Avast Says Hackers Breached Internal Network Through Compromised VPN Profile (zdnet.com) 13

An anonymous reader writes: Czech cyber-security software maker Avast disclosed today a security breach that impacted its internal network. In a statement published today, the company said it believed the attack's purpose was to insert malware into the CCleaner software, similar to the infamous CCleaner 2017 incident. Avast said the breach occurred because the attacker compromised an employee's VPN credentials, gaining access to an account that was not protected using a multi-factor authentication solution. The intrusion was detected on September 23, but Avast said it found evidence of the attacker targeting its infrastructure going as far back as May 14, this year. The identity of the attacker is currently unknown, but the company said hackers didn't manage to modify CCleaner downloads this time around.
  • Kiss of death? (Score:5, Insightful)

    by Jerry ( 6400 ) on Monday October 21, 2019 @02:30PM (#59331570)
    When an AV firm can't protect its own network, who is going to trust their products?
    • Especially when it is by pure negligence that the compromise was allowed to take place.

      What on earth would lead someone to believe that a firewall-bypassing link to an internal network should not need a second authentication factor?

  • This is the second VPN hack today. Perhaps we need to rethink the TCP/IP protocol. It was initially intended for a rather closed network of trusted computers, yet it became the go-to for almost all communication, where encryption of the data portion of a packet isn't enough anymore, so perhaps we need to really rethink what is going on.

    • We have, multiple times. It's why we now have IPv6 and IPsec.
    • @ jellomizer [slashdot.org]: “This is the second VPN hack today. Perhaps we need to rethink the TCP/IP protocol. It was initially intended for a rather closed network of trusted computers, yet it became the go-to for almost all communication, where encryption of the data portion of a packet isn't enough anymore, so perhaps we need to really rethink what is going on.”

      There's nothing wrong with TCP/IP that needs fixing, it does exactly what it was designed to do, however there is something defective with th
    • by Hylandr ( 813770 )

      Sounds like a great idea:

      https://xkcd.com/927/ [xkcd.com]

    • by skids ( 119237 )

      No, it's the VPN software. There's not one native OS client other than strongswan that supports both enterprise EAP methods and a second phase of authentication when using modern (IKEv2) IPSec configurations. So unless you do hardware keys as the second factor, or do your second factor post-tunnel-establishment (block the user's VPN IP until they 2FA) you are stuck with using shitty systems that use IKEv1 and XAUTH, and most of the commercial MFA providers further want you to expose your RADIUS infrastruc

      • by AHuxley ( 892839 )
        Some sort of advanced network dongle to carry around with crypto in it?
        Then phone and talk to another member of staff to get a code just for that dongle. Using the human voice as a person on the phone.
        Use humans to add to the layers of security. To get a one-time code that's only good for that session.
        A smaller private secure VPN created over the company VPN?
        Secure networks per session over secure networks to ensure more security?
        Layers of new code, hardware and new crypto on the existing network crypt
        • by skids ( 119237 )

          Or... the main providers of native OS client software (Apple, Microsoft, Google) could just fix their crap so the existing 2FA solutions work solidly and present themselves in a way the users can understand.

          OTP and crypto keys are both adequate solutions. Some of the cell-based solutions aren't too awful if your cell is an MDM-managed corporate-issued device. Barring that, running OTP or even IM (not SMS) at least raises the bar so both the phone and access credentials have to be compromised.

          What makes i

    • Is someone paying you to derail the conversation with this stupid bullshit? TCP/IP had nothing to do with how the VPN endpoint got compromised, so telling people that changing to something else would have prevented it is both false and harmful.
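As an added illustration of the post-tunnel second factor skids describes above ("block the user's VPN IP until they 2FA"), here is a constructed Python model that is not code from Avast or from any commenter: the VPN-assigned address stays quarantined until a valid RFC 6238 TOTP code is presented, and a few failures drop the tunnel, so a stolen credential alone never opens the network. The user name, addresses and the firewall-action tuples are assumed stand-ins for a real policy engine.

```python
import hashlib
import hmac
import struct

# Constructed model of a post-tunnel MFA gate: the tunnel comes up with only a
# credential, and the assigned address is quarantined until TOTP succeeds.


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PostTunnelGate:
    """Tracks VPN sessions by assigned IP; only MFA-verified IPs pass the gate."""

    MAX_FAILURES = 3  # assumed policy: three bad codes and the tunnel is torn down

    def __init__(self, secrets):
        self.secrets = secrets   # user -> TOTP seed from the MFA enrolment store (assumed)
        self.sessions = {}       # vpn_ip -> {"user", "verified", "failures"}
        self.rules = []          # firewall actions the gate would hand to a policy engine

    def tunnel_up(self, vpn_ip, user):
        self.sessions[vpn_ip] = {"user": user, "verified": False, "failures": 0}
        self.rules.append(("quarantine", vpn_ip))  # tunnel is up, nothing internal reachable yet

    def submit_code(self, vpn_ip, code, now):
        s = self.sessions.get(vpn_ip)
        if s is None or s["failures"] >= self.MAX_FAILURES:
            return False  # unknown session or already locked out
        expected = totp(self.secrets[s["user"]], now)
        if hmac.compare_digest(expected, code):
            s["verified"] = True
            self.rules.append(("allow", vpn_ip))
            return True
        s["failures"] += 1
        if s["failures"] >= self.MAX_FAILURES:
            self.rules.append(("drop_tunnel", vpn_ip))
        return False

    def is_allowed(self, vpn_ip):
        s = self.sessions.get(vpn_ip)
        return bool(s and s["verified"])
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so the gate can be checked against a known seed before wiring it to a real authenticator.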

  • Friendly reminder (Score:4, Insightful)

    by kurkosdr ( 2378710 ) on Monday October 21, 2019 @03:06PM (#59331746)
    AV firms are not in the IT security business, they are in the signature subscription business. Back when MS-Blaster was all the rage, not a single AV firm bundled the anti-Blaster KBs with their products (even ones released after the mass breakout) and not a single AV firm integrated any additional countermeasures in their AV software against Blaster (such as temporarily locking the port or scanning it on an unpatched system), but boy did they sell a lot of signature subscriptions because of it. I just use Windows Defender. It doesn't slowly kill my system over time, doesn't install any strange kernel drivers, and it doesn't bother me with pop-ups or subscription blackmail.
    • The sad thing is customers are falling for it. They will use av-test to compare AVs and think that a 98% vs 99% difference in virus signature detection is a big deal. It's not. And it varies over time a lot. Use whatever AV doesn't expire and doesn't drop kernel drivers (which can be a security hole themselves).
