NordVPN, TorGuard Hit by Hacks Involving Insecure Servers


NordVPN has suffered a breach that may have allowed a hacker to view the customer traffic flowing through a Finland-based VPN server. However, no login credentials were intercepted, the company says.



The same hacker also hit rival VPN providers TorGuard and VikingVPN; TorGuard is downplaying the severity of the breach.



The hacks, which went unnoticed for at least a year, are stirring up security doubts about the affected VPN services, which can prevent internet service providers from collecting details on your website lookups. In the case of NordVPN, the breach occurred in March 2018 at a Finnish data center from which NordVPN was renting servers. "The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," NordVPN said in a Monday statement.



What was exposed



NordVPN has a strict policy against keeping user traffic logs, so "the server itself did not contain any user activity logs," it said. "None of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either."



NordVPN originally told Bloomberg that only an estimated 50 to 200 customers were using the affected VPN server. However, the company has backtracked on that statement. "It's impossible to tell exactly, as such data do not exist. The numbers reported by Bloomberg are a raw estimate," a NordVPN spokesperson told PCMag.



The company, which is based in Panama, has in total over 12 million customers who can connect to over 3,000 different company VPN servers across the globe. Nevertheless, the breach appears to have involved the hacker gaining root access to the Finland-based server. This would have allowed the mysterious attacker to potentially view and modify customer traffic.



Although the Finnish data center quietly patched the vulnerability in the same month, the hacker also stole a NordVPN Transport Layer Security (TLS) key, which was used to encrypt traffic from customer browsers to the company's website and extensions. However, the key was never used to encrypt user traffic on the VPN server, the company told PCMag.



Stealing the TLS key did open the door for what's called a "man in the middle attack," which can expose your traffic, unencrypted, to the hacker. But pulling off such a scheme would require additional steps. This could involve creating a dummy NordVPN client or website, and then tricking a user into using it.



The exposed TLS key also expired in October 2018. As a result, a certificate relying on that key would eventually have triggered a warning on the user's computer about the expiration date.



So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys... pic.twitter.com/TOap6NyvNy



The source of the breach



News of the breach first emerged over the weekend when a web developer tweeted that a NordVPN TLS key had been circulating on the internet, largely unnoticed. The stolen key was posted in May 2018 by an anonymous user on the forum 8chan, who also claimed to have breached servers at TorGuard and VikingVPN.



The same 8chan post also indicates the hacker stole the OpenVPN Certificate Authority (CA) key on board the NordVPN server, which is used to validate the encrypted connections between a VPN server and the user's computer. As a result, the hacker could have used the key to create rogue servers that would have successfully connected to NordVPN's official network. The same rogue servers could also be used for man in the middle attacks to spy on any users who were fooled into connecting to them.
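To make the two certificate points above concrete (an expired key stops being useful once its certificate passes NotAfter, and a server only passes a client's check when its certificate chains to the CA the client was configured to trust), here is an added Go example using only the standard library; it is not code from the article, NordVPN, TorGuard or OpenVPN, and the CA, the server name "vpn.example" and all dates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key; a nil parent yields a self-signed CA (errors ignored for brevity).
func issue(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ClientVerdict: what a client that trusts exactly one CA concludes about a server cert at time now.
func ClientVerdict(server, ca *x509.Certificate, now time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var inv x509.CertificateInvalidError
	if err == nil {
		return "trusted"
	} else if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return "expired" // a leaked key for this cert stops being useful after NotAfter
	}
	return "untrusted" // e.g. signed by a CA whose key the client never trusted
}
// Scenario (constructed dates): a CA, a server cert expiring at the end of October 2018, and a same-name cert from a second CA; verdicts for March 2018, October 2019, and the second-CA cert.
func Scenario() [3]string {
	d := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "VPN CA"},
		NotBefore: d(2017, 1), NotAfter: d(2027, 1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn.example"},
		NotBefore: d(2017, 10), NotAfter: d(2018, 11), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ca, caKey := issue(caTmpl, nil, nil)
	srv, _ := issue(srvTmpl, ca, caKey)
	otherCA, otherKey := issue(caTmpl, nil, nil) // same name, different key: not the CA the client trusts
	rogue, _ := issue(srvTmpl, otherCA, otherKey)
	return [3]string{ClientVerdict(srv, ca, d(2018, 3)), ClientVerdict(srv, ca, d(2019, 10)), ClientVerdict(rogue, ca, d(2018, 3))}
}
```

Scenario() returns [trusted expired untrusted]: the only way the third case becomes "trusted" is with the trusted CA's own signing key, which is why keeping that key off the VPN server, as TorGuard describes below, limits what a server compromise can yield.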



In response to these potential dangers, NordVPN told PCMag: "Even if the hacker could have viewed the traffic while being connected to the server, he could see only what an ordinary ISP (internet service provider) would see, but in no way could it be personalized or linked to a particular user."



While the Finnish data center patched the vulnerability with the remote management system on March 20, 2018, it apparently never notified NordVPN about the problem. NordVPN said it learned of the incident a few months ago.



"We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues," the company said in today's statement. "This couldn't be done quickly due to the huge amount of servers and the complexity of our infrastructure."



In response to the breach, NordVPN has terminated the company's contract with the Finnish data center. All servers it had been renting from the center have also been destroyed. "Even though only 1 of more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the issue," the company added. "We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers."



However, the Finnish data center is disputing that it was at fault. The CEO of Creanova, the third-party server provider, has been telling journalists the breach occurred thanks to a remote management tool from either HP or Dell, which can be logged into online. Creanova's CEO also claims NordVPN specifically requested the tool be installed on the server.



Dell's support page specifically warns that the default login credential on its remote management tool is widely known.



Apparently this is how NordVPN was hacked (Default credentials on an exposed iDRAC web interface) pic.twitter.com/09QCYQvBYX



In response, NordVPN's spokesperson said: "It's not that we didn't know about the solution; we never knew about additional accounts that have been created and then deleted." The company also provided a screenshot of the access log for the server.






The TorGuard breach



As for TorGuard, the company also confirmed on Monday that it had suffered a breach. However, no Certificate Authority key for validating encrypted connections was ever stored on board the affected VPN server. "We operate this way so if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch Man-in-the-Middle attacks on other TorGuard servers," the company said in a statement.



It's unclear when the TorGuard breach occurred, but it involved a single server at a third-party provider, which removed the affected hardware in early 2018.



The hacker did steal a TLS key for the domain torguardvpnaccess.com, but it has not been valid for the TorGuard network since 2017, the company says.



TorGuard said it became aware of the breach in May, in the course of its ongoing lawsuit against NordVPN over an alleged blackmail attempt, which concerned how NordVPN had found TorGuard server configuration files on the internet.



"Due to the ongoing lawsuit we cannot provide exact details about this specific hosting re-seller or how the attacker gained unauthorized access," the company said. "However, we would like the public to know this server was not compromised externally and there was never a threat to other TorGuard servers or users."



The third VPN provider the hacker listed in the breach, VikingVPN, did not immediately respond to a request for comment.



Editor's Note: This story has been updated with more information about how the hacker may have also gained root access to the affected NordVPN server, which reportedly only had 50 to 200 users. NordVPN is now backtracking on the 50 to 200 users estimate. Additional details have been included about the data center provider.