The NordVPN Breach

BlueVoyant

"Life in the SOC" is a blog series that shares the experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The posts discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

NordVPN is a popular virtual private network (VPN) service that encrypts internet traffic and helps protect online identities. In October 2019 it announced that it had been the victim of a data breach dating back to March 2018. It first emerged that an expired internal NordVPN private key had been exposed, potentially allowing anyone to spin up their own servers in an attempt to imitate NordVPN in sophisticated man-in-the-middle (MitM) attacks.

According to a statement by NordVPN, the attack occurred in March 2018 at a Finnish data center rented by NordVPN. An attacker was able to exploit a vulnerability in a remote management interface used by the data center provider. The attacker gained full remote access to the compromised server and used that access to steal an expired TLS private key of the kind used to securely connect customers to the company's web servers.

As for any other attacker activity on the system, NordVPN commented: "The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."

Even though there is no evidence that the attacker used the stolen key to set up a spoofed NordVPN server for MitM attacks, the incident raises interesting questions about certain "security-related" services.
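Whether a stolen but expired key is usable for the MitM attack described above depends entirely on what the victim's client does with the certificate it is shown. The Go program below is an added example, not NordVPN's or BlueVoyant's code: it builds a throwaway test PKI (the root name, the hostname vpn.example.com and the 2017 to 2018 validity dates are constructed and only mirror the March 2018 timeline) and then runs the standard-library verifier the way a correctly configured TLS client would, once during the certificate's validity, once after expiry, and once for a hostname the certificate does not name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
var serialCounter int64 // serial numbers for the throwaway test PKI

// issueCert creates a P-256 key and a certificate for name valid from notBefore
// to notAfter; with parent == nil it is self-signed (our stand-in root CA).
func issueCert(name string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAt does what a correctly configured TLS client does with a server
// certificate: chain to a trusted root, match the hostname, enforce validity at now.
func verifyAt(leaf, root *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsExpiredError separates an expiry failure from untrusted-issuer or hostname errors.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// Scenario records what a validating client reports for the same server certificate.
type Scenario struct {
	ErrWhileValid, ErrAfterExpiry, ErrWrongName error
}

// RunScenario builds a constructed root CA and server certificate (not NordVPN's
// real PKI) and checks it during validity, after expiry, and for a wrong hostname.
func RunScenario() Scenario {
	issued, expiry := time.Date(2017, 3, 1, 0, 0, 0, 0, time.UTC), time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey := issueCert("Example Root CA", issued, expiry.AddDate(10, 0, 0), true, nil, nil)
	leaf, _ := issueCert("vpn.example.com", issued, expiry, false, root, rootKey)
	return Scenario{
		ErrWhileValid:  verifyAt(leaf, root, "vpn.example.com", issued.AddDate(0, 6, 0)),
		ErrAfterExpiry: verifyAt(leaf, root, "vpn.example.com", expiry.AddDate(0, 0, 30)),
		ErrWrongName:   verifyAt(leaf, root, "other.example.com", issued.AddDate(0, 6, 0)),
	}
}

func main() {
	s := RunScenario()
	fmt.Printf("valid: %v\nexpired: %v (expiry error: %t)\nwrong name: %v\n",
		s.ErrWhileValid, s.ErrAfterExpiry, IsExpiredError(s.ErrAfterExpiry), s.ErrWrongName)
}
```

The first check passes and the other two fail, which is the practical caveat: a client that enforces the validity window and the hostname rejects a server built from an expired key, so the spoofed-server attack only works against clients that skip verification (in Go, tls.Config{InsecureSkipVerify: true}), have a badly wrong clock, or were hit while the certificate was still valid. That is why the provider's own description of the attack as "personalized and complicated" is a fair one, and why an investigation should still ask which client builds were in use and whether any disabled certificate validation.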
Although services like VPNs protect network traffic in transit and provide some degree of privacy by masking IP addresses, they are ultimately still networks built out of servers, configured by people, running on infrastructure operated by third-party suppliers. BlueVoyant researchers are concerned that several other VPN providers may have been breached around the same time. Similar records posted online suggest that other VPN providers using the same Finnish data center were susceptible to an attack on the same remote management software.