
NordVPN Says Server Compromised Due to Misconfiguration

Security Expert Says Attacker Would Have Had 'God Mode' on VPN Node

Virtual private network provider NordVPN says an error by a data center provider in Finland allowed an attacker to gain control of a server, but it says its broader service was not hacked. One security expert, however, says the attacker would have had "God mode" on one VPN node.


NordVPN's disclosure only came after information surfaced on Twitter on Sunday that the popular VPN provider and possibly others had experienced serious security incidents.

NordVPN says it "learned about the vulnerability the data center had [a] few months back." It says it initially chose not to publicly disclose the exploit "because we had to make sure that none of our infrastructure would be prone to similar issues." It didn't disclose the data center at issue.

"The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," the company says. "We failed by contracting [an] unreliable service provider and must have done better to ensure the security of our customers."

Expert: Hack is More Serious

Security issues involving VPNs tend to strike a nerve because a compromise could potentially reveal someone's internet activity. There's also a dose of irony in that VPN services often tout their security advantages in marketing materials, and VPN providers aggressively compete for business.

But the company's explanation fell flat for some. Kenn White, a security expert and co-director of the Open Crypto Audit Project, writes that the material posted on Twitter points to a far more serious situation: a compromised VPN node to which the attacker had full access.

VPNs tunnel a user's internet traffic to one of the provider's servers, which then forwards it to its destination. The user's ISP sees only encrypted traffic to the VPN server, not the sites being visited, which offers greater privacy. VPN providers also usually resolve DNS queries on the user's behalf, again shielding those from the local ISP. But these privacy advantages hinge on the security of the VPN provider's servers: whoever controls a node can see which destinations its users connect to, along with any traffic that is not separately encrypted with HTTPS or similar.

VPNs also mask a device's real IP address, so a service sees only the IP address of the VPN server. Most VPN providers offer a menu of data centers around the world to connect through, which allows people to access geo-blocked content or restricted services. VPNs are also popular in places where governments may censor content or monitor internet browsing, but they're not foolproof there either, because the VPN servers themselves can be blocked.

Audits Underway

NordVPN says it has terminated its contract with the data center provider and "shredded all servers we had been renting from them."

The server in question was illegally accessed in March 2018. The server had been allocated to NordVPN in January 2018. The data center provider noticed it had left an insecure remote management system on the server and deleted it on March 20, 2018, but did not tell NordVPN, the company says.

A few months ago, NordVPN says, its technical team discovered the undisclosed remote management account. It says it held off notifying users while it audited its entire network. The server did not store user activity logs or authentication credentials, it says.

"Once we found out about the incident, we immediately launched a thorough audit to check out the entire infrastructure," it says. "We double-checked that no other server could possibly be exploited this way and started creating a process of moving all of our servers to RAM, which is to be completed next year."

In addition, a private TLS key for NordVPN's website was taken from the server at the same time it was compromised. For as long as the certificate issued for that key remained valid, it would have allowed an attacker to set up a spoofed website presenting a trusted certificate for nordvpn.com, or to conduct man-in-the-middle attacks against users visiting the real one; once the certificate expires or is replaced with one for a fresh key, the leaked key is of no further use for that purpose.

"However, the key couldn't possibly have been used to decrypt the VPN traffic of any other server," NordVPN says. "On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com."
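The check a practitioner wants after a disclosure like this is whether the site's currently deployed certificate still carries the public half of the leaked key, because only then can the key holder impersonate the site. The following Go program is an added example, not NordVPN's code or anything from the disclosure: it generates a stand-in "leaked" key and certificate inline (the hostname, keys and certificates are all constructed for the example), issues a replacement certificate for a rotated key, and shows that the comparison flags the first and clears the second. The certificate is self-signed to stand in for a CA-issued one, since the comparison only looks at the public key, not the signer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issueCert self-signs a server certificate for host using priv. It stands in
// for the certificate a CA would issue for the same public key; the check in
// UsesLeakedKey only inspects the public key, so the signer does not matter.
func issueCert(host string, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the same value used by HPKP-style pins and curl's --pinnedpubkey. Two
// certificates for the same key have the same pin regardless of who signed them.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// UsesLeakedKey reports whether cert's public key is the public half of leaked,
// i.e. whether whoever holds leaked can present cert and complete a TLS
// handshake as the certificate's subject.
func UsesLeakedKey(cert *x509.Certificate, leaked *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false // not an RSA certificate, so it cannot be this RSA key
	}
	return pub.Equal(&leaked.PublicKey)
}

// Demo builds the scenario: a private key is stolen from a server, the public
// site's certificate still uses that key (detected), then the operator rotates
// to a fresh key and reissues the certificate (no longer detected).
func Demo() (beforeRotation, afterRotation bool, err error) {
	const host = "www.example.test" // constructed hostname for the example

	leaked, err := rsa.GenerateKey(rand.Reader, 2048) // the key that was exfiltrated
	if err != nil {
		return
	}
	cert, err := issueCert(host, leaked) // certificate still deployed on the site
	if err != nil {
		return
	}
	beforeRotation = UsesLeakedKey(cert, leaked)

	fresh, err := rsa.GenerateKey(rand.Reader, 2048) // key generated during rotation
	if err != nil {
		return
	}
	rotated, err := issueCert(host, fresh) // certificate reissued for the new key
	if err != nil {
		return
	}
	afterRotation = UsesLeakedKey(rotated, leaked)
	return
}

func main() {
	before, after, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("deployed cert uses leaked key: %v\nafter rotation: %v\n", before, after)
}
```

Against a live site you would replace issueCert with the leaf certificate obtained from `tls.Dial`'s `ConnectionState().PeerCertificates[0]`, or compare SPKIPin against the output of `openssl s_client -connect host:443 | openssl x509 -noout -pubkey` hashed the same way; if the pin of the deployed certificate matches the leaked key's pin, the key has not been rotated and the exposure described above is still live.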

As far as remediation, the company says it has undergone an application security audit, is working on a second no-logs audit and plans an external audit of its infrastructure next year. It also plans to start a bug bounty program.

Other VPN Hacks?

As NordVPN's problems became public, it appeared other VPN providers may have experienced trouble as well. A Twitter user going by the nickname cryptostorm tweeted an archived link to the notorious message board 8chan that contained similar sensitive data for TorGuard and VikingVPN.

On Monday, TorGuard, which is based in Orlando, Fla., says that a single server "that was compromised was removed from our network in early 2018, and we have since terminated all business with the related hosting reseller because of repeated suspicious activity."

The reseller was Collective 7, a hosting company based in Canada. That hosting company's name is revealed in a federal lawsuit TorGuard filed in Florida in June against NordVPN over alleged blackmail claims.

In the lawsuit, TorGuard alleges that NordVPN, in cooperation with Collective 7, threatened to release "confidential and trade secret information." According to a blog post, TorGuard says NordVPN wanted it to push one of its VPN affiliates, Tom Spark Reviews, "to remove negative content from YouTube regarding their own VPN brand." TorGuard also alleges that NordVPN orchestrated a distributed denial-of-service attack against it intended to disrupt sales.

Despite the hacked server, TorGuard maintains in the Monday blog post that "TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident."

VikingVPN officials could not be immediately reached for comment.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
