The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.

 

Released on the hacking forum XSS, the link to the source code is only accessible to active users on the site who have previously replied to or reacted to other posts on the site.

Security Joes researcher Tom Malka, who shared the source code with BleepingComputer, compiled the package and found it creates three executables - a ransomware configuration builder, the encryptor, and a decryptor.

Sprinkled throughout the source code are Russian comments, shown above, that clearly demonstrate the native language of the developer.

 

A Paradise ransomware affiliate can use the builder to customize their own version of the ransomware to include a custom command and control server, encrypted file extension, and contact email address.

Once the customized ransomware is created, affiliates can distribute the malware in their campaigns to target victims.

Welcome to Paradise

The Paradise Ransomware operation first launched in September 2017 through phishing emails containing malicious IQY attachments that downloaded and installed the ransomware.

 

Over time, multiple versions of the ransomware were released, with initial versions containing flaws that led to the release of a Paradise Ransomware decryptor.

 

However, the new versions switched the encryption method to RSA, which prevented the free decryption of files.

 

Michael Gillespie, who created the original Paradise Ransomware decryptor, told BleepingComputer that the versions of Paradise that were released include:

 

• Paradise - Native version that had the flaws allowing decryption.
• Paradise .NET - A secure .NET version that switched encryption algorithms to use RSA encryption.
• Paradise B29 - A "Team" variant that only encrypted the end of a file.

 

Gillespie said that it is not clear if they were all developed by the same group as they were all circulating at around the same time with thousands of different extensions, as threat actors flocked to the growing Ransomware-as-a-Service.

 

Based on submissions statistics to ID Ransomware, the Paradise Ransomware was heavily distributed between September 2017 and January 2020, when it suddenly tapered off until now, where it is rarely seen.

Unfortunately, Gillespie tells BleepingComputer that the source code is for the secure version of Paradise Ransomware that utilizes RSA encryption to encrypt files.

 

Using this source code, other threat actors  can easily modify it to release their own customized version of the ransomware, allowing an easy entry point into creating a new ransomware operation.

 

America's largest propane provider, AmeriGas, has disclosed a data breach that lasted ephemerally but impacted 123 employees and one resident.

 

AmeriGas servers over 2 million customers in all 50 U.S. states and has over 2,500 distribution locations.

 

This month's data breach was reported by the propane giant to the Office of the New Hampshire Attorney General.

Data breach lasted '8 seconds', impacted 123 employees

This month, AmeriGas has issued a data breach notification letter to the New Hampshire Attorney General's Office.

 

The data breach, however, originated at J. J. Keller, a vendor responsible for providing Department of Transportation (DOT) compliance services to AmeriGas.

 

These services include helping AmeriGas with conducting driving record checks, drug and alcohol testing for drivers, and other DOT-imposed regulatory checks. 

 

On May 10th, J. J. Keller detected suspicious activity on their systems associated with a company email account.

 

As such, the vendor promptly began investigating their network to discover that a J. J. Keller employee had fallen victim to a phishing email, leading to a compromise of their account.

 

During this brief access window threat actor(s) could view certain files present within the employee's compromised account.

 

After resetting the employee's account credentials, J. J. Keller promptly began their forensic activities to determine the full scope of this breach.

 

By May 21st, J. J. Keller notified AmeriGas that this eight-second breach exposed records of 123 AmeriGas employees present in the files viewable to the attacker.

 

"According to J.J. Keller, during the 8-second breach, the bad actor had access to an internal email with spreadsheet attachments containing 123 AmeriGas employees' information, including Lab IDs, social security numbers, driver's license numbers, and dates of birth."

 

"To date, we are unaware of any actual or attempted misuse of this personal data as a result of this incident," disclosed AmeriGas in a sample data breach notification letter dated June 4th, 2021. 

 

Also exposed in the breach, was the information of just one New Hampshire resident, who has since been notified of the incident and been provided with free credit monitoring services.

 

At this time, there is no indication that any employee information was copied or misused.

Second security incident concerning AmeriGas this year

This incident marks the second data breach incident concerning AmeriGas this year.

 

In March 2021, AmeriGas had disclosed an attempted data breach, in which a company customer service agent was fired for potentially misusing customer credit card information.

 

According to AmeriGas, some customers phoning AmeriGas customer service had verbally disclosed their credit card information to this representative who may have misused this information to make unauthorized purchases. 

 

At the time the company had said:

 

"We recently detected that there were unauthorized disclosures of credit card information to one of our customer service agents."

 

"We do not know whether your credit card information was shared but are writing in an abundance of caution. "

 

"We investigated the issue as a precaution to further secure your information."

 

"The agent involved has been terminated and we have already implemented additional safeguards," the company had disclosed at the time.

 

Cyber-attacks and incidents against critical energy companies are continuing to grow, prompting the need for stepping up security controls and awareness training across organizations.

 

Apple has fixed two iOS zero-day vulnerabilities that "may have been actively exploited" to hack into older iPhone, iPad, and iPod devices.

 

The two bugs (tracked as CVE-2021-30761 and CVE-2021-30762) are caused by memory corruption and use after free issues in the WebKit browser engine, both found and reported by anonymous researchers.

 

Webkit is a browser rendering engine used by Apple web browsers and applications to render HTML content on desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.

 

Attackers could exploit the two vulnerabilities using maliciously crafted web content that would trigger arbitrary code execution after being loaded by the targets on unpatched devices.

 

Impacted devices include older:

 

• iPhones (iPhone 5s, iPhone 6, iPhone 6 Plus).
• iPads (iPad Air, iPad mini 2, iPad mini 3).
• and the iPod touch (6th generation).

 

"Apple is aware of a report that this issue may have been actively exploited," Apple said when describing the two iOS 12.5.4 vulnerabilities.

Steady stream of exploited zero-days

Since March, we've seen a neverending stream of zero-day bugs—nine of them in total—showing up in Apple's security advisories, most of them also tagged as having been exploited in attacks.

 

Last month, Apple patched a macOS zero-day (CVE-2021-30713) used by the XCSSET malware to bypass Apple's TCC protections designed to safeguard its users' privacy.

 

Apple also addressed three zero-days (CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666) in May, bugs found in the Webkit engine allowing arbitrary remote code execution (RCE) on vulnerable devices simply by visiting malicious websites.

 

The company also issued security updates to address one more iOS zero-day (CVE-2021-1879) in March and zero-days in iOS (CVE-2021-30661) and macOS zero-day (CVE-2021-30657) in April.

 

The latter was exploited by Shlayer malware to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks.

End-to-end encryption is coming to Google Workspace

 

 

Google Workspace, the company's productivity and collaboration suite, is set to  receive a new client-side encryption feature that is hoped to boost security for customers of all sizes. 

 

The announcement is one of a handful of security upgrades for Google Workspace and Google Drive, designed to enhance data security in new hybrid work environments.

 

The lack of end-to-end encryption in Google Workspace has been a major source of criticism, with some businesses opting for less feature-rich alternatives that offer built-in encryption.

 

However, the addition of client-side encryption gives Google a chance to pitch itself to industries with regulations that mandate the use of end-to-end encryption, most notably finance and healthcare. 

 

The new encryption controls will be rolled out for beta testing in the coming weeks.

Google Workspace security

According to Google, the client-side encryption feature will first be rolled out for the most popular Workspace services, including Drive, Docs, Sheets, and Slides. 

Google says the feature will be extended to Google Meet later in the fall, with some suggesting it will eventually make its way to Gmail as well.

 

Initially, the feature will reportedly enable Google Workspace users to store their encryption keys with one of four partners, namely Flowcrypt, Futurex, Thales or Virtru. 

 

Via VentureBeat

 

US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.

 

Sol Oriens describes itself as helping the "Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms carry out complex programs."

 

However, job postings first spotted by CNBC correspondent Eamon Javers provide some insight into Sol Orien's operations, who are seeking program managers, consultants, and a 'Nuclear Weapon System Subject Matter Expert' to work with the National Nuclear Security Administration (NNSA).

 

"Sol Oriens LLC currently has an opening for a Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4. This. Subject Matter Expert works with NNSA Federal and other Contractor personnel to organize,. coordinate, implement, and manage technical program activities for the W80-4 Life Extension. Program.," says one of the job postings.

 

"Position Responsibilities. Planning and managing nuclear weapon life extension programs and associated. stockpile management as they relate to the maintenance of a highly reliable and safe. nuclear deterrent."

REvil claims to have stolen data from Sol Oriens

Last week, the REvil ransomware operation listed companies whose data they were auctioning off to the highest bidder.

 

One of the listed companies is Sol Oriens, where REvil claims to have stolen business data and employees' data, including salary information and social security numbers.

 

As proof that they stole data during the attack, REvil published images of a hiring overview document, payroll documents, and a wages report.

 

As a way to pressure Sol Oriens into paying the threat actor's extortion demands, the ransomware gang threatened to share "relevant documentation and data to military angencies (sic) of our choise (sic)."

In a statement shared by Javers on Twitter, Sols Oriens confirmed a cyberattack in May 2021 that affected their network.

