The Network: A nationwide health insurance provider
The Expectation: The health insurance provider runs an antivirus product that provides antivirus, anti-phishing and cloud-powered scanning, and its systems were expected to be doing nothing more exotic than fetching AV updates.
The Catch: EventTracker found that two inside systems were sending account credentials, protected by nothing stronger than a trivially reversible encoding, over plain HTTP to two outside IP addresses (220.127.116.11 and 18.104.22.168). When resolved, both addresses were found to belong to an antivirus provider. Such "enterprise" update accounts have indeed been compromised before and their passwords posted publicly.
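The detection behind this catch is simple to reproduce. The following is an added example, not EventTracker's own logic: it walks a handful of constructed proxy-log lines (source, destination, port, method, URL, Authorization header), decodes any HTTP Basic header it finds, and flags credentials that left the RFC 1918 address space over unencrypted HTTP. The log format, the hostnames, the credential strings and the 203.0.113.0/24 "outside" addresses are all made up for the example.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records (not real EventTracker data). Fields:
# src_ip dst_ip dst_port method url "Authorization header value or -"
# Two inside hosts fetch an update over plain HTTP with Basic credentials,
# one host sends Basic credentials to an intranet server (inside, not flagged),
# and the rest are ordinary traffic.
SAMPLE_LOG = """\
10.10.5.21 203.0.113.17 80 GET http://update.example-av.test/upd/update.ver "Basic ZWF2LTEyMzQ1Njc6aHVudGVyMg=="
10.10.5.22 203.0.113.18 80 GET http://update.example-av.test/upd/update.ver "Basic ZWF2LTEyMzQ1Njc6aHVudGVyMg=="
10.10.5.30 10.10.1.5 80 GET http://intranet.corp.test/status "Basic YWRtaW46c2VjcmV0"
10.10.5.40 203.0.113.50 443 GET https://www.example.test/ "-"
10.10.5.41 203.0.113.60 80 GET http://cdn.example.test/img.png "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) (\S+) (\S+) "([^"]*)"$')

# Address space the organisation considers "inside" (assumption: plain RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    src_ip: str
    dst_ip: str
    url: str
    username: str
    reason: str


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def decode_basic(auth: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an HTTP Basic header value.

    Base64 is an encoding, not encryption: anyone who sees the header
    on the wire gets the password back with one call."""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def find_cleartext_credentials(log_text: str) -> List[Finding]:
    """Flag Basic credentials sent over plain HTTP to addresses outside the organisation."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, _port, _method, url, auth = m.groups()
        if not url.lower().startswith("http://"):
            continue  # TLS-wrapped request: the header is not visible on the wire
        creds = decode_basic(auth)
        if creds is None or not is_external(dst):
            continue
        findings.append(Finding(src, dst, url, creds[0],
                                "Basic credentials over plain HTTP to an outside host"))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG):
        print(f"{f.src_ip} -> {f.dst_ip} user={f.username!r} {f.url}: {f.reason}")
```

Run against the constructed log, this reports the two update fetches and nothing else; the intranet Basic login is not flagged because its destination is inside, and the HTTPS request is skipped because its header never crosses the network in the clear. In a real deployment the parser would be swapped for whatever the proxy or SIEM emits, and the decoded username alone (never the password) is what belongs in the alert.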
The potential danger to the health insurance provider is that an attacker watching this traffic now knows that they run ESET and pull updates over unencrypted HTTP. If the insurer's DNS were poisoned, the vendor's update hostname could be pointed at an attacker-controlled server and the inside machines would cheerfully download whatever was served to them as an "update". HTTPS would not stop the poisoning itself, but a forged server could not present a valid certificate for the vendor's name, so the download would fail instead of succeeding.
The Lesson: It is surprising (and sad!) that a major antivirus firm does not require HTTPS for this type of update. Unfortunately, there is little the customer, the health insurance provider, can do beyond demanding that the AV provider offer HTTPS downloads and, in the meantime, watching its own egress traffic for credentials and downloads leaving over port 80, which is exactly how this one was caught.