How Supply Chain Attacks Made Avast And NordVPN Suffer From Data Breaches

With more devices connected to the internet, people are advised to use antivirus solutions and VPN services to enhance their security and privacy.

So it's ironic that both antivirus solution provider Avast and VPN service NordVPN disclosed that they have been hacked. The two experienced data breaches caused by exposed credentials, which granted attackers remote access to their internal systems.

As software becomes more sophisticated, its reach widens and it becomes more complex to maintain, so companies may outsource certain resources to third parties.

Both Avast and NordVPN suffered data breaches, but in different incidents. And the cause was the same: supply chain attacks.

Supply chain attacks compromise the weakest third-party vendor in the supply chain, in this case vendors connected to Avast and NordVPN.

First off is Avast.

The Czech Republic-based cybersecurity firm said it encountered a “cyber-espionage attempt” on September 23, when bad actors inserted malware into its popular CCleaner cleanup utility.

The strategy was similar to the CCleaner supply chain attack of 2017 where the software was infected with the Floxif malware.

The attackers, dubbed Abiss, gained access to Avast's systems by compromising VPN credentials that were not protected with two-factor authentication.

As a precaution, Avast said it paused future CCleaner releases starting September 25th, to check the integrity of the code and ensure that it hadn’t been tampered with. The company also intentionally left the compromised VPN profile open so it could track the threat actors, before rolling out an update on October 15.

"At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target," explained Avast on its blog post.

“It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected."

Supply chain attack

And as for NordVPN, the VPN provider disclosed its own data breach.

Security researchers found that NordVPN’s private keys, which were used to digitally sign and prove the authenticity of a website, were leaked on the internet.

The hacker managed to gain access to NordVPN's unprotected remote management system, which was left exposed by an unnamed data center in Finland, back in March 2018. The keys, the company said, were stolen at the same time its data center was breached.

NordVPN added that the Finnish server did not contain activity logs, usernames, or passwords.

"The intruder did not find any user activity logs because they do not exist. They did not discover users’ identities, usernames, or passwords because none of our applications send user-created credentials for authentication," said NordVPN on its blog post, officially responding to this incident.

Still, hackers could see which websites its users were visiting during that time, although the content of those websites would have been encrypted.

If the hackers had engineered this exploit to stage a man-in-the-middle attack, they could have rerouted the VPN users' traffic to a malicious fake server under their control. If that was the case, the hackers could have captured users’ unencrypted data exchanged with non-HTTPS websites.

NordVPN said that its server was vulnerable between January 31, 2018 and March 20, 2018, but noted it was only breached once, and that was in March.

“We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues,” the company said, adding it couldn’t complete the security audit quickly because of its complex technical infrastructure and the huge number of servers involved.

The Troubling Supply Chain Attacks

A supply chain is a system of activities involved in handling, distributing, manufacturing and processing.

In Avast's and NordVPN's case, the supply chains involve the parties responsible for delivering or maintaining their software across platforms and networks.

Generally, supply chain attacks on software begin with an advanced persistent threat attempting to compromise the weakest link in the supply chain. If the attempt succeeds, the chain breaks.

When this happens, the hackers can leverage their elevated privileges to move on and attack their main target.

Avast's and NordVPN's cases were two separate incidents. But what should be noted here is that even those responsible for privacy and security can be the targets of hackers, and can fail to protect themselves.

Published: 23/10/2019