It has happened again: Avast's CCleaner has been the target of another attempted supply chain attack. This latest attempt is a security reminder that applies to everyone:
- Your business is part of a supply chain of customers, vendors, and partners with whom you share data and, in many cases, integrate IT systems.
- A successful attack on any entity in that supply chain can lead to a breach of your IT infrastructure and spread across the entire chain.
It is also critical to remember that each of your customers, vendors, and partners has a supply chain of its own. If any of those is attacked, the attackers may find a path that eventually leads to your IT infrastructure.
Entire Supply Chains Must be Monitored
Ultimately, every business operates within a complex supply chain ecosystem. So, in addition to managing your internal security posture, your IT security team needs to monitor the postures of customers, vendors, and partners. It is also important to assess how well each of those entities monitors its own supply chain; a fourth-party or even fifth-party compromise can find its way back to your digital assets.
Consider a cloud platform provisioned by a third-party service provider. That provider may well use another company (in effect a fourth party) to oversee the security of its data center. That security company likely outsources its payroll to yet another firm, a fifth party in your supply chain ecosystem.
If an attacker breaches the payroll company, they may be able to pivot into the security company and from there into the cloud platform provider. That puts them one step away from your network.
The Risk is Too High to Ignore
While it takes considerable skill for an attacker to work their way through a supply chain, the risk is simply too high to ignore. It is critical to be vigilant about the security postures of everyone in your supply chain.
But also consider how much trust your supply chain places in your security posture, and the responsibility your IT security team carries to make sure your company "plays safe" within it. Should a breach of your IT infrastructure spread into the infrastructures of customers, vendors, or partners, your company's reputation will take a serious hit.
Customers will be apprehensive about doing business with you, vendors may hesitate to provide the products and services you need to serve your customers, and partners may decide they are better off collaborating with your competitors.
A Lesson From Avast
Avast is not alone in being hit by supply chain attacks. According to a Ponemon Institute survey, 56% of organizations have suffered a breach caused by one of their vendors. How Avast responded to the attack therefore offers a lesson for all of us.
As detailed in an October 2019 blog post by Avast CISO Jaya Baloo, Avast identified suspicious behavior on its network in September: a malicious replication of directory services from an internal IP address. Replication requests of this kind are normally issued only by domain controllers, so one coming from an ordinary user account is a strong signal of credential theft. The user whose credentials were compromised did not have admin privileges; the threat actor obtained them through privilege escalation.
The connection came from a public IP address hosted in the UK, and Avast determined the attacker also used other endpoints through its VPN service provider. Further analysis showed that the internal network had been accessed with compromised credentials through a temporary VPN profile that had erroneously been left enabled and did not require two-factor authentication.
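As an added example (not Avast's detection, and not code from Baloo's post): the check a detection engineer would write for the signal described above. It looks for the directory-replication extended rights recorded in Windows Security event 4662 when exercised by anything other than a known domain controller or directory-sync service account. The two rights GUIDs are the standard Active Directory values; the record format, account names, allow-list, and sample events are constructed for the example.

```python
"""Flag directory-replication requests from accounts that are not domain
controllers. Added example, not Avast's tooling. Assumes a simplified
'key=value|key=value' export of Windows Security event 4662; the sample
records, account names and allow-list below are constructed."""
import re
from typing import Dict, Iterable, List

# Extended rights a caller needs to pull directory data the way a domain
# controller does. These GUIDs are the standard Active Directory values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Accounts expected to replicate: DC machine accounts and any sync service.
# Constructed for the example; populate from your own domain controllers.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed sample records (one event per entry, fields separated by '|').
SAMPLE_EVENTS = [
    "EventID=4662|SubjectUserName=DC02$|SubjectDomainName=CORP|SubjectLogonId=0x3e7"
    "|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP|SubjectLogonId=0x8a41c2"
    "|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Same user exercising an unrelated (placeholder) right: not replication.
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP|SubjectLogonId=0x8a41c2"
    "|Properties={deadbeef-0000-4000-8000-000000000001}",
    "EventID=4624|SubjectUserName=jdoe|SubjectDomainName=CORP|SubjectLogonId=0x8a41c2",
]


def parse_event(record: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a field map."""
    fields: Dict[str, str] = {}
    for part in record.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def replication_rights(fields: Dict[str, str]) -> List[str]:
    """Return the replication rights named in the Properties field, if any."""
    guids = {g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))}
    return [REPLICATION_RIGHTS[g] for g in sorted(guids) if g in REPLICATION_RIGHTS]


def find_suspicious_replication(records: Iterable[str],
                                known_replicators: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per 4662 event in which a non-allow-listed account exercised
    a replication right. Event 4662 carries no network address; pivot on
    SubjectLogonId to the matching 4624 logon event to recover the source."""
    allowed = {name.upper() for name in known_replicators}
    findings: List[Dict[str, object]] = []
    for record in records:
        fields = parse_event(record)
        if fields.get("EventID") != "4662":
            continue
        rights = replication_rights(fields)
        if not rights:
            continue
        user = fields.get("SubjectUserName", "")
        if user.upper() in allowed:
            continue
        findings.append({
            "account": f"{fields.get('SubjectDomainName', '')}\\{user}",
            "rights": rights,
            "logon_id": fields.get("SubjectLogonId", ""),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_replication(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"ALERT replication by {finding['account']} "
              f"(logon {finding['logon_id']}): {', '.join(finding['rights'])}")
```

Two caveats when running this against real logs: event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits the access, so confirm the events exist before relying on the rule; and the allow-list has to be kept current, since a stale entry for a decommissioned domain controller is exactly the kind of name an attacker would reuse.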
To track the actor, as Baloo's post explains, Avast left the temporary VPN profile open, continuing to monitor and investigate access through it, until it was ready to carry out remediation. In parallel with the monitoring and investigation, Avast took proactive measures to protect end users and to ensure the integrity of both its product build environment and its release process.
Avast believes CCleaner was the likely target of the supply chain attack, as it was in the 2017 CCleaner breach, but expanded its remediation to be on the safe side. This included halting upcoming CCleaner releases and checking prior releases to verify that no malicious alterations had been made. As further preventive measures, Avast re-signed a clean update of the product, pushed it out to users via automatic update, and revoked the previous code-signing certificate.
Is Third Party Cyber-Risk Management Now Mandatory?
Having taken the precautions outlined above, Avast is confident CCleaner users are protected and unaffected. In the end, the company stopped the attempted supply chain attack before any damage was done.
But the scenario underscores how wary all businesses should be of similar attacks. This is particularly true of close working relationships with customers, vendors, and partners that involve shared access paths such as shared credentials and VPN gateways. These are high-priority targets because they create opportunities for lateral movement across supply chains.
Given the sophistication of these attacks, it is now critical to define your company's security requirements and develop a cyber-risk management program. Only then can you effectively evaluate the reputations and security postures of the customers, vendors, and partners with which you share digital information. All parties must be clear about what data is shared, who has access to it, and how it will be used; that clarity is the basis for trust that shared digital assets will remain safe and that the entire supply chain ecosystem will remain protected.