NordVPN was hacked: attackers gained access to one of its servers by exploiting a flaw in a remote management system provided by the Finland-based datacenter.

According to NordVPN's report, the breach occurred in March 2018; the attackers gained access to the server through a remote management system that could be accessed without authorization.

Once the breach was discovered, the company launched an internal audit of its entire infrastructure to double-check that no other servers had been compromised in the same way.

NordVPN's spokesperson said, “We started creating a process to move all of our servers to RAM, which is to be completed next year. We have also raised the bar for all datacenters we work with. Now, before signing up with them, we make sure that they meet even higher standards.”

Expired TLS key

The breach was discovered on March 20, 2018, and the VPN giant disclosed the issue only after checking that its other server locations were not vulnerable to the same problem.

The affected server was built on January 31, 2018. NordVPN said that the “datacenter noticed the vulnerability they had left and deleted the remote management account without notifying us on March 20, 2018. Our techs found that the server provider had had the undisclosed account a few months ago.”

Researchers found that expired NordVPN public keys had been leaked.

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy — (@hexdefined) October 20, 2019

Attackers took the expired TLS key from the server; “the key couldn’t possibly have been used to decrypt the VPN traffic of any other server,” NordVPN said.

The company also confirmed that the affected server held no user activity logs and that no applications send credentials to that server for authentication, so no credentials were exposed and no other servers were affected.

“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them.”

According to w3techs’ report, more than 55% of websites use HTTPS; with the VPN encryption key, an attacker could only strip the extra layer of protection the VPN adds and could not decrypt the HTTPS traffic underneath.

“On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access.”
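The client-side check that limits what a leaked, expired server key is worth is to reject any VPN server certificate that is outside its validity window or whose key is not the one currently pinned. The following Go example is added here to show that check; it is not NordVPN's code, and the certificate, the hostname vpn.example.test and the dates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the hex SHA-256 of the certificate's SubjectPublicKeyInfo, the value a client pins.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// checkServerCert rejects a presented server certificate that is outside its validity
// window at `now` or whose key differs from the pinned one; a leaked expired key fails both.
func checkServerCert(cert *x509.Certificate, pin string, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	if spkiPin(cert) != pin {
		return errors.New("server key does not match pinned key")
	}
	return nil
}

// newTestCert builds a constructed self-signed certificate (hypothetical test data, not a real one).
func newTestCert(notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "vpn.example.test"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	now := time.Date(2019, 10, 20, 0, 0, 0, 0, time.UTC)
	old := newTestCert(now.AddDate(-1, 0, 0), now.AddDate(0, -6, 0)) // expired cert
	fmt.Println(checkServerCert(old, spkiPin(old), now))
}
```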

NordVPN said it was preparing a bug bounty program to maximize security across all of its services.

https://t.co/maZBOR6FVD is the source. Also includes some hacks of VikingVPN and TorGuard. VikingVPN also wasn't practicing secure PKI management. TorGuard was though. The last link in that post appears to be 8chan itself, which had a .bash_history exposed. — ᓭ cryptostorm ᓯ (@cryptostorm_is) October 21, 2019

Other VPN providers, such as VikingVPN and TorGuard, likely also suffered breaches last year.