 

"The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems."

 

"Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved."

 

"We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved."

 

Like many other ransomware operations, REvil is believed to be operating out of Russia or another CIS country.

 

Over the weekend, G7 leaders issued a statement asking Russia to help disrupt ransomware gangs believed to be operating within its borders.

 

President Biden will also be discussing the recent ransomware attacks with Russian President Vladimir Putin at the June 16th Geneva summit.

 

The VPN industry is booming and prospective users have hundreds of options to pick from.

 

All claim to be the best, but some are more privacy-conscious than others.

 

The VPN review business is also flourishing as well. Just do a random search for “best VPN service” or “VPN review” and you’ll see dozens of sites filled with recommendations and preferred picks.

 

We don’t want to make any recommendations. When it comes to privacy and anonymity, an outsider can’t offer any guarantees. Vulnerabilities are always lurking around the corner and even with the most secure VPN, you still have to trust the VPN company with your data.

 

Instead, we aim to provide an unranked overview of VPN providers, asking them questions we believe are important. Many of these questions relate to privacy and security, and the various companies answer them in their own words.

 

We hope that this helps users to make an informed choice. However, we stress that users themselves should always make sure that their VPN setup is secure, working correctly, and not leaking.

 

This year’s questions and answers are listed below. We have included all VPNs we contacted that don’t keep extensive logs or block torrent traffic on all of their servers. The order of the providers is arbitrary and doesn’t carry any value.

 

—

 

1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?

2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?

3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?

11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?

12. In which countries are your servers physically located? Do you offer virtual locations?

 

Important note: services that offer dedicated or fixed IP-addresses are often able to link the IP-address to the user account, irrespective of the answer to question 1.

 

Tip: Here’s a list of all VPN providers covered here, with direct links to the answers. Some links in this article are affiliate links. This won’t cost you a penny more but it helps us to keep the lights on.

All VPNs

– NordVPN
– ExpressVPN
– Private Internet Access
– TorGuard
– IVPN
– Windscribe
– VPNArea
– Surfshark
– Oeck
– AtlasVPN
– Speedify
– AirVPN
– Trust.Zone
– SwitchVPN
– Mullvad
– Perfect Privacy
– Hide.me
– AzireVPN
– Guardian

ExpressVPN

 

1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data content, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity.

2. Express VPN International Ltd is a British Virgin Islands (BVI) company.

3. We reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.

4. We use Zendesk for support tickets and SnapEngage for live chat support; we have assessed the security profiles of both and consider them to be secure platforms. We use Google Analytics and cookies to collect marketing metrics for our website and several external tools for collecting crash reports (only if a user opts in to sharing these reports).

5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy is always preserved.

6. Legally our company is bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. Regarding a demand that we log activity going forward: Were anyone ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.

We never store any data that could match an individual to specific network activity or behavior. Thus, we may only inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end-user with an infringing IP address, timestamp, or destination. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.

7. We do not believe in restricting or censoring any type of traffic on any of our VPN servers, including BitTorrent traffic. We do not support port forwarding.

8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, neither ExpressVPN nor any external party can link payment details entered on our website with a user’s VPN activities, including IP assignments.

9. By default, ExpressVPN automatically chooses the protocol best-suited to your network depending on a variety of factors. For example, our in-house modern protocol Lightway uses a 4096-bit CA with AES-256-GCM and ChaCha20/Poly1305 encryptions, D/TLS 1.2, and SHA256 signatures to authenticate traffic.

10. Yes, our Network Lock feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios. We do not currently support IPv6 routing through the VPN tunnel. ExpressVPN also protects users from data leaks in a number of ways.

11. Our VPN servers are hosted in trusted data centers with strong security practices, where the data center employees do not have server credentials. Leased vs co-located is not the salient factor in determining security.

The efforts we take to secure our VPN server infrastructure are extensive and include (among other things) our proprietary TrustedServer technology, unique keys per server, VPN servers that don’t store user data, and carefully engineered our apps and VPN servers to categorically eliminate sensitive information. We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS. ExpressVPN shared some extra details with us here.

12. ExpressVPN has over 3,000 servers in 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country. For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards, we use virtual locations. The specific countries are published on our website here.

 

ExpressVPN extra details

 

NordVPN

 

1. We do not keep connection logs nor timestamps that could allow us to match customers with their online activity.

2. Parent company is Nordvpn S.A., operating under the jurisdiction of Panama.

3. We use an automated tool that limits the maximum number of concurrent connections to six per customer and a system that automatically suspends the account if a specific connection pattern is recognized, e.g. hundreds of connections to different servers in a very short period of time. This is being done in order to mitigate web scraping. Apart from that, we do not use any other tools.

4. NordVPN uses third-party data processors for emailing services and to collect basic website and app analytics. We use Iterable for correspondence, Zendesk to provide customer support, Google Analytics to monitor website and app data, as well as Crashlytics, Firebase Analytics and Appsflyer to monitor application data. All third-party services we use are bound by a contract with us to never use the information of our users for their own purposes and not to disclose the information to any third parties unrelated to the service.

5. NordVPN is a transmission service provider, operating in Panama. DMCA takedown notices are not applicable to us.

6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our no-log policy means that we do not store any information about our users’ online activity – only their email address and basic payment info. So far, we haven’t had any such cases.

7. We do not restrict any BitTorrent or other file-sharing applications on most of our servers. We have optimized a number of our servers specifically for bandwidth-hungry activities. At the moment, we do not offer port forwarding and block outgoing SMTP 25 and NetBIOS ports.

8. Our customers are able to pay via all major credit cards, regionally localized payment solutions and cryptocurrencies. Our payment processing partners collect basic billing information for payment processing and refund purposes, but that data cannot be connected to an internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details to the user identity or other personal information.

9. All our protocols are secure, however, the most advanced encryption is used by NordLynx. NordLynx is based on the WireGuard® protocol and uses ChaCha20 for encryption, Poly1305 for authentication and integrity, and Curve25519 for the Elliptic-curve Diffie–Hellman key agreement protocol.

10. We provide automatic kill switches and DNS leak protection. Dual-Stack IPv4/IPv6 functionality is not yet supported with our service; however, all NordVPN apps offer an integrated IPv6 Leak Protection.

11. Most of our servers are leased, but we are gradually increasing our collocated server network. That said, the security of our infrastructure is our top priority. To elevate our standards to a higher level, we have partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. We do have our own DNS servers, and all DNS requests travel through a VPN tunnel. Our customers can also manually set up any DNS server they like.

12. We do not offer virtual locations, our servers are located in places we state they are. At the time of writing, we have almost 6000 servers in 59 countries.

 

NordVPN details

Private Internet Access

 

1. We do not store any logs relating to traffic, session, DNS or metadata. There are no logs kept for any person or entity to match an IP address and a timestamp to a current or former user of our service. In summary, we do not log, period. Privacy is our policy.

2. Private Internet Access, Inc. is an Indiana corporation, under the parent company Kape Technologies PLC, a company listed on the London Stock Exchange.

3. We have an active, proprietary system in place to help mitigate abuse including attempts to bypass our simultaneous connection limit.

4. At the moment we are using Google Apps Suite and Google Analytics on our website only with interest and demographics tracking disabled and anonymized IP addresses enabled. We utilize DeskPro for our support team.

5. Primarily, we stress that our service is not intended to be used for illegal activities and copyright infringements and we request our users to comply with this when accepting our Terms of Use. That said, we have an active, proprietary system in place to help mitigate abuse that preserves the privacy of our customers while following the letter of the law.

6. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” While we have not received any valid court orders to identify an active or former user of service, we do periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. If forced to provide logs by a court of law, Private Internet Access has verified in court multiple times that we keep no logs. Our company would fight a court order that requires us to do any sort of logging.

7. BitTorrent and file-sharing traffic are not discriminated against or throttled. We do not censor our traffic, period. We do provide port forwarding services on some of our VPN servers, check here for the full list of PIA VPN servers that support port forwarding.

8. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Bitcoin Cash, Zcash, CashU, OKPay, PaymentWall, and even support payment using major store-bought gift cards. Payment details are only linked to accounts for billing purposes. IP assignments and other user activity on our VPN servers aren’t linkable to specific accounts or payment details because of our strict and demonstrated no-log policy.

9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256 over OpenVPN.

10. Our users gain access to a plethora of additional tools, including but not limited to a Kill Switch, IPv6 Leak Protection, DNS Leak Protection, Shared IP System, and MACE, which protects users from malware, trackers, and ads.

11. We utilize our own bare metal servers in third-party data centers that are operated by trusted business partners with whom we have completed serious due diligence. When countries or data centers fail to meet our high privacy standards, we remove our VPN server presence as has previously happened in Brazil, South Korea, Germany, and Russia.

12. We currently operate 3,395 servers across 64 locations in 44 countries. For more information on what countries are available, please visit our PIA network page. All of our locations are physical and not virtualized.

 

Private Internet Access details

 

TorGuard

 

1. TorGuard has never kept or retained logs for any user. No timestamps or IP logs are kept on any VPN or authentication server. The only information TorGuard has is statistical network data which helps us to determine the load of a given server. Additionally, we now run the whole network on ramdisks.

