Search This Blog

Showing posts with label VPN. Show all posts

Parliamentary Panel Advises Indian Government to Ban VPN Services

 

Citing the growing threat in cyberspace, the Parliamentary Standing Committee on Home Affairs has advised the Indian government to block the virtual private network VPN (apps), saying VPNs provide significant technological challenges to maintain the sovereignty of the nation. 

The request from the Parliamentary Standing Committee comes as 31 Members of Parliament discovered that VPNs can bypass cyber security walls and allow cybercriminals to remain anonymous online. The Committee has termed the VPN services as a threat to counter cyber attacks and other nefarious activities. 

“The Committee notes with anxiety the technological challenge posed by VPN services and Dark Web, that can bypass cyber security walls and allow criminals to remain anonymous online. As of date, VPN can easily be downloaded, as many websites are providing such facilities and advertising them,” Parliamentary Standing Committee on Home Affairs said in its report. 

“The Committee, therefore, recommends that the Ministry of Home Affairs should coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of internet service providers.”

India had recorded a 671 percent rise in the first half of 2021 compared to 2020 as a result of transformational changes in the working cultures of Indian companies. “Prior to 2021, the VPN penetration rate in India hovered around 3 percent, which is near the bottom of the list globally. Yet, by far the most significant growth in the number of downloads in H1-2021 was in India,” said Atlas VPN, a free VPN app that conducted the analysis.

The Indian government must act to strengthen tracking and surveillance by improving and developing state-of-the-art technology and put a check on VPN and the Dark Web, the Parliamentary Standing Committee advised. 

Impacts of Banning VPN on Indian Citizens 

According to the National Cyber Security Coordinator, India faces around 375 cyberattacks on a daily basis. In such circumstances, banning VPN in India could cause irreparable damage for large businesses that have relied on VPNs to secure their network connections, especially as remote work continues to be a new trend. 

Additionally, internet users will be more prone to third-party attacks and malwares trying to steal private information. Also, the internet users will not be able to access content online that is otherwise not available in India or is restricted. Also not to forget, users will lose one of the most basic and easiest ways to maintain privacy online.

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.

Pulse Security Devices Identified with Malware: Alerts CISA

 

A detailed warning concerning almost 13 malware samples associated with Pulse Secure operated devices has been issued by the Cybersecurity and Infrastructure Security Agency (CISA). These specimens were flown beneath the anti-virus radar. 

In Pulse Connect Secure's suite of virtual private network (VPN) devices, at least two main hacker groups have distributed a dozen malware families to spies on the US defense sector. Several hacking organizations supported by the Chinese are believed to be behind the attacks. 

Executives were urged to evaluate the document to identify the threat actor's strategies, techniques, and procedures while looking for any signs of data being compromised. 

Pulse Secure is indeed a global business with offices around the world. Its headquarters are situated in Silicon Valley, with development offices in Massachusetts and India. Pulse has sales offices located across America, Europe, the Middle East, and Asia. It's the most diverse SSL-VPN in the World to ensure user productivity, IT agility, and continuity in the enterprise. 

Pulse Secure devices, key infrastructure institutions, and other organizations in the commercial sector have been targeted by cyber threats ever since June 2020. Attackers used various vulnerabilities for the first entry and deployed backdoor web shells (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289). 

All of the documents examined by the CISA were identified on affected Pulse Connect Secure devices, including some updated versions of legal Pulse Secure scripts. 

In most cases, the Malevolent Files were web shells for remote persistence and remote controls to activate and execute, although other utilities were included. For one of these specimens, the CISA reports that it is a "modified version of the Secure Pulse Perl Module" - a fundamental firmware update file particularly DSUpgrade.pm - for hackers to retrieve and execute remote instructions converted to a web shell (ATRIUM). 

The embedded web shell was intended to accept an ID parameter from a web application post. The web shell processes the data offered by running it locally using a system() function within the 'id' parameter as a control of the operating system. 

In another examination, CISA discovered a customized Unix umount application designed to "hook" the environmentally friendly capabilities of a Unix device. 

The addition of this unmountable 'hook' feature results in many system changes providing persistent control and command (C2) remote operator access to an affected Pulse Secure device, as per CISA. 

