NordVPN Hacked, Making MSSPs’ Jobs Harder

While virtual private networks (VPNs) are regularly under attack by the likes of China and Russia, it’s disconcerting to see a powerhouse like NordVPN actually breached. Incredibly, the often top-ranked VPN followed a week’s worth of rumors with confirmation today that it was breached.

“We became aware that on March 2018, one of the data centers in Finland we had been renting our servers from was accessed with no authorization. The attacker gained access to the server by exploiting an insecure remote management system left by the data-center provider while we were unaware that such a system existed,” said the company in its official blog on the matter.

A hacker and web developer known as @hexdefined on Twitter tweeted, “Whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it).” The same source also tweeted that TorGuard was also compromised and there was also an OpenVPN server key in that hack.

I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it).

Why was this never detected?

— undefined (@hexdefined) October 21, 2019

Venafi’s Kevin Bocek

“VPN providers have grown rapidly because of the growing need for privacy. VPN cloud providers require TLS certificates that act as machine identities to authorize connection, encryption and establish trust between machines,” explained Kevin Bocek, vice president of security strategy and threat intelligence at machine identity protection provider Venafi.

The exposed expired internal private key “potentially allowed anyone to spin out their own servers imitating NordVPN,” according to a TechCrunch report.

MSSPs are likely to find it harder to advise clients on how to protect their mobile and remote workforces using unsecured internet connections now that VPNs have been breached too. However, NordVPN assures its customers that no other servers were affected, nor were any user activity logs or user-created credentials for authentication – such as usernames and passwords – taken.

Still, it strikes some as strange that internal and external audits didn’t catch this server vulnerability.

The company regularly seeks third-party audits. A recent one was an application security audit. Independent auditor VerSprite conducted the three-phased application penetration test.

NordVPN’s Laura Tyrell

“This audit made our apps even stronger. After the initial Application Penetration Test, our developer team followed the auditor’s recommendations and implemented a few changes,” said Laura Tyrell, head of public relations at NordVPN. “We’re keeping our pledge and intend to regularly audit our service in the future to help verify our systems match the highest standard.”

And last year, NordVPN retained PricewaterhouseCoopers (pwc), a Big 4 auditing firm, to audit its no-logs policy.

But security professionals are wary of assurances of any kind, even from outside auditors. After all, NordVPN, by its own admission, did not know about this server vulnerability until it was breached. What else does it not know about its own operations? But remember that this is true of almost every company in every industry. In any case, this type of attack will continue against a wide variety of companies using the cloud.

“Machine identities are extremely valuable targets for cybercriminals and large enterprises often have tens of thousands of machine identities they need to protect. These breaches will become more common in the future. It is imperative organizations have the agility to automatically replace every key and certificate that may have been exposed in breaches,” said Bocek.