2. TorGuard is owned by VPNetworks LLC and its parent company Data Protection Services. We operate under US jurisdiction.

3. We use custom modules in a platform called Nagios to monitor VPN/Proxy hardware utilization, uptime and latency. TorGuard does enforce an eight device per user limit in real-time and each session is immediately wiped once the user has logged out. If that user failed to log out or was disconnected accidentally, our system automatically discards these stale sessions within a few minutes.

4. We are currently migrating away from Google Apps for email. All support is handled internally and TorGuard does not utilize third-party tools for customer support.

5. If a valid DMCA takedown notice is received it would be handled by our legal team. Due to our no-log policy and shared IP network, we are unable to forward any requests to a single user.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our shared IP network configuration and the fact that we do not hold any identifying logs or time stamps.

TorGuard’s network was designed to operate with minimum server resources and is not physically capable of retaining user logs. Due to the nature of shared VPN servers and the large traffic volume flowing through our network, it would not be possible to retain such logs.

7. Yes, torrents work on all servers except our residential and streaming IP network. TorGuard does offer port forwarding for all ports above 2048 and the only port we block outgoing is SMTP port 25 to prevent abuse.

8. We use Stripe for credit or debit card processing and utilize our own BTCPay instance for Bitcoin and Litecoin transactions. Paypal is available through Paddle. TorGuard accepts all cryptocurrency through coinpayments.net and uses Paymentwall and PayGarden for Gift Card payments. TorGuard has gone through extreme measures by heavily modifying our billing system to work with various payment providers and to help protect our users’ privacy.

9. For a high level of security, we would recommend using OpenVPN with AES-256-GCM-SHA512 using our stealth VPN protocol as an added measure through the TorGuard desktop or mobile apps.

10. Yes – our kill switch is uniquely designed to send all traffic into a *black hole* if the user loses connectivity or the app crashes for any reason. Dual-stack IPv4/IPv6 is currently in development and will be released very soon.

11. We do have servers hosted at third parties but only select a location after extensive due diligence on very specific security criteria. We encrypt all disks and run 80% so far on virtual RAM disks. We do provide secure public DNS but we also provide our internal DNS on every endpoint which queries root VPN servers directly.

12. At this time we have three virtual locations: Taiwan, Greece and Mexico. TorGuard would rather not provide any virtual locations but occasionally if we cannot find a bare-metal data center that meets our security criteria we won’t take the risk.

 

TorGuard website

 

VPNArea

 

1. We do not keep or record any logs. We are therefore not able to match an IP-address and a time stamp to a user of our service.

2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.

3. To prevent email spam abuse we block mail ports used for such activity, but we preemptively whitelist known and legit email servers so that genuine mail users can still receive and send their emails.

To limit concurrent connections to 6, we use an in-house developed system that adds and subtracts +1 or -1 towards the user’s “global-live-connections-count” in a database of ours which the authentication API corresponds with anonymously each time the user disconnects or connects to a server. The process does not record any data about which servers the subtracting/detracting is coming from or any other data at any time, logging is completely disabled at the API.

4. We host our own email servers. We host our own Ticket Support system on our servers. The only external tools we use are Google Analytics for our website and Live Chat software.

5. DMCA notices are not forwarded to our users as we’re unable to identify a responsible user due to not having any logs or data that can help us associate an individual with an account. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.

6. This has not happened yet. Should it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then inform the appropriate party that we’re not able to match a user to an IP or timestamp, because we’re not recording any logs.

7. BitTorrent and torrents, in general, are allowed on all our servers. We offer port forwarding only on the dedicated IP private VPN servers at the moment with the goal to allow it on shared servers too. The only ports which are blocked are those widely related to abuse, such as spam.

8. We accept PayPal, Credit/Debit cards, AliPay, Bitcoin, Bitcoin Cash, Ethereum, WebMoney, GiroPay, and bank transfers. In the case of PayPal/card payments, we link usernames to the transactions so we can process a refund. We do take active steps to make sure payment details can’t be linked to account usage or IP assignments. In the case of Bitcoin, BCH, ETH we do not link usernames to transactions.

9. We use AES-256-CBC + SHA256 cipher and RSA4096 keys on all our OpenVPN servers without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination. We also have Tor over VPN servers to provide diversity in the anonymous setup a user prefers.

10. Yes, we provide both KillSwitch and DNS Leak protection. We actively block IPv6 traffic to prevent IP leaks, so connections are enforced via IPv4. We have also created a free leak testing website where users can test their VPN connection for DNS leaks.

11. We use our own no-logs DNS servers. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.

12. All our servers are physically located in the stated countries. A list of our servers in 60+ countries is available here.

 

VPNArea website

 

AirVPN

 

1. No, we do not keep or share with third parties ANY data that would allow us to match an IP address and a timestamp to a current or former user of our service

2. AirVPN in Italy. No parent company/companies.

3. No tools are used.

4. No, we do not use any external email providers, analytics, or support tools that hold information provided by users.

5. They are ignored if they pertain to P2P, they are processed, verified and handled accordingly (rejected or accepted) if they pertain to websites (or FTP services etc.) hosted behind our VPN servers.

6. a) We would co-operate to the best of our abilities, although we can’t give out information we don’t have. b) We are unable to comply due to technical problems and limitations. c) The scenario in ‘case b’ has never occurred. The scenario in ‘case a’ has occurred multiple times, but our infrastructure does not monitor, inspect or log customers’ traffic, so it is not possible to correlate customer information (if we had it) with customers’ traffic and vice-versa.

7. a) Yes, BitTorrent and other file-sharing traffic are allowed on all servers. AirVPN does not discriminate against any protocol or application and keeps its network as agnostic as possible. b) Yes, we provide remote inbound port forwarding service. c) Outbound port 25 is blocked.

8. We accept payments via PayPal and all major credit cards. We also accept Bitcoin, Ethereum, Litecoin, Bitcoin Cash, Dash, Doge, and Monero. By accepting directly various cryptocurrencies without intermediaries we get rid of privacy issues, including correlations between IP addresses and payments. By accepting Monero we also offer the option to our customers to pay via a cryptocurrency that protects transactions with a built-in layer of anonymity.

9. CHACHA20-POLY1305 and AES-256-GCM

10. We provide Network Lock in our free and open-source software. It can prevent traffic leaks (both IPv4 and IPv6 – DNS leaks included) even in case of application or system processes wrong binding, in case of UPnP caused leaks, wrong settings, WebRTC and other STUN related methods, and of course in case of unexpected VPN disconnection. b) Yes, we do provide DS IPv4/IPv6 access, including IPv6 over IPv4, pure IPv4 and pure IPv6 connections. In this way, even customers whose ISP does not support IPv6 can access IPv6 services via AirVPN.

11. We do not own our datacenters and we are not a transit provider, so we buy traffic from Tier 1, Tier 2 and only occasionally Tier 3 providers and we house servers in various datacenters. The main countermeasures are: exclusive access to IPMI etc. via our own external IP addresses or a specific VPN for the IPMI etc.; reboot inhibition; USB support eliminated from kernel; all data stored in RAM disk, and some other methods we prefer not to disclose. However, if server lines are wiretapped externally and transparently, and server tampering does not occur, there is no way inside the server to prevent, or be aware of, ongoing wiretapping. Wiretapping prevention must be achieved with other methods on the client-side (some of them are integrated into our software), for example, VPN over Tor, Tor over VPN etc.

12. NO, we do not offer virtual locations and/or VPS. We declare only real locations of real “bare metal” servers.

 

AirVPN website

 

Oeck

 

1. No. We do not keep any connect / disconnect timestamps or similar information. We explain exactly what we don’t log and what we monitor in our Privacy Policy.

2. Oeck Limited. We are registered in Hong Kong as the data retention laws are still in favor of VPN companies. We are however moving Oeck to Singapore as we believe Hong Kong will no longer be a safe home for VPN services in the future.

3. Though we allow account sharing for our customers, we do limit their total concurrent connections to six. This is monitored in real-time and there is no logging of this information whatsoever. We also do ask that our customers use a designated P2P region if they are going to be doing any torrenting or other P2P activity.

4. We use AWS for our outbound email – however, email is never used for correspondence. We have a support ticket system that our customers must use in order to communicate with us which is custom made and part of our website. Tickets are deleted 48 hours after resolution. We use Matomo for our analytics. We went down this path as Matomo is hosted by us and no other party has access to it.

5. If possible, we temporarily suspend usage of the port on the VPN node specified in the complaint. That’s all we can do, as there is no way for us to match anything to any customer. The suspension of the specified port on the specified server is lifted after 31 days.

6. This has never happened to us. However, in this event, we would only be able to provide a customer’s username, email address, and any possible billing information from our payment providers ( receipts of payment, etc ). Billing information will be impossible if the customer has chosen to pay by cash. If we were forced by authorities to log activity moving forward, we would simply turn off our servers in the affected jurisdiction. We own all of our own hardware ( even the routers in the datacenter ) and our exit-nodes run without any storage media. We will simply turn the switch off. We also make use of a warrant canary.

