NordVPN, TorGuard Hit by Hacks Involving Insecure Servers
The server did not contain user activity logs, but the hacker stole a Transport Layer Security key, which temporarily opened the door for a 'man in the middle' attack. The hacker may also have gained root access to the server, enabling them to potentially view and modify VPN traffic.
By Michael Kan
October 21, 2019 1:39PM EST
NordVPN has suffered a hack that may have allowed a hacker to view the customer traffic flowing through a Finland-based VPN server. However, no login credentials were intercepted, the company says.
The same hacker also hit competitor VPN providers TorGuard and VikingVPN; TorGuard is downplaying the severity of the hack.
The hacks, which went unnoticed for at least a year, are stirring up security doubts about the affected VPN services, which can prevent internet service providers from collecting details on your website lookups. In the case of NordVPN, the hack occurred in March 2018 at a Finnish data center from which NordVPN was renting servers. "The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," NordVPN said in a Monday statement.
What was exposed
NordVPN has a strict policy against keeping user traffic logs, so the server itself did not contain any user activity logs, it said. "None of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either."
NordVPN originally told Bloomberg only an estimated 50 to 200 customers were using the affected VPN server. However, the company has backtracked on that statement. "It's impossible to tell exactly as such data does not exist. Numbers reported by Bloomberg are a raw estimate," a NordVPN spokesperson told PCMag.
The company, which is based in Panama, has in total over 12 million customers who can connect to over 3,000 different company VPN servers across the globe. Nevertheless, the hack appears to have involved the hacker gaining root access to the Finland-based server. This would have allowed the mysterious attacker to potentially view and modify customer traffic.
Although the Finnish data center quietly patched the vulnerability in the same month, the hacker also stole a NordVPN Transport Layer Security (TLS) key, which was used to encrypt traffic from customer browsers to the company's website and extensions. However, the key was never used to encrypt user traffic on the VPN server, the company told PCMag.
Stealing the TLS key did open the door for what's called a man in the middle attack, which can expose your traffic, unencrypted, to the hacker. But pulling off such a scheme would require additional steps. This could involve creating a fake NordVPN client or website, and then tricking a user into using it.
The exposed TLS key also expired in October 2018. As a result, using the key's certificate would have eventually displayed a warning on the user's computer about the expiration date.
"So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys..."
5:26 am - Oct 20, 2019
The source of the hack
News of the hack first emerged over the weekend when a web developer tweeted that a NordVPN TLS key had been circulating on the internet, largely unnoticed. The stolen key was posted in May 2018 by an anonymous user on the forum 8chan, who also claimed to have hacked servers at TorGuard and VikingVPN.
The same 8chan post also indicates the hacker stole the OpenVPN Certificate Authority (CA) key on board the NordVPN server, which is used to validate the encrypted connections between a VPN server and the user's computer. As a result, the hacker could have used the key to create rogue servers that would have successfully connected to NordVPN's official network. The same rogue servers could also be used for man in the middle attacks to spy on any users who were fooled into connecting to them.
In response to these potential dangers, NordVPN told PCMag: "Even if the hacker could have viewed the traffic while being connected to the server, he could see only what an ordinary ISP (internet service provider) would see, but in no way could it be personalized or linked to a particular user."
While the Finnish data center patched the vulnerability with the remote management system on March 20, 2018, it apparently never notified NordVPN about the problem. NordVPN said it learned of the incident a few months ago.
"We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues," the company said in today's statement. "This couldn't be done quickly due to the huge amount of servers and the complexity of our infrastructure."
In response to the hack, NordVPN has terminated its contract with the Finnish data center. All servers it had been renting from the center have also been destroyed. "Even though only one of more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the issue," the company added. "We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers."
However, the Finnish data center is disputing that it was at fault. The CEO of Creanova, the third-party server provider, has been telling journalists the hack occurred thanks to a remote management tool from either HP or Dell, which can be logged into online. Creanova's CEO also claims NordVPN specifically requested the tool be installed on the server.
Dell's support page specifically warns that the default login credentials on its remote management tool are widely known.
"Apparently this is how NordVPN was hacked (Default credentials on an exposed iDRAC web interface)"
6:10 pm - Oct 21, 2019
In response, NordVPN's spokesperson said: "It's not that we didn't know about the solution; we never knew about additional accounts that have been created and then deleted." The company also provided a screenshot of the access log for the server.
The TorGuard hack
As for TorGuard, the company also confirmed on Monday it had suffered a hack. However, no certificate authority key for validating encrypted connections was ever stored on board the affected VPN server. "We operate this way so if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch Man-in-the-Middle attacks on other TorGuard servers," the company said in a statement.
It's unclear when the TorGuard hack occurred, but it involved a single server at a third-party provider, which removed the affected hardware in early 2018.
The hacker did steal a TLS key for the domain torguardvpnaccess.com, but it has not been valid for the TorGuard network since 2017, the company says.
TorGuard said it became aware of the hack in May due to the company's ongoing lawsuit over an alleged blackmail attempt from NordVPN over how it found TorGuard server configuration files on the internet.
"Due to the ongoing lawsuit we cannot provide exact details about this specific hosting re-seller or how the attacker gained unauthorized access," the company said. "However, we would like the public to know this server was not compromised externally and there was never a threat to other TorGuard servers or users."
The third VPN provider the hacker listed in the hack, VikingVPN, did not immediately respond to a request for comment.
Editor's Note: This story has been updated with more information about how the hacker may have also gained root access to the affected NordVPN server, which reportedly only had 50 to 200 users. NordVPN is now backtracking on the 50 to 200 users estimate. Additional details have been included about the data center provider.