Anti-virus company Avast has revealed they were breached over several months, after identifying the suspicious activity on their network on 23rd September according to a blog post by their CISO. Avast think their CCleaner software was the target of a supply chain attack – with the hackers attempting to repeat the 2017 insertion of malicious code into the popular PC maintenance tool.
According to the blog post, Avast made two simple mistakes that were crucial to the success of the attack. Firstly, a VPN profile was left active without two-factor authentication enabled. The attackers gained access to the VPN by trying various username and password combinations, possibly obtained in a different data breach. The first access over the VPN was back in May, but Avast did not notice the intrusion until September, when a Microsoft security alert warned that domain services were being replicated against an internal IP.
The second mistake, Avast admits, was that the warning from the security monitoring systems had been seen before and ignored because it was assumed to be a false-positive alert.
This breach serves as a useful reminder of the importance of monitoring logs and investigating alerts and not assuming breach alerts are false-positive noise.
The activities of the attackers were visible in the VPN logs since May and operations staff saw and discounted the alerts warning that the network’s domain credentials were being maliciously replicated.
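The replication alert described above is the kind of signal that should never be written off as noise. As an added example (not from Avast's post or their tooling), the detection below flags directory-replication requests that originate from any host that is not a known domain controller, run over constructed sample events. The event layout is an assumption: a Windows Security event 4662 carrying the requested control-access GUIDs, already enriched with the source address of the matching logon.

```python
from collections import Counter

# Well-known Active Directory extended rights requested when replicating
# directory data. They appear in the Properties field of Event ID 4662.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Hosts that are allowed to replicate: the real domain controllers (assumed).
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample events, not real logs. "source_ip" is assumed to have been
# joined in from the logon session that performed the operation.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: ignored.
    {"event_id": 4662, "account": "CORP\\DC2$", "source_ip": "10.0.0.11",
     "properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # A non-DC host asking for the full replication stream: suspicious.
    {"event_id": 4662, "account": "CORP\\svc-backup", "source_ip": "10.0.5.23",
     "properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # Same host again a few hours later: a repeat, not a false positive.
    {"event_id": 4662, "account": "CORP\\svc-backup", "source_ip": "10.0.5.23",
     "properties": [DS_REPLICATION_GET_CHANGES_ALL]},
    # 4662 for an unrelated object right from the same host: ignored.
    {"event_id": 4662, "account": "CORP\\svc-backup", "source_ip": "10.0.5.23",
     "properties": ["bf967a86-0de6-11d0-a285-00aa003049e2"]},
    # A plain logon event: ignored by this rule.
    {"event_id": 4624, "account": "CORP\\jsmith", "source_ip": "10.0.5.40",
     "properties": []},
]


def find_rogue_replication(events, known_dcs):
    """Return [((source_ip, account), count), ...] for replication requests
    that did not come from a known domain controller, sorted for stable output.
    """
    hits = Counter()
    for ev in events:
        if ev.get("event_id") != 4662:
            continue
        if not REPLICATION_RIGHTS & set(ev.get("properties", [])):
            continue
        if ev.get("source_ip") in known_dcs:
            continue  # DC-to-DC replication is expected
        hits[(ev["source_ip"], ev["account"])] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    for (ip, account), count in find_rogue_replication(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"ALERT replication from non-DC {ip} as {account} ({count} events)")
```

The count is kept on purpose: an alert that keeps firing from the same host and account is evidence of persistence, which is the opposite of a false positive.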
You can check the effectiveness of your operational monitoring and logging by engaging a CREST-certified penetration tester to perform a controlled hack of your network and measure how long it takes your people and systems to spot the intrusion.