7. Yes. We allow our customers to torrent via our torrent region as it is optimized for that technology. Although we do not block torrenting in our other regions, we do suggest that users use the torrent region when torrenting. We provide a very advanced port-forwarding service to all of our customers. No ports are blocked.

8. We use Stripe, PayPal and Coinbase Commerce for online payments. We also accept cash in the mail. The only detail we have is if a customer has paid their account or not. As far as what the payment providers log – they log everything they possibly can. We encourage payments via cash if possible.

9. We offer OpenVPN with RSA-4096 and AES-256-GCM.

10. Our apps come with a kill-switch feature. For users who choose not to use our apps and use a third-party OpenVPN client instead, we have made available SOCKS5 proxies that work just like a kill-switch. These can only be accessed via our VPN. They can be used via a browser, app, or system-wide proxy.

11. No. All of our hardware is owned by us. Even the routers are owned by us. We do not log any VPN activity. Our VPN exit-nodes do not have hard drives or other storage capabilities, everything runs off RAM. Our upstream providers do not have access to our network as our stuff begins at our own routers. We only ever use our own DNS servers.

12. We have a real-time monitor of our servers. That is a list of our available VPN regions that users can connect to. The graph is displaying the information as a per-region display. This is because we node-balance our servers so users always have the best connection. Though we don’t offer virtual locations, we do offer residential IP proxies as part of our service. There are over 30 regions available and these are used for our smart routing feature.

 

Oeck website

 

Perfect Privacy

 

1. We do not store or log any data that would indicate the identity or the activities of a user.

2. The name of the company is VECTURA DATAMANAGEMENT LIMITED COMPANY and the jurisdiction is Switzerland.

3. The number of connections/devices at the same time is not limited because we do not track it. In case of malicious activity towards specific targets, we block IP addresses or ranges, so they are not accessible from our VPN servers. Additionally, we have limits on new outgoing connections for protocols like SSH, IMAP, and SMTP to prevent automated spam and brute force attacks. We do not use any other tools.

4. Our websites use Google Analytics to improve the quality of the user experience and its GDPR compliant with anonymized IP addresses. You can prohibit tracking with just one click on a provided link in the privacy policy. If a customer has a problem with Google, he has the possibility to disable the tracking of all Google domains in TrackStop. I believe we are the only VPN provider that offers this possibility. All other solutions like email, support, and even our affiliate program is in-house software and under our control.

5. Because we do not host any data, DMCA notices do not directly affect us. However, we generally answer inquiries. We point out that we do not keep any data that would allow us to identify a user of the used IP address.

6. If we receive a Swiss court order, we are forced to provide the data that we have. Since we don’t log any IP addresses, timestamps or other connection-related data, the only step on our side is to inform the inquiring party that we do not have any data that would allow the identification of a user based on that data. Should we ever receive a legally binding court order that would require us to log the activity of a user going forward, we’d rather shut down the servers in the country concerned than compromise our user’s privacy.

There have been incidents in the past where Perfect Privacy servers have been seized, but no user information was compromised that way. Since no logs are stored in the first place and additionally all our services are running within RAM disks, a server seizure will never compromise our customers. Although we are not subject to US-based laws, there’s a warrant canary page available.

7. With the exception of our US servers and French servers, BitTorrent and other file-sharing software is allowed. We offer port forwarding and do not block any ports.

8. We offer Bitcoin, PayPal and credit cards for users who prefer these options and over 60 other payment methods. Of course, it is guaranteed that payment details are not associated with any IP addresses. The only thing you know about a person is that he or she is a customer of Perfect Privacy and which email address was used.

9. The most secure protocol we recommend is still OpenVPN with 256-bit AES-GCM encryption. With our VPN Manager for Mac and Windows you also have the possibility to create cascades over four VPN servers. This Multi-Hop feature works tunnel in tunnel. If you choose countries for the hops which are known not to cooperate with each other, well you get the idea. On top of that, you can activate our NeuroRouting feature, which changes the routing depending on the destination of the visited domain and dynamically selects different hops for the outgoing server to ensure it is geographically close to the visited server.

10. Yes, our servers support full Dual Stack IPv4/IPv6 functionality, even when your ISP does not support IPv6. Our VPN Manager has a “kill switch” which has configurable protection with three security levels.

11. We run dedicated bare-metal servers in various data centers around the world. While we have no physical access to the servers, they all are running within RAM disks only and are fully encrypted.

12. Currently, we offer servers in 25 countries worldwide. All servers are located in the city displayed in the hostname – there are no virtual locations. For full details about all servers locations, please check our server status site as we are constantly adding new servers.

 

Perfect Privacy website

 

SwitchVPN

 

1. No, SwitchVPN does not store any logs which would allow anyone to match an IP address and a time stamp to a current or former user of our services.

2. Our company name is “CS SYSTEMS, INC” and it comes under United States jurisdiction.

3. We pro-actively take steps to mitigate abuse of our service/servers by implementing certain firewall rules. Such as blocking default SMTP ports which are likely to be abused by spammers.

4. We use Chatra for providing Live Chat and our web-based ticketing system which is self-hosted. No personal information is collected.

5. SwitchVPN is transitory digital network communications as per 17 U.S.C § 512(a) of the Copyright Act. So in order to protect the privacy of our users we use shared IP addresses, which makes it impossible to pinpoint any specific user. If the copyright holder only provides us with an IP address as identifying information, then it is impossible for us to associate a DMCA notice with any of our users.

6. There have been no court orders since we started our operation in 2010, and as we do not log our users’ sessions and we utilize shared IP addresses, it is not possible to identify any user solely based on timestamps or IP addresses. Currently, there are no mandatory data logging requirements in the United States but in case the situation changes, we will migrate our company to another privacy-friendly jurisdiction.

7. Yes, we have P2P optimized servers that provide dynamic port forwarding. It can be easily filtered in our VPN application.

8. We accept all major payment methods such as Credit Card, PayPal, Bitcoin and other Crypto Currencies. We use shared IPs and every account is assigned an alias username for connecting to the VPN server.

9. SwitchVPN utilizes AES-256bit encryption with SHA512 Authentication Channel by default.

10. Yes, Kill Switch & DNS Leak protection is provided on our Windows and Mac application. Currently, we only support IPv4.

11. Before we get into an agreement with any third party, we make sure the company does not have any poor history for privacy and we make sure the company is in line with our privacy requirements for providing our users with a no-log VPN service. We also use our own DNS servers to anonymize all DNS requests.

12. All of our servers are physically located in the countries we have mentioned, we do not use virtual locations.

 

SwitchVPN website

 

Hide.me

 

1. No, we don’t keep any logs. We have developed our system with an eye of our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.

2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.

3. We do not limit or monitor individual connections. To mitigate abuse, we deploy general firewall rules on some servers that apply to specific IP ranges.

4. Our website does not include third-party tracking tools. For live support, we embed Zendesk in a privacy-friendly two-click solution, so it does not load by default and no personal data is shared.

5. Since we don’t store any logs and/or host infringing copyright material on our services, we’ll reply to these notices accordingly.

6. Although it has never happened in such a scenario, we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs, and there is no way we could link any particular cyber activity to any particular user. In case, we are forced to store user logs, we would prefer to close down rather than putting our users at stake who have put their trust in us.

7. There is no effective way of blocking file-sharing traffic without monitoring our customers, which is against our principles and would be even illegal. Usually, we only recommend our customers to avoid the US & UK locations for file-sharing, but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.

8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash, Monero, Paypal, credit cards and nank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.

9. After all, modern VPN protocols that we all support – like WireGuard, IKEv2, OpenVPN, SoftEtherVPN, and SSTP, are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.

10. Our desktop client supports security features such as Multihop Double VPN, Kill Switch, Firewall to limit apps to VPN, Firewall to limit all connections to VPN, Split Tunnel, Auto Connect, Auto Reconnect, etc, which makes sure that the connection is always secure. Above all, we have put in some additional layers of security, which include default protection against IP and DNS leaks.

Hide.me is one of the few VPN providers that supports Dual Stack IPv4 and IPv6, so our customers do not need to worry about potential IP leaks.

11. We operate our own non-logging DNS-servers to protect our customers from DNS hijacking and similar attacks. We do not own physical hardware, but in case there is intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person could access our servers. Among our reputable partners are NFOrce, M247, Psychz Networks and many more.

Similar to Apple’s private relay, our dynamic Multihop Double VPN feature allows to route tunnel the connection over multiple server locations. Neither the incoming or outgoing server can match users’ activity, which provides an extra layer of security.

12. Our servers are located in countries all over the world.

 

Hide.me website

 

Trust.Zone

 

1. Trust.Zone doesn’t store any logs. Therefore, we have no data that could be linked and attributed to the current or former user. All we need from customers is an email to sign up.

2. Trust.Zone is under Seychelles jurisdiction. The company is operated by Internet Privacy Ltd.

3. Our system can understand how many active sessions a given license has at a given moment in time. This counter is temporarily placed in RAM and never logged or saved anywhere.

