Last month Microsoft announced that it had discovered a vulnerability in remote desktop services that…
First users that reported that something is wrong was “The Register” digital periodical reader named Dan. Installed in his office network safety solutions suddenly started to send signals about suspicious traffic from one of visitors’ laptops. As showed log analysis, device connected to some of the “trash” domains.
Cybersecurity researcher Ryan Niemes also noted strange traffic.
However, Niemes found one thing – suspicious domains had no owner. Researcher bought them and started EC2, aiming investigating, what in reality is going on. With running the netstat team, he saw connection to port 443.
In private letter researcher notified NordVPN developers about his discovery and received three years of free subscription as a gratitude. Developers promised to fix the issue, but after release of updates, suspicious connections did not discontinue. Niemes installed updated version of NordVPN for testing and detected incoming connection that are established by clients with “NordVPN” in user-agent lines.“I registered Letsencrypt certificate and started watching for arrival of log entries” – reported Niemes
Researcher found inside HTTPS-traffic API-requests to other domains.
“POST-requests that I detected are rising concerns, as renewtoken field is unique” – said Niemec.
According to his words, user-agent line and requests disclosed application version, host’s OS compilation and user’s IPv4 address.
As argue in NordVPN, connection to strange domains is a part of blocks bypassing strategy.
Source: www.technadu.com
Kabatibly.co.in is a domain that tries to force you into clik to its browser notifications…
Reditarcet.co.in is a site that tries to force you into subscribing to its browser notifications…
Everestpeak.top is a domain that tries to trick you into subscribing to its browser notifications…
Firm-jawed.yachts is a domain that tries to trick you into subscribing to its browser notifications…
Anapurnatop.top is a domain that tries to trick you into subscribing to its browser notifications…
Boomira.com is a domain that tries to force you into clik to its browser notifications…