
NordVPN hacked - More like FlawedVPN

yolosnail
Quote

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

 

Quote

NordVPN told TechCrunch that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider, which NordVPN said it was unaware that such a system existed.

NordVPN did not name the data center provider.

Looks like 'hackers' were able to access one of NordVPN's rented servers without requiring any authorization. They say that while no logs were leaked, it was possible for someone to pretend to be a NordVPN server and collect data that way.

 

Quote

NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

 

As usual, this is the fault of a third party; they found out about it a while ago but wanted to make sure that they were fully secure before a public announcement.

 

I personally find it quite scary that a company can go around saying they keep your data safe and secure, but rent out servers with security issues that they didn't know about!

 

Source: https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

Laptop:

Spoiler

HP OMEN 15 - Intel Core i7 9750H, 16GB DDR4, 512GB NVMe SSD, Nvidia RTX 2060, 15.6" 1080p 144Hz IPS display

PC:

Spoiler

Vacancy - Looking for applicants, please send CV

Mac:

Spoiler

2009 Mac Pro 8 Core - 2 x Xeon E5520, 16GB DDR3 1333 ECC, 120GB SATA SSD, AMD Radeon 7850. Soon to be upgraded to 2 x 6 Core Xeons

Phones:

Spoiler

LG G6 - Platinum (The best colour of any phone, period)

LG G7 - Moroccan Blue

 


OOF

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


And some people were giving shit at LTT in the beginning for not choosing NordVPN instead of PIA for their VPN of choice...

Hah.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


1 minute ago, TetraSky said:

And some people were giving shit at LTT in the beginning for not choosing NordVPN instead of PIA for their VPN of choice...

Hah.

Speaking of bad VPNs... TUNNELBEAR!


LTT showing what VPNs you should ignore.

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.


big yikes

Bethesda PC:   R7 3700X  -  Asrock B550 Extreme 4  -  Corsair Dominator Platinum RGB 16GB@3.6GHz -  Zotac AMP Extreme 1080TI -  Samsung 860 Evo 256GB  -  WD Blue 2TB SSD -  500DX  -  Stock cooling lul  -  Rm650x

CrumpleBox V3:  Xeon X5680  -  Asus X58 Sabertooth  -  DDr3 16GB@1.33Ghz  -  Gigabyte 1660s -  TT smart RGB 700W  -  

Cooler Master Storm Trooper  -  120GB Samsung 850 Pro   -  LTT Edition Chromax NH-D15 ?

 

CrumpleBox 3 ROTF: I5-6400  -  MSI B150m Mortar  -  16GB 2133Mhz Vengeance Pro RGB  -  Strix 1070Ti - GTX 1070 FE  -  Adata 128GB SSD  -  Fractal Design Define C  -  Gammaxx 400V2  -  Cooler Master silent pro gold 1000W

CrumpleBox 2: i7-7820x - MSI X299 Raider - 32GB Thermaltake Toughram 3.6Ghz - 2x Sapphire Nitro Fury - 128GB PCie Adata SSD - O11 Dynamic - EVGA CLC 360 - Corsair RM1000X

 

Perhiperals:  Gateway 900p60 monitor  -  Dell 1024x768@75  -  Logi. G403 Carbon  -  Logi. G502  -  SteSer. Arctis 5  -  SteSer. Rival 110 - Corsair Strafe RGB MK.2

 

 


It makes sense that the good old rule that is "everything either has been breached, will be breached, or both" applies to VPNs as well.

 

I do wonder about the timeline though... Surely it shouldn't take 1.5 years to let your customers know they might be in trouble.


It probably would've been prudent to earlier mention a breach was discovered. Details needn't have been released until a fix was issued. Keeping the customer base in the dark about core functionality is one of the "5 Easy Steps to Piss Off your Customers." ;)

 

My eyes see the past…

My camera lens sees the present…


It really bugs me that they have known for months and told nobody!


https://nordvpn.com/blog/official-response-datacenter-breach/
 

The official response from Nord with more details about the incident.
 

Quote

The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.

This appears to refute the opening commentary from TechCrunch. Or at least attempt to.


40 minutes ago, Queen Chrysallis said:

my nordvpn sub expires in 3 days... what to do, what to do... where to go, where to go? ?

TOR?


1 hour ago, TetraSky said:

And some people were giving shit at LTT in the beginning for not choosing NordVPN instead of PIA for their VPN of choice...

Hah.

This could have happened to PIA as well.  LTT simply lucked out ... for now. 


Here is the source https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt if you want to test it out for yourself. Looks like it was floating around for quite a while before anybody noticed it. If the key was used before it had expired, there would be no warnings. Impersonating a trusted web server would be a gold mine for a sophisticated attacker especially after what Google Project Zero discovered being used out in the wild, potentially leading to full device compromise of a Pixel or Galaxy device. Also VikingVPN and TorGuard were hacked.

 

This tweet aged well:

 

[tweet screenshot]


Fail to see how this is Nord's fault

 

Quote

by exploiting an insecure remote management system left by the data center provider

 

Never used Finland servers anyway. Nord is still the best performing VPN for my shitty internet

🌲🌲🌲

◒ ◒


2 hours ago, rcmaehl said:

TOR?

You probably already know this, but TOR on its own is a bad idea. TOR traffic is really obvious, and can be used to identify you, like in the case of this guy who called in a fake bomb threat to get out of finals (Verge link plz don't kill me). If you don't want that to happen to you, you should use TOR underneath a VPN, like today's sponsor, PIA!

 

Pseudo related:

 

I bet this guy feels like a fool:

(He switched from PIA to Nord)

Resident Mozilla Shill.   Typed on my Ortholinear JJ40 custom keyboard
               __     I am the ASCIIDino.
              / _)
     _.----._/ /      If you can see me you 
    /         /       must put me in your 
 __/ (  | (  |        signature for 24 hours.
/__.-'|_|--|_|        

6 hours ago, LividPanda said:

Here is the source https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt if you want to test it out for yourself. Looks like it was floating around for quite a while before anybody noticed it. If the key was used before it had expired, there would be no warnings. Impersonating a trusted web server would be a gold mine for a sophisticated attacker especially after what Google Project Zero discovered being used out in the wild, potentially leading to full device compromise of a Pixel or Galaxy device. Also VikingVPN and TorGuard were hacked.

 

This tweet aged well:

 

[tweet screenshot]

The remote access was removed by the server provider on March 20th 2018. So the people who swiped the cert had all of 3 weeks to watch traffic going through a single Finnish server. In order to subsequently abuse the cert, they would have to separately target individual computers with a MitM attack that were trying to connect to the server in question and not any other server. The scope of this breach is incredibly minor unless you were specifically using a Finnish server between late February and mid March of 2018.


1 hour ago, ravenshrike said:

The remote access was removed by the server provider on March 20th 2018. So the people who swiped the cert had all of 3 weeks to watch traffic going through a single Finnish server. In order to subsequently abuse the cert, they would have to separately target individual computers with a MitM attack that were trying to connect to the server in question and not any other server. The scope of this breach is incredibly minor unless you were specifically using a Finnish server between late February and mid March of 2018.

Your explanation and ultimately theirs ignore an entirely separate attack vector. Impersonation of a trusted web server once you have the private keys. Imagine you're running a phishing campaign and the malicious site you set up now isn't just using any old valid TLS certificate but is using NordVPN's valid certificate. That would be an unsophisticated simple attack to harvest credentials from a service that largely trades in fear, uncertainty, and doubt with its customers. Imagine the certificate wasn't expired in the screenshot below and I copied the NordVPN site automatically with the Social Engineering Toolkit and then started sending out emails that have been gathered from previous breaches. How about a dump of users from a private torrent tracker breach? They'd likely be using a VPN service, right?

 

[screenshot]

 

I agree the MitM attack would have been a stretch but I think it is burying the lede and isn't what an attacker would actually do at all, they'd go phishing. If you used NordVPN on your phone when this occurred in combination with the link in my first post about a Use-After-Free attack affecting Android phones you now have a very real sophisticated attack chain that isn't purely academic.

 

People are acting like having an out-of-band management solution you don't know about is a get out of jail free card. NordVPN is ultimately responsible for knowing what is and isn't plugged into their servers. Critical Security Control number one is Inventory of Authorized and Unauthorized Devices. If they failed at doing number 1, what makes you think they're doing 2 through 20? Not to mention the at best dubious ethics of waiting this long to notify people.

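The posts by LividPanda and ravenshrike above argue about what a leaked but expired server key actually lets someone do. The Go program below is an added example, not code from this thread, from NordVPN or from TechCrunch; it shows the checks a TLS client performs before trusting a server certificate: the validity window, the hostname match, and the chain to a trusted root. It builds a constructed self-signed certificate for the hypothetical name vpn.example.test with a made-up validity window (1 January to 1 October 2018) and evaluates it at three points: inside the window for the right name (accepted with no warning, the situation LividPanda describes for a key used before expiry), after expiry, and for a lookalike name the key was never issued for. The host names, dates and the VerifyAt/Classify helpers are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example values: a hypothetical host name and a made-up
// validity window that mirrors a key valid for a limited time and since expired.
const exampleHost = "vpn.example.test"

var (
	notBefore = time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2018, 10, 1, 0, 0, 0, 0, time.UTC)
)

// makeServerCert builds a self-signed server certificate for the example.
// In a real deployment the certificate would be issued by a CA the client trusts;
// here the certificate doubles as its own trust root so the program runs offline.
func makeServerCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: exampleHost},
		DNSNames:              []string{exampleHost},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // only because it acts as its own root here
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt performs the validation a TLS client would do when it connects to
// dnsName and is presented with cert, evaluated as of the instant "at".
func VerifyAt(cert *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: at,
	})
	return err
}

// Classify labels the outcome so the cases can be compared side by side.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "rejected: expired"
	case errors.As(err, &hostErr):
		return "rejected: hostname mismatch"
	default:
		return "rejected: " + err.Error()
	}
}

func main() {
	cert, err := makeServerCert()
	if err != nil {
		panic(err)
	}
	inside := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)   // within the window
	later := time.Date(2019, 10, 21, 0, 0, 0, 0, time.UTC)  // after expiry
	cases := []struct {
		host string
		at   time.Time
	}{
		{exampleHost, inside},          // genuine name, key still valid: no warning at all
		{exampleHost, later},           // same key after expiry: every client rejects it
		{"vpn-login.example", inside},  // lookalike name the key was never issued for
	}
	for _, c := range cases {
		fmt.Printf("%-20s at %s -> %s\n", c.host, c.at.Format("2006-01-02"), Classify(VerifyAt(cert, c.host, c.at)))
	}
}
```

Against a real server you would leave Roots nil (system trust store) and CurrentTime zero (now); the point of the fixed values is that the same key is accepted silently inside its window and refused afterwards, and that a name mismatch is refused regardless of the key's validity.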

11 hours ago, Deli said:

Fxxk, it's time to switch. Which VPN service is safer?

p r i v a t e i n t e r n e t a c c e s s 