The list of genuine CISA Pulse Secure files that the attacker has identified to modify include: 
  • licenseserverproto.cgi (STEADYPULSE) t
  • nchcupdate.cgi 
  • healthcheck.cgi 
  • compcheckjs.cgi 
  • DSUpgrade.pm.current 
  • DSUpgrade.pm.rollback 
  • clear_log.sh (THINBLOOD LogWiper Utility Variant) 
  • compcheckjava.cgi (hardpulse) 
  • meeting_testjs.cgi (SLIGHTPULSE) 

In cases studied by Mandiant Cybersecurity firm, most of the above files were subjected to change for nefarious intent earlier this year. The researchers indicated in an April report that CVE-2021-22893 was used by the suspected Chinese threat actor. 

As per the report of Mandiant, the opponents converted the genuine files into the STEADYPULSE, HARDPULSE, and SLIGHTPULSE web shells and a variant of THINBLOOD LogWiper utility. 

Some of the documents CISA identified on hacked Pulse Secure devices at the time of investigation were uncovered by anti-virus solutions; just one of them was available on the VirusTotal file scanning portal which was uploaded two months ago and flagged as a variation of ATRIUM web shell by one antivirus engine. 

To ensure security posture in their systems, CISA administrators advised performing several actions. It suggested that antivirus and engines be kept up-to-date along with the patches. The experts also said that file sharing and printing services must be disabled. One must use strong passwords or Active Directory authentication if required.

69K Users Affected in LimeVPN Data Breach

 

According to analysts, the VPN provider LimeVPN has been hacked, affecting 69,400 user records. Before taking down the company's website, a hacker claims to have taken the company's entire client database. According to PrivacySharks, the stolen details include user names, plaintext passwords, IP addresses, and billing information. The attack also contained the public and private keys of LimeVPN users, according to the researchers.

“The hacker informed us that they have the private keys of every user, which is a serious security issue as it means they can easily decrypt every LimeVPN user’s traffic,” the firm said in a posting. Experts are concerned about the possibility of decryption because VPNs tunnel all of their users' internet activity, which could be a gold mine of information for cybercriminals. 

The entire alleged stockpile has been listed for sale on the hacker forum RaidForums. The hacker, who goes by the handle "slashx," initially stated that the database included 10,000 documents for $400 (on Tuesday) before increasing the number (on Wednesday). According to Slashx, the heist was carried out through a security breach, rather than an internal threat or an older attack. The site then went offline on Thursday, presumably due to a virus intrusion. “Worryingly, our access was blocked by Malwarebytes [antivirus protection] due to a potential trojan found on the site,” PrivacySharks claimed. 

LimeVPN verified the data breach, according to a PrivacySharks spokesperson, and the hacker who took the database also claimed responsibility for the site's outage. LimeVPN alerted RestorePrivacy that "our backup server has been compromised" and that it had "reset our access passwords and initiated a system audit," according to RestorePrivacy, which confirmed the leak separately. Both groups of researchers made contact with the perpetrator and examined samples of the alleged data. 

RestorePrivacy researchers observed that transaction details for users buying the service were available (as in dollar amounts and payment method), but real payment-card data or bank details were not included while evaluating the available sample data offered by slashx.“This is because the VPN uses a third-party payment processor called WHMCS,” the firm noted. “However, the hacker claims to have obtained the entire WHMCS database with the LimeVPN hack.”

“Even though LimeVPN is not a large provider like Surfshark or NordVPN, the fact that its entire database was scraped raises the question of security among VPN providers,” Cliff Durward, PrivacySharks’ head of security said. “Although most VPN companies, like LimeVPN, employ no-logs policies, identifiable data such as email addresses and payment information can still be stolen and sold if security breaches occur.”

Zyxel Warns Customers About Hackers Targeting its Firewalls & VPN Devices

 

Zyxel, a manufacturer of enterprise routers and VPN devices, has issued a notification that attackers are targeting its devices and changing configurations to gain remote access to a network. 

According to Zyxel, the attacks targeted the USG, ZyWALL, USG FLEX, ATP, and VPN series using on-premise ZLD firmware. All are multi-purpose networking devices that the company sells to enterprise customers as systems that include VPN, firewall, and load balancing. 

The company stated in an email, “We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled.” 

As per the vendor's information, the attacks appear to follow the following pattern: The threat actor tries to access a device through WAN, if successful, the threat actor bypasses the authentication and establishes SSL VPN tunnels with unknown user accounts, such as “zyxel slIvpn”, “zyxel ts”, or “zyxel vpn test”, to change the device's configuration. 

