Hackers breached a server belonging to the popular virtual private network (VPN) provider NordVPN and stole encryption keys that could be used to decrypt customer traffic.
A log of the attack indicated that the hackers had root access, meaning they had virtually unlimited control over the server and could read or modify almost any data stored on it. One of the three leaked private keys was used to secure a digital certificate that provided HTTPS encryption for nordvpn.com. The key did not expire until October 201
Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Such certificates can be issued to other servers in the NordVPN network or used for a variety of other sensitive purposes. The name of the third certificate indicates that it, too, could have been used for many sensitive purposes, including securing the very server compromised in the breach.
The revelations also showed that two competing VPN services, TorGuard and VikingVPN, had experienced breaches in which encryption keys were leaked. In a statement, TorGuard said that a secret key for a transport-layer security certificate for *.torguardvpnaccess.com was stolen. The theft occurred in 2017 during a server breach. The stolen data related to a Squid proxy certificate.
TorGuard officials said on Twitter that the private key was not on the affected server and that attackers could "do nothing with these keys". Monday's statement said TorGuard did not remove the compromised server until the beginning of 2018. TorGuard also learned of the breach last May and, in a related development, filed a legal complaint against NordVPN.
One of these keys expired on December 31, 2018, and the other went to the grave on July 10 of the same year, a company spokeswoman told me. The purpose of this key was not specified. A cryptographic property known as "perfect forward secrecy" ensured that attackers could not decrypt the traffic simply by capturing encrypted packets as they travelled over the Internet; they would instead have had to use the leaked keys on a server of their own to intercept and decrypt data.
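The forward-secrecy point above is a configuration property an operator can verify for their own TLS endpoints. The following added example (not from the article or from any VPN provider) audits an `ssl.SSLContext` for cipher suites whose key exchange is not ephemeral, since a static-RSA suite encrypts the session secret to the long-term key and a later leak of that key would decrypt recorded sessions; `SAMPLE_CIPHERS` is a constructed sample, not data captured from any real server.

```python
import ssl

# Key-exchange identifiers that SSLContext.get_ciphers() reports for suites
# with forward secrecy: ephemeral (EC)DH variants, and "kx-any", which OpenSSL
# reports for TLS 1.3 suites (TLS 1.3 permits only ephemeral key exchange).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def non_forward_secret(ciphers):
    """Return names of enabled suites whose key exchange is NOT ephemeral.

    `ciphers` is a list of dicts in the shape returned by
    ssl.SSLContext.get_ciphers(); each has at least 'name' and 'kea'.
    Static RSA key exchange ('kx-rsa') is the classic offender. Unknown or
    missing 'kea' values are reported as well, so they get reviewed rather
    than silently trusted.
    """
    return [c["name"] for c in ciphers if c.get("kea") not in FORWARD_SECRET_KX]


def audit_context(ctx):
    """Audit a live SSLContext and return its non-forward-secret suite names."""
    return non_forward_secret(ctx.get_ciphers())


def forward_secret_only_context():
    """Build a client context that only offers ephemeral key exchange.

    TLS 1.3 suites stay enabled and are always forward secret; the cipher
    string restricts TLS 1.2 to ECDHE suites with AEAD ciphers.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample (not captured from any real server): what get_ciphers()
# returns for a context that still allows static-RSA key exchange.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
]

if __name__ == "__main__":
    print("non-forward-secret suites in sample:", non_forward_secret(SAMPLE_CIPHERS))
    print("non-forward-secret suites in hardened context:",
          audit_context(forward_secret_only_context()))
```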
It was unclear how long the attackers were present on the server or whether they used their highly privileged access to commit other serious abuses. Security experts said the severity of the server compromise, combined with the theft of the keys and the lack of detail from NordVPN, raises serious concerns.
Here is what Dan Guido, CEO of the security firm Trail of Bits, told me:
Compromised master secrets, such as those stolen from NordVPN, can be used to decrypt the window between key renegotiations; for others, it would have been necessary to spend it. We do not know what happened, what further access was gained, or what abuse occurred. There are many possibilities once you have access to these types of master secrets and root server access.
Insecure Remote Management
In a statement to reporters, NordVPN officials described the damage done by the attack as limited. Officials wrote:
The server itself did not contain any user activity logs. None of our applications sends user-created authentication credentials, so user names and passwords could not have been captured either. The exact configuration file found by security researchers on the Internet has not existed since March 5, 2018. This was an isolated incident that did not affect any other data center providers we use.
The breach occurred when hackers exploited an insecure remote management system that administrators at a data center in Finland used and had installed on a NordVPN server. The unnamed data center installed the vulnerable management system without ever informing NordVPN. NordVPN terminated its contract with the data center after the remote management system came to light a few months later.
NordVPN first disclosed the breach to reporters on Sunday, after third-party reports such as this one on Twitter. The statement said that NordVPN officials did not disclose the breach to customers for seven months after it occurred, while they verified that the rest of their network was not vulnerable to similar attacks. Company officials wrote:
The expired TLS key was taken at the same time the data center was exploited. However, the key could not have been used to decrypt the VPN traffic of any other server. For the same reason, the only way to abuse website traffic was to perform a personalized and complicated MiTM attack to intercept a single connection attempting to access nordvpn.com.
Not as hard as claimed
The suggestion that active man-in-the-middle attacks are complicated or impractical is problematic. Such attacks can be carried out on public networks or by Internet service providers. These are exactly the kinds of attacks that VPNs are supposed to protect against.
"Intercepting TLS traffic is not as difficult as it seems," said a security consultant who uses the handle hexdefined and spent the last 36 hours analyzing the data uncovered in the breach. "There are tools for that, and I was able to set up a web server with the TLS key with two configuration lines; the attacker would have to be able to intercept the victim's traffic (for example, over public Wi-Fi)."
Also note that the statement says only that the expired TLS key could not be used to decrypt the VPN traffic of another server. It does not mention the other two keys or the kind of access they allow. Compromise of a private CA can be particularly severe, because the attackers could use it to compromise the many certificates and keys the CA has issued.
All the eggs in one basket
VPNs put all of a computer's Internet traffic into one basket: a single encrypted tunnel that is decrypted and forwarded to its final destination only after reaching one of the provider's servers. This allows the VPN vendor to see massive amounts of its customers' online habits and metadata, including destination server IP addresses, SNI information, and any traffic that is not otherwise encrypted.
The VPN provider has received recommendations and positive reviews from CNET, TechRadar, and PCMag. But not everyone was so confident. Kenneth White, a seasoned network engineer specializing in VPNs, has long listed NordVPN and TorGuard among the VPNs to avoid, citing, among other things, their publishing of pre-shared keys online.
Until more information becomes available, it is difficult to say exactly how people using NordVPN should respond. At a minimum, users should press NordVPN for more details about the breach, the keys, and any other data that may have leaked. Meanwhile, Kenneth White suggested stopping use of the service altogether.
"I've been recommending against most consumer VPN services, including NordVPN, for years," he told me. "[The services'] reaction to an incident and the PR attempt made here have just reinforced this belief: ruthlessly putting activists in mortal danger, downplaying the severity of an incident they had not even discovered themselves, and where the attackers had unrestricted administrator 'LXC # God Mode #' access. And they only notified customers when reporters asked them to comment."