Those who fail to learn the lessons of history are destined to repeat them. Don’t be that organization…
Back in September of 2017, Avast indicated that the network of its recently acquired (July 2017) subsidiary had been infiltrated, and that its CCleaner application had been compromised. The compromise, at that time, was first discovered by Cisco, by way of their Talos security team.
Earlier this month, Avast admitted that hackers had been able to breach its network again, most likely in pursuit of infecting CCleaner again.
There are some important things that should be learned, certainly by Avast, but also by other organizations, based on what has been publicly reported about this latest incident.
Taking Shortcuts Kills
The intruder was able to connect to a temporary VPN account, from a public IP address in the U.K., using a compromised username and password. Avast said the temporary VPN account had “erroneously been kept enabled,” and did not require two-factor authentication – making it easier for hackers to compromise.
Every time an organization takes a shortcut in a process that has been designed to protect it, it opens a door for an attacker. And the attacker only needs one weakness. In this case, a temporary VPN account was left enabled for much longer than necessary, and was not configured with multi-factor authentication (MFA). A temporary VPN profile that overstayed its welcome, combined with a failure to add multi-factor authentication to this profile, contributed directly to this breach. The organization has undoubtedly spent more time dealing with this breach than the user ever saved by not having MFA enabled.
It’s Called Defense in Depth, for a Reason
The user of the temporary VPN did not have domain admin privileges. However, through a successful privilege escalation attack, the actor managed to obtain domain admin privileges, said Avast (Avast did not provide further details about the privilege escalation attack).
It’s still somewhat astounding to me that organizations that seem to understand that redundancy is needed in storage and servers are so diametrically opposed to redundancy in security tools and processes. The entire premise of defense in depth is that through the use of multiple, (at least slightly) overlapping layers of security, threats to an environment can be significantly reduced or curtailed.
The following are valid examples of that concept:
- Antimalware scanning at both the host and the network (preferably using tools from different vendors)
- Scanning for vulnerabilities at the code layer, and at the running application layer, and at the network infrastructure layer.
- Checking for invalid access at the perimeter (or the closest thing you have to one) AND also as close to the data itself as possible.
- Employing multifactor for all remote access, plus all privileged access.
Not OR, but AND.
These are merely starting points, and should not be considered the pinnacle, but rather the beginning of effective organizational cybersecurity practices.
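As an added illustration of the two shortcuts discussed above (a temporary account that outlives its purpose, and remote or privileged access without MFA), here is a small audit a defender can run over an exported account inventory on a schedule. This is example code written for this post, not Avast’s tooling or any vendor’s API: the `Account` fields, the inventory entries and the reference date are constructed assumptions, and the rules are the ones argued for here, namely that temporary accounts must carry an expiry and be disabled once past it, and that every remote-access or privileged account must enforce MFA.

```python
"""Audit an account inventory for the shortcuts described above: temporary
accounts left enabled past their expiry, and remote-access or privileged
accounts without MFA.  Example code for this post; the inventory layout is
an assumption, so replace load_sample() with your own IdP/VPN export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    temporary: bool
    expires: Optional[date]  # required for temporary accounts
    remote_access: bool      # may authenticate to the VPN / remote gateway
    privileged: bool         # domain admin or equivalent
    mfa_enforced: bool


def audit(accounts: List[Account], today: date, grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs.  Disabled accounts are skipped: the
    point above is that the temporary account was *left enabled*."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.temporary:
            if a.expires is None:
                findings.append((a.name, "temporary account with no expiry date"))
            elif today > a.expires + timedelta(days=grace_days):
                overdue = (today - a.expires).days
                findings.append((a.name, f"temporary account enabled {overdue} days past expiry"))
        # MFA is required for remote access AND for privileged access (not OR).
        if a.remote_access and not a.mfa_enforced:
            findings.append((a.name, "remote access without MFA"))
        if a.privileged and not a.mfa_enforced:
            findings.append((a.name, "privileged account without MFA"))
    return findings


def load_sample() -> List[Account]:
    """Constructed inventory for the example (not real data from any organization)."""
    return [
        Account("jdoe", True, False, None, True, False, True),
        Account("contractor-tmp", True, True, date(2019, 3, 1), True, False, False),
        Account("old-tmp", False, True, date(2018, 12, 1), True, False, False),
        Account("svc-backup", True, False, None, False, True, False),
        Account("intern-tmp", True, True, None, False, False, True),
    ]


def run_sample() -> List[Tuple[str, str]]:
    # Fixed reference date so the example is reproducible; use date.today() in practice.
    return audit(load_sample(), today=date(2019, 5, 14))


if __name__ == "__main__":
    for name, problem in run_sample():
        print(f"{name}: {problem}")
```

The `grace_days` parameter exists only to suppress noise for accounts a day or two past their date; anything that reports as weeks overdue is exactly the condition described above, and the fix is to disable the account rather than to widen the grace period.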
Although we don’t know this for sure in this case, I can assure you that the reasoning I have heard in many other places and scenarios is that “MFA is not needed, since this account is not a privileged account.” But as we look at the reports of this incident, we see that a privilege escalation attack was performed, essentially turning this relatively safe account into a far more powerful account. The bad guys are not coming at your network with just one trick or approach. They will be combining every vulnerability they can successfully exploit.
Sure, a medium vulnerability by itself might not be a huge issue, but when chained together with a couple of other mediums and maybe even a few lows, with guidance from a half-dozen disclosure vulnerabilities, a motivated attacker will be able to make significant progress through your environment.
Stop Defaulting to “False Positive”
Staff eventually tracked down other security alerts inside Avast’s ATA dashboard, alerts that engineers previously ignored, thinking they were false positives. ATA stands for Microsoft Advanced Threat Analytics, an on-premise network parsing engine and traffic analysis system that Microsoft sells to enterprises in order to protect internal networks from malicious attacks triggered from inside.
Too many people fail to take security seriously, even though we have breaches announced in the news each and every week.
Avast is running Microsoft Advanced Threat Analytics. That’s a good thing. It appears to be configured well enough, as it ultimately helped them identify this intrusion.
But, it might have been more helpful for them if they hadn’t ignored previous alerts – going back to May 2019 – because they had considered them false positives. I’m not saying that false positives don’t exist, but I am saying that over the years, I have seen far too much enthusiasm to respond to an alert by performing a cursory investigation, if that, and then confidently declaring, “It’s a false positive!” I suppose that everyone is just waiting for AI to make these problems go away. I assure you that it won’t. (Certainly not on day 1, day 100 or even day 1000.)
The reason we obtain advanced threat analytics tools is because we have advanced threats. So we should do some real digging when we get alerts, and not be so quick to write them off. No, it is not good practice to leap to the “false positive” conclusion without in-depth research. Of course, it is also true that organizations which are under resourced (whether we are talking tools or staff) will undoubtedly see more of this sort of categorization, as the staff has little time to deal with anything that is not a clear and obvious in-your-face-right-now threat. In the case of Avast, this turned out to be an alert that showed that their entire Active Directory infrastructure map had been replicated.
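The alert that had been written off was, according to the reports, the replication of Avast’s Active Directory by the compromised user account. As an added example (not Avast’s code and not part of Microsoft ATA), the script below shows why such an alert is seldom a false positive: replication itself is routine, but only domain controllers should be requesting it, so the thing to validate is *who* asked. It walks constructed, simplified event records modelled on Windows Security event 4662 (the real event is XML; the `key=value` layout, timestamps and account names are assumptions for the example), looks for the well-known replication extended-right GUIDs that Windows records in the event’s `Properties`, and reports every requester that is not a known domain controller.

```python
"""Flag directory-replication requests from accounts that are not domain
controllers.  Event lines are constructed for this example in a simplified
key=value form, not real Windows Security log output; the detection logic
(4662 + replication extended-right GUIDs + non-DC subject) is the point."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Extended-right GUIDs that appear in event 4662 'Properties' when the
# directory service grants replication access to the subject.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample: two DC-originated replications, a logon, two replication
# requests from a non-DC user, and an unrelated 4662 carrying a made-up GUID.
SAMPLE_LOG = [
    "2019-05-14T03:12:07Z EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "2019-05-14T03:12:09Z EventID=4624 SubjectUserName=tmp-vpn LogonType=3",
    "2019-05-14T03:14:41Z EventID=4662 SubjectUserName=tmp-vpn ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "2019-05-14T03:14:42Z EventID=4662 SubjectUserName=tmp-vpn ObjectType=domainDNS "
    "Properties={89e95b76-444d-4c62-991a-0facbeda640c}",
    "2019-05-14T03:20:00Z EventID=4662 SubjectUserName=jdoe ObjectType=user "
    "Properties={deadbeef-0000-4000-8000-000000000001}",  # constructed, non-replication GUID
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {"Timestamp": ts}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', rest):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def replication_rights(event: Dict[str, str]) -> List[str]:
    """Names of replication rights exercised in this event, in log order."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def suspicious_replication(lines: List[str], domain_controllers: set) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map each non-DC account that exercised replication rights to its
    (timestamp, rights) events.  DCs are matched by computer account name."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        if not rights:
            continue
        who = ev["SubjectUserName"]
        if who.rstrip("$").upper() in domain_controllers:
            continue  # routine DC-to-DC replication
        hits[who].append((ev["Timestamp"], rights))
    return dict(hits)


def run_sample() -> Dict[str, List[Tuple[str, List[str]]]]:
    return suspicious_replication(SAMPLE_LOG, {"DC01", "DC02"})


if __name__ == "__main__":
    for account, events in run_sample().items():
        for ts, rights in events:
            print(f"{ts} {account} exercised {', '.join(rights)}")
```

Matching domain controllers by name alone is a simplification for the example; in production, correlate the subject with the source address of a known DC as well, and treat any hit from this check as an incident to investigate rather than a candidate for the “false positive” bucket.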
Visibility is Everything
The alert showed that the compromised user account replicated Avast’s Active Directory service, an effective digital map of the company’s internal network.
The likelihood is that your organization does not have the skills or tools or other resources necessary to prevent every single attack from being successful. Especially not these days, when so many attacks are from nation states or other entities similarly motivated/resourced. Yet, without visibility, your organization is totally and thoroughly doomed.
Avast will likely bounce back from this incident because they had tools in place that could tell them critical things about their infrastructure and applications. Yes, it’s bad that their attacker – whom they could not definitively identify – was able to get so far, and do so much. But imagine if they had lacked the necessary visibility to see that this was done? The outcome would be far, far worse than it is at present.
Security monitoring must have a high priority in organizations – both real-time capabilities and forensics/historical capabilities. Because, once you have found that you were attacked successfully, it helps to be able to say what your overall exposure is. Avast is able to do that, despite whatever other things they may appear to have done less effectively.
Could your organization say the same thing?
Transparency is your friend
Avast handled the 2017 breach with grace, never using the excuse that “Piriform was hacked, not us,” and kept users updated on their investigation at every step [1, 2, 3, 4] — laying the ground for how many companies should handle security breaches.
If you do find that you have had a breach situation, jump on it and handle the communication clearly and honestly and in a timely manner.
Both in 2017 and in 2019, Avast has stepped up to the plate in their response, which has allowed many people to maintain confidence in their tools and organization. Organizations like Equifax and Capital One have taken a beating because of their poor post-breach communications. Even though no-one wants to go through a breach situation, dealing with it in an up front and transparent way will allow your organization to be able to put it behind them far more quickly, than being evasive and sketchy.
Avast is going to require super duper diligence with regards to the way they protect their network from here on out, because a third strike will be exceedingly difficult for them to overcome.
(Disclosure: I was already wary of using CCleaner from their previous breach, so no change for me as far as that product is concerned. But I did ditch my Avast installation from my mobile phone in light of this new breach.)
At the same time, Avast also changed the digital certificate it was using to sign CCleaner updates. The new update was signed with a new digital certificate, and the company revoked the previous certificate used to sign older CCleaner releases. It did so to prevent attackers from using it to sign fake CCleaner updates, in case the hackers managed to get their hands on the old certificate during the recent intrusion.
The last step was to reset all employee credentials.
“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Baloo said.
This is the post-breach version of “don’t take shortcuts.”
If something has gone wrong and you have been able to find that out, then take all the steps necessary. Many organizations will change some accounts, and quarantine some servers, and do some other partial actions. Why? Take the time to employ maximum remediation efforts. Don’t half-step now.
Security processes are designed to protect an organization, its data (including employee data), and its customers (including their data). Certainly, such processes should be designed with the necessary flexibility to ensure that the organization remains productive and profitable, while reducing risk.
But many users – and even organizational leaders – chafe under the perceived inconveniences that security processes can inflict, from their perspective. “Security is too hard or too cumbersome,” we are told, and so it is avoided or undermined.
“Make security easy,” we are told. If it were easy, there would be no risk. Does anyone think that the bad guys aren’t jumping through hoops to infiltrate organizations? Of course they are, because the payoff is huge! Thus the protection is correspondingly complex and involved.
What’s interesting to me, however, is how few complain about security measures after they have been breached. Similarly, you almost never hear anyone complaining about all the security they need to employ after they have had their identity stolen, and had to jump through the real hoops of getting new documents and fixing their identity, etc.
Inconvenience, then, is merely a matter of perspective. For me, I prefer the voluntary inconvenience of risk reduction over the forced inconvenience of breach recovery.
My advice to both organizations and individuals is this:
- Stop taking safety and security shortcuts.
You’ll lose more time and money in one breach than you saved in a year of shortcuts.
- Get some depth into your defense.
Yes, there will be overlaps, but you’ll be happy when the bulletproof vest stops the projectile that your reinforced vehicle glass didn’t.
- Spend some time validating alerts.
Verify, verify and verify some more, because the tools are there for a reason. If the alerts are in fact wrong, reconfigure the tool.
- Visibility is Everything.
Better to be 100% in visibility and 50% in prevention, than the reverse, since you will never know when something new bypasses the protection.
- Honesty is the Best Policy.
Everything gets revealed in the end, and those who aren’t honest lose in the long-term.
- Remediate Completely.
Change all accounts, lock all doors, revoke all access, etc. If you do it half-way, you’ll be back in breach-land before you know it.
While it is true that personal experience is what helps lessons to stick the best, it is far less costly to learn from others. Here’s one time where second best has its clear advantages. Try to avail yourself of these less costly learning opportunities, both from a personal and corporate perspective.