Zyxel spokespersons in the United States and the United Kingdom have not responded to requests for additional information. 

At the time of writing, it is unknown whether the attacker is targeting unpatched devices using an existing vulnerability or a never-before-seen flaw known as a "zero-day" in cyber-security circles. It's also unclear whether the assaults have already resulted in security breaches at any of Zyxel's customers or if the vendor discovered the attack early with honeytraps and is now alerting clients ahead of a potentially larger wave of incoming attacks. Despite this, the vendor appears to feel that the attacks may be avoided. 

As per the research, The Record experts advised maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface and certain points must be noted: 

1. Unless you must manage devices from the WAN side, disable HTTP/HTTPS services from WAN. 
2. If you still need to manage devices from the WAN side: 
• enable Policy Control and add rules to only allow access from trusted source IP addresses; and 
• enable GeolP filtering to only allow access from trusted locations. 

The attacks against Zyxel devices come after a series of similar attacks on a variety of VPN devices, which provide a convenient way for remote attackers to get persistent access to a corporate network. 

Over the past years, Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Cisco, Sonicwall, Sophos, and F5 Networks have all been targeted by a series of attacks on their firewalls, DNS servers, and load balancers. Cyber-espionage and financially motivated groups that seek to steal sensitive information frequently target these devices.

FireEye: Transportation and Telecom Firms Being Hit in Chinese Espionage

 

According to security firm FireEye, a massive Chinese espionage operation against US and European government entities includes four new hacking tools and reaches more commercial sectors than previously reported. 

Two China-linked gangs — as well as additional hackers that investigators did not name — have used virtual private network software in breaches affecting the transportation and telecommunications industries. The breaches had previously only been identified as affecting the defense, banking, and government sectors, according to the firm. 

The intruders are using Pulse Connect Secure, a popular VPN product, to break into networks and steal critical data. According to Mandiant, FireEye's incident response arm, many of the hacked firms "operate in verticals and industries aligned with Beijing's strategic objectives" specified in the Chinese government's latest "Five Year Plan" for economic growth. 

According to Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, most of the breaches have been carried out by a group called UNC2630, which appears to work on behalf of the Chinese government. Four other pieces of malware are being used by the alleged Chinese hackers to collect data and cover their tracks. 

In a blog post published Thursday, Mandiant analysts said, “Chinese cyber-espionage activity has shown a larger tolerance for risk and is less restrained by diplomatic considerations than previously characterized.” 

In a separate incident disclosed by Microsoft in March, alleged Chinese spies used vulnerabilities in the Exchange Server software to steal email inboxes from U.S. firms. Some researchers said that the intrusions were unethical because the malicious code left on victims' systems could have been exploited by a variety of financially motivated criminals. 

On Thursday, a request for comment on Mandiant's findings was not immediately answered by a representative for the Chinese Embassy in Washington, D.C. Beijing consistently denies carrying out cyberattacks. Responding to the alleged Chinese attacks as well as a suspected Russian operation that used SolarWinds software has been a time-consuming process for US officials. 

Pulse Connect Secure is used by at least 24 federal entities, with some national-security-focused research laboratories openly announcing the use of the software. According to a representative from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Pulse Connect Secure cyberattack may have compromised at least five civilian agencies.  

According to the security firm, the claimed Chinese spies covered up traces of many of their hacks in some of the Pulse Connect breaches as Mandiant prepared to reveal the operation last month.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicate that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the Mandiant analysts alerted.

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN

 

The UK’s Nationwide Cyber Safety Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 susceptibility.

According to NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability found in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and revealed on a hacker forum. As such, the NCSC recommended organizations that are using such devices to assume they are now compromised and to start incident management procedures, where security updates have not been downloaded.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices or not. If not, the NCSC recommends installing it as soon as possible. Secondly, the corrupt devices should be removed from service, returned to a factory default, reconfigured, and then restored to service. 

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activities. Anomalous connections in access logs for the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection. 

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.

Data of 21 Million VPN Users Leaked Online

Security experts from Cybernews have discovered a massive data breach which is directly linked to the millions of VPN user. Security experts discovered during their investigation that cybercriminals are selling over 21 million users’ records on a popular hacker forum and are trading three databases that contain user credentials and device data stolen from three different Android VPN services – SuperVPN (with 100 million+ installs on Play Store), GeckoVPN (10 million+ installs), and CatVPN (50,000+ installs).

