage attempt perpetrated by Chinese threat actors. However, the exact identity of the intruder or their purpose is not known, primarily because the threat actor was progressing with exceptional caution.
Avast has been notably transparent about the entire cyber espionage attack, even as some details emerge from an external forensics team that could place Avast in a very negative light. According to Avast, unknown hackers attempted to access internal computer networks at least seven times in 2019. The intruder in each case used compromised username/password credentials that were used to access a temporary Virtual Private Network (VPN) profile. Access was possible, admits Avast, because the company was not using a multi-factor authentication approach, meaning that once the hackers had access to the login credentials, they were able to access the network.
The primary goal of the hackers, says Avast, was to gain deep access to the network. As part of the “Abiss” attack, the Chinese hackers used successful privilege escalation in order to go after domain administrator privileges. This was the key step in pulling off the cyber espionage attack – with the domain administrator privileges, the hackers might have gained significant control of the entire Avast network. As one UK cybersecurity expert opined, this would have given the cyber espionage threat actors “license to plunder all other accounts” on a worldwide basis.
Kevin Bocek, vice president of security strategy and threat intelligence at machine identity protection provider Venafi, comments on the type of attack carried out against Avast: “Based on Avast’s response, it seems likely that the attackers targeted code signing keys and certificates. For decades, code signing has been used to verify the integrity of software, and nearly every organization relies on it to confirm their code has not been corrupted with malware.”
“However, if code signing keys and certificates are not properly protected, attackers can turn them into powerful cyber weapons,” says Bocek. “With code signing, cyber criminals can make their malware look like trusted software, allowing it to spread and go undetected. Code signing certificates were the key reason Stuxnet and ShadowHammer were so successful; these attacks are prototypes that many attackers are trying to emulate today.”
Fortunately for Avast, the company was using an advanced cyber security product from Microsoft, which alerted the company about “malicious replication of directory service from an internal IP.” This was the tip-off that the company needed to understand that hackers were going after domain administrator privileges, even as traces of the intruder were still difficult to find. Avast immediately went to work hardening its internal cyber defenses, including a reset of all internal passwords. The company also pushed out new and updated “clean” versions of its software as an extra precaution, even though Avast says that hackers were not able to distribute any malicious code.
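The alert quoted above describes directory replication being requested by a host that is not a domain controller. As an added example (not from Avast, Microsoft or the original article, and not a description of how the Microsoft product works), this Python sketch shows one way a defender could surface the same pattern from Windows Security logs by joining event 4662 to event 4624 on the logon ID. The sample events and the domain controller address list are constructed for illustration.

```python
# Added example: flag directory replication rights exercised from a host that
# is not a known domain controller. Field names follow Windows Security events
# 4662 (directory object access) and 4624 (logon); all data here is constructed.

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DOMAIN_CONTROLLER_IPS = {"10.0.0.10", "10.0.0.11"}  # hypothetical DC inventory

SAMPLE_EVENTS = [  # constructed, as collected from one domain controller
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x3e1a",
     "LogonType": 3, "IpAddress": "10.0.0.11"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e1a",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x7b20",
     "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x7b20",
     "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x9c44",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated access
]

def find_suspicious_replication(events, dc_ips=DOMAIN_CONTROLLER_IPS):
    """Return one alert per replication request not traced to a known DC."""
    # Logon session ID -> source address, taken from logon events.
    source_of = {e["TargetLogonId"]: e.get("IpAddress", "")
                 for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(n for g, n in REPLICATION_RIGHTS.items() if g in props)
        if not rights:
            continue
        # A session with no matching logon is treated as untrusted, not skipped.
        src = source_of.get(e["SubjectLogonId"]) or "unknown"
        if src not in dc_ips:
            alerts.append({"account": e["SubjectUserName"],
                           "source_ip": src, "rights": rights})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_replication(SAMPLE_EVENTS):
        print(alert)
```

Replication between the two listed domain controllers passes silently; only the request whose logon session came from another internal address is reported.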
Another attack on CCleaner
The ultimate target of the internal network attack appears to have been CCleaner, a Windows utility app that helps users clean up programs and speed up overall PC performance. CCleaner (originally known as “Crap Cleaner”) was launched in 2004, and has become one of the most popular apps of its kind. Avast describes it as a “thriving, best-in-class product” that has more than 400 million users worldwide.
However, it was exactly this popularity of CCleaner that made it so attractive for hackers. What better way to get access to hundreds of millions of computers around the world than to infiltrate a popular Windows app? And, indeed, CCleaner was also the target of a high-profile cyber espionage hack back in 2017, when hackers were able to gain access to it and then push out malicious, malware-infected versions to 2.27 million users worldwide. This, in essence, is what a “supply chain attack” is all about – the cyber espionage threat actors viewed Avast as simply the first step of a much wider attack that would enable them to gain access to sensitive business information from the world’s top companies. The way the attack was carried out was designed to leave no traces of the intruder.
Implications of the Avast cyber attack
As Avast noted in a blog post detailing the Abiss attack, global software companies are now being regularly targeted for disruptive attacks, cyber espionage campaigns and attempts at nation-state sponsored sabotage. In short, the very companies that people are counting on to provide them with anti-virus and anti-malware tools are now being targeted by hackers, often with insidious purposes in mind.
The big question now, of course, is how to prevent future attacks of the same nature from taking place. It will take more than just changing passwords or adopting multi-factor authentication. As Avast acknowledges, it’s important for software companies to “stay ahead of the bad guys.”
For now, Avast says it has no plans to discontinue CCleaner – but it’s easy to see how this second attack on CCleaner in just two years might lead to a loss of some customers. Throughout 2017 and 2018, Avast struggled to clean up the PR damage after the first attack. That might be why the company immediately enlisted the help of the Czech police and the Czech intelligence agency – they aren’t taking any more chances. The Chinese hackers pulled off an “extremely sophisticated attempt” this time, and there’s no reason to think that they won’t be back soon with another attempt.
Going forward, cyber security is going to become an even more important issue for senior executives at software companies around the world. It will impact which companies they partner with, which companies they acquire, and which companies they choose to do business with. The latest Avast cyber espionage hack is just further proof that hackers are becoming more and more sophisticated in how they target companies.