NordVPN Says Server Compromised Due to MisconfigurationSecurity Expert Says Attacker Would Have Had 'God Mode' on VPN Node
Virtual private network provider NordVPN says an error by a data center provider in Finland allowed an attacker to gain control of a server, but it says its broader service was not hacked. One security expert, however, says the attacker would have had "God mode" on one VPN node.
See Also: 2020 Cyberthreat Defense Report
NordVPN's disclosure only came after information surfaced on Twitter on Sunday that the popular VPN provider and possibly others had experienced serious security incidents.
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys... pic.twitter.com/TOap6NyvNy— undefined (@hexdefined) October 20, 2019
NordVPN says it "learned about the vulnerability the data center had [a] few months back." It says it initially chose not to publicly disclose the exploit "because we had to make sure that none of our infrastructure would be prone to similar issues." It didn't disclose the data center at issue.
"The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," the company says. "We failed by contracting [an] unreliable service provider and must have done better to ensure the security of our customers."
Expert: Hack is More Serious
Security issues involving VPNs tend to strike a nerve because a compromise could potentially reveal someone's internet activity. There's also a dose of irony in that VPN services often tout their security advantages in marketing materials, and VPN providers aggressively compete for business.
1/3 In response to the TechCrunch article: a server was hacked, the service was not.— NordVPN (@NordVPN) October 21, 2019
None of the information available on one server can be used to decrypt the traffic of any other.
But the company's explanation fell flat for some, who warned that the material posted on Twitter points to a far direr situation - a compromised VPN node with full access by the attacker, writes Kenn White, a security expert and co-director of the Open Crypto Audit Project.
Missed detail in some of the online debate: based on the dumped pastebins, the Nord VPN not-a-hacker had full remote admin on their Finland node LXC containers. That's God Mode folks. And they didn't log and didn't detect it. I'd treat their all claims with great skepticism.— Kenn White (@kennwhite) October 21, 2019
VPNs tunnel internet traffic between a user and a data center before it is routed to a destination. A user's ISP only sees encrypted web traffic, which offers greater privacy. Also, VPNs usually resolve DNS queries, again shielding those from the local ISP, which may offer a privacy advantage. But the privacy advantages hinge on the security of the VPN provider.
VPNs also mask a device's real IP addresses, instead displaying to a service the IP address of the VPN service. Most VPN providers offer a menu of data centers around the world to connect with, which allows people to access geo-blocked content or restricted services. VPNs are also popular in places where governments may censor content or monitor internet browsing, but they're not foolproof either, because they can be blocked.
NordVPN says it has terminated its contract with the data center provider and "shredded all servers we had been renting from them."
The server in question was illegally accessed in March 2018. The server had been allocated to NordVPN in January 2018. The data center provider noticed it had left an insecure remote management system on the server and deleted it on March 20, 2018, but did not tell NordVPN, the company says.
A few months ago, NordVPN says its technical team discovered the undisclosed account. It says it held off notifying users while it audited its entire network. The server did not store user activity logs nor authentication credentials, it says.
"Once we found out about the incident, we immediately launched a thorough audit to check out the entire infrastructure," it says. "We double-checked that no other server could possibly be exploited this way and started creating a process of moving all of our servers to RAM, which is to be completed next year."
Also, a private TLS key for NordVPN's website was leaked. The key was taken at the same time as the server was exploited. That would have allowed an attacker to set up a spoofed website that appeared to be nordvpn.com or conduct man-in-the-middle attacks.
"However, the key couldn't possibly have been used to decrypt the VPN traffic of any other server," NordVPN says. "On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com."
As far as remediation, the company says it has undergone an application security audit, is working on a second no-logs audit and plans an external audit of its infrastructure next year. It also plans to start a bug bounty program.
Other VPN Hacks?
As NordVPN's problems became public, it appeared other VPN providers may have experienced trouble as well. A Twitter user going by the nickname cryptostorm tweeted an archived link to the notorious message board 8chan that had similar sensitive data for TorGuard and VikingVPN.
I've also confirmed that that TorGuard was compromised, this TLS certificate for *.torguardvpnaccess.com was leaked: https://t.co/k4RRFatVoF (expired Oct 2018).— undefined (@hexdefined) October 21, 2019
There's also an OpenVPN server key.
(Again, someone gained root access on the server)
On Monday, TorGuard, which is based in Orlando, Fla., says that a single server "that was compromised was removed from our network in early 2018, and we have since terminated all business with the related hosting reseller because of repeated suspicious activity."
The reseller was Collective 7, a hosting company based in Canada. That hosting company's name is revealed in a federal lawsuit TorGuard filed in Florida in June against NordVPN over alleged blackmail claims.
TorGuard alleges that in cooperation with Collective 7, NordVPN threatened to release "confidential and trade secret information," the lawsuit says. TorGuard alleges that NordVPN wanted it to push one of its VPN affiliates, Tom Spark Reviews, "to remove negative content from YouTube regarding their own VPN brand," according to a blog post. TorGuard also alleges that NordVPN orchestrated a distributed denial-of-service attack against it intended to disrupt sales.
TorGuard maintains that despite the hacked server "TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident," it says in the Monday blog post.
VikingVPN officials could not be immediately reached for comment.