List of Leaked Information 

As per the reports of Cybernews, cybercriminals are trading three databases, two of which allegedly contain a variety of data apparently gathered by the providers from more than 21 million users. This data includes:
 
• Email addresses 
• User Names 
• Full Names 
• Country Names 
• Randomly generated password strings 
• Payment related data • Premium membership status and its expiration data 

Based on the sample that the security experts were able to view from the database, the collection also appears to contain user device information, including: 

• Serial numbers of devices 
• Phone types and manufacturers 
• Device IDs • IMSI numbers of the devices 

“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews stated. 

VPN providers: The main culprits 

Millions of users trust VPN because it strengthens user’s data privacy and security on the internet, it alters their IP address and location, making their browsing activity safe and private from cybercriminals. Cybernews claims that these three VPN providers are logging in for more information about their users than stated in their Privacy Policies. It also suspects that the cybercriminals might have gained full remote access to the VPN servers.

“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews further stated.

 

Database of 21 million users of popular VPN services leaked

The database contains email addresses, passwords and usernames of Russian users. This information can be used by hackers to obtain bank card data.

A database of 21 million users of free VPN services GeckoVPN, SuperVPN, and ChatVPN for the Android operating system was put up for sale on Darknet.

According to the SuperVPN page in the Google Play Store, the app has been installed more than 100 million times. GeckoVPN has over 10 million installs, and ChatVPN has over 50,000.

The database contains e-mail addresses, passwords and usernames of users. One of the archived samples for sale contains data about VPN users' devices, including serial numbers, phone types, and brands.

SuperVPN users' data was already in the public domain as a result of a large-scale leak last summer. The founder of the company "Internet-search" Igor Bederov, in an interview with the publication, said that the new data leak of free VPN users occurred due to "obvious negligence in handling confidential information." “Service owners have not trite to change the default passwords on their database servers,” he explained.

According to experts, user data can be used by fraudsters for phishing and man-in-the-middle attacks, when a hacker puts malicious tools between the victim and the target resource, thus intercepting the user's web sessions.

Alexei Kubarev, an expert at the Solar Dozor Product Center, told that such attacks endanger confidential data transmitted from devices over the Internet, including passwords and CVV codes of bank cards.

According to Denis Batrankov, an independent information security expert, users of VPN services need to set unique passwords so that in the event of a leak, fraudsters cannot brute force access to other services with the same password.

SonicWall Breached via Zero-Day Flaw

 

SonicWall revealed on Friday night that, highly sophisticated threat actors assaulted its internal systems by abusing a probable zero-day flaw on the organization's secure remote access products. 

The Milpitas, Calif.- based platform security vendor said the undermined NetExtender VPN customer and SMB-situated Secure Mobile Access (SMA) 100 series items are utilized to give workers and clients remote access to internal resources. The SMA 1000 series is not susceptible to this assault and uses customers different from NetExtender, as indicated by SonicWall. 

SonicWall declined to respond to questions concerning whether the assault on its internal systems was done by the same threat actor who for quite a long time infused pernicious code into the SolarWinds Orion network monitoring tool. 

The organization, notwithstanding, noticed that it's seen a “dramatic surge” in cyberattacks against firms that give basic infrastructure and security controls to governments and organizations. The organization said it is giving relief suggestions to its channel accomplices and clients. Multi-factor authentication should be enabled on all SonicWall SMA, firewall and MySonicWall accounts, as indicated by SonicWall. 

Products compromised in the SonicWall break include: the NetExtender VPN customer variant 10.x (released in 2020) used to associate with SMA 100 series appliances and SonicWall firewalls; as well as SonicWall's SMA rendition 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance. SonicWall accomplices and clients utilizing the SMA 100 series ought to either utilize a firewall to just permit SSL-VPN connections with the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA straightforwardly itself, as per the organization. 

For firewalls with SSN-VPN access utilizing the undermined variant of the NetExtender VPN customer, accomplices and clients ought to either impair NetExtender access to the firewalls or limit access to clients and administrators through an allow list/whitelist for their public IPs, as per SonicWall. 

The networking gadget creator, whose items are regularly used to secure access to corporate networks, presently turns into the fourth security vendor to disclose a security breach in the course of recent months after FireEye, Microsoft, and Malwarebytes. Each of the three previous organizations was breached during the SolarWinds production network assault. CrowdStrike said it was targeted in the SolarWinds hack also, however, the assault didn't succeed.