4. Trust.Zone has never used any third-party tools like Google Analytics, live chat platform, support tools or other.

5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Trust.Zone is under offshore jurisdiction, out of 14 Eyes Surveillance Alliance. There is no data retention law in Seychelles.

6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone supports Warrant Canary. Trust.Zone has not received or been subject to any searches, seizures of data, or requirements to log any actions of our customers.

7. BitTorrent and file-sharing traffic is allowed on all Trust.Zone servers. Moreover, we don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers or any type of traffic whatsoever. We offer port forwarding to increase download speeds for torrents.

8. All major credit cards are accepted. PayPal, Alipay, wire transfer, and many other types of payments are available. As we don’t store any logs, there is no way to link payment details with a user’s internet activity

9. We use the most recommended protocols in the VPN industry – IKEv2/IPSec, OpenVPN. We also support WireGuard and our own protocol which is faster than OpenVPN and also includes Perfect Forward Secrecy (PFS). Trust.Zone uses AES-256 Encryption by default.

10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with the ability to use our DNS to avoid any DNS leaks. All features listed above are also available with a 30-day Free Plan. Trust.Zone does not support IPv6 to avoid any leaks. We also provide users with additional recommendations to be sure that there are no DNS leaks or IP leaks.

11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have access to them physically. In locations with lower utilization, we normally host with third-parties. But the most important point is that we use dedicated servers in this case only, with full control by our network administrators. DNS queries go through our own DNS servers.

12. We are operating with 200+ dedicated servers in 100+ geo-zones and are still growing. We also provide users with dedicated IP addresses and port forwarding. The full map of the server locations is available here.

 

Trust.Zone website

 

Windscribe

 

1. No.

2. Windscribe Limited. Ontario, Canada.

3. Byte count of all traffic sent through the network in a one month period as well as a count of parallel connections at any given moment.

4. No. Everything is self-hosted.

5. Our transparency policy is available here.

6. Under Canadian law, a VPN company cannot be compelled to wiretap users. We can be legally compelled to provide the data that we already have (as per our ToS) and we would have to comply with a valid Canadian court order. Since we do not store any identifying info that can link an IP to an account, the fact that emails are optional to register, and the service can be paid for with cryptocurrency, none of what we store is identifying.

7. We allow P2P traffic in most locations. Yes, we provide port forwarding for all Pro users. Only ports above 1024 are allowed.

8. Stripe, Paypal, Coinpayments, Paymentwall. IP addresses of users are not stored or linked to payments.

9. The encryption parameters are similar for all protocols we support. AES-256 cipher with SHA512 auth and a 4096-bit RSA key. We recommend using IKEv2, as it’s a kernel space protocol that is faster than OpenVPN in most cases. We also support WireGuard.

10. Our desktop apps have a built-in firewall that blocks all connectivity outside of the tunnel. They also have split routing (per process, or network level), MAC address spoofing, and external DNS server support. In an event of a connection drop, it fails closed – nothing needs to be done. The firewall protects against all leaks, IPv4, IPv6 and DNS. We only support IPv4 connectivity at this time.

11. We lease servers in over 150 different datacenters worldwide. Some datacenters deploy networking monitoring for the purposes of DDOS protection. We request to disable it whenever possible, but this is not feasible in all places. Even with it in place, since most servers have dozens/hundreds of users connected to them at any given moment, your activity gets “lost in the crowd”. Each VPN server operates a recursive DNS server and performs all DNS resolution locally.

12. Our server overview is available here. We don’t offer virtual locations.

 

Windscribe website

 

Mullvad

 

1. No, all details are explained in our no-logging data policy.

2. Mullvad VPN AB – Swedish. The parent company is Amagicom AB – Swedish.

3. We mitigate abuse by blocking the usage of ports 25, 137,139, and 445 due to email spam and Windows security issues.

OpenVPN: Number of connections: Each VPN server reports to a central service. When a customer connects to a VPN server, the server asks the central service to validate the account number, whether or not the account has any remaining time. If the account has reached its allowed number of connections, and so on. Everything is performed in temporary memory only; none of this information is permanently stored on disk.
WireGuard: Number of connections: Each VPN server reports public keys connected to a central service. If a key is abused, it will be revoked.

Our servers send two types of data to our monitoring system: aggregated application data, such as the total number of current VPN connections, and generic system metrics, such as CPU load per core and total bandwidth used by the server.

We log the total sum of each of these statistics in order to monitor the health of each individual VPN server. We ensure that the system isn’t overloaded, and we monitor the servers for potential attacks, bugs, and network issues. We also monitor the real-time state of total connections per account as we only allow for five connections simultaneously. As we do not save this information, we cannot, for example, tell you how many connections your account had five minutes ago. For WireGuard we have a limit of a maximum of 5 keys (i.e. 5 devices).

4. We have no external elements at all on our website. We do use an external email provider; for those who want to email us, we encourage them to use PGP encryption which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. As explained here, there is no such Swedish law that is applicable to us.

6. From time to time, we are contacted by governments asking us to divulge information about our customers. Given that we don’t store activity logs of any kind, we have no information to give out. Worst-case scenario: we would discontinue the servers in the affected countries. The only information AT ALL POSSIBLE for us to give out is records of payments since these are stored at PayPal, banks etc.

7. All traffic is treated equally, therefore we do not block or throttle BitTorrent or other file-sharing protocols. Port forwarding is allowed. Ports 25, 137,139, and 445 are blocked due to email spam and Windows security issues.

8. We accept cash, Bitcoin, Bitcoin Cash, bank wire, credit card, PayPal, GiroPay, Eps transfer, Bancontact, IDEAL, Przelewy24 and Swish. We encourage anonymous payments via cash or one of the cryptocurrencies. We run our own full node in each of the blockchains and do not use third parties for any step in the payment process, from the generation of QR codes to adding time to accounts. Our website explains how we handle payment information

9. We offer OpenVPN with RSA-4096 and AES-256-GCM. And we also offer WireGuard which uses Curve25519 and ChaCha20-Poly1305.

10. We offer a kill switch and DNS leak protection, both of which are supported in IPv6 as IPv4. While the kill switch is only available via our client/app, we also provide a SOCKS5 proxy that works as a kill switch and is only accessible through our VPN.

11. At 12 of our locations (4 in Sweden, 1 in Denmark, 1 in Amsterdam, 1 in Norway, 1 in the UK, 1 in Finland, 1 in Germany, 1 in Paris, 1 in Zurich) we own and have physical control over all of our servers. In our other locations, we rent physical, dedicated servers and bandwidth from carefully selected providers. Keep in mind that we have 3 locations in the UK and 3 in Germany, the servers we physically own are the ones hosted by 31173.se (they start with gb-lon-0* and de-fra-0* , and gb4-wireguard, gb5-wireguard, de4-wireguard and de5-wireguard)

Yes, we use our own DNS servers. All DNS traffic routed via our tunnel is hijacked, even if you set accidentally select another DNS our DNS will anyhow be used. Except if you have set up DNS over HTTPS or DNS over TLS, or if you use a custom DNS in our app.

12. We don’t have virtual locations. All locations are listed here.

 

Mullvad website

 

Surfshark

 

1. We do not keep any logs, data, timestamps, or any other kind of information that would enable anyone to identify neither current nor former users of our service.

2. Surfshark is a registered trademark of Surfshark Ltd., a company registered in the British Virgin Islands (BVI). Surfshark Ltd. is not a subsidiary of any other company.

3. We do not limit the number of simultaneous connections. We have two safeguards against abuse of our service: our Terms of Service has a clause on Fair Usage Policy; if this policy is intentionally violated, we have an automated network maintenance system that indicates the abnormalities on server load and can limit an immoderate number of devices simultaneously connected to one session to make sure that none of our customers are affected by the potentially deteriorated quality of our services.

4. We do not use any Alphabet Inc. products except for Google Analytics, which is used to improve our website performance for potential customers. For a live 24/7 customer support and ticketing service, we use industry-standard Zendesk. For our communication, we use a secure email system Hushmail. For transactional and user communication, we use Iterable. These third-party services have no access to any other kind of user information outside the scope of the one specified in our Privacy Policy. Also, we have legally binding agreements with all third-party service providers to not disclose any of the information they have to anyone outside the scope of the services they provide to us

5. DMCA takedown notices do not apply to our service as we operate outside the jurisdiction of the United States. In case we received a non-US equivalent, we would not be able to provide any information because we have none (strict no logs policy).

6. We have never received a court order from the British Virgin Islands (BVI) authorities. If we ever received a court order from the BVI authorities, we would truthfully respond that we are unable to identify any user as we keep no logs whatsoever. If data retention laws would be enacted in the BVI, we would look for another country to register our business in. For any information regarding received legal inquiries and orders, we have a live warrant canary.

7. Surfshark is a torrent-friendly service. We allow all file-sharing activities and P2P traffic, including BitTorrent. For that, we have hundreds of specialized servers in various countries, and the user will always be connected to the fastest specialized server in case of P2P activities. We do not provide port forwarding services, and we block port 25.

