Popular VPN service provider NordVPN announced on Monday that one of its data centres located in Finland was infiltrated by hackers who exploited an insecure remote management system used by the data centre provider to gain access in March 2018.
Use of this insecure remote management system had not been authorised by NordVPN, and the company says it was not aware that the system existed. Once the VPN service provider learned of the intrusion, it confirmed that no other data centre had been affected, shredded all the servers provided by the data centre provider, and terminated its contract with the provider.
NordVPN said that the intrusion in March 2018 did not impact customer data as the server did not contain any user activity logs and also did not contain usernames or passwords of people who used its services. However, hackers were able to gain access to an expired TLS key as a result of their intrusion.
NordVPN confirms server breach did not impact user data or credentials
"The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com," the company said.
"To recap, in early 2018, one isolated datacenter in Finland was accessed without authorisation. This was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us.
"No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated," it added, confirming that the server breach brought no benefit to the hackers behind it.
NordVPN's statement came in response to a series of posts on Twitter by a user, @hexdefined, who claimed that a server breach in September 2017 affected three VPN service providers: NordVPN, TorGuard, and VikingVPN.
The Twitter user claimed that while hackers obtained both OpenVPN keys and expired keys belonging to NordVPN, they also gained access to the TLS certificate for torguardvpnaccess[.]com as well as an OpenVPN server key.
TorGuard said stolen TLS certificate was rendered invalid in 2017
In response, TorGuard said in a blog post that its main CA key was not on the affected VPN server as the company practised secure public key infrastructure (PKI) management. It added that the affected VPN server was removed from the company's network in early 2018 after it terminated all business with the related hosting reseller "because of repeated suspicious activity".
"The TLS certificate for *.torguardvpnaccess.com on the affected server is a squid proxy cert which has not been valid on the TorGuard network since 2017. TorGuard’s squid proxy TLS cert was upgraded to SHA256 at that time and the affected SHA1 TLS cert removed from browser apps and retired immediately. Even though the affected SHA1 TLS cert did not expire until October 2018, this has not been in use since 2017 and is not valid on the TorGuard proxy network.
"TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol," it added.
Kevin Bocek, VP security strategy & threat intelligence at Venafi, said that VPN providers have grown rapidly because of the growing need for privacy. VPN cloud providers require TLS certificates that act as machine identities to authorise connections, encrypt traffic and establish trust between machines.
However, the same machine identities are also extremely valuable targets for cyber criminals and as a result, these breaches will become more common in the future.
"It is imperative organisations have the agility to automatically replace every key and certificate that may have been exposed in breaches. Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud. This capability is especially critical in large enterprises that have tens of thousands of machine identities that must be protected against attackers," he added.
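Two details in the statements above are worth turning into a routine check: TorGuard's retired SHA-1 certificate stayed inside its validity window for about a year after it was withdrawn from use, and Bocek's point that every key that may have been exposed must be replaced, whether or not it is still in service. The following Go program is an added example, not code from NordVPN, TorGuard or Venafi, of an inventory audit that flags exactly those conditions. The InventoryEntry record, its Retired/Revoked/Exposed flags, and the three sample entries and dates are constructed for this example and only loosely modelled on the incidents described in the article; it uses the standard crypto/x509 certificate fields and no external dependencies.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// InventoryEntry is a hypothetical record from a certificate inventory (constructed for this example).
type InventoryEntry struct {
	Name    string
	Cert    *x509.Certificate
	Retired bool // no longer deployed, but the private key may still exist somewhere
	Revoked bool // a revocation for this certificate has been published
	Exposed bool // the private key may have been obtained by an attacker (e.g. a server breach)
}

// Finding is one problem the audit reports for an inventory entry.
type Finding struct {
	Name  string
	Issue string
}

// weakSignature reports whether the certificate's own signature uses a broken hash (MD2, MD5 or SHA-1).
func weakSignature(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// AuditInventory checks every entry against the reference time `now` and returns findings in
// inventory order. renewWindow is how far ahead of expiry a still-deployed certificate should be renewed.
func AuditInventory(entries []InventoryEntry, now time.Time, renewWindow time.Duration) []Finding {
	var findings []Finding
	add := func(name, issue string) { findings = append(findings, Finding{Name: name, Issue: issue}) }
	for _, e := range entries {
		c := e.Cert
		if weakSignature(c.SignatureAlgorithm) {
			add(e.Name, "weak signature algorithm "+c.SignatureAlgorithm.String())
		}
		// An exposed key is replaced regardless of expiry: the point is to stop relying on it at all.
		if e.Exposed && !e.Revoked {
			add(e.Name, "private key may be exposed; revoke and reissue")
		}
		stillValid := !now.Before(c.NotBefore) && now.Before(c.NotAfter)
		if !stillValid {
			continue // expired or not yet valid: nothing more to say about its validity window
		}
		// Taking a certificate out of service does not invalidate it; until it expires or is revoked,
		// anyone holding the private key can still present it.
		if e.Retired && !e.Revoked {
			add(e.Name, "retired but still valid until "+c.NotAfter.Format("2006-01-02")+" and not revoked")
			continue
		}
		if !e.Retired && c.NotAfter.Sub(now) < renewWindow {
			days := int(c.NotAfter.Sub(now).Hours() / 24)
			add(e.Name, fmt.Sprintf("expires in %d days; renew", days))
		}
	}
	return findings
}

// SampleInventory returns constructed entries and a fixed reference time (15 March 2018).
// The dates and names are made up for the example; only the shapes of the situations follow the article.
func SampleInventory() ([]InventoryEntry, time.Time) {
	now := time.Date(2018, 3, 15, 0, 0, 0, 0, time.UTC)
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []InventoryEntry{
		{ // SHA-1 certificate withdrawn from use in 2017 but valid until autumn 2018
			Name:    "proxy-sha1",
			Cert:    &x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, NotBefore: d(2015, 10, 1), NotAfter: d(2018, 10, 1)},
			Retired: true,
		},
		{ // already-expired certificate whose key was taken in a server breach
			Name:    "vpn-expired",
			Cert:    &x509.Certificate{SignatureAlgorithm: x509.SHA256WithRSA, NotBefore: d(2015, 1, 1), NotAfter: d(2017, 1, 1)},
			Exposed: true,
		},
		{ // healthy, deployed certificate that is simply close to expiry
			Name: "web-current",
			Cert: &x509.Certificate{SignatureAlgorithm: x509.SHA256WithRSA, NotBefore: d(2018, 1, 1), NotAfter: d(2018, 4, 1)},
		},
	}, now
}

func main() {
	entries, now := SampleInventory()
	for _, f := range AuditInventory(entries, now, 30*24*time.Hour) {
		fmt.Printf("%-12s %s\n", f.Name, f.Issue)
	}
}
```

Run against a real inventory, the entries would be loaded from a CMDB or secrets store and the certificates parsed with x509.ParseCertificate; the audit logic itself does not change. The "retired but still valid and not revoked" finding is the one that corresponds to the SHA-1 proxy certificate discussed above, and the "exposed" finding is the actionable form of the advice to replace every key that may have been taken.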