Top VPN Provider Zyxel Hacked, Here's a Quick Look into the Security Incident

 

Technology and networking have turned out to be the need of the hour and we must also be equally qualified to operate networking devices. One such innovation-oriented and customer-focused company is Zyxel. The network equipment company offers routers, gateways, security solutions along with several other services to make communication simpler and uninterrupted. One of the company's main services also includes providing VPN services to its patrons. Recently, the aforesaid communications corp. became a swift target for hackers because of undetected flaws in the networking devices and their VPN. 

Headquartered in Hsinchu, Taiwan Zyxel is a networking hardware company, focused on providing devices with eHome Shield that is geared up by F-Secure to give lasting protection against cybercriminals worldwide and other potential threats as well. It's a wide known fact how hackers employ specialized programming to easily break through the firewall of networking devices and access the other smart home gadgets and devices running on the compromised connection – for instance, Smart TVs, Mobile Phones, Laptops, etc. 

A while ago, an association of some cybersecurity researchers of a Dutch firm named 'Eye Control' discovered a prospective damaging the security of the system and a popular VPN solution and networking agency, Zyxel, making it more vulnerable. 

Although Zyxel has produced and transported some hundred thousand highly encrypted devices with zero percent of compromising security still it malfunctioned. This vulnerability was later confirmed by the firm itself. 

Now the question that arises is what happened and how did the hackers manage to enter the encrypted system of such a big firm with ease? 

According to the cybersecurity researchers, the backdoor account of Zyxel devices and VPN uses a username and password that were completely visible in the plain text within the Zyxel system binaries, that were running firmware version 4.60, patch 0. These credentials allowed hackers to completely access the confidential information of the users of Zyxel devices. 

After further investigation, the team of researchers concluded that the hundred thousand devices that were affected by the vulnerability were because of the latest version of the firmware update 4.60, patch 0. The Zyxel devices affected by the vulnerability included the Advanced Threat Protection series of devices, the company’s NCX series of devices, its VPN of Gateways, and a few more. 

The company has already issued new patches for the Advanced Threat Protection series (ATP), Unified Security Gateway (USG), USG Flex, and VPN series. Alongside, it has also affirmed that it would release another patch for the remaining compromised devices like the WLAN access point controller, NCX series, etc., and will launch its new update around April for better fixation of devices and safety. Till then it has requested its consumers to download the available new patches with the latest updates for the devices to ensure their safety. 

Microsoft Suffered A Rare Cyber-Security Lapse When One of Bing's Backend Servers Were Exposed Online

 

Microsoft endured a rather rare cyber-security lapse just this month when the company's IT staff incidentally left one of Bing's backend servers exposed on the web. 

Discovered by Ata Hakcil, a security researcher at WizCase, only imparted his discoveries to ZDNet the previous week. As per Hakcil's investigation, the server is said to have exposed more than 6.5 TB of log documents containing 13 billion records coming from the Bing search engine.

Hakcil said the server was exposed from September 10 to September 16, when he initially had informed the Microsoft Security Response Center (MSRC), and the server was made secure one more time with a password. 

The Wizcase researcher had the option to check and re-check his discoveries by finding search queries he performed in the Bing Android app in the server's logs.

 
Microsoft admitted to committing this mistake and commented last week, 

"We've fixed a misconfiguration that caused a small amount of search query data to be exposed," a Microsoft spokesperson told ZDNet in an email last week. After analysis, we've determined that the exposed data was limited and de-identified." ZDNet, which was provided access to the server while it was exposed without a password, can affirm that no personal user info was made public. 

Rather, the server exposed specialized details, like search inquiries, details regarding the client's system (device, OS, browser, etc.), geo-location details (wherever accessible), and various tokens, hashes, and coupon codes.
The leaky server was distinguished as an Elasticsearch system. Elasticsearch servers are high-grade systems where organizations collect huge amounts of information to handily search and channel through billions of records easily. 

Throughout the previous four years, Elasticsearch servers have frequently been the source of numerous coincidental information leaks. 

The reasons are known to fluctuate and can go from administrators neglecting to set a password; firewalls or VPN frameworks unexpectedly going down and uncovering an organization's normally-internal servers; or organizations duplicating production data to test systems that aren't always secured as rigorously as their essential infrastructure.

