CyberTech

Level 23
Verified
The vulnerability wasn’t immediately disclosed because NordVPN needed to make sure none of their other servers were prone to similar issues. This “couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure,” we’re told.

Virtual private network service provider NordVPN on Monday said it has learned of a security issue involving a datacenter partner.

As the timeline goes, the single affected server was built and added to NordVPN’s server list in Finland on January 31, 2019. At some point, an attacker gained access to the server via an insecure remote management system left behind by the datacenter. “We were unaware that such a system existed,” said NordVPN blog editor Daniel Markuson.

The datacenter reportedly noticed the vulnerability and deleted the remote management account without notifying NordVPN on March 20, 2018.

Markuson said the VPN provider learned of the vulnerability “a few months back” and promptly terminated all contracts with the company. They also launched an internal audit to check their entire infrastructure, conducted an application security audit and started a process to move all of their servers to RAM.

Markuson said the expired TLS key taken when the server was exploited couldn’t have been used to decrypt the VPN traffic of any other server. “On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM (man-in-the-middle) attack to intercept a single connection that tried to access nordvpn.com.”

Furthermore, NordVPN said that no user credentials were taken and that the server did not contain any user activity logs.

NordVPN said it is now holding their datacenter partners to “even higher standards” and is working on a bug bounty program.
 

Slyguy

Level 43
"This was done through an insecure remote management system account that the datacenter had added without our knowledge. "

Betting it was an intelligence op. Probably going after some specific users and their activity. With VPN's the compromise is almost always going to be with the datacenter, servers or nodes in front of the data center. This is why intelligence doesn't really fret about (most) VPN services for the most part. Be careful what service you use, and also be wary of the datacenter where the VPN is hosted. (Think Pionen or something)
 

Umbra

Level 11
Verified
"This was done through an insecure remote management system account that the datacenter had added without our knowledge. "

Betting it was an intelligence op. Probably going after some specific users and their activity. With VPN's the compromise is almost always going to be with the datacenter, servers or nodes in front of the data center. This is why intelligence doesn't really fret about (most) VPN services for the most part. Be careful what service you use, and also be wary of the datacenter where the VPN is hosted. (Think Pionen or something)
It could, but it also could been from hackers. They use virtual servers on shared physical ones, obviously you can't expect security if the others who you share with have weak security standards...
 

Umbra

Level 11
Verified
They could at least inform users about it to change passwords. But no, lets be quite and hope it won't come out
it is bad advertisement if they did, and Nord especially put all its resources on advertising how good and secure they are, you see them everywhere, even on reviews made by some pseudo-experts rating their VPN high while bashing others.
 

computer man

Level 1
If Nord's security is all they claim it is, then this would be impossible as well as the hacking from a year and a half ago the neglected to tell anyone about. This kind of thing is striclty the result of incompetence on the part of Nord's security team, or they just don't care which is equally possible.
 

Logical0z

New Member
techcrunch blew it out of proportion, because they are owned by other vpn company, which are apparently competitors to nord. anyway, i'm using other provider, but once it happened, i came across a very small website (never heard of it before) with a very neutral and explaining article - maybe someone will find it interesting to read about it