Antivirus solution provider Avast and VPN service NordVPN both disclosed data breaches caused by exposed credentials that granted attackers remote access to internal systems.
The twin developments come as supply chain attacks — compromising a third-party vendor with a connection to the true target — targeting security-related apps are becoming a common vector to install malware.
A cyber-espionage attempt
Czech Republic-based cybersecurity firm Avast said it encountered an “cyber-espionage attempt” on September 23 to insert malware into its popular CCleaner cleanup utility — similar to the supply chain attack of 2017 where the software was infected with Floxif malware.
The attackers — dubbed Abiss — gained foothold through compromised VPN credentials that were not protected using two-factor authentication, allowing them to access the internal network since May, the company revealed.
As a precaution, Avast said it paused upcoming CCleaner releases effective September 25 last month to check the integrity of the code and ensure it hadn’t been tampered with malicious alterations.
The company also intentionally left the compromised VPN profile open for purposes of tracking the threat actor, before rolling out a fresh update on October 15.
“It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” Avast said.
The NordVPN breach
In a separate incident, NordVPN, a VPN service that promises to “protect your privacy online,” disclosed a breach of its own. Last weekend, security researchers pointed out that NordVPN’s private keys, used to digitally sign the authenticity of a website, were leaked on the internet.
Troublingly, a hacker could have engineered this exploit to stage a man-in-the-middle attack to route VPN users’ traffic through a malicious fake server. What’s more, the attack could have potentially captured users’ unencrypted data exchanged with non-HTTPS websites.
In response, the panama-based company said a few months ago it became aware that one of its rented servers in Finland was accessed without authorization in March 2018.
Additionally, the company said the server was vulnerable between January 31, 2018 and March 20, 2018, but noted it was only breached once, during March.
The hacker leveraged an unprotected remote management system – left exposed by the unnamed data center – to access the server. The key, the company said, was stolen at the same time this data center was breached.
NordVPN added the Finnish server did not contain activity logs, usernames, or passwords. But the attacker would have been able to see what websites users were visiting during that time, although the content of the websites themselves would be gated behind encryption barriers.
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy
— undefined (@hexdefined) October 20, 2019
“We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues,” the company said, adding it couldn’t complete the security audit quickly because of its complex technical infrastructure and the huge number of servers involved.
VPNs are an increasingly popular means to circumvent online censorship. They add an additional layer of anonymity by routing web traffic through an encrypted tunnel of remote proxy servers that keeps it safe from prying eyes.
Using a VPN, however, will not keep your browsing habits anonymous as the VPN provider would still be able to see which sites you are visiting, even if your internet service provider cannot. This is why it’s important that a VPN provider has strong security controls and a zero-log policy, which NordVPN claims it strictly adheres to.
Supply chain attacks on the rise
Exploiting a third-party also vastly increases the scale of an attack, as a successful break-in opens up access to multiple businesses, making them all vulnerable at once.
If anything, the sustained attacks against security apps underscores the need for carefully choosing a “no-logging VPN operator who isn’t out to sell or read your web traffic” before entrusting them with virtually all your browsing data.