VPN Services Reportedly Leaked Around 1.2TB User Data Containing Sensitive Information


A recent discovery by a tech service company has taken the world by storm. The VPN services may not be as protected and secure as they guarantee to be, the company reveals that around 894GB of client information and data from UFO VPN has been exposed on the web.

This was proved true for eight quite well-known VPN services that have purportedly released a mammoth 1.2TB of client information. These VPN applications are as yet accessible on the Google Play Store with just one removed until now.

The leaked info contains subtleties like accounts passwords, VPN session secrets/tokens, IP addresses of both client devices and servers, and even the operating system of the devices.

As per by Comparitech, the tech service company responsible for the discovery,  more than 20 million client entries are included in the logs every day.

The VPN specialist co-op was likewise informed regarding the information spill yet denied any such claims. UFO VPN said that the client logs are saved for traffic monitoring and that every last bit of it is 'anonymized'.

It was later found that there are seven more Hong Kong-based VPN administrations that have around 1.2TB of client information out in the open online.

The list incorporates FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN, and UFO VPN as well. Found by VPNmentor, it was discovered that all these VPN services share a typical Elasticsearch server and also the same recipient for payments, Dreamfii HK Limited.

The information uncovered from these VPN administrations contain sensitive data like home addresses, Bitcoin and PayPal payment details, email addresses and passwords, user names, and more. Dreamfii HK is expected to be the parent company for all these VPN services.

As of now, these VPN applications are as yet accessible on the Play Store, and only Rabbit VPN has been removed.

Indians to use VPN as a way to evade ban on Chinese Apps


It seems like people have found a way to circumvent government's ban on 59 Chinese Apps including favorites like TikTok, Share it, Shien, Clash of Kings, and many more and have moved on to use VPN (Virtual Private Network) to access these apps.


Right after the ban announcement by government companies like SatoshiVPNS put an advert on their social media stating, Ann investment in a VPN is an investment that always pays for itself — many times over.” There have been articles on blabberpost and others recommending how and which VPN to use to access the banned applications.

And it's not the first time Indians have turned to VPN to dodge regulations, in fact, we are quite notorious when it comes to VPN. After Reliance Jio, Bharti Airtel and Vodafone Idea - the largest telecom providers in the country- took down porn websites from their network, India fell only three steps from 12 to 15 in terms of visitors to Pornhub. A 2019 report from Pornhub revealed that 91% of Indian users access the site via mobile phone.

 Since February, India has seen a growth of 15% in VPN usage, according to a report by ExpressVPN; the global average stands at 21%. 

By the books, using VPN is not illegal in India for as much as it's not used for any illegal activity. The most common use of a VPN in the country is either to watch pornography or to access torrents and both of these do not summon legal actions.

Since the suspension of Internet service from August 2019 till March 2020 in the Kashmir Valley and the aftermath of weak 2g and 3g networks, many citizens turned to VPN in order to reach blocked content Facebook, Twitter, and other social media sites. The government even arrested some for using VPN to promote unlawful activities.
after the ban, Google and Apple App Store removed TikTok and Helo for Indian users but other banned apps like Browsers, Club Factory, Shein, ShareIT, and Clash of Kings are still listed on both the stores.

Firefox Web Browser Launching Its Own Paid VPN Service



The Firefox Private Network service launched in beta just the previous year as a browser extension for desktop versions of the Firefox web browser is all set to be renamed as Mozilla VPN.

According to a blog post, Mozilla VPN will move out of the beta and be available as a standalone service later this year with select regions, which will include the United States.

The VPN will be accessible for $4.99 every month and the user will have the option to utilize around five devices with a similar account. Mozilla specifies this pricing is just temporary yet has not clarified whether the price will be increased or new plans introduced for fewer devices.

Mozilla VPN will be launched as a standalone and system-wide VPN service for Android, iOS, Windows, ChromeOS, macOS, and Linux platforms throughout the next few weeks.

While the Android, iOS, Windows, and Chromebook clients will be available at first, Mozilla is likewise chipping away at Mac and Linux clients which have additionally been requested by the beta testers.

Mozilla, as opposed to other web browser makers like Opera, isn't offering the service for nothing. They claim that a paid service will permit the organization to continue offering the service without benefiting from users’ data.

