Servers belonging to the NordVPN and TorGuard VPN companies were hacked and hackers stole and leaked the private keys associated with certificates used to secure their web servers and VPN configuration files.
Over the weekend, the security researcher @hexdefined tweeted NordVPN, of which we are an affiliate, as its private keys were publicly leaked on the Internet.
If this certificate has now expired, it could have helped an intruder to build a plausible page that impersonates NordVPN using their certificate if it was used before expiry. More sophisticated hackers could also have used this key to listen to encrypted communications with the man in the middle assault (MiTM).
Hexdefined photos were shared to demonstrate how a fake page could have been created on a NordVPN certificate.
Servers for NordVPN, TorGuard, and possibly VikingVPN hacked
Apart from the website certificate, the OpenVPN provider’s CryptoStorm. Twitter account has a link to 8ch posting where a hacker claims to have full root access to NordVPN, TorGuard and VikingVPN servers.
The attacker was able to steal OpenVPN keys and setup files as illustrated in the image below the NordVPN hack. CryptoStorm.is claimed that by stealing these keys, it could have allowed an attacker to decrypt traffic at the time of the hack.
Unfortunately, NordVPN hasn’t been alone. This same 8chan post also refers to the performance of hacks on a server belonging to TorGuard where a Squid proxy certificate and OpenVPN keys and configuration files are stolen.
Finally, a third link goes to an alleged hack of a server owned by VikingVPN where the attacker stole OpenVPN keys and configuration files.
NordVPN and TorGuard make claims
Although VikingVPN has not replied to any of our questions, both NordVPN and TorGuard have issued statements.
According to a statement issued by NordVPN, the intruder was able to gain access to their databases through an outdated remote management system deployed by their datacenter.
“We became aware that on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization. The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, and no other datacenter providers we use have been affected.”
NordVPN also claims that the attacker’s TLS key has expired and that, contrary to what Cryptostorm.io said, at the time of the attack VPN traffic was not decrypted.
In a TorGuard claim, the VPN provider says that since they use’ stable PKI security,’ this intrusion has not affected any of its VPN clients and their CA key has not been stolen since they have not been on the compromised network.
“TorGuard was the only one using secure PKI management, meaning our main CA key was not on the affected VPN server.”
We also note that the stolen TLS certificate for*.torguardvpnaccess.com is for “a squid proxy certificate that hasn’t worked on the TorGuard network since 2017.” Although they aren’t explaining how the server was hacked, they say that the reseller has been renting a server with “repeated suspicious activities” and no longer works on the site.
TorGuard further confirmed that the compromised database is linked to a lawsuit they brought against NordVPN in 2019.
“TorGuard first became aware of this disclosure during May of 2019 and in a related development we filed a legal complaint against NordVPN in the Middle District of Florida on June 27, 2019.”
Further information can be found on TorGuard and NordVPN.
As mentioned above, VikingVPN has not answered our database queries.
Always declare you can’t be hacked
With the use of these certificates to carry out a MiTM attack on TorGuard and NordVPN visitors, we have learned that nothing is unhackable over time.
In reality, anyone who says they are unhackable or are immune to hackers is easily proven false.
It was shown clearly, because the launch of this VPN hacking escape was only a few hours after NordVPN decided to run a Twitter ad that said “No hacker can steal your online life.”