On October 21st, several news outlets reported that Avast, a Czech cybersecurity company owning 10% of global market share for anti-virus solutions, was breached through an insecure VPN account. According to the Czech intelligence agency BIS, the Chinese-based attackers targeted Avast’s CCleaner product, a system cleaner utility used to clean potentially unwanted files and invalid Windows Registry entries.
In a cyber week already quite eventful with an outage on Amazon Web Services (AWS), the Avast attack represents the latest example of a supply chain attack threat. My colleague John Anderson has shared his thoughts on the AWS outage in a recent post "Deciphering an eight-hour business interruption outage".
Focusing on the Avast attack, it is significant for four main reasons.
Firstly, supply chain attacks continue to represent a significant threat for enterprises. We’ve seen several major supply chain attacks on tech companies in the past year, including malware embedded in a software update from Asus in late 2018 that infected 1 million computers and an infection in Microsoft’s Visual Studio development tool that impacted hundreds of thousands of end users. CCleaner is a juicy target for attackers due to its widespread distribution providing direct access to the Windows endpoint systems of over 435 million active users distributed across 68 countries.
For a threat actor dropping malware looking to cast a wide net, the cost-benefit analysis makes this an excellent strategy. CyberCube models the catastrophic impact of supply chain attacks in our Portfolio Manager software product, in industries including aviation/transportation, technology and healthcare. Analyzing the kill chain and entry vectors of historically successful attacks such as the Avast attack feeds into our determinations for which attack techniques are most likely to be employed by attackers.
Secondly, companies that have been previously breached are more likely to be targeted again. Avast was breached successfully in 2017, when Chinese threat actors embedded Floxif malware in an update, which collected information from the users that downloaded it and installed a backdoor on 2.27 million machines. Some 40 of these machines, at major technology companies including Samsung, Sony, Asus, Intel, VMWare, Dyn, and Fujitsu, were hit with a heavily obfuscated second-stage payload that aimed to steal credentials and intellectual property data.
Mandiant, FireEye’s cyber security incident response arm, reports that retargeted attacks are climbing, with 64% of clients targets of at least one serious cyber attack by the same or similarly motivated threat groups within the past two years.
Thirdly, the attack underscores the continuing issue of detection time lags for enterprises. While the first presence of attackers was dated to May 14th, the attack was not detected until September 25th, giving the attackers almost five months of dwell time. Most major attacks have had significant dwell times - attackers dwelled in Ukraine’s power grid for over six months before executing on the 2017 attack. Ponemon reports that it takes an average of 206 days (almost seven months) to identify a breach. Put simply, a higher dwell time provides attackers more time to conduct greater malicious activity, resulting in a more damaging impact to an organization. Enterprises still have work to do in hiring skilled security personnel and effectively utilizing monitoring and detection technologies to discover breaches faster.
Finally, the attack underscores the importance of challenging preconceived notions about an industry - even companies whose mission is to provide cyber security services, such as Avast, are targeted and breached, just like anyone else.