Analysis NordVPN spent today attempting to downplay a security breach in which someone sneaked into one of its servers for purposes unknown.
Here’s what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. They were able to gain access to the LXC containers running on the machine, and its OpenVPN software files and cryptography keys, it is claimed. The TLS certificate, since expired, for the nordvpn.com website was also stolen from the system.
This means whoever broke in may have snooped on NordVPN subscribers’ non-HTTPS web traffic, DNS lookups, and similar unprotected connections, running through that particular compromised machine. Up to about 200 people may have used the node; NordVPN doesn’t know for sure because it doesn’t log the activities of its users. Meanwhile, the TLS certificate could have been used to create a spoof nordvpn.com website to capture usernames and passwords in a classic miscreant-in-the-middle attack.
For the uninitiated, NordVPN is a rather popular VPN provider: roughly 12 million netizens route their internet traffic via NordVPN’s 3,000 or so servers, which are scattered across the planet. The users’ connections to websites and other services thus appear to originate from the VPN provider’s boxes. It’s useful for getting around web filters – for example, if you want to access content that’s limited to just the US, you can make your connections appear from systems in America – and give yourself a little extra privacy. The connections between your computer or phone and NordVPN’s nodes are encrypted.
Can we talk about the little backdoors in data center servers, please?
Over the weekend, the VPN biz tweeted a now-deleted boast that “Ain’t no hacker can steal your online life. (If you use VPN).” In response, a hacker group calling itself KekSec revealed that some other miscreants had broken into one of the company’s boxes, and leaked various files, including an OpenVPN configuration and associated private key. A spokesperson for NordVPN confirmed the hacked server was indeed an exit node in its network, and that whoever was lurked on the machine could have snooped on packets flowing out of it.
“Even if a hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see, but in no way, it could be personalized or linked to the particular username or email,” NordVPN’s PR person told us.
“Historical VPN traffic could not be monitored.”
According to NordVPN’s official statement on the affair, the server was rented and based in a data center in Finland. Someone was able to gain control of the Linux-powered box via an unprotected remote management interface provided by the server’s owner: it is alleged this interface was effectively kept secret from the VPN provider, meaning it had no way of knowing this box was at risk. This management interface gives whoever wields it full control of the system: think of it as God mode.
“The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed,” NordVPN’s Daniel Markuson claimed in the aforementioned statement, emitted on Monday.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.
“Once we found out about the incident, we immediately launched a thorough internal audit to check our entire infrastructure. We double-checked that no other server could possibly be exploited this way and started creating a process to move all of our servers to RAM, which is to be completed next year. We have also raised the bar for all data centers we work with. Now, before signing up with them, we make sure that they meet even higher standards.”
The server at the heart of this brouhaha was spun up in January 2018, we’re told. The insecure remote management interface was spotted and disabled by the server’s owners on March 20 “without notifying” NordVPN, according to Markuson. The VPN provider’s techies became aware of the server compromise at that time, though kept quiet about the security hole – apparently to carry out that “thorough internal audit.” The server was also disabled, and the hosting contract canceled. It is believed the break-in occurred once sometime in March 2018, before the 20th of that month. The leaked configuration files and keys are now invalid.
“To recap, in early 2018, one isolated data center in Finland was accessed without authorization,” Markuson added. “That was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated.”
Not so fast
NordVPN did not identify the data center server host in question, though we understand it to be Finnish outfit Creanova, which rents out Dell and HP machines. Its CEO Niko Viskari told The Register the blame lays squarely with NordVPN for not locking down the remote management interface, which NordVPN was apparently aware of: “They even used this tool sometimes,” the chief exec claimed.
“Yes, we can confirm they were our clients,” Viskari continued. “And they had a problem with their security because they did not take care of it themselves.
“All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.
“We have many clients, and some large VPN service providers among them, who take care of their security very strongly. They pay more attention to this than NordVPN, and ask us to put iLO or iDRAC remote-access tool inside private networks or shut down access to this tool until they need it. We bring [iLO or iDRAC] ports up when we get requests from clients, and shut them down when they are done using this tools. NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders.”
Oh, those accounts
As we were preparing to publish this article, NordVPN got back to us and clarified that while it was aware of remote-management interfaces, it wasn’t aware of an insecure account created by Creanova in the management system of the server it was renting – an account exploited by miscreants to hack the box.
“We have intrusion-detection systems, but unfortunately, we didn’t know about undisclosed accounts used to access the remote server management system left by [Creanova],” NordVPN’s PR person told us. “One such account was used to access our server by a malicious actor. It’s not that we didn’t know about the solution; we never knew about additional accounts that have been created and then deleted.”
We’re told that this is what NordVPN saw in its logs:
"19779","Informational","03/20/2018 07:25","03/20/2018 07:25","1","User support deleted by creanova.", "19778","Informational","03/20/2018 07:25","03/20/2018 07:25","1","User admin deleted by creanova."
NordVPN was thus apparently unaware of these management accounts, allegedly created by Creanova, and at least one was seized by hackers to break into its system, we’re told. Meanwhile, NordVPN is working to set up a bug bounty, to reward those who privately disclose security flaws in its gear. ®
Hat tip to TechCrunch for first reporting the server compromise.
What next after Netezza?