VPN provider NordVPN revealed yesterday that a third-party server located in Finland it had been leasing was accessed in March 2018.The company said
the intruder was able to acquire an expired TLS key from the server, but
otherwise no other data was endangered. The access was accomplished through an
insecure remote management system account that the datacenter had added without
informing NordVPN and while the datacenter deleted the user accounts that the
intruder had exploited it did not inform the company of the incident at the
time it happened.The company
declared this an isolated incident and no other servers or datacenters were
affected.“The
intruder did not find any user activity logs because they do not exist. They
did not discover users’ identities, usernames, or passwords because none of our
applications send user-created credentials for authentication,” NordVPN said in
a statement.The comprised
TLS key could be used in an attack, but only against a specific target where
the attacker has access to the victim’s device or network, which the company
said would be very difficult to conduct.NordVPN said
it delayed making the breach public until after its investigation was completed
and improved security measures were in place.“We want our
users and the public to accurately understand the scale of the attack and what
was and was not at risk. The breach affected one of over 3,000 servers we had
at the time for a limited time period, but that’s no excuse for an egregious
mistake that never should have been made,” NordVPN said.CyberGRX CEO
Fred Kneip said it is imperative that organizations both large and small that work
with third-party contractors continuously manage these relationships.“As seen
most recently with the NordVPN and Autoclerk breaches, if you don't know which
third parties present the greatest risk to your data, your digital ecosystem
becomes a major vulnerability that