The service, in its current form as Firefox Private Network, is fuelled by Mullvad VPN and has servers in excess of 30 nations. It runs on the WireGuard standard that offers more privacy and better execution when contrasted with customary standards like OpenVPN being another protocol; it may not be as steady as the 'legacy' ones.

In the event that the user wishes to be a part of the beta testing or express interest for the service to be accessible in their region, they can join the waitlist by signing up the official website of the Firefox Private Network VPN and they will be notified whenever Firefox Private Network is accessible for their device and region.

The link of which is provided below: https://fpn.firefox.com/vpn/invite 

100 Million Android Users Warned Against Using this "Very Dangerous" VPN App


Millions of Android users are being cautioned against using a popular Android VPN that was removed by Google from its Play store. The action was taken by Google after Researchers found vulnerabilities in 'SuperVPN' that could leave devices open to malware attacks and allow attackers to redirect victims onto malicious servers.

As of now, the app has around 100 million downloads, however, in the year 2016 when the risks associated with the app surfaced for the first time ever in related research, it only had a total of 10,000 downloads.

While testing, security researchers identified three main issues with the app:

1. Unencrypted HTTP traffic: The communications can be intercepted by the attackers, it has been said that transferring highly sensitive information over HTTP is not secure at all.

2. Hardcoded encryption keys: The app has inbuilt decryption keys that can easily decrypt the information in an encrypted format.

3. Payload including EAP credentials: EAP credentials are being used by the VPNs therefore users outside the app can not connect to the same server. Hence, EAP credentials sent in the unencrypted payload in a way defeats the purpose.

Notably, SuperVPN was also listed as one of the top 5 VPN in Google Play Store's search results before it was taken down by the authorities. As per the findings by researchers, it contained vulnerabilities that allowed attackers to carry out man-in-the-middle attacks, also known as MITM attacks. It could expose communication that took place between the user and provider letting hackers have access to everything the user is doing online, be it browsing tabs in Chrome, making video calls or loading up apps – all of that sensitive data including passwords, private texts, and voice messages is being made available to the attackers.

Other occasions where SuperVPN drew negative remarks include the app being ranked third by the Australian researchers in an examination of the most malware-rigged VPN apps. The researchers pointed out that the app had been posing risks since it appeared on the Play Store.

While explaining more about the issues, Jan Youngren, Security Researcher at VPNPro told, "SuperVPN used a wide range of shady techniques to help it rank highly in Google, as well as to hide who actually owns the app, where it’s located, and the other apps from the same developer that may have similar issues."

"But lastly, and most importantly, it seems that the entire time the app was on the Play store, it had critical vulnerabilities in one way or another, either by being a vehicle for malware in 2016 or allowing for MITM attacks just before being removed."

"The only thing unclear now is whether these vulnerabilities are due to mistake, or intention. Nonetheless, there are millions of users right now with a dangerous app on their phone. If you’re one of those users, we implore you to delete SuperVPN immediately." He further added.

Microsoft Issues Its First Ever ‘Targeted’ Warning ; Saving VPN Servers of Hospitals


Following a recent disclosure about Iranian hackers targeting on vulnerabilities in VPN servers like the Pulse Secure, Palo Alto Systems, Fortinet, and Citrix, Microsoft gave its first-ever 'targeted' warning to a few dozen hospitals, informing them of the vulnerabilities in their own virtual private network (VPN) appliances.

With the organizations depending all the more heavily on the VPN servers as the lockdowns are in full swing of the unfortunate outbreak of the Corona Virus. They had no other option except to fall back to this means to help telecommuters but that in the end has made that specific part of the system a weakness i.e a soft spot for ransomware attackers to target – specifically at hospitals with already stressed assets.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) a month ago cautioned all organizations to fix VPN services, however, Microsoft is especially worried about hospitals' vulnerability to human-operated ransomware due to unpatched VPN servers.

One group the Microsoft team has been following is the REvil, otherwise known as Sodinokibi, ransomware gang, which is known for setting monstrous ransom demands for businesses and government agencies.

While the ransomware gang hasn't yet developed new attack techniques but instead has repurposed strategies from state-sponsored attacks for new campaigns that exploit the heightened requirement for information in the current coronavirus crisis.

The Microsoft Threat Protection Intelligence Team uncovered in a new post, "Through Microsoft's vast network of threat intelligence sources, and we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

"To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities," it added later.

