Analysis NordVPN spent today trying to downplay a security breach in which someone sneaked into one of its servers for unknown purposes.
Here's what we know: miscreants were able to exploit a poorly secured remote management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. They were able to gain access to the LXC containers running on the machine, and its OpenVPN software files and cryptography keys, it is claimed. The TLS certificate, since expired, for the nordvpn.com website was also stolen from the system.
This means whoever broke in may have snooped on NordVPN subscribers' non-HTTPS web traffic, DNS lookups, and similar unprotected connections, running through that particular compromised machine. Up to about 200 people may have used the node; NordVPN does not know for sure because it does not log the activities of its users. Meanwhile, the TLS certificate could have been used to create a spoof nordvpn.com website to capture usernames and passwords in a classic miscreant-in-the-middle attack.
For the uninitiated, NordVPN is an increasingly popular VPN provider: roughly 12 million netizens route their internet traffic via NordVPN's 3,000 or so servers, which are scattered across the planet. The users' connections to websites and other services thus appear to originate from the VPN provider's boxes. It's useful for getting around web filters – for example, if you want to access content that's restricted to just the US, you can make your connections appear to come from systems in America – and for giving yourself a little extra privacy. The connections between your computer or phone and NordVPN's nodes are encrypted.
Over the weekend, the VPN biz tweeted a now-deleted boast that "Ain't no hacker can steal your online life. (If you use VPN)." In response, a hacker group calling itself KekSec revealed that some other miscreants had broken into one of the company's boxes, and leaked various files, including an OpenVPN configuration and associated private key. A spokesperson for NordVPN confirmed that the hacked server was indeed an exit node in its network, and that anyone who was lurking on the machine could have snooped on packets flowing out of it.
"Even if a hacker could have viewed the traffic while connected to the server, he could only see what an ordinary ISP would see, but in no way could it be personalized or linked to that particular username or email," NordVPN's PR person told us.
"Historical VPN traffic could not be monitored."
According to NordVPN's official statement on the affair, the server was rented and based in a data center in Finland. Someone was able to gain control of the Linux-powered box through an unprotected remote management interface provided by the server's owner: it was alleged that this interface was effectively kept secret from the VPN provider, meaning it had no way of knowing this box was at risk. This management interface gives whoever wields it complete control of the system, independent of the operating system running on it: think of it as God mode.
"The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while unaware that such a system existed," NordVPN's Daniel Markuson claimed in a statement released on Monday.
"The server itself does not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords could not have been intercepted either.
"Once we found out about the incident, we immediately launched a thorough internal audit to check our entire infrastructure. We double-checked that no other server could possibly be exploited this way and began creating a process to move all of our servers to RAM, which is to be completed next year. We've also raised the bar for all the data centers we work with. Now, before signing up with them, we make sure they meet even higher standards."
The server at the heart of this brouhaha was spun up in January 2018, we're told. The insecure remote management interface was spotted and disabled by the server's owners on March 20 "without notifying" NordVPN, according to Markuson. The VPN provider's techies became aware of the server compromise at the time, though kept quiet about the security hole – apparently while carrying out that "thorough internal audit." The server was also disabled, and the hosting contract canceled. It is believed the break-in occurred sometime in March 2018, before the 20th of that month. The leaked configuration files and keys are now invalid.
"To recap, in early 2018, one isolated data center in Finland was accessed without authorization," Markuson added. "That was done by exploiting a vulnerability of one of our server providers that had not been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist and the contract with the server provider has been terminated."
Not so fast
NordVPN did not identify the data center server host in question, although we understand it to be Finnish outfit Creanova, which rents out Dell and HP machines. Its CEO Niko Viskari told The Register the blame lies squarely with NordVPN for not locking down the remote management interface, which NordVPN was apparently aware of: "They even used this tool sometimes," the chief exec claimed.
"Yes, we can confirm they were our clients," Viskari continued. "And they had a problem with their security because they didn't take care of it themselves.
"All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security issues from time to time, as almost all software in the world. We have patched this tool as new firmware was released from HP or Dell.
"We have many clients, and some large VPN service providers among them, who take care of their security very strongly. They pay more attention to this than NordVPN, and ask us to put iLO or iDRAC remote-access tools inside private networks or shut down access to this tool until they need it. We bring [iLO or iDRAC] ports up when we receive requests from clients, and shut them down when they are done using these tools. NordVPN doesn't seem to pay much attention to security, and somehow tries to put this on our shoulders."
Oh, those accounts
As we were preparing to publish this article, NordVPN came back to us and clarified that while it was aware of remote-management interfaces, it was not aware of an insecure account created by Creanova in the server management system it was renting – an account exploited by miscreants to hack the box.
"We have intrusion-detection systems, but unfortunately we didn't know about undisclosed accounts used to access the remote server management system left by [Creanova]," NordVPN's PR person told us. "One such account was used to access our server by a malicious actor. It's not that we didn't know about the solution; we never knew about additional accounts that were created and then deleted."
We're told that this is what NordVPN saw in its logs:
"19779", "Informational", "03/20/2018 07:25", "03/20/2018 07:25", "1", "User support deleted by creanova."
"19778", "Informational", "03/20/2018 07:25", "03/20/2018 07:25", "1", "User admin deleted by creanova."
NordVPN was thus apparently unaware of these management accounts, allegedly created by Creanova, and at least one of them was used by the intruders to break into its system, we're told. Meanwhile, NordVPN is working to set up a bug bounty to reward those who privately disclose security flaws in its gear. ®
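The two log records above are account-lifecycle entries from the server's management controller, and the lesson of the "undisclosed accounts" episode is that a tenant should be reading those entries, not just the operating system's logs. The script below is an added example written for this article; it is not NordVPN's or Creanova's tooling. It parses an export in the six-field shape of the excerpt (the column meanings, event id / severity / first seen / last seen / repeat count / description, are inferred from that excerpt), then flags any BMC user added or deleted by a principal the tenant does not recognise, and any account that was created and later deleted within the log, which is exactly the pattern NordVPN says it missed. The two quoted records are used as-is; the "User ... added by ..." wording, the extra rows and the "Administrator" trusted account are constructed assumptions.

```python
"""Audit an iLO/iDRAC-style event-log export for BMC account changes the
server tenant did not make or did not know about.

Added example for this article, not NordVPN's or Creanova's code. Field
order (id, severity, first seen, last seen, count, description) is inferred
from the two records quoted in the article; everything else is constructed.
"""
import csv
import io
import re
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Matches the wording of the quoted rows ("User support deleted by creanova.");
# the "added" variant is an assumption about how the same log phrases creation.
ACCOUNT_EVENT = re.compile(
    r"^User (?P<user>\S+) (?P<action>added|deleted) by (?P<actor>[^.]+)\.$"
)

# Sample export. Rows 19779 and 19778 are the two quoted in the article;
# 19410 (the earlier creation) and 19780 (an unrelated login) are constructed.
SAMPLE_EXPORT = '''\
"19410", "Informational", "02/12/2018 11:02", "02/12/2018 11:02", "1", "User support added by creanova."
"19779", "Informational", "03/20/2018 07:25", "03/20/2018 07:25", "1", "User support deleted by creanova."
"19778", "Informational", "03/20/2018 07:25", "03/20/2018 07:25", "1", "User admin deleted by creanova."
"19780", "Informational", "03/20/2018 09:40", "03/20/2018 09:40", "1", "Browser login: Administrator - 10.0.0.5."
'''


def parse_records(export: str) -> List[Dict]:
    """Parse the quoted-CSV export into dicts; rows with fewer than six fields are skipped."""
    records = []
    for fields in csv.reader(io.StringIO(export), skipinitialspace=True):
        if len(fields) < 6:
            continue
        records.append({
            "id": fields[0],
            "severity": fields[1],
            "first": datetime.strptime(fields[2], "%m/%d/%Y %H:%M"),
            "last": datetime.strptime(fields[3], "%m/%d/%Y %H:%M"),
            "count": int(fields[4]),
            "description": fields[5],
        })
    return records


def audit_accounts(records: Iterable[Dict], trusted_actors: Set[str]) -> List[Dict]:
    """Return alerts for suspicious BMC account changes.

    Two rules:
      * untrusted_actor: a user was added or deleted by a principal outside the
        tenant's own administrator set (e.g. the hosting provider);
      * short_lived: a user was added and later deleted within this log, i.e. a
        credential existed for a while that the tenant may never have been told about.
    """
    alerts: List[Dict] = []
    added_at: Dict[str, datetime] = {}
    for rec in sorted(records, key=lambda r: r["first"]):
        match = ACCOUNT_EVENT.match(rec["description"])
        if not match:
            continue  # logins, firmware and hardware events are out of scope here
        user, action, actor = match.group("user", "action", "actor")
        if actor not in trusted_actors:
            alerts.append({"id": rec["id"], "kind": "untrusted_actor",
                           "user": user, "action": action, "actor": actor})
        if action == "added":
            added_at[user] = rec["first"]
        elif user in added_at:
            lifetime = rec["first"] - added_at.pop(user)
            alerts.append({"id": rec["id"], "kind": "short_lived",
                           "user": user, "actor": actor, "lifetime": lifetime})
    return alerts


if __name__ == "__main__":
    # The tenant only recognises its own "Administrator" account (assumed name).
    for alert in audit_accounts(parse_records(SAMPLE_EXPORT), {"Administrator"}):
        print(alert)
```

Run against the sample, the audit raises four alerts: the creation and deletion of "support" and the deletion of "admin" by the untrusted actor "creanova", plus a short-lived-account alert showing "support" existed for about 36 days before it was removed. Note that the "admin" deletion has no matching creation in this export, which is its own finding: the account predates the retained log or was created somewhere the tenant cannot see. The deletions in the article's log are what reached NordVPN; a periodic pull of the controller's event log, diffed against the tenant's own change records, would have surfaced the accounts while they still existed.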
Hat tip to TechCrunch for first reporting the compromised server.