8. Surfshark subscriptions can be purchased using various payment methods, including cryptocurrency, PayPal, Alipay, major credit cards, and many country-specific options. Neither of these payments can be linked to a specific user as we do not collect any timestamps, IP addresses, session information, or other data.

9. We recommend using automatic protocol selection as it selects the optimal protocol depending on various network conditions. If a user wants to select the protocol manually, the optimal option would be Wireguard.

10. We provide ‘kill switches’ in all our apps and have inbuilt DNS leak protection. Also, Surfshark provides IP masking, IPV6 leak protection, WebRTC protection, ad, malware, and tracker blocking on DNS level, MultiHop (double VPN), Whitelister (works both as direct and reverse split tunneling), etc. Currently, we do not support Dual Stack IPv4/IPv6 functionality.

11. We use our own DNS servers which do not keep any logs as per our Privacy Policy. All our servers are physically located in trusted third-party data centers. 100% of our servers are already RAM-only.

Before choosing a third-party service provider, we have a strict due diligence process to make sure they meet our security and trust requirements. To prevent unauthorized snooping, we use the 2FA method to reach our servers and have developed a special authorization procedure so that only authorized system administrators can access them for configurations.

12. As of June 2021, we have over 3200 servers physically located in over 110 locations, in 65 countries. As per user requests, we have only a few virtual locations that are clearly indicated within our apps’ user interfaces.

 

Surfshark website

 

IVPN

 

1. No. We believe that not logging VPN connection related data is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. Specifically, we don’t log: traffic, DNS requests, connection timestamps and durations, bandwith, IP address or any account activity except simultaneous connections.

2. Privatus Limited, Gibraltar. No parent or holding companies.

3. We limit simultaneous connections by maintaining a temporary counter on a central server that is deleted when the user disconnects (we detail this process in our Privacy Policy).

4. No. We made a strategic decision from day one that no company or customer data would ever be stored on third-party systems. All our internal services run on our own dedicated servers that we setup, configure and manage. No third parties have access to our servers or data. We don’t host any external scripts, web trackers or tracking pixels on our website. We also refuse to engage in advertising on platforms with surveillance-based business models, like Google or Facebook.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so. We have a detailed Legal Process Guideline published on our website.

6. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information. If legally compelled to log activity going forward we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).

7. We do not block any traffic or ports on any servers. We provide a port forwarding service.

8. We accept Bitcoin, Cash, Monero, PayPal, and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, the transaction is processed through our self-hosted BitPay server. We store Bitcoin transaction IDs in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. We accept Monero directly to our wallet and, no third party has access to payment information. When paying with PayPal or a credit card a token is stored that is used to process recurring payments but this is not linked in any way to VPN account usage or IP assignments.

9. We offer and recommend WireGuard, a high-performance protocol that utilizes state-of-the-art cryptography. Alternatively, we also offer OpenVPN with RSA-4096 / AES-256-GCM, which we also believe is more than secure enough for the purposes for which we provide our service.

10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN etc. Our VPN clients work on a dual-stack IPv4/IPv6 but we currently only support IPv4 on our VPN gateways. Full IPv6 support is in the pipeline.

11. We use bare metal dedicated servers leased from third-party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless.

We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log-free DNS servers that are only accessible to our customers through the VPN tunnel.

12. We have servers in 32 countries. No virtual locations. Full list of servers is available here.

 

IVPN website

 

AtlasVPN

 

1. If the question relates to the VPN server’s IP address and a user’s online activity while connected to VPN, then the answer is no.

2. Atlas VPN is incorporated under Peakstar Technologies Inc. We operate in Delaware’s (USA) jurisdiction.

3. We use an automated system that monitors the number of simultaneous connections per account. Yet, we do not store this information. The free version of our service is limited to 2 concurrent connections. Worth noting that our premium subscription does not limit the number of concurrent connections.

4. We mainly use Zendesk to communicate with our users. We also use Google Analytics and AppsFlyer to monitor application and website data.

5. Atlas VPN is considered to be a transmission service provider as per § 512 (a) of the Digital Millennium Copyright Act (DMCA), and not a storage service provider. Transmission service providers have no obligations to react to take-down notices or enable counter-notices.

6. We would comply with a justified court order in a manner that would be deemed appropriate after consultation with legal counsel. It would naturally depend on the court order on what steps we would need to take to ensure compliance. As far as logging future activity, we would do whatever it takes to protect our users’ privacy. We can not say how the process would unfold as we have never received any court order of this nature.

7. Yes, it is allowed. No port forwarding services are provided. SMTP ports are blocked to prevent email abuse.

8. Stripe (as well as Google Pay for the convenience of our users), PayPal as well as reseller services, such as Google Play and App Store. The details can be linked with account usage as far as app analytics go. They can be linked with ongoing sessions. This linkage is deleted as the VPN session is terminated.

9. It depends on the platform of the application. We use the IPSec/IKEv2 protocol, and depending on the platform we recommend Diffie Hellman group 20 and 256 bit ChaCha20/Poly1305 with 128-bit ICV.

10. Yes, these are implemented using platform tools. We do support dual-stack functionality.

11. All of our servers are hosted by third parties. We perform proper due diligence to ensure that the partners are reliable. Even if partners tried snooping, they would not be able to do so, since inbound and outbound traffic from the client is encrypted. We do use our own DNS servers.

12. They are located in the countries that are shown in our applications at any given time. No virtual locations are offered.

 

AtlasVPN website

 

Speedify

 

1. No, we do not share ANY user information with ANY third party. We do not store or log ANY information about which users accessed which domain names or IP addresses. We do not log customer’s IP addresses.

2. Connectify, Inc. – operating under the US jurisdiction.

3. We monitor with a set of self-hosted, open-source tools including Prometheus and Grafana.

4. We don’t use third-party analytics tools. Our help desk is built on HelpScout. Messages are automatically deleted after a time period.

5. We politely reply! But unfortunately, we never do have enough information in our logs to be very helpful.

6. We properly respond to law enforcement and offer the information which is in our logs. Which as previously noted, is not helpful for connecting users to activity. We would fight any order that attempted to force us to log a user activity going forward. We have received subpoenas for information about various IP addresses before. We have never been asked or ordered to attempt to log information about any user going forward.

7. Speedify has dedicated servers for P2P traffic. Most of our servers do not allow BitTorrent traffic. We do provide port forwarding and static IP address services with our dedicated VPN servers. Only port 25 is blocked as unencrypted SMTP is dangerous and insecure to even the sender, and has no legitimate use.

8. Speedify offers a variety of ways to pay, including Apple App Store, Google Play Store, Recurly, PayPal and FastSpring. Purchases through Apple App Store and Google Play Store do not provide us any information about the purchaser unless the user provides it to us directly.

9. We default to 128 bit AES encryption. Those concerned about security may wish to turn on the Killswitch to ensure traffic does not go out while the VPN is not connected.

10. Yes, we support killswitch. It is not on by default, but it’s available in the settings menu. Yes, we have built-in DNS and IPv6 leak protection. The software supports Dual Stack IPv4/IPv6, but not all our deployed servers are on IPv6. it’s rolling out to more and more servers as we speak.

11. Speedify VPN servers are hosted by third parties. On the VPN side, traffic is entirely encrypted. Internet traffic from clients is run through a server-side TCP proxy to erase hints in IP and TCP headers such as RTT which a sophisticated opponent could otherwise use to tease apart traffic from different operating systems. Then the traffic is NATed together, often 1000 users sharing a single IP address, to make individuals impossible to trace. We proxy the DNS before forwarding it to trusted, privacy-oriented DNS partners.

12. Our servers are constantly changing: in areas with few users, we will use virtual servers, but in most cases, we will use hardware servers.

 

Speedify website

 

AzireVPN

 

1. No, we do not record or store any logs related to our services. No traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or such kinds of logs are stored.

2. The registered company name is Netbouncer AB, and we operate under Swedish jurisdiction. In Sweden, no data retention laws apply to VPN providers.

3. We take extra security steps to harden our servers: they are prepared by having their hard drives removed. Their custom base image is running into RAM. Also, Blind Operator mode, a software module ensuring that it is difficult to set up traffic monitoring, is hardening the kernel. Regarding abuses like incoming DDoS attacks, filtering is used on an attacker’s source port to mitigate them.

4. No, we do not rely on and refuse to use external third-party providers. We run our email infrastructure and encourage people to use PGP encryption for reaching us. The ticketing support system, website analytics (Piwik with anonymization settings), and other tools are all open-source, or custom software hosted in-house.

5. We politely inform the sender that we do not keep any logs and cannot identify a user.

6. A court may issue an order to require the identification of a user. In that case, first, we will make sure that the order is valid. Then, we will inform the other party that we cannot identify an active or former user of our service due to our particular infrastructure. If they force us to hand over physical access to a server, they would have to reboot it to disable the Blind Operator mode due to the nature of this kernel module. Rebooting would make all data lost as the image is running in RAM.

So far, we have never received any court order, and we have never given out any personal information.

