Avast, NordVPN Breaches Tied to Phantom User Accounts
Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.
Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility.
Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials.
“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote.
This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version.
Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app.
“We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote.
THE NORDVPN BREACH
Separately, NordVPN, a virtual private networking services that promises to “protect your privacy online,” confirmed reports that it had been hacked. Today’s acknowledgment and blog post mortem from Nord comes just hours after it emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN,” writes Zack Whittaker at TechCrunch.
VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. This can offer a measure of anonymity, but the user also is placing a great deal of trust in that VPN service not to get hacked and expose this sensitive browsing data.
NordVPN’s account seems to downplay the intrusion, saying while the attackers could have used the private keys to intercept and view traffic for some of its customers’ traffic, the attackers would have been limited to eavesdropping on communications routing through just one of the company’s more than 3,000 servers.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” reads the NordVPN blog post. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
NordVPN said the intrusion happened in March 2018 at one of its datacenters in Finland, noting that “the attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.” NordVPN declined to name the datacenter provider, but said the provider removed the remote management account without notifying them on March 20, 2018.
“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” the company said. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”
This page might need to be updated.
TechCrunch took NordVPN to task on the somewhat dismissive tone of its breach disclosure, noting that the company suffered a significant breach that went undetected for more than a year.
Kenneth White, director of the Open Crypto Audit Project, said on Twitter that based on the dumped Pastebin logs detailing the extent of the intrusion, “the attacker had full remote admin on their Finland node containers.”
“That’s God Mode folks,” White wrote. “And they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.”
ANALYSIS
Many readers are curious about whether they should enshroud all of their online communications by using a VPN. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. For a breakdown on what you should keep in mind when considering a VPN service, see this post.
Forgotten user accounts that provide remote access to internal systems — such as VPN and Remote Desktop services (RDP) — have been a persistent source of data breaches for years. Thousands of small to mid-sized brick-and-mortar businesses have been relieved of millions of customer payment card records over the years when their hacked IT contractors used the same remote access credentials at each client location.
Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished.
The persistent supply chain attack against Avast brings to mind something I was considering the other day about the wisdom of allowing certain software to auto-update itself whenever it pleases. I’d heard from a reader who was lamenting the demise of programs like Secunia’s Personal Software Inspector and FileHippo, which allowed users to automatically download and install available updates for a broad range of third-party Windows programs.
These days, I find myself seeking out and turning off any auto-update functions in software that I install. I’d rather be alerted to new updates when I launch the program and have the ability to review what’s changing and whether anyone has experienced issues with the new version. I guess you could say years of dealing with unexpected surprises on Microsoft Patch Tuesdays has cured me of any sort of affinity I may have once had for auto-update features.
Tags: Avast breach, FileHippo, Jaya Baloo, Kenneth White, NordVPN breach, Open Crypto Audit Project, Secunia Personal Software Inspector, supply chain attack, Techcrunch, Zack Whittaker
You can skip to the end and leave a comment. Pinging is currently not allowed.
So dive into embracing your true value and drawing closer to God even within the midst of fear and questions. Dress true to your model in clean clothes and then carry your look with confidence. After all these married ladies are fairly sturdy and when you is not going to display a powerful personality then you definately might lose the prospect of getting the date you wish to have. Many men sill choose women by their seems because they have not had the right motivation to not, or have not run into the issues it may cause. Located within the Facebook app, you may build your courting profile based on pre-filled info taken out of your existing Facebook social media profile, making it simpler than ever to get started making matches. The more real and humble a man comes off, the more seemingly it’s that he will get a lady so far her.
It normally comes off as whining and complaining. However, once we discuss in context of Indian tradition and traditions, most marriages, until just a few years in the past, were arranged. However, not all men are able to win the center of these married ladies and so they never get the possibility to go on relationship married women. Dating married women has been taken under consideration by some men. Are you one of those males? Many males want they’d know the way to make a date go higher. It is healthier to take the initiative and start chatting your self. You should also take care to truthfully replicate who you might be on your teenage relationship profile. No woman likes a man who doesnt take care of himself. For many ladies, this is a sign of a responsible man. It solely takes one strong man and the courage to deal with married ladies and ask them for a date.
Again, a responsible and respectful man will get to the agreed place on time. Aboriginal time relationship is supposed for alive anniversary others. Be simple on your aboriginal date. So accumulate it simple and smooth. Simple to login and with simple phrases and privateness policy, it’s range finest method up to now with different folks on this site and to get your soul mate on Completely Free Dating. It happens many instances that if you are out and down, then mates begin suggesting you to go on a date. If the subject is one thing acquainted then share the data. Feel free to share your strategy within the comment section. Contact my workplace for extra info particulars of how to obtain free 7-part on line e-course. Although some online dating sites offer free membership, there will probably be some prices incurred somewhere with the utilization of services as all companies are set as much as make revenue. To apperceive added about your date you charge to ask some questions however be abiding that you are allurement the questions which you appetite to ask. Dont be boring by going by the weather and so on. Also, the worst factor you are able to do is keep speaking, telling a lot about yourself that your date can’t get a word in.
Dating 101 is a guide created for females to assist keep them protected whereas courting. They lock moisture into the hair, they help keep your hair erect and they reduce friction allowing the blade to glide easily over the skin. In case you may help it, dont keep saying hey to folks passing by as you are in your date. Can you keep criticism out of the conversation? Should you had not made reservations, pick [url=https://asiamescam.wordpress.com/]asiame review[/url] a table where you may have a non-public conversation, however not so removed from the remainder of the room that your date feels trapped. If I used to be wanting for somebody to spend the remainder of my life with, why wouldn’t I be choosy as possible? What I did be taught that winter was the value in approaching life as a perpetual scholar; being keen to pay attention and study. There aren’t many alternatives to do these things if you live a busy life, so why not make courting into something fun by spicing it up in comparison with your regular life? Uniform Dating is a fast growing, profitable business which is a dominant player within the uniformed personnel courting niche and fits completely into our portfolio of websites. Obviously, the relationship websites claim they do.