A confirmed hack on VPN provider NordVPN and two others has highlighted a key danger for anyone using hosted services: insecurities in the digital supply chain.
NordVPN is a VPN service that offers businesses and consumers two things: the chance to appear as though they’re in a different country, and the ability to encrypt their internet traffic. VPNs like this aren’t just for consumers wanting access to regionally-restricted content (people outside the UK wanting to get BBC iPlayer, for example). They’re also useful for people who don't trust the privacy of their immediate internet connection, or who want to route around censorship. Users could range from someone behind China’s golden shield firewall, through to someone worried about the security of public Wi-Fi.
NordVPN is incorporated in Panama, which doesn't have any data retention laws. That helps it to maintain its no-logging policy, which is important for very privacy-conscious users. However, over the weekend, things exploded with the news that one of the company’s servers in Finland had been compromised.
New Zealand-based security researcher @hexdefined helped break the news on Twitter:
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys... pic.twitter.com/TOap6NyvNy
— undefined (@hexdefined) October 20, 2019
In an official statement, the company revealed that an attacker had stolen a TLS key from the server. What’s interesting is the cause of the breach. NordVPN did what it could to secure its service, but its Finnish datacenter provider (which it has since terminated) didn’t. The hacker got in through an unsecured remote management system at the datacenter, the VPN provider said.
NordVPN built the server and added it to its global list of 3000 servers on January 31 2018. The hacker took advantage of the security hole and swiped the key in March 2018. The datacenter provider noticed and deleted the remote management account on March 20 without telling NordVPN.
NordVPN explained that the hack only affected one server, and that it couldn’t be used to decrypt the traffic on any other server. However, that means an attacker could have decrypted sessions with the Finnish server.
The company downplayed the significance of that. “The only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com,” it said.
A person could have mounted a man-in-the-middle attack without triggering any warnings if they did so before the TLS key expired, pointed out @hexdefined. The TLS key expired on October 7 2018.
A NordVPN spokesperson told us: “The malicious actor has gotten root access to that single server out of more than 3000 we had back then. However, even if a hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see, but in no way, [sic] it could be personalized or linked to the particular username or email. Historical VPN traffic could not be monitored.”
NordVPN wasn't the only company to suffer a hack. A post on 8chan leaked what appeared to be stolen keys from two other services: Viking VPN and TorGuard. Viking didn’t respond to our queries, but TorGuard posted a public statement explaining that its breach happened in 2017 and was discovered in early 2018. The key stored on the server, which was used for a caching proxy service, was retired in 2017, it said.
The breaches are linked, according to TorGuard CEO Benjamin Van Pelt. “So far, evidence appears to point to a single hosting reseller that has worked with multiple VPN providers including TorGuard, NordVPN and Viking,” he told Infosecurity. “This hosting reseller has in the past resold servers from all data centers affected by this disclosure. This was not an external hack, but rather an unauthorized remote logon by someone with close access to this web host's internal system.”
This just goes to show that your attack surface extends beyond your own infrastructure. When protecting your systems, it pays to properly audit your service providers and their partners to ensure that they haven't left any loose ends for attackers to exploit. VPN providers, which have to deal with multiple infrastructure partners and resellers across many regions, are a great example of how difficult this can become.