7. Yes, BitTorrent, peer-to-peer, and file-sharing traffic is allowed and treated equally to any other traffic on all of our servers. We do not provide port forwarding services yet, but we are working on it and expect to release it in the incoming months. However, we propose a public IPv4+IPv6 addresses mode on OpenVPN that assigns IP addresses being used by only one user at a time for the whole duration of the connection. In this mode, all ports are opened, except for unencrypted outgoing port 25 TCP, usually used by the SMTP protocol, which is blocked to prevent abuse by spammers.

8. Anonymous payment methods include cryptocurrencies or sending cash via postal mail. Available cryptocurrencies are Bitcoin, Litecoin, Monero, and some others. Classic payment options such as PayPal (with or without recurring payments), credit cards (VISA, MasterCard, and American Express through Paymentwall), and Swish are accepted. We do not store sensitive payment information on our servers; we only retain an internal reference code for order confirmation. Our database is getting all transaction information deleted after six months.

9. We recommend the use of our WireGuard servers. Our new custom clients are available on Windows, Android, and iOS. Otherwise, it is preferable to use official tools on Linux, macOS, and routers (using OpenWrt or DD-WRT).

WireGuard is a new VPN protocol using the modern ChaCha20 and Poly1305 encryption cipher for authentication and data integrity.

10. We offer easy-to-use and look-alike custom VPN applications for Windows, Android, and iOS, which do not require manipulating configuration files. We are planning to add a kill switch and DNS leak protection to our desktop client in the future. We provide our users with a full dual IPv4+IPv6 stack on all servers and VPN protocols. Thus, we do not need to include any loose IPv6 leak protection.

Also, connection to our WireGuard servers is possible through IPv4 or IPv6, depending on one’s Internet line.

11. We physically own all our servers in all locations. Our team sends them to data centers that meet our strict criteria, like closed racks for security and neutral Internet carriers for privacy. Also, we host our non-logging DNS servers in each location; our VPN tunnels use those by default. Static DNS servers are available for use outside of tunnels.

12. We operate 65 servers across 19 locations on three continents. During the last year, we launched new servers in France, Germany, Italy, Romania, Spain, Switzerland, and the United States. There are no virtual locations.

 

AzireVPN website

 

Guardian

 

1. We do not.

2. Sudo Security Group, Inc. United States of America.

3. No limits on concurrent connections, though we may introduce bandwidth throttling if we notice huge amounts being consumed. We still won’t track, just would limit speeds in such cases.

4. Zendesk, so if you send an e-mail to support, it will have a help ticket for the inquiry you’ve sent. No analytics.

5. We simply block the port that they allege was in use. We do not retain any useful records and thus have no further action to take.

6. We have not had such a case occur. If one were to happen, we would engage with our legal counsel on how to fight it.

7. We currently have no terms for or against specific types of traffic. If a DMCA request is filed and says a specific port is being used for file sharing activity, we will block the port.

8. We use Apple’s in-app purchase system on iOS, and Stripe on the web. Our payment authorization systems are separated from our VPN credential generation systems.

9. We make use of AES-256, SHA-384, and DH Group 20 for the IKE Security Association, and AES-256-GM with DH Group 20 for the child Security Association.

10. We currently only support IPv4, with IPv6 on our roadmap. We do not support what may be deemed a “kill switch” in a traditional sense due to limitations of iOS.

11. We use 1.1.1.1 for DNS, and we use baremetal servers (not shared VMs) on our hosting provider. We are in the process of setting up our own data centers.

12. No virtual locations. We are in United States, Canada, France, Germany, Netherlands, London, Japan, Singapore, and Australia.

 

Guardian website

*Note: Private Internet access, ExpressVPN and NordVPN are TorrentFreak sponsors. We reserve the first three spots for them as a courtesy. This article also includes a few affiliate links which help us pay the bills. We never sell positions in our review article or charge providers for a listing.

CET support is coming to version 94 of Edge

 

 

Microsoft is making private browsing mode even safer in Edge by adding Intel's Control-Flow Enforcement Technology (CET) to its browser.

 

This security feature, which is supported on Intel 11th Gen or AMD Zen 3 CPUs, is already enabled in Windows 10 as the software giant had adopted CET through an implementation known as Hardware-enforced Stack Protection in its operating system.

 

Google recently added Hardware-enforced Stack Protection to Chrome as well though Microsoft Edge was the first Chromium-based browser to adopt CET with the release of the Canary build of version 90 of its browser. 

Soon even more Edge users will be able to take advantage of CET support for safer browsing when this feature rolls out later this year.

Control-Flow Enforcement Technology

In a new post on the Microsoft 365 Roadmap, the software giant revealed that CET support for Edge is currently in development and will arrive with the release of version 94 of Edge in September.

 

To take advantage of this feature, your system will need to have either an Intel 11th Gen or AMD Zen 3 CPU. However, you can also disable CET by changing Image File Execution Options (IFEO) using group policy.

As the browser is becoming one of the most used tools by employees working from home as well as by those whose organizations are implementing hybrid working, Microsoft's decision to add CET support to Edge will help keep workers safe from new exploits and attacks designed to be delivered remotely. 

 

Microsoft 365 Defender researchers have disrupted the cloud-based infrastructure used by scammers behind a recent large-scale business email compromise (BEC) campaign.

 

The attackers compromised their targets' mailboxes using phishing and exfiltrated sensitive info in emails matching forwarding rules, allowing them to gain access to messages relating to financial transactions.

Initial access gained via phishing

"The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns," Microsoft 365 Defender Research Team's Stefan Sellmer and Microsoft Threat Intelligence Center (MSTIC) security researcher Nick Carr explained.

 

"The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation."

 

Microsoft researchers revealed the entire attack flow behind a recent BEC incident, from the initial access to the victim's mailboxes to gaining persistence and stealing data using email forwarding rules.

 

The login info was stolen using phishing messages that redirected the targets to landing pages closely mimicking Microsoft sign-in pages asking them to enter their passwords under a pre-populated username field.

Legacy auth protocols used to bypass MFA

While the use of stolen credentials for compromising inboxes is blocked by enabling multi-factor authentication (MFA), Microsoft also found that the attackers used legacy protocols like IMAP/POP3 to exfil emails and circumvent MFA on Exchange Online accounts when the targets failed to toggle off legacy auth.

 

"Credentials checks with user agent “BAV2ROPC”, which is likely a code base using legacy protocols like IMAP/POP3, against Exchange Online," the researchers said.

 

"This results in an ROPC OAuth flow, which returns an “invalid_grant” in case MFA is enabled, so no MFA notification is sent."

 

The attackers also used the cloud-based infrastructure disrupted by Microsoft to automate operations at scale, "including adding the rules, watching and monitoring compromised mailboxes, finding the most valuable victims, and dealing with the forwarded emails."

 

Microsoft also discovered that the scammers used BEC activity originated from multiple IP address ranges belonging to several cloud providers.

 

They also set up DNS records that almost matched those of their victims so that their malicious activity would blend into pre-existing email conversations and evade detection.

BEC behind almost $2 billion in losses last year

Even though, in some cases, BEC scammers' methods might seem to lack sophistication and their phishing emails malicious in nature to some, BEC attacks have been behind record-breaking financial losses every year since 2018.

 

The FBI 2020 annual report on cybercrime for 2020 listed a record number of more than $1.8 billion adjusted losses reported last year.

 

Last month, Microsoft detected another large-scale BEC campaign that targeted over 120 companies using typo-squatted domains registered just a few days before the attacks began.

 

In March, the FBI also warned of BEC attacks increasingly targeting US state, local, tribal, and territorial (SLTT) government entities, with reported losses ranging from $10,000 up to $4 million from November 2018 to September 2020.

 

In other alerts sent last year, the FBI warned of BEC scammers abusing email auto-forwarding and cloud email services like Microsoft Office 365 and Google G Suite in their attacks.

 

Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan (RAT) capable of stealing the victims' sensitive info and backdooring their systems.

 

The malware delivered in this campaign is SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.

 

SolarMarker is designed to provide its masters with a backdoor to compromised systems and steal credentials from web browsers.

 

The data it manages to harvest from infected systems is exfiltrated to the command-and-control server. It will also gain persistence by adding itself to the Startup folder and modifying shortcuts on the victims' desktop.

In April, eSentire researchers observed threat actors behind SolarMaker flooding search results with over 100,000 web pages claiming to provide free office forms (e.g., invoices, questionnaires, receipts, and resumes).

 

However, they would instead act as traps for business professionals searching for document templates and infect them with the SolarMaker RAT using drive-by downloads and search redirection via Shopify and Google Sites.

Switches to abuse AWS and Strikingly

In more recent attacks spotted by Microsoft, the attackers have switched to keyword-stuffed documents hosted on AWS and Strikingly, and are now targeting other sectors, including finance and education.

 

"They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware," Microsoft said.

 

"The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from 'insurance form' and 'acceptance of contract' to 'how to join in SQL' and 'math answers'."

Once the victims find one of the maliciously crafted PDFs and open them, they are prompted to download another PDF or DOC document containing the information they are looking for.

