NordVPN Breached for a Year; Firm Waits 7 More Months to Disclose

At least one server in NordVPN’s fleet was “accessed” in March 2018. It took until March of this year to spot the compromise.

NordVPN blames the third party it rented the server from. The third party, Creanova, denies fault, implying that NordVPN is clueless about how to manage a hosted server.

But why are we only hearing about it now, a further seven months after detection? In today’s SB Blogwatch, we lose trust.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Giant Art.

Very VPN. Wow.

What’s the craic, Zack? Mister Whittaker reports, “NordVPN confirms it was hacked”:

 It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN. [It] is likely to cause alarm that hackers may have been in a position to access some user data.

NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

It’s also believed several other VPN providers may have been breached around the same time.

And Shaun Nichols adds, “Row erupts over who to blame”:

 Here’s what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. They were able to gain access to the LXC containers running on the machine, and its OpenVPN software files and cryptography keys, it is claimed.

This means whoever broke in may have snooped on NordVPN subscribers’ non-HTTPS web traffic, DNS lookups, and similar unprotected connections. … NordVPN is a rather popular VPN provider: roughly 12 million netizens route their internet traffic via NordVPN’s 3,000 or so servers.

The server at the heart of this brouhaha was spun up in January 2018, we’re told. The insecure remote management interface was spotted and disabled by the server’s owners on March 20.

NordVPN did not identify the data center server host in question, though we understand it to be Finnish outfit Creanova. [It said] the blame lies squarely with NordVPN for not locking down the remote management interface, which NordVPN was apparently aware of.

O RLY? NordVPN’s Daniel Markuson tells quite a different story—“Why the NordVPN network is safe”:

 The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed.

Once we found out about the incident, we immediately launched a thorough internal audit. … We double-checked that no other server could possibly be exploited this way. … We have also raised the bar for all datacenters we work with.

The data center noticed the vulnerability they had left and deleted the remote management account without notifying us. … When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider.

We are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider. … We learned important lessons about security, communication, and marketing.

So that’s OK then? Will Strafach—@chronic—excoriates thuswise:

 I find their response problematic and unfortunate, as they are an otherwise respectable leader in the industry. [It] raises some serious questions about information security policies and standards at NordVPN.

This “management system” is likely referring to IPMI. … If so, I am baffled to hear that NordVPN did not know it existed. A provider of safe passage for user network traffic is responsible for knowing how an adversary could gain access to that traffic.

NordVPN should be able to clearly explain what happened on that server. Was an OS reinstall attempted via IPMI? What did the attacker access? What commands did they run? Is there a system in place to keep track of this information?

Their rationale for delaying disclosure sounds like “we had no idea about IPMI access on other servers.” If they found out only “a few months ago” they should explain how they found out, as that would indicate they did not find out through any internal monitoring system.

What NordVPN refers to as an “undisclosed remote management system” is in fact disclosed on the provider’s front page. … Minimizing and deflecting blame [is] not a good look.
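Strafach’s questions (was an OS reinstall attempted via IPMI, and is anything keeping track?) point at the one record the attacker cannot easily avoid writing: the BMC’s own System Event Log. As an added example, not code from the article or from any of the parties involved, here is a small Python check over constructed `ipmitool sel list`-style records that pairs a BMC session activation with the power-off and boot events that follow it, which is the footprint a reinstall through IPMI leaves. The sensor names follow the IPMI specification, but the column layout and the sample records are assumed and hypothetical; a real deployment would feed this from `ipmitool sel list` output pulled off each host, not from a string.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in the shape of `ipmitool sel list` output (hypothetical
# records, not from any real server). Columns: id | date | time | sensor | event | state
SAMPLE_SEL = """\
   1 | 01/12/2018 | 09:02:11 | Temperature #0x01 | Upper Non-critical going high | Asserted
   2 | 03/04/2018 | 02:17:45 | Session Audit #0x02 | Session activated | Asserted
   3 | 03/04/2018 | 02:19:03 | Power Unit #0x03 | Power off/down | Asserted
   4 | 03/04/2018 | 02:19:40 | System Boot Initiated #0x04 | Initiated by power up | Asserted
   5 | 03/04/2018 | 02:20:12 | OS Boot #0x05 | Boot completed - device not specified | Asserted
   6 | 03/15/2018 | 11:40:00 | Fan #0x06 | Lower Critical going low | Deasserted
"""

SESSION_SENSOR = "Session Audit"
# IPMI sensor types whose assertions mean the host was powered off or (re)booted.
POWER_OR_BOOT_SENSORS = ("Power Unit", "System Boot Initiated", "OS Boot", "Boot Error")

SelEvent = namedtuple("SelEvent", "record_id when sensor event state")

def parse_sel(text: str) -> list:
    """Parse SEL lines; blank or malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        rid, date, time, sensor, event, state = parts
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        events.append(SelEvent(int(rid), when, sensor, event, state))
    return events

def find_oob_reinstall_patterns(events: list, window_minutes: int = 15) -> list:
    """Pair each BMC session activation with power/boot events asserted within the
    window: a session followed by power-off and boot is the trace an OS reinstall
    through IPMI leaves. Returns [(session_record_id, [follower_record_ids]), ...]."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for s in events:
        if not (s.sensor.startswith(SESSION_SENSOR) and s.state == "Asserted"):
            continue
        followers = [e.record_id for e in events
                     if s.when < e.when <= s.when + window and e.state == "Asserted"
                     and e.sensor.startswith(POWER_OR_BOOT_SENSORS)]
        if followers:
            findings.append((s.record_id, followers))
    return findings
```

Shipping the SEL to a log collector and alerting on this pattern is what would have answered Strafach’s “what did the attacker access” question; the BMC clearing its own log, or a gap in the record IDs, deserves an alert of its own.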

Is it common to have these management interfaces enabled? buildbuildbuild says yes:

 IPMI does not have to be open to the internet to be open to a wide audience. Many of these out-of-band management interfaces are hosted on an internal network, but not isolated by customer.

Cheap datacenters are favored by VPN providers for their unlimited bandwidth and lax abuse policies. Many of them allow access to IPMI only over a VPN, but do not isolate each customer’s IPMI to a customer VLAN. I personally know at least three large budget datacenters which allow all customers access to each others’ “private” IPMI IP addresses.

Follow the money. Wellyboot kicks off—“Security? Hah!”:

 If you aren’t the hardware OS admin & don’t control physical access to the hardware you can’t claim it’s secure. Nord are renting server time from 3rd party server farms to host VPNs because to do it properly would cost too much.

Beancounters strike again.

So rasengan summarizes the options:

 This is either criminal negligence, “security theater”, or both.

What of the risks? DogDude barks, “VPNs are NOT safe”:

 I don’t know why so many people suddenly think that VPNs are some kind of safety measure. All a VPN accomplishes is piping all of your data through a central point, that you hope you can trust. It’s also one (large) additional place where your data can be scooped up.

I would never use a VPN that I didn’t explicitly own.

And ohazi puts it more strongly:

 Nobody should be using a VPN provider, full-stop. It is structurally impossible for anyone to verify their claims, they have more incentive to lie than your ISP does, and they’re cheap and easy to set up, so the industry is a cesspool.

You should assume that all of them are behaving badly.

Meanwhile, rho is free of ideas:

 I have no idea why this dumb idea has gotten so popular.

And Finally:

Dutch Giant Art


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Maria Ly (cc:by)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
