Breach happened 19 months ago. Popular VPN service is only disclosing it now.
Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.
A log of the commands used in the attack suggests that the hackers had root access, meaning they had almost unfettered control over the server and could read or modify just about any data stored on it. One of three private keys leaked was used to secure a digital certificate that provided HTTPS encryption for nordvpn.com. The key wasn’t set to expire until October 2018, some seven months after the March 2018 breach. Attackers could have used the compromised certificate to impersonate the nordvpn.com website or mount man-in-the-middle attacks on people visiting the real one. Details of the breach have been circulating online since at least May 2018.
Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could also have been used for many different sensitive purposes, including securing the server that was compromised in the breach.
The revelations came as evidence surfaced suggesting that two rival VPN services, TorGuard and VikingVPN, also experienced breaches the leaked encryption keys. In a statement, TorGuard said a secret key for a transport layer security certificate for *.torguardvpnaccess.com was stolen. The theft happened in a 2017 server breach. The stolen data related to a squid proxy certificate.
TorGuard officials said on Twitter that the private key was not on the affected server and that attackers “could do nothing with those keys.” Monday’s statement went on to say TorGuard didn’t remove the compromised server until early 2018. TorGuard also said it learned of VPN breaches last May, “and in a related development we filed a legal complaint against NordVPN.
VikingVPN officials have yet to comment.
One of those keys expired on December 31, 2018, and the other went to its grave on July 10 of the same year, a company spokeswoman told me. She didn’t say what the purpose of those keys were. A cryptography feature known as perfect forward secrecy ensured that attackers couldn’t decrypt traffic simply by capturing encrypted packets as they traveled over the Internet. The keys, however, could still have been used in active attacks, in which hackers use leaked keys on their own server to intercept and decrypt data.
It was unclear how long the attackers remained present on the server or if they were able to use their highly privileged access to commit other serious offenses. Security experts said the severity of the server compromise—coupled with the theft of the keys and the lack of details from NordVPN—raised serious concerns.
Here is some of what Dan Guido, who is the CEO of security firm Trail of Bits, told me:
Compromised master secrets, like those stolen from NordVPN, can be used to decrypt the window between key renegotiations and impersonate their service to others… I don’t care what was leaked as much as the access that would have been required to reach it. We don’t know what happened, what further access was gained, or what abuse may have occurred. There are many possibilities once you have access to these types of master secrets and root server access.
Insecure remote management
In a statement issued to reporters, NordVPN officials characterized the damage that was done in the attack as limited.
The server itself did not contain any user activity logs… None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, no other datacenter providers we use have been affected.
The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based datacenter installed on a server NordVPN leased. The unnamed datacenter, the statement said, installed the vulnerable management system without ever disclosing it to its NordVPN. NordVPN terminated its contract with the datacenter after the remote management system came to light a few months later.
NordVPN first disclosed the breach to reporters on Sunday following third-party reports like this one on Twitter. The statement said NordVPN officials didn’t disclose the breach to customers while it ensured the rest of its network wasn’t vulnerable to similar attacks.
The statement went on to refer to the TLS key as expired, even though it was valid for seven months following the breach. Company officials wrote:
The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.
Not as hard as claimed
The suggestion that active man-in-the-middle attacks are complicated or impractical to carry out is problematic. Such attacks can be carried out on public networks or by employees of Internet services. They are precisely the type of attacks that VPNs are supposed to protect against.
“Intercepting TLS traffic isn’t as hard as they make it seem,” said a security consultant who uses the handle hexdefined and has spent the past 36 hours analyzing the data exposed in the breach. “There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim’s traffic (e.g. on public Wi-Fi).”
Note also that the statement says only that the expired TLS key couldn’t have been used to decrypt VPN traffic of any other server. The statement makes no mention of the other two keys and what type of access they allowed. The compromise of a private certificate authority could be especially severe because it might allow the attackers to compromise multiple keys that are generated by the CA.
Putting all your eggs in one basket
VPNs put all of a computer’s Internet traffic into a single encrypted tunnel that’s only decrypted and sent to its final destination after it reaches one of the provider’s servers. That puts the VPN provider in the position of seeing huge amounts of its customers’ online habits and metadata, including server IP addresses, SNI information, and any traffic that isn’t encrypted.
