NordVPN Hacked: Another One Bites the Dust?
In the latest of scandals, NordVPN is up in flames on Twitter and Reddit as news breaks that it has been hacked. For a service that has long touted itself as a security maximalist, the irony has left Nord’s users feeling burned.
Before I go into the details, I’d like to mention that BestVPN.co has removed the provider from our recommended listings until we receive a proper answer (one that makes sense) from Nord regarding this awful incident.
Some Background into the NordVPN Hack
The news gained prominence following TechCrunch’s post “NordVPN confirms it was hacked“. However, the discussion and allegations began on Twitter, after NordVPN itself invited trouble by provoking the InfoSec community.
This tweet was pretty much all it took for the provider to land in the spotlight of the wrong people. Soon after it went live, Twitter user @le_keksec replied indicating that NordVPN may have been hacked at some point, as their private keys had been leaked.
Keksec verified that this was not their work, and that these private keys were simply floating around unnoticed on the internet (wow).
They even shared the link to the private keys via share.dmca, after which Twitter user @hexdefined verified that NordVPN had indeed been compromised. He even released the cert that matches the private key: https://crt.sh/?id=10031443
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy
— undefined (@hexdefined) October 20, 2019
As I delved deeper into the issue, it came to light that NordVPN had employed the incredibly weak 2048-bit Diffie-Hellman parameters, and that traffic during the hack could have been decrypted for at least an hour, affecting between 50 and 200 Nord users.
I’ve seen that leak too, they were using 2048-bit dh params, but without setting reneg-sec it defaults to 1 hour. So at the time of the hack, traffic up to an hour ago could have been decrypted.
— ᓭ cryptostorm ᓯ (@cryptostorm_is) October 20, 2019
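As an added example (not from the original post, NordVPN or cryptostorm), the following Python audits an OpenVPN server configuration for the two settings the tweet above mentions: it computes the effective reneg-sec window (OpenVPN's default of 3600 seconds when the directive is absent) and parses the DER inside a DH PARAMETERS PEM to report the prime's bit length. The PEM builder produces a constructed, non-prime test value so the example runs offline; the file name dh2048.pem and the min_dh_bits policy threshold are assumptions.

```python
import base64

DEFAULT_RENEG_SEC = 3600  # OpenVPN default: data-channel keys are renegotiated every hour

def _der(tag, body):  # minimal DER TLV encoder, definite lengths only
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([0x80 | len(lb)]) + lb if lb else bytes([n])) + body

def _der_int(v):  # (bits+8)//8 bytes forces a leading 0x00 when the top bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def make_dh_pem(bits):
    """Constructed 'DH PARAMETERS' PEM for the demo; p is NOT prime, only its size matters."""
    der = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(2))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def dh_bits_from_pem(pem):
    """Bit length of the DH prime p; the DER is SEQUENCE { INTEGER p, INTEGER g }."""
    buf = base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))
    def length_at(i):  # decode a DER length field -> (length, index after it)
        if buf[i] < 0x80:
            return buf[i], i + 1
        n = buf[i] & 0x7F
        return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
    assert buf[0] == 0x30, "expected SEQUENCE"
    _, i = length_at(1)
    assert buf[i] == 0x02, "expected INTEGER p"
    n, i = length_at(i + 1)
    return int.from_bytes(buf[i:i + n], "big").bit_length()

def audit_openvpn(config_text, dh_pem=None, min_dh_bits=2048):
    """Effective renegotiation window and DH prime size, plus the findings a reviewer would raise."""
    opts = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' start comments
        if line:
            name, *args = line.split()
            opts[name] = args
    reneg = int(opts["reneg-sec"][0]) if "reneg-sec" in opts else DEFAULT_RENEG_SEC
    findings = []
    if "reneg-sec" not in opts:
        findings.append(f"reneg-sec unset: keys rotate every {DEFAULT_RENEG_SEC}s, so a compromise can expose up to an hour of traffic")
    dh_bits = dh_bits_from_pem(dh_pem) if dh_pem else None
    if dh_bits is not None and dh_bits < min_dh_bits:
        findings.append(f"dh prime is {dh_bits} bits, below the policy minimum of {min_dh_bits}")
    return {"reneg_sec": reneg, "dh_bits": dh_bits, "findings": findings}
```

Pointing the auditor at a real server.conf plus the file named by its dh directive reports the same two values the tweet discusses, and an explicit shorter reneg-sec makes the first finding disappear.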
Following all these “accusations” on Twitter, NordVPN released a series of three tweets, claiming that their marketing department had gotten ahead of itself with the overstatement above, and that an official statement would follow soon.
After these tweets, NordVPN released their official statement, in which they state that the breach affected only “A SINGLE SERVER” and not the entire service, followed by claims that TechCrunch’s “assumptions” are inaccurate.
The Blame Game Between Nord and Creanova (Data Center)
This is one reason why none of their VPN users were affected by this breach and their CA key was not stolen, as it was not present on the compromised server.
https://t.co/maZBOR6FVD is the source. Also includes some hacks of VikingVPN and TorGuard. VikingVPN also wasn’t practicing secure PKI management. TorGuard was though. The last link in that post appears to be 8chan itself, which had a .bash_history exposed.
— ᓭ cryptostorm ᓯ (@cryptostorm_is) October 21, 2019
However, we will talk about that later, as right now NordVPN’s response needs to be addressed. They stated, “We became aware that in March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.
The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed.”
Apparently this is how NordVPN was hacked (Default credentials on an exposed iDRAC web interface) pic.twitter.com/09QCYQvBYX
— Nathan 🏳️🌈 (@NathOnSecurity) October 21, 2019
NordVPN said that soon after this incident they launched a thorough internal audit and created a process to move all of their servers to RAM-only infrastructure, similar to ExpressVPN’s TrustedServer infrastructure and technology.
Reading the official statement, there were two takeaways: NordVPN only confirmed the hack after it was exposed on Twitter (violating GDPR’s breach notification requirements), and they placed much of the blame on the third-party data center, Creanova!
Nord violated the GDPR by confirming the breach only on October 20th, when it actually occurred in March 2018. Secondly, they put the blame on Creanova, which in turn claims that NordVPN is the one that is actually careless about security.
After the statement above spread like wildfire, NordVPN hit back at Creanova with proof that the remote management software (which the hackers eventually breached) had been installed without their knowledge.
Who’s the One Actually at Fault?
As a VPN reviewer, I consider this situation incredibly alarming and would place more of the accountability on Nord, especially when you factor in its main selling point: how secure their product is (and how it was ranked at the top by CNET, PCMag, and TechRadar).
Not to mention, they were previously involved in a lawsuit filed by TorGuard following a bug bounty program. Apparently, Nord threatened one of TorGuard’s affiliates to take down negative remarks about their product after a vulnerability was identified.
“However much you deny the truth, the truth goes on existing.” – George Orwell pic.twitter.com/tKRvLFtJFE
— TorGuard (@TorGuard) June 27, 2019
As such, one may wonder whether NordVPN has focused only on its branding (even getting mentioned by Think With Google) without prioritizing security, despite marketing itself rigorously on exactly that.
Also, a fair warning to others working in the cyber-security industry: NEVER advertise that you can’t be hacked. The Twitterati will drag you through the mud for such sweeping statements. My sympathies go to the marketing department of NordVPN.