Instead of gaining access to the info, they are redirected through multiple websites using .site, .tk, and .ga TLDs to a cloned Google Drive web page where they are served the last payload, the SolarMaker malware.

 

The SolarMaker developers are believed to be Russian-speaking threat actors based on Russian to English translation misspelling, according to Morphisec.

 

The Morphisec researchers also found that many of the malware's C2 servers are located in Russia, although many were no longer active.

 

"The TRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspect any number of possibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations," eSentire’s Threat Response Unit (TRU) added.

 

Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks.

 

In a breach notification letter sent to affected customers earlier this month, the company said that this was not a "systemic data breach of Intuit."

 

In account takeover attacks, cybercriminals gain access to their victims' accounts using credentials stolen from other online services following past data breaches.

 

This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services.

TurboTax accounts hacked using reused credentials

Intuit discovered during a security review that an undisclosed number of TurboTax accounts was breached and customer info was exposed. 

 

The company's investigation revealed that the threat actors used credentials (usernames and passwords) obtained from "a non-Intuit source" to gain access to the accounts.

 

"By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return," Intuit explained.

 

"We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information," the company added.

 

After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted.

 

Afterward, Intuit employees will walk them through an identity verification procedure designed to help reactivate the accounts.

Previous alerts of threat actors taking over TurboTax accounts

This is not the first time attackers have successfully hacked into TurboTax users' accounts and stole financial and personal information.

 

TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.

 

Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.

 

Intuit and TurboTax spokespersons were not available for comment when contacted by BleepingComputer earlier for further info on the breach dates and the number of impacted accounts.

 

Reports broke yesterday of a massive data breach at Electronic Arts that resulted in the theft of close to 780GB worth of data containing FIFA 21 and Frostbite engine source code. While the code itself isn’t being made available on the web, hackers have reportedly posted screenshots of some of the stolen content as proof of possession. Today, a new report on Motherboard provides more information on how the hack was carried out. It cites statements made to the publication by a “representative for the hackers”.

 

The hackers claim that they started off by purchasing stolen cookies for $10 from the web. These cookies possibly containing Slack login details of EA employees were then used to gain access to a Slack channel, with the hackers likely masquerading as internal employees. The account was then used to reach out to IT Support to request multifactor tokens, saying that they “lost our phone at a party last night”. The tokens were then used to access EA’s corporate network using the employees' credentials.

 

Once inside the network, the bad actors discovered a service that was used by developers to compile games. They then created virtual machines in the server and subsequently gained access to the source code. Motherboard says that the representative has provided screenshots of the Slack chats and various steps of the process to corroborate the claims. Interestingly, the publication says that EA confirmed the “contours of the description of the breach”. However, EA has reiterated that the breach has not resulted in the compromise of any player data.

 

In addition to the game data, the hackers have reportedly also gained access to documentation pertaining to PlayStation VR, digital crowds in FIFA, and AI in games, among other details. The publication adds that Sony has not responded to requests for comment.

 

McDonald's, the largest fast-food chain globally, has disclosed a data breach after hackers breached its systems and stole information belonging to customers and employees from the US, South Korea, and Taiwan.

 

As the world's global foodservice retailer, McDonald's serves almost hundreds of millions of customers every day in more than 39,000 locations in over 100 countries, including roughly 14,000 restaurants in the US alone.

No customer payment information exposed

Today, the company said that threat actors breached its systems in multiple markets worldwide, as discovered following an investigation conducted by external security consultants.

 

McDonald's also told US employees that the attackers could only steal business contact info belonging to US employees and franchises that wasn't personal or sensitive, as first reported by WSJ.

 

The threat actors also stole personal information (including names, emails, phone numbers, and addresses) from customers in South Korea and Taiwan,

 

However, the number of customer documents exposed in the incident was small, and the breach did not impact customers' payment info in any way.

 

"While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data," McDonald's said in a statement to BleepingComputer.

 

"Based on our investigation, only Korea and Taiwan had customer personal data accessed, and they will be taking steps to notify regulators and customers listed in these files.

 

"No customer payment information was contained in these files. In the coming days, a few additional markets will take steps to address files that contained employee personal data. "

 

The fast-food chain is currently notifying affected customers and relevant authorities in all impacted markets.

McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense. These tools allowed us to quickly identify and contain recent unauthorized activity on our network. A thorough investigation was conducted, and we worked with experienced third parties to support this investigation. — McDonald's

Not the first rodeo

This is not the first time McDonald's had to deal with a security incident in recent years.

 

In 2017, the company was forced to fix a cross-site scripting (XSS) vulnerability affecting its official website and exposing customers' plain text passwords.

 

As revealed by security researcher Tijme Gommers who discovered the bug, attackers could've exploited the security flaw by crafting a malicious link.

 

When clicked by a target, it would extract and decrypt password data from a local cookie and send it to the attacker in cleartext.

 

Extracting any user's passwords was possible because McDonald's stored password information in a cookie file protected using the same key and initialization vector for all users.

 

In related news, gaming giant Electronic Arts (EA) also confirmed on Thursday that threat actors hacked its network and stole "a limited amount of code and related tools."

 

Update: Added McDonald's statement.

The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to BleepingComputer.com.

 

This morning, BleepingComputer received an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file.

 

This file claimed to be the "Decryption Keys Ransomware Avaddon," and contained the three files shown below.

After sharing the files with Fabian Wosar of Emsisoft and Michael Gillespie of Coveware, they confirmed that the keys are legitimate.

 

Using a test decryptor shared with BleepingComputer by Emsisoft, I decrypted a virtual machine encrypted today with a recent sample of Avaddon.

In total, the threat actors sent us 2,934 decryption keys, where each key corresponds to a specific victim.

 

Emsisoft is working on a free decryptor with these keys, and it should be available within the next 24 hours, if not sooner.

 

While it doesn't happen often enough, ransomware groups have previously released decryption keys to BleepingComputer and other researchers as a gesture of goodwill when they shut down or release a new version.

 

In the past, decryption keys have been released for TeslaCrypt, Crysis, AES-NI, Shade, FilesLocker, Ziggy, and FonixLocker.

Avaddon shuts down ransomware operation

Avaddon launched its operation in June 2020 through a phishing campaign that contained a winking smiley, shown below.

Over time, Avaddon has grown into one of the larger ransomware operations, with the FBI and Australian law enforcement recently releasing advisories related to the group.

 

At this time, all of Avaddon's Tor sites are inaccessible, indicating that the ransomware operation has likely shut down.

 

Furthermore, ransomware negotiation firms and incident responders saw a mad rush by Avaddon over the past few days to finalize ransom payments from existing unpaid victims.

 

Coveware CEO Bill Siegel has told BleepingComputer that Avaddon's average ransom demand was around $600k.

 

However, over the past few days, Avaddon has been pressuring victims to pay and accepting the last counteroffer without any push back, which Siegel states is abnormal.

 

It is not clear why Avaddon shut down, but it was likely caused by the increased pressure and scrutiny by law enforcement and governments worldwide after recent attacks against critical infrastructure.

 

"The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too," Emsisoft threat analyst Brett Callow told BleepingComputer.

 

With the recent attacks against Colonial Pipeline and JBS, ransomware has become a priority of the US government.

 

As most of the larger ransomware operations are believed to be operated within Russia or other CIS countries, President Biden will be discussing these recent ransomware attacks with Russian President Vladimir Putin at the June 16 Geneva summit.

 

The former chief operating officer of Securolytics, a network security company providing services for the health care industry, was charged with allegedly conducting a cyberattack on Georgia-based Gwinnett Medical Center (GMC).

 

45-year-old Vikas Singla supposedly disrupted the health provider's Ascom phone service and network printer service and obtained information from a Hologic R2 Digitizer digitizing device in September 2018.

 

According to the US Department of Justice press release, Singla conducted the cyberattack partially "for purpose of commercial advantage and private financial gain" per the indictment.

 

"This cyberattack on a hospital not only could have had disastrous consequences, but patients' personal information was also compromised," said Special Agent in Charge Chris Hacker of the FBI's Atlanta Field Office. 

 

"The FBI and our law enforcement partners are determined to hold accountable, those who allegedly put people's health and safety at risk while driven by greed."

Facing many years in prison if found guilty

The Securolytics executive was charged with 17 counts of intentional damage to a protected computer, each of the counts carrying a maximum penalty of 10 years in prison.

 

He was also charged with one count of obtaining information by computer from a protected computer, which carries a maximum penalty of five years in prison.

 

"Criminal disruptions of hospital computer networks can have tragic consequences," added Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department's Criminal Division.

 

"The department is committed to holding accountable those who endanger the lives of patients by damaging computers that are essential in the operation of our health care system."

 

A Securolytics spokesperson was not available for comment when contacted by BleepingComputer earlier today.

 

According to multiple media reports, GMC investigated a security breach in 2018 after some of its patients' started surfacing online.

 

"Gwinnett Medical Center recently discovered a security incident. At this time, we are continuing to investigate the issue [...] I can confirm that patient care activities have not been impacted," a GMC spokesperson told ZDNet at the time.