The VPN provider has received recommendations and favorable reviews from CNET, TechRadar, and PCMag. But not everyone has been so sanguine. Kenneth White, a senior network engineer specializing in VPNs, has long listed NordVPN and TorGuard as two of the VPNs to reject because, among other things, they post pre-shared keys online.
Until more information is available, it’s hard to say precisely how people who use NordVPN should respond. At a minimum, users should press NordVPN to provide many more details about the breach and the keys and any other data that were leaked. Kenneth White, meanwhile, suggested people move off the service altogether.
“I have recommended against most consumer VPN services for years, including NordVPN,” he told me. “[The services’] incident response and attempted PR spin here has only enforced that opinion. They have recklessly put activists lives at risk in the process. They are downplaying the seriousness of an incident they didn’t even detect, in which attackers had unfettered admin LXC ‘god mode’ access. And they only notified customers when reporters reached out to them for comment.”
2 Companies Ready For a Huge Cybersecurity Opportunity
It was always there. But it would be naive to say the COVID-19 pandemic hasn’t accelerated the cybersecurity market’s growth pace. With millions of employees still — and perhaps permanently — working from home, many enterprises remain far too vulnerable to hacking and digital security breaches.
The depth of the need for cybersecurity solutions, however, may still not be fully appreciated by investors. That in turn means that cybersecurity providers Palo Alto Networks (NYSE:PANW) and Fortinet (NASDAQ:FTNT) may remain underestimated. Not only are they two of the top names in the business, but each has a security solution available right now for employees connecting to a company’s network from home.
A couple of recent predictions flesh out this opportunity.
Just the beginning
The cybersecurity market is currently worth around $200 billion, according to numbers from Mordor Intelligence, but it’s on pace to grow a bit more than 14% per year through 2025. That’s impressive, particularly compared to other industries’ growth outlooks.
But it’s an estimate that still fails to adequately paint a complete picture of what the right company could do given the opportunity at hand. Even with power players like the aforementioned Fortinet and Palo Alto in place, Mordor says the market remains highly fragmented. Both companies could continue to make acquisitions, achieving economies of scale as they expand.
Even without dealmaking, though, the industry’s rising tide will lift these boats.
Technology market research firm Gartner supplies one of the clearest reasons to expect that tide to keep rising. Last month it opined that “bring your own PC,” or BYOPC, security will be normalized in five years or less. And within 10 years, secure access service edge, or SASE, will be the norm for enterprise-level organizations.
The terms and their acronyms may not mean much to the layperson, but cybersecurity folk may be nodding their heads in agreement. Bringing-your-own-PC security is exactly what it sounds like. Rather than a tech department issuing devices to workers with security features pre-installed, employees procure their own devices and then — hopefully — take all the necessary steps to ensure cloud-based connections are secure. A secure access service edge is a newer digital security theme that creates a networking environment that allows for, among other things, BYOPC.
In some regards, they’re the next step in the natural evolution of connectivity. Gartner may not be overstating things, however, when it suggests the two technologies “will have transformational impact on global businesses within the next 10 years.” In a post-COVID world, Gartner research director Rob Smith explains, “[Cyber] security leaders should expect the need to support BYOPC to be dependent upon a long-term work-from-home strategy, and also expect to support security tools needed for a BYOPC environment.”
In the same vein, technology market analytics outfit International Data Corp. (IDC) recently predicted that by 2024, 60% of the United States’ employees will work remotely — either at home or out in the field with customers and at project sites. That would push the total number of remote workers to more than 93 million, and subsequently expand the likelihood of cyberattacks.
The cybersecurity industry isn’t starting from scratch, however. Both Palo Alto and Fortinet had remote connectivity protection available even before the pandemic took hold.
For Palo Alto Networks, one of those products is Prisma Access, which is a secure access service edge — or SASE — offering that Gartner suggests will become commonplace by 2030. It’s built specifically for mobile users and branch offices that need reliable, safe access to a corporate network. Palo Alto also offers cloud-based SD-WAN, or software-defined wide-area networking, with the help of recently acquired CloudGenix. It’s a testament to the potential of the right sort of dealmaking that allows for bolt-on improvements of the company’s existing capabilities.
As for Fortinet, it’s got a few tools in its mobile cybersecurity toolbox as well, like the FortiGate platform. Among other things, it’s a way of putting a firewall in place, managing virtual private networks that encrypt communications from devices all the way to a company’s servers, and implementing an intrusion prevention system. FortiGate customers also automatically have access to an SD-WAN solution for remote offices or remote employees, and the platform was a key part of last quarter’s growth.
These offerings aren’t exactly brand new, and more are apt to be on the way. What’s new is the sudden, true realization of the need for them. As Gartner’s Rob Smith noted: “Prior to the COVID-19 pandemic, there was little interest in BYOPC. At the start of the pandemic, organizations simply had no other alternative. The urgent need to enable employees to work from home and a lack of available hardware bolstered its adoption globally.” International Data Corp.’s senior research analyst Bryan Bassett expects that adoption has only begun, saying: “To meet the needs of more mobile, remote, and work-from-home workers, U.S. enterprises have indicated that mobile security and mobile management solutions will be top spending priorities going forward.”
While the bullish outlook for these companies is strong, would-be investors in either should note that the predictions from IDC and Gartner are long-term in nature. Gartner’s SASE adoption expectation could take up to 10 years to play out fully. International Data Corp.’s mobile worker outlook looks to the end of 2024. Investors not thinking in multi-year terms may find this opportunity isn’t for them.
Still, the opportunity is real for those willing to wait for it to fully gel. It’s long-term enough, in fact, that investors interested in plugging into it don’t necessarily have to do so today, this month, or even this year.
Emotet Botnet: A Primer for Cybersecurity and IT Pros
With all that’s going on with COVID-19, work-from-home and economic contraction in the U.S. and globally, it’s easy for cybersecurity experts and other technologists to have missed that one of the most destructive malware strains made a surprise return in late July.
Emotet, a botnet with global reach, resurfaced on July 21 after a nearly five-month absence, according to multiple security firms, including Proofpoint and Malwarebytes. Since that time, researchers have recorded at least 800,000 spam messages associated with the malware in countries all over the world, including in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain.
Waves of malware tend to come and go, but Emotet has developed a unique reputation over the years as it matured from banking Trojan to full-blown menace. When the U.S. Cybersecurity Infrastructure and Security Agency issued a warning about the botnet in January, the agency’s analysts warned about its destructive potential.
“Emotet continues to be among the most costly and destructive malware affecting [State, Local, Tribal, and Territorial] governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate,” stated the public CISA alert.
With the current Emotet campaign underway, analysts and experts warn that security and IT teams should be on the lookout for the malware and the possible destructive effects it could have on an enterprise. The campaign is also using the COVID-19 pandemic as a lure to get the unsuspecting to click on phishing emails that help power its spread.
“The campaigns usually include various payloads that have evolved over the years, primarily focused on stealing banking information or funds. Since the return of Emotet this summer, we’ve seen it using COVID-19 themes in the social engineering lures, as well as sending to recipients in a wide variety of countries,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint and well-known expert on Emotet, told Dice.
“The threat group behind Emotet is one that uses timely lures in campaigns that are truly massive in scale. In some Emotet campaigns we’ve seen over a million messages over the course of a few days,” DeGrippo added.
Emotet: A History
Emotet started life as a banking Trojan in 2014 that mainly stole financial and personal data. Over the next few years, however, the malware evolved into more of a botnet with the ability to infect multiple devices and expand its malicious network. Due to its modular nature, its creators have added new features as time went on, and it continues to evolve to this day.
In addition to the botnet, Emotet also has the ability to act as a dropper (or downloader) that can help plant other malware within a compromised device. In 2019, security experts found a triple threat: Emotet delivering another malware called TrickBot to infected endpoints, which would then download a ransomware variant called Ryuk.
These and other features are one of several reasons why warning bells ring whenever Emotet re-emerges. “Emotet is one of the most prolific malware families of the past five years. It has evolved from being specifically a banking Trojan into malware-as-a-service (MAS) with a distributed botnet infrastructure,” Jared Greenhill, director at Crypsis Group, an incident response and risk management firm, told Dice.
In the latest Emotet campaign that started in July, researchers have found that attacks start with a large-scale spam campaign that delivers phishing emails to as many victims as possible. The messages contain either a malicious attachment, a URL in the email body, or an attachment with a link. These attachments and links then deliver the initial malware infection, DeGrippo said.
