
Avast and NordVPN Breaches Tied to Phantom User Accounts – Krebs on Security



Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each disclosed today months-long network intrusions that – while otherwise unrelated – shared a common cause: forgotten or unknown user accounts that allowed remote access to internal systems with little more than a password.

Based in the Czech Republic, Avast is the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it had detected and resolved a breach that ran between May and October 2019 and was apparently aimed at users of CCleaner, a popular utility for cleaning up and optimizing Microsoft Windows.

Avast said it took CCleaner downloads offline in September to verify the integrity of the code and make sure no malware had been injected into it. The company also said it had revoked the certificates used to sign earlier versions of the software and released a re-signed, clean update of the product on October 15 via automatic update. It then disabled and reset all internal user credentials.

"Given all these precautions, we are confident that our CCleaner users are protected and unaffected," wrote Jaya Baloo.

This is not the first so-called "supply chain" attack on Avast: in September 2018, researchers from Cisco Talos and Morphisec announced that hackers had compromised the computer cleanup tool for more than a month, resulting in 2.27 million downloads of the tainted CCleaner version.

Avast said the attack began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were never challenged by any form of multi-factor authentication. "We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA," Baloo said.

THE NORDVPN BREACH

Separately, NordVPN, a virtual private networking service that promises to "protect your privacy online," acknowledged that it had been hacked. "Today's acknowledgment and Nord's post mortem blog come just hours after it was revealed that NordVPN had leaked an expired internal private key that could potentially allow anyone to spin up their own servers imitating NordVPN," writes Zack Whittaker at TechCrunch.

VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively preventing your ISP or anyone else on the network (other than you and the VPN provider) from seeing which websites you visit or the content of your communications. This can provide a degree of anonymity, but the user is also relying heavily on that VPN service not to get hacked and expose that sensitive browsing data.

NordVPN's account appears to downplay the intrusion, saying that while the attackers could have used the private keys to intercept and view traffic for some of its customers, they would have been limited to eavesdropping on communications routed through just one of the company's more than 3,000 servers.

"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords could not have been intercepted either," the NordVPN blog post says. "On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."

NordVPN said the intrusion occurred in March 2018 at one of its data centers in Finland, and that "the attacker gained access to the server by exploiting an insecure remote management system left by the data center provider, while we were unaware that such a system existed." NordVPN declined to name the data center provider, but said the provider removed the remote management account without notifying it on March 20, 2018.

"A few months ago, when we learned about the vulnerability the data center had, we immediately terminated the contract with the server provider and destroyed all the data on the servers we had been renting from them," the company said. "We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This could not be done quickly due to the huge number of servers and the complexity of our infrastructure."


TechCrunch criticized NordVPN for the somewhat dismissive tone of its breach disclosure. Kenneth White, director of the Open Crypto Audit Project, said on Twitter that the company had suffered a significant breach that went undetected for more than a year, and that logs dumped on Pastebin accurately described the extent of the intrusion: "The attacker had full remote admin on their Finland node containers."

"This is God Mode, folks," wrote White. "And they did not log and did not detect it. I would treat all their claims with great skepticism."

ANALYSIS

Many readers wonder whether they should route all of their online communications through a VPN. It is important, however, to understand the limitations of this technology, and to take the time to vet providers before entrusting them with virtually all of your browsing data – and possibly making your privacy problems worse. A separate post explains what to look for when evaluating a VPN service.

Forgotten user accounts that grant remote access to internal systems, such as VPN and Remote Desktop Protocol (RDP) services, have been a constant source of data breaches for years. Thousands of small and medium businesses have been relieved of millions of customer card records over the years after their IT contractors were hacked and the same remote access credentials were found to be in use at every customer site.

Almost all of these breaches could have been stopped by requiring a second authentication method in addition to a password, which can easily be stolen or phished.
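As an added example (not from the article or either company), a small Python audit that flags the kinds of remote-access accounts both breaches turned on: accounts with no second factor, temporary profiles nobody scheduled for removal, and dormant accounts nobody remembers. The account records and the reference date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RemoteAccessAccount:
    """One account that can reach internal systems over VPN or RDP (hypothetical)."""
    username: str
    service: str                    # "vpn" or "rdp"
    mfa_enforced: bool              # is a second factor required at login?
    temporary: bool                 # created as a short-lived profile
    expires: Optional[datetime]     # planned removal date, None if never set
    last_login: Optional[datetime]  # None if the account has never been used


def audit_accounts(accounts: List[RemoteAccessAccount], now: datetime,
                   stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [issues]} for accounts matching the phantom-account pattern."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if not acct.mfa_enforced:
            issues.append("no-mfa")                 # a password alone is enough to get in
        if acct.temporary and acct.expires is None:
            issues.append("temporary-no-expiry")    # nobody scheduled its removal
        elif acct.temporary and acct.expires < now:
            issues.append("temporary-past-expiry")  # should already have been disabled
        if acct.last_login is None or now - acct.last_login > timedelta(days=stale_after_days):
            issues.append("dormant")                # unused long enough to be forgotten
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample data: hypothetical accounts and a fixed reference date.
NOW = datetime(2019, 10, 21)
SAMPLE_ACCOUNTS = [
    RemoteAccessAccount("svc-backup", "vpn", False, True, datetime(2019, 4, 30), datetime(2019, 9, 12)),
    RemoteAccessAccount("jdoe", "vpn", True, False, None, datetime(2019, 10, 20)),
    RemoteAccessAccount("contractor-rdp", "rdp", False, False, None, datetime(2018, 3, 20)),
    RemoteAccessAccount("ops-temp", "vpn", True, True, None, None),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, issues in run_sample_audit().items():
        print(f"{user}: {', '.join(issues)}")
```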

The ongoing supply chain attack against Avast reminds me of something I was thinking about recently: software that updates itself automatically whenever it likes. I heard from a reader who lamented the demise of programs like Secunia's Personal Software Inspector and FileHippo, which let users automatically download and install available updates for a wide range of third-party Windows programs. I seek out and disable any auto-update features in the software I have installed. I would rather be notified of new updates when I start the program and have the chance to review the changes and see whether there are any known issues with the new version. Years of experience with unexpected surprises on Microsoft Patch Tuesdays have cured me of any affinity I once had for auto-update features.



Tags: Avast breach, FileHippo, Jaya Baloo, Kenneth White, NordVPN breach, Open Crypto Audit Project, Secunia Personal Software Inspector, supply chain attack, TechCrunch, Zack Whittaker


