NordVPN and TorGuard VPN firms were hacked, threat actors leaked the private keys used to secure their web servers and VPN configuration files.

Hackers have breached the systems used by NordVPN and TorGuard VPN companies and leaked the private keys used to secure their web servers and VPN configuration files.

The information belonging to the NordVPN company that was leaked online were stolen from the server of the VPN provider last year.

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy — undefined (@hexdefined) October 20, 2019

The attackers leaked at least three private keys that belong to the company, one from an older NordVPN site certificate and two OpenVPN keys.

The certificate is expired in October 2018, a circumstance that suggests that the hack happened last year, but we cannot exclude that the server was storing the key of an outdated certificate.

After the keys were leaked online, experts pointed out that attackers could set up rogue VPN servers and use them yo carry out MiTM attack on the users’ traffic.

A bigger problem was that they weren't practicing secure PKI management (see https://t.co/5zcYHawEki ) because the CA private key was stupidly on the same server. With that private key, an attacker could easily generate their own server cert/key and MiTM any other server. — ‍ ‍‍‍ᓭ cryptostorm ᓯ (@cryptostorm_is) October 20, 2019

Experts at Golem.de remarked that the expired certificate could be used only to carry out a MiTM attack, but it could not have been used to decrypt the traffic.

“You can not decrypt stored VPN traffic directly with the leaked keys. From the configuration files also shown, it shows that the OpenVPN configuration uses a key exchange with Diffie-Hellman, so that the connections have the so-called forward-secrecy property, which prevents subsequent decryption.” reads the post published by golem.de. “The keys could be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.”

NordVPN confirmed the incident that took place in March 2018 when hackers accessed one of the datacenters in Finland operated by a third-party provider.

“A few months ago, we became aware that, on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.” reads the statement published by the VPN provider. “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The company highlighted that the expired TLS key was stored in the breached datacenter in Finland, it couldn’t possibly have been used to decrypt the VPN traffic of any other server. The only possible way to abuse website traffic was by performing a personalized and sophisticated MiTM attack to intercept a single connection that tried to access nordvpn.com. ù

After the incident, NordVPN immediately launched an investigation and terminated the contract with the server provider.

The incident also impacted other VPN providers using the same data center, such as VikingVPN and TorGuard.

TorGuard was the only VPN provider of the three impacted by the incident to be implementing secure PKI management this means that its main CA key was not on the affected VPN server.

“The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.” reads a statement published by TorGuard.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,”

Pierluigi Paganini

(SecurityAffairs – VPN, hacking)