The NordVPN Breach

January 2, 2020 | 1 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

NordVPN is a popular virtual private networking (VPN) service that helps encrypt internet traffic and protect online identities. In October 2019 they announced that they were the victim of a data breach, dating back to March 2018. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin up their own servers in an attempt to imitate NordVPN in sophisticated man-in-the-middle (MitM) attacks.

According to a statement by NordVPN, the attack occurred in March 2018 at a Finnish data center rented by NordVPN. Apparently, an attacker was able to exploit a vulnerability in a remote management interface utilized by the service provider. The attacker was able to gain full remote access to the compromised server and use that access to steal an expired TLS certificate key that is used to securely connect customers to the company's web servers.

As for any other attacker activity on the system, NordVPN commented: "The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."

Even if there is no evidence that the attacker used the stolen certificate to set up a spoofed NordVPN server for use in MitM attacks, it still raises interesting questions about certain "security-related" services. Although services like VPNs offer security for network traffic in transit and provide some degree of privacy by masking IP addresses, they are ultimately still networks built out of servers, configured by people, running on infrastructure operated by third-party suppliers. BlueVoyant Researchers are concerned that several other VPN providers may have been breached around the same time. Similar records posted online suggest that other VPN providers using the same Finnish data center were susceptible to an attack on the same remote management software.