Cyber Incident Victim: Gen Digital
Date: May 2019
Location: Czechia
Summary
A cybersecurity firm experienced a network breach via a compromised VPN profile lacking multi-factor authentication, enabling attackers to escalate privileges to domain admin level. The intrusion, detected through previously overlooked internal threat alerts, revealed attempts to insert malware into the company's software, mirroring a prior supply-chain attack. The firm monitored the attackers' activities for two weeks before mitigating the threat by issuing a clean software update, revoking compromised digital certificates, and resetting employee credentials. Investigation efforts involved national intelligence and law enforcement agencies, with attribution suggesting a sophisticated actor potentially linked to Chinese operatives, though distinct from previous incidents.
Description
On September 23, 2019, Avast detected unauthorized access to its internal network after identifying suspicious privilege escalation activity involving a compromised employee VPN account that lacked multi-factor authentication. Forensic analysis revealed the initial breach occurred as early as May 14, 2019, with attackers gaining entry through stolen credentials that provided only limited access. The threat actor subsequently elevated privileges to obtain domain administrator rights, enabling broader network access. Microsoft Advanced Threat Analytics (ATA) alerts, initially dismissed as false positives, showed the attackers had replicated Avast's Active Directory service, creating a comprehensive map of internal systems. Avast's security team determined the intrusion aimed to implant malware into CCleaner software, mirroring the objectives of the 2017 CCleaner compromise. The company intentionally maintained the compromised VPN connection from detection through October 15 to monitor attacker behavior and gather intelligence, observing that the threat actor operated with high sophistication to avoid detection.
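The overlooked ATA signal described above, replication of the directory by an account that is not a domain controller, can also be checked directly against Windows Security auditing. The following is an added example, not Avast's tooling or Microsoft ATA: it assumes Event ID 4662 (an operation was performed on an object) records rendered as constructed key=value lines, a hypothetical allowlist `KNOWN_DCS` of the environment's domain controller computer accounts, and the documented extended-rights GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Any account outside the allowlist that exercises those rights is exactly the kind of alert that should not be dismissed as a false positive.

```python
"""Flag Active Directory replication requests made by non-domain-controller
accounts, using Windows Security Event ID 4662 records.

Added example for illustration; not Avast's or Microsoft ATA's code.
"""
import re

# Extended-rights GUIDs from the AD schema that grant directory replication.
# These two values are documented and real; an account holding both can pull
# every object, including credential material, from a domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Hypothetical allowlist: computer accounts of the environment's real domain
# controllers. Replication between these is normal and must not alert.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample records, simplified to key=value form. Line 1 is a DC
# replicating legitimately; line 2 is a user account requesting the same
# rights; line 3 is an unrelated 4662 (a property read on a user object);
# line 4 is a different event type entirely.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user "
    "AccessMask=0x20 Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]

# key=value pairs; a value runs until the next " key=" or end of line, so the
# multi-GUID Properties field (which contains spaces) stays intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def parse_event(line: str) -> dict:
    """Turn one constructed key=value record into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def replication_rights(event: dict) -> list:
    """Return the replication rights named in a 4662 event's Properties field."""
    if event.get("EventID") != "4662":
        return []
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_rogue_replication(lines, known_dcs) -> list:
    """Return findings for replication requests from accounts not in known_dcs.

    The allowlist is by explicit DC name rather than by the trailing '$' of a
    machine account, because any joined computer account also ends in '$'.
    """
    dcs = {name.upper() for name in known_dcs}
    findings = []
    for line in lines:
        event = parse_event(line)
        rights = replication_rights(event)
        if not rights:
            continue
        subject = event.get("SubjectUserName", "")
        if subject.upper() in dcs:
            continue  # legitimate DC-to-DC replication
        findings.append({
            "subject": subject,
            "domain": event.get("SubjectDomainName", ""),
            "rights": rights,
            "raw": line,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rogue_replication(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"ALERT: {finding['domain']}\\{finding['subject']} requested "
              f"{', '.join(finding['rights'])}")
```

On the constructed sample this raises one alert, for `CORP\jdoe`, and stays silent for `DC02$`. In a real deployment the 4662 audit category (DS Access, Directory Service Access) must be enabled on the domain controllers for these events to exist at all, and the allowlist has to be kept current as DCs are promoted or demoted, otherwise a new legitimate DC will page the on-call engineer and a stale entry will hide exactly the activity described above.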

Avast initiated containment measures on October 15 by releasing a clean CCleaner update signed with a new digital certificate and revoking the previous certificate to prevent fraudulent updates. The company reset all employee credentials and collaborated with Czech intelligence (BIS), national police cyber units, and third-party forensic investigators to analyze the breach. While BIS attributed the attack to Chinese threat actors, Avast stated no conclusive evidence linked them to the 2017 incident but acknowledged the attacker's advanced tradecraft. Internal audits confirmed no malicious code reached CCleaner releases during the compromise period. The investigation remained ongoing with no additional details disclosed due to legal restrictions, though Avast affirmed user security was maintained through certificate revocation and credential resets.
