NordVPN blames datacentre provider for server breach

Consumer virtual private network (VPN) service provider NordVPN has admitted that it fell victim to a breach of its systems in March 2018 when a server held in a Finnish datacentre was accessed without authorisation through an exploit in a remote management system, but claimed that its former datacentre provider was at fault.

The affected server was built and added to NordVPN’s list on 31 January 2018. On 20 March that year, the datacentre provider noticed the vulnerability and deleted the remote management account, but did so without notifying NordVPN, whose technicians only found out that there had been an issue “a few months ago”, according to a blog post disclosing the incident. The firm immediately took action to audit its server estate and accelerate its encryption.

NordVPN said an expired TLS [transport layer security] key was taken at the same time as the datacentre provider was hacked. However, it insisted the key could not possibly have been used to decrypt VPN traffic on any other server and, similarly, the only possible way to target legitimate traffic would have been to perform a personalised and highly complex man-in-the-middle attack to target a single connection accessing NordVPN’s website – something that did not happen.

“One isolated datacentre in Finland was accessed without authorisation,” said NordVPN spokesperson Daniel Markuson in a blog post disclosing the incident. “This was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted.

“No other server on our network has been affected. The affected server does not exist any more and the contract with the server provider has been terminated.”

Markuson added: “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge number of servers and the complexity of our infrastructure.”

NordVPN said the server did not contain any user activity logs, and because none of its applications send user-created credentials for authentication, it was impossible to compromise any customer data.

“Even though only one of more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the issue,” said Markuson. “We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers.

“We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty programme. We will give our all to maximise the security of every aspect of our service, and next year we will launch an independent external audit of all our infrastructure to make sure we did not miss anything else.”

As a result of the breach, NordVPN has already started work on creating a process to move all its servers to RAM, which will complete in 2020, and has put in place new standards and checks for all the third-party service providers it engages.

Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, said rapidly growing VPN providers building their businesses on consumer privacy concerns will naturally need TLS certificates to act as machine identities to authorise connections and encryption, and establish trust between machines.

But this made firms such as NordVPN a very tempting targets for hackers, he said. “Machine identities are extremely valuable targets for cyber criminals and large enterprises often have tens of thousands of machine identities they need to protect,” said Bocek.

“These breaches will become more common in the future. It is imperative that organisations have the agility to automatically replace every key and certificate that may have been exposed in breaches. Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud.

“This capability is especially critical in large enterprises that have tens of thousands of machine identities that must be protected against attackers.”