VPN provider NordVPN revealed yesterday that a third-party server located in Finland it had been leasing was accessed in March 2018.
The company said the intruder was able to acquire an expired TLS key from the server, but otherwise no other data was endangered. The access was accomplished through an insecure remote management system account that the datacenter had added without informing NordVPN and while the datacenter deleted the user accounts that the intruder had exploited it did not inform the company of the incident at the time it happened.
The company declared this an isolated incident and no other servers or datacenters were affected.
“The intruder did not find any user activity logs because they do not exist. They did not discover users’ identities, usernames, or passwords because none of our applications send user-created credentials for authentication,” NordVPN said in a statement.
The comprised TLS key could be used in an attack, but only against a specific target where the attacker has access to the victim’s device or network, which the company said would be very difficult to conduct.
NordVPN said it delayed making the breach public until after its investigation was completed and improved security measures were in place.
“We want our users and the public to accurately understand the scale of the attack and what was and was not at risk. The breach affected one of over 3,000 servers we had at the time for a limited time period, but that’s no excuse for an egregious mistake that never should have been made,” NordVPN said.
CyberGRX CEO Fred Kneip said it is imperative that organizations both large and small that work with third-party contractors continuously manage these relationships.
“As seen most recently with the NordVPN and Autoclerk breaches, if you don't know which third parties present the greatest risk to your data, your digital ecosystem becomes a major vulnerability that is just waiting to be exploited,” he said.
The company gave no indication who might have been behind the attack, but Tyler Reguly, manager of security R&D at Tripwire, theorized a nation-state actor could have a reason to do so. He cited company programs designed to ensure internet access that might upset some governments.
“Additionally, on the Nord side, they have their social responsibility programs that includes services like free emergency VPNs to bypass censorship and discounted VPNs for not-for-profits. When you consider both aspects of this, it makes NordVPN an interesting target for nation-states that rely heavily on censorship,” Reguly said.