Sandisk, Sony, and, Lexar, and almost all other storage devices, come with an encryption solution preloaded, and that software is primarily developed by a third-party vendor named ENC Security.
ENC Security is a Dutch company boasting 12 million users worldwide, and the company’s marketing materials claim it provides “military-grade data protection” tools through its ever-popular DataVault encryption software.
Unfortunately, it has been revealed that ENC Security has been leaking certificate and configuration files for more than a dozen months—as was discovered by a research team from Cybernews.
Cybernews researcher Martynas Vareikis explained, “The data that was leaking for over a year is nothing less than a goldmine for threat actors.”
The company’s news bulletin on the issue states that the leak occurred due to a misconfiguration on the part of a third-party supplier, and that ENC resolved the issue immediately after the company was notified.
How it Came to Light
The exposed data included public and private keys stored in .pem format, licensing payment API keys, HMAC message authentication codes, and Simple Mail Transfer Protocol (SMTP) credentials for sales channels, among other things. This data was available on the misconfigured server from May 2021 through November 2022.
Bad actors could exploit the aforementioned data for a variety of cyberattacks—from phishing to ransomware—including via the creation of sales communications to phish clients using fake invoices or by sending malware using ENC's email addresses, which many customers would trust.
Ransomware operators exploit .pem files – the keys left inside could result in unauthorized access or even a server takeover, which could be a massive breach of ENC's security and—if download files were replaced with infected copies—its customers, partners, and vendors. ECN Security says its products are downloaded over 2,000 times monthly.
Response Efforts and Vendor Security Management
ENC's security team is trying to assert that it has taken rapid action, saying “At ENC Security we take the security and protection of our data seriously. Every finding is thoroughly researched and remediated with appropriate measures. Relevant measures are taken when required, amongst which security measures, informing customers and further enhancing security.”
This event highlights the need for more effective vendor security management than is performed by most companies, even today. Supply chain attacks are becoming more and more prevalent and represent right targets for threat actors ranging from nation states to organized crime.
Webcheck Security specializes in development of security programs that include appropriate vendor security management. Our experts in security consulting will provide you with the guidance you need to secure your supply chain. Contact Webcheck today to learn more about our service offerings and address your security needs.