NordVPN and TorGuard talked about compromise, and attackers could have access to servers and allegedly to user data from several months to several years.
As practice proved for many times, any product should not be advertised as “unbreakable” as such high-profile statements rarely end well. Another confirmation of this was the case with the VPN provider NordVPN, which recently posted a bold advertisement on Twitter, which stated that no hacker could steal user’s online life if used their VPN.
Firstly, due to such high-profile statements, the company has been criticized. In response to this message, an information security specialist known as hexdefined noticed on Twitter that NordVPN was compromised because private keys (including OpneVPN and for the certificate of the company’s official website) were stolen and publicly available on the Internet.
“So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys…”, — wrote hexdefined on Twitter.
Although the certificate has already expired, ending in October 2018, before it expired, attackers could create a convincing site posing as NordVPN, and also use keys, for example, to organize MitM attacks and “listen” for encrypted connections.
After the publication of the hexdefined message on the network, a link also appeared to 8chan, where an unknown person in May 2018 boasted that he had root access to the NordVPN, TorGuard and VikingVPN servers.
OpenVPN provider CryptoStorm.is reported that this allowed an attacker to steal OpenVPN keys and configuration files, which is shown in the image below. Also, CryptoStorm.is emphasized that key theft could allow an attacker to decrypt traffic during the hack.
According to a message on 8chan, the cracker also managed to compromise TorGuard (by stealing the Squid proxy certificate, OpenVPN keys and configuration files) and VikingVPN (by stealing OpenVPN keys and configuration files).
NordVPN representatives reported that the incident took place in March 2018. However, one of the data centers in Finland, where the company rented servers, turned out to be available without authorization (at present, the contract with these service providers has already been terminated). As a result, the attacker really gained access to the server “using an insecure remote control system.”
The company claims that they did not report this incident before, since specialists had not been aware of this oversight of the service provider for a long time, and then “had to make sure that the infrastructure could not be exposed to other similar problems.” The corresponding check took a lot of time “due to the huge number of servers and the complexity of the infrastructure”. The statement also emphasizes that the company’s other servers were not affected, as well as user credentials.
“The server did not contain any user activity logs, since none of our applications transmit user credentials used for authentication, so usernames and passwords could not be intercepted”, — NordVPN said.
Interestingly, according to The Register, the data center was fined by the Finnish company Creanova. Its head Niko Viskari told reporters that the blame for what happened lies entirely with NordVPN itself, as the company did not block the remote control interface, which was well known and even used. According to him, NordVPN had security problems, which, however, did not worry the company.
In turn, TorGuard representatives confirmed the fact that the secret key for the *.torguardvpnaccess.com TLS certificate associated with the Squid proxy certificate (which has been invalid on the TorGuard network since 2017) has been compromised and stolen. The company claims that they learned about the incident only in May 2019, while the only server that was hosted by a hosting intermediary was hacked, and this happened back in 2017.
At the same time, the TorGuard statement emphasizes that the company was the only one of the three affected providers who used PKI, that is, the main CA key was not located on the vulnerable server and was not stolen, and the stolen key was useless for crackers.