When mentioning these new ransomware gangs the Microsoft team noted, “We haven't seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people's fears and the urgent need for information."

And so the Multinational Technology's recommendation to hospitals and various other organizations is to follow three key steps to shield their VPN services from attacks:

  • Apply all available security updates for VPN and firewall configurations. 
  • Monitor and pay special attention to your remote access infrastructure. 
  •  Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. 

Apart from these, there are a few more published by Microsoft to further help mitigate these attacks.

Hackers Exploit Vulnerabilities in Pulse VPN and Android Devices to Launch Heavy Cyberattack


The vulnerability named CVE-2019-1150 has affected Pulse VPN's network and is regarded as highly 'severe.' Whereas vulnerability named CVE-2019-2215 targets unpatched android smartphones. As we all know, in the world of cybersecurity, it becomes highly unsafe when the hackers target unpatched devices and systems as they can have terrible consequences. Recently, it has become a trend among hackers to target unpatched Android smartphones. Attackers were also found exploiting the flaws in Pulse Secure VPN in an attempt to compromise the cybersecurity of various organizations and individuals.


The flaw in Pulse Secure VPN

According to Kevin Beaumont, who is a Uk based cybersecurity expert, the assertion that 'Revil' is big-time ransomware and at least 2 companies are affected after the hackers exploited the vulnerability in Pulse Secure's VPN flaw. Many hackers are now exploiting this flaw to launch ransomware attacks. As per the latest information, the organization that is said to be affected by this cyber attack is a currency exchange and travel insurance company 'Travelex.' According to cybersecurity experts, the attack was launched using the Revil ransomware. The consequences of this cyberattack compelled Travelex to shut down all of its online mode of operations.
As a result, the company shut down its system offline and had to manually operate its nationwide branches.

The vulnerability known as CVE-2019-1150 is regarded as highly 'hazardous' by the cybersecurity experts. CVE-2019-1150, an uncertain read data vulnerability attacks different versions of Pulse Secure VPN named Pulse Connect Secure and Pulse Policy Secure. The vulnerability allows hackers access to Https and connects the hackers to the company's network without the hackers having to enter login credentials such as id and password. By exploiting this vulnerability, hackers can view confidential files, download files, and launch various malicious codes to disrupt the company's entire network. Pulse Secure VPN had released a security patch last year in April, and the users are requested to update to the latest security patch.

The flaw in Android Devices

Hacking group 'SideWinder APT' exploited vulnerabilities via 3 apps in the Google play store named as Camera, FileCrypt, and CallCam. “These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. Also, a URL linking to one of the apps’ Google Play pages is found on one of the C&C servers,” says Trend Micro cybersecurity experts.

NordVPN agrees to 'private' server infringement


NordVPN, a VPN provider has affirmed an intrusion on one of its servers in Finland, although the damage done was nothing serious. There were no dubious records on the server. “We don't trace, retrieve or distribute users' data. It is almost impossible for the attacker to obtain usernames and identifications and also, the hacker couldn't decipher the VPN traffic to different servers,” says the company.



"The only probable way to exploit website traffic was by doing an individual and complex MiTM breach to prevent a private connection that attempted to locate nordvpn.com," commented the company on its website. The attack happened in March 2018, when an unapproved user located the NordVPN server in Finland. They used an "unsafe remote administration system" that the data hub provider had forgotten.  The company didn't know of any such system. The server misused was attached to NordVPN's server record on January 31.

The service provider caught the violation and dismissed the account on 20th March without notifying the network provider NordVPN. The company discovered the attack several months back and immediately discontinued its engagement with the data center provider and cleansed all the details on the borrowed servers. It didn't reveal the infringement instantly because the company had to investigate the rest of its system to prevent the same incident from happening again. It also stimulated the decryption of our systems.

"This took a while because of the complex infrastructure and more than 3000 servers that our firm handles," says NordVPN. The problem didn't stir any of NordVPN's other servers. The company says that it would need engaged providers to reach more formidable safety measures. "We are also moving all of our data centers to RAM and this process would take another one year to complete," says NordVPN. While the break won't have any meaningful result on user secrecy, it will create a negative image of the company in the internet society. “NordVPN is multiplying measures on user privacy. We have supported an administration safety inspection and we are striving on a secondary no-records examination for the moment and are planning a fault munificence project." NordVPN will start autonomous surface scrutiny of its data systems to ensure it doesn't miss any loopholes.