If the link or attachment is opened, malicious macros are enabled that launch a PowerShell script that eventually installs Emotet within a compromised device. From there, Emotet can then download other malware. In the latest campaign, DeGrippo and others have found that it attempts to install Qbot—a banking Trojan that is known to infect financial institutions and their customers.
In some cases, the Emotet-laced message appears as part of an existing email chain, making it more likely that someone will click on the malicious link or attachments. These types of built-in social engineering techniques are a key reason why Greenhill recommends additional security training for employees to help spot this type of malware lurking in seemingly legitimate messages.
“One of the reasons Emotet is so effective is, like other types of threats, it begins with phishing tactics, and recent approaches have used brand names the recipient would be familiar with or subjects that have urgency, such as past-due notifications,” Greenhill said. “As we often see, much of the success of this malware begins with users making an error—opening a malicious attachment. A very important remedy to this is rigorous end-user training on spotting malicious emails, attachments, links, and senders, even if the sender appears legitimate.”
While Emotet is more destructive than most other malware, it’s not impossible to fight back and protect people and data alike.
“People can best protect themselves against Emotet by implementing a strong antimalware program within their secure email gateway, in conjunction with user education that reinforces the risks posed by links and attachments,” DeGrippo said.
In its alert, CISA offers several ways to counter Emotet as well as other malware. These include:
Block: Organizations should block email attachments associated with malware, such as .dll and .exe files, as well as attachments that cannot be scanned by antivirus software, such as .zip files.
Implement: Organizations should implement programs such as antivirus programs and formal patch management processes. CISA also recommends implementing a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system to cut down on spoofed emails.
Segment: Organizations should segment networks and functions to keep attacks from spreading across the network.
Limit: Finally, organizations should work to limit lateral movement throughout their network, which can reduce Emotet’s ability to move from device-to-device.
Others have found their own ways to fight back against Emotet. In August, James Quinn, an analyst with security firm Binary Defense, published a blog post that details how he found a “kill switch” in Emotet that helped reduce attacks earlier this year. That’s one of the reasons the botnet disappeared from the scene between February and late July.
Malware gang uses .NET library to generate Excel docs that bypass security checks
A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.
Discovered by security researchers from NVISO Labs, this malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.
But NVISO said these weren’t your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
Malicious Excel files were compiled with EPPlus
According to NVISO, this was because the documents weren’t compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.
Developers typically use this library part of their applications to add “Export as Excel” or “Save as spreadsheet” functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.
NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.
The OOXML spreadsheet files generated by Epic Manchego lacked a section of compiled VBA code, specific to Excel documents compiled in Microsoft’s proprietary Office software.
Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.
This blob of compiled VBA code is usually where an attacker’s malicious code would be stored. However, this doesn’t mean the files were clean. NVISO says that the Epic Manchego simply stored their malicious code in a custom VBA code format, which was also password-protected to prevent security systems and researchers from analyzing its content.
But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document.
Active since June
The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the “Enable editing” button), the macros would download and install malware on the victim’s systems.
The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user’s browsers, emails, and FTP clients, and sent them to Epic Machengo’s servers.
While the decision to use EPPlus to generate their malicious Excel files might have had some benefits, in the beginning, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to very easily detect all their past operations by searching for odd-looking Excel documents.
In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year.
NVISO says this group appears to be experimenting with this technique, and since the first attacks, they have increased both their activity and the sophistication of their attacks, suggesting this might see broader use in the future.
Nevertheless, NVISO researchers weren’t totally surprised that malware groups are now using EPPlus.
“We are familiar with this .NET library, as we have been using it since a couple of years to create malicious documents (“maldocs”) for our red team and penetration testers,” the company said.
Tech News18 hours ago
Apple Loop: Shock iPhone 12 Details, Massive iOS 14 Problems, Macbook Pro Delay
Research18 hours ago
Apple iPhone 12 Pro Max’s AnTuTu result shows minor performance gains
Internet3 days ago
Google Chrome prepares new tab groups feature that creates groups automatically
The Motivator18 hours ago
PS5 Game Install Sizes Revealed, And They’re Enormous
Systems18 hours ago
LG Wing takes aim at Galaxy Z Fold 2 – shakes up the new status quo
The Motivator18 hours ago
Editing HTML Like A Boss In VS Code