CrashPlan response to industry security incidents

Overview

When other security and technology companies disclose breaches and other security events, we often receive questions about whether those incidents affect CrashPlan products and services. This page provides information about if and how major, widely publicized breaches affect CrashPlan products and services.

CrashPlan constantly reviews and analyzes any security incidents that could impact our customers, products, and services. In addition to the list below, there may be other security incidents that we are reviewing. Because security incident details provide sensitive information that could be used maliciously, we are unable to publish information about every incident we review.

If a security event affects CrashPlan products and services, we contact affected customers and issue a security advisory.

If you have questions or concerns, contact our technical support team.

Chromium vulnerability

October 3, 2023

Incident: On September 6, 2023, Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto reported a heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 that could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability was filed in the NIST National Vulnerability Database as CVE-2023-4863. Sources reporting on this vulnerability may list CVE-2023-5129, which is a duplicate event that has since been rejected.

CrashPlan impact: The current version (11.2.0) of the CrashPlan app uses Electron 27.0.2, which is not affected by this vulnerability.

The CrashPlan security and product teams will continue to monitor risk of this vulnerability and will take action as necessary if additional information is released.

OpenSSL vulnerability

November 1, 2022

Incident: The OpenSSL project team announced two vulnerabilities that they rate as "High." These vulnerabilities are assigned CVE-2022-3786 and CVE-2022-3602. According to the project team, an attacker could send specially-crafted input to a vulnerable OpenSSL-encrypted service, and could crash the service (leading to a denial of service), or possibly result in remote code execution.

CrashPlan impact: CrashPlan does not use affected versions of OpenSSL in our products. As a result, there is no known impact to CrashPlan's products and services from this incident. If you are a CrashPlan customer, no action is required.

We have reviewed our internal corporate environment, and have identified computer systems that use affected versions of OpenSSL. These instances are not accessible from the internet. We are taking the appropriate steps to mitigate these vulnerabilities and will provide additional updates as necessary.

The CrashPlan security and product teams will continue to monitor risk of this vulnerability and will take action as necessary when additional information is released. 

Apache Commons Text vulnerability

November 21, 2022

Update: CrashPlan app version 10.4.1 updates all instances of Apache Commons Text to version 1.10.0.

October 19, 2022

Incident: Apache Commons Text is a widely used open-source library focused on algorithms working on strings. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 1.5 and continuing through 1.9, the set of default instances of org.apache.commons.text.lookup.StringLookup interpreters included interpolators that could result in arbitrary code execution or contact with remote servers. This vulnerability has been assigned CVE-2022-42889.

CrashPlan impact: CrashPlan uses Commons Text within the CrashPlan cloud and agent. However, the way CrashPlan uses Commons Text does not leverage variable interpolation, which is needed for exploitation of this vulnerability. As a further point of mitigation, CrashPlan will update to the latest patched version of Commons Text in future product releases.

The CrashPlan security and product teams will continue to monitor risk of this vulnerability and will take action as necessary if additional information is released.

Atlassian Questions for Confluence app hardcoded password vulnerability

July 22, 2022

Incident: On July 20, 2022, Atlassian published a security advisory for CVE-2022-26138, which details a vulnerability in the Questions for Confluence app that could allow a remote, unauthenticated attacker with knowledge of a hardcoded password to log in to Confluence and access any pages that the confluence-users group has access to.

CrashPlan impact: CrashPlan does not use the Questions for Confluence app. As a result, there is no known impact to CrashPlan’s products, services, or internal corporate environment from this incident.

Atlassian Servlet Filter dispatcher vulnerabilities in multiple products

July 22, 2022

Incident: On July 20, 2022, Atlassian published a security advisory for CVE-2022-26136 and CVE-2022-26137, which detail vulnerabilities in multiple Atlassian products that allow a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps.

CrashPlan impact: CrashPlan uses Atlassian technology in our internal corporate environment. We have applied the recommended patches to affected Atlassian products. A review of internal security tools and telemetry verified that no anomalies were detected. We are engaging our relevant vendors to ensure they are also promptly remediating.

Atlassian remote code execution vulnerability

June 21, 2022

Incident: On June 3, 2022, Atlassian published a security advisory for CVE-2022-26134 based on a zero-day exploit Volexity published on June 2, 2022. In affected versions of Confluence Server and Data Center, an Object-Graph Navigation Language (OGNL) injection vulnerability exists that could allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

CrashPlan impact: CrashPlan does use Atlassian technology in our internal corporate environment. We applied the recommended mitigation to address the vulnerability as soon as we were made aware of it. A review of internal security tools and telemetry verified that no anomalies were detected.

Microsoft Support Diagnostic Tool vulnerability

June 14, 2022

Incident: On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. Microsoft's documentation states, "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

CrashPlan impact: CrashPlan does not use Microsoft Windows or Office in our products. However, CrashPlan does use Microsoft products in our internal corporate environment. We verified that no servers are running Microsoft Office applications. In addition, we removed the registry key where applicable to mitigate these vulnerabilities, as documented in Microsoft's suggested workaround. A review of internal security tools and telemetry verified that no anomalies were detected.

VMware authentication bypass vulnerability

May 23, 2022

Based on guidance provided by CISA, CrashPlan completed an analysis of affected VMware instances in our internal corporate environment. Based on that analysis, CrashPlan applied patches where applicable, conducted a security analysis, and verified that no anomalies were detected.

May 18, 2022

Incident: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. CISA has published Emergency Directive 22-03 in response.

CrashPlan impact: CrashPlan products do not use VMware technology as part of the production environment. However, CrashPlan does use affected VMware technology in our internal corporate environment. These instances are not accessible from the internet. We are taking the appropriate steps to mitigate these vulnerabilities and will provide additional updates as they are available.

F5 remote code execution

May 9, 2022

Incident: On May 4, 2022, F5 announced CVE-2022-1388, which details a critical remote code execution vulnerability in BIG-IP networking devices.

CrashPlan impact: CrashPlan does not use F5 products. As a result, there is no known impact to CrashPlan’s products or services from this incident.

Java Spring Framework vulnerability

March 31, 2022

Incident: A zero-day vulnerability found in the popular Java web application development framework Spring (CVE-2022-22965) puts a wide variety of web apps at risk of remote attack. The vulnerability — referenced as "Spring4Shell" and "SpringShell" by some security firms — can be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration.

CrashPlan impact: CrashPlan does use Spring in some of our cloud services, but they are not vulnerable to CVE-2022-22965, per the information provided by Spring. In addition, CrashPlan agents do not use Spring at all so are also not affected. As a further point of mitigation, CrashPlan will update to the latest patched version of Spring Boot and the Spring Framework in future product releases.

The CrashPlan security and product teams are continuing to monitor this vulnerability and will take action as necessary if and when additional information is released.

Okta LAPSUS$ hacking group incident

March 25, 2022

We have received confirmation from Okta that CrashPlan is not one of the few customers affected by this incident. As a result, there is no known impact to CrashPlan’s products or services from this incident.

March 22, 2022

Incident: The LAPSUS$ hacking group posted screenshots on Telegram claiming they obtained access to Okta.com Superuser/Admin and various other systems. As of March 22, 2022, Okta has publicly stated the images were related to an incident detected and contained in January 2022. 

CrashPlan impact: We are aware of the current incident reports tied to Okta support user access. While CrashPlan uses Okta for authentication for internal applications, we have confirmed that CrashPlan does not have Okta support access enabled within our environment. As an additional precaution, we also have reviewed logs for the last six months and have not seen any unusual or malicious activity from support users.

Ukraine-Russia war

March 2, 2022

CrashPlan is closely monitoring the cybersecurity implications of the Ukraine-Russia war and will adjust to potential threats to the business as they emerge.

Log4j library vulnerability

Summary 

  • Date: December 10, 2021 - February 2, 2022
  • Organization / Product: Apache Log4j
  • Incident: Apache announced multiple vulnerabilities within the Log4j library. 
  • Affected CrashPlan components:
    • CrashPlan cloud: Updated Log4j from 2.15.0 to 2.17.1 on January 26, 2022
    • CrashPlan app: Updated Log4j from 2.16.0 to 2.17.1 on January 18, 2022
    • CrashPlan User Directory Sync (UDS): Updated Log4j from 2.15.0 to 2.17.1 on February 2, 2022

Previous industry incidents 

  • Date: July 2, 2021
  • Organization / Product: Kaseya VSA remote management service
  • Incident: Kaseya was struck by a ransomware attack, which spread to an estimated 1,500 businesses around the world. It is believed that attackers exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers.
  • CrashPlan impact: CrashPlan does not use Kaseya products. There is no known impact to CrashPlan’s products or services as a result of this attack.

  • Date: June 30, 2021
  • Organization / Product: Microsoft Windows Print Spooler service
  • Incident: A vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service, known colloquially as PrintNightmare, allows an attacker to remotely execute code with system level privileges. A threat actor exploiting this vulnerability can compromise the entire identity infrastructure of a targeted organization.
  • CrashPlan impact: CrashPlan products are not vulnerable to this threat. If you are a CrashPlan customer, your CrashPlan environment is not affected. However, CrashPlan does use affected Microsoft Windows technology in our internal corporate environment. We have taken the appropriate steps to mitigate this vulnerability. Between June 30 and July 9, CrashPlan took the following actions:
    • June 30 - Disabled Print Spooler functionality where possible on impacted devices, including putting in place file system access restrictions for one server where the spooler service was operationally necessary
    • July 6 - Updated system monitor configurations and logging
    • July 8 - Applied Microsoft patches
    • July 9 - Configured registry settings via group policy for disabling point and print

  • Date: April 20, 2021
  • Organization / Product: Pulse Connect Secure (PCS 9.0R3 and higher)
  • Incident: A vulnerability was discovered in Pulse Connect Secure (PCS). This vulnerability includes an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.
  • CrashPlan impact: CrashPlan does not use Pulse Connect Secure. There is no known impact to CrashPlan’s products or services as a result of this vulnerability disclosure.

  • Date: April 20, 2021
  • Organization / Product: SonicWall Email Security
  • Incident: Three zero-day vulnerabilities in SonicWall’s Email Security (ES) product were found exploited in the wild. These vulnerabilities were executed together to obtain administrative access and carry out code execution on a SonicWall ES device.
  • CrashPlan impact: CrashPlan does not use SonicWall Email Security. There is no known impact to CrashPlan’s products or services as a result of this vulnerability disclosure.

  • Date: March 10, 2021
  • Organization / Product: F5 Networks BIG-IP and BIG-IQ
  • Incident: F5 announced 21 CVEs, including four critical vulnerabilities. These vulnerabilities could allow for remote command execution. Alongside disclosure of the vulnerabilities, F5 Networks issued patches for both the BIG-IP and BIG-IQ platforms.
  • CrashPlan impact: CrashPlan does not use F5 Networks’ BIG-IP or BIG-IQ. There is no known impact to CrashPlan’s products or services as a result of this incident.

  • Date: March 8, 2021
  • Organization / Product: Verkada
  • Incident: An entity calling itself APT69420 claims to have gained unauthorized global access to Verkada’s security camera and facial recognition system. The third party was able to view video feeds and facial recognition data for numerous large customers of Verkada’s surveillance system product. This breach was independently verified by Bloomberg and involved access using a super-user account.
  • CrashPlan impact: CrashPlan does not use Verkada. There is no known impact to CrashPlan’s products or services as a result of this incident.

  • Date: March 2, 2021
  • Organization / Product: Microsoft Exchange
  • Incident: Microsoft announced that hackers working on behalf of the Chinese government were actively exploiting 0-day vulnerabilities in on-premises Microsoft Exchange servers. Microsoft issued emergency patches and urged all customers with on-premises Exchange to immediately patch their systems. The Exchange vulnerabilities have been assigned the following CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
  • CrashPlan impact: CrashPlan does not use Microsoft Exchange. There is no known impact to CrashPlan’s products or services as a result of this incident.

  • Date: February 1, 2021
  • Organization / Product: Accellion FTA
  • Incident: Accellion identified a concerted cyber-attack against their legacy FTA product. Accellion patched the actively exploited vulnerabilities and worked until January 2021 to identify and patch additional undiscovered vulnerabilities.
  • CrashPlan impact: CrashPlan does not use Accellion technologies. There is no known impact to CrashPlan’s products or services as a result of this incident.

  • Date: December 13, 2020
  • Organization / Product: SolarWinds
  • Incident: Malware inserted into a service that provided software updates for the Orion platform.
  • CrashPlan impact: CrashPlan does not use SolarWinds Orion. There is no known impact to CrashPlan’s products or services as a result of this incident.