© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Sony and Lexar-trusted encryption provider leaked sensitive data for over a year

ENC Security, a Netherlands software company, had been leaking critical business data since May 2021.

When you buy a Sony, Lexar, or Sandisk USB key or any other storage device, it comes with an encryption solution to keep your data safe. The software is developed by a third-party vendor – ENC Security.

Netherlands-based company with 12 million users worldwide provides “military-grade data protection” solutions with its popular DataVault encryption software.

As it turns out, ENC Security had been leaking its configuration and certificate files for more than a year, the Cybernews research team discovered.

“The data that was leaking for over a year is nothing less than a goldmine for threat actors,” Cybernews researcher Martynas Vareikis said.

The company said a misconfiguration by a third-party supplier caused the issue and fixed it immediately upon notification.

The discovery

The data inside the leaky server included Simple Mail Transfer Protocol (SMTP) credentials for sales channels, the single payment platform’s Adyen keys, email marketing company’s Mailchimp API keys, licensing payment API keys, HMAC message authentication codes, and public and private keys stored in .pem format.

The data was accessible from 27 May 2021 up until 9 November 2022. The server was closed after Cybernews disclosed the vulnerability to ENC Security.

According to Vareikis, the discovery is worrying since bad actors could exploit the aforementioned data for a variety of cyberattacks – from phishing to ransomware.

ENC Security leak

For example, sales communication channels could be used to phish clients by sending them fake invoices or spreading malware via trusted email addresses.

“Mailchimp API keys add even more value for the malicious actors interested in phishing campaigns, as it allows them to send massive marketing campaigns and view/collect leads. Having a client list and the ability to use real email for phishing campaigns is nothing less than a goldmine for threat actors,” Vareikis explained.

Ransomware operators exploit .pem files – the keys left inside could result in unauthorized access or even a server takeover.

The repercussions of such a takeover could be devastating. Threat actors might switch the download file with an infected one.

“Having clients such as SanDisk, Sony, Lexar, and more promoting (TrustPilot reviewers complain being forced into using this software when purchasing thumb drives) your infected files would produce one of the biggest ransomware campaigns yet,” Vareikis explained.

ECN Security says its solution is downloaded over 2,000 times monthly.

Payment API keys could expose sensitive client information to the public.

Company’s response

ENC Security said it had taken swift action after analyzing the issue discovered by the Cybernews research team. The vulnerability concerned a misconfiguration by a third-party supplier, ENC Security told Cybernews. The issue is now resolved.

“At ENC Security we take the security and protection of our data seriously. Every finding is thoroughly researched and remediated with appropriate measures. Relevant measures are taken when required, amongst which security measures, informing customers and further enhancing security,” the company’s spokesperson said.

The company told Cybernews the issue affected 0,7% of its users, and it found "no signs or traces of any malicious actor in the respective period."

ENC Security lists Sony, Lexar, Sandisk, and WD as large corporations that trust them. However, the company told Cybernews that both "Sony and Lexar have not been active customers of ENC Security for more than two years."

Pelissier discovery

Vareikis believes the Cybernews discovery is no less worrying than the researcher’s Sylvain Pelissier discovery in December 2021.

Last year, Pelissier demonstrated a couple of vulnerabilities found in ENC Security’s DataVault encryption software that could lead to an attacker obtaining user passwords and modifying files in a vault without detection.

At the time, ENC Security acknowledged that DataVault software versions 6 and 7.1, and their derivatives, were vulnerable to dictionary-type attacks. The software also used a “password hash with an insufficient computational effort” that could allow attackers to brute force user passwords.

The company addressed vulnerabilities by issuing an upgrade.

"Big company names and trendy security keywords like "military-grade" encryption should always be treated with skepticism. Companies overusing these keywords induce false trust, given that simple configuration errors could lead to huge damages for everyone involved," Vareikis concluded.

More from Cybernews:

WhatsApp data leak: 500 million user records for sale

OpZero’s modus operandi: opportunity hunter, front for Kremlin, or both?

RansomExx joins the ranks of ransomware gangs switching to Rust

UK bans Chinese cameras on government sites

Almost a thousand arrested over global $130m cyber fraud

Why individual arrests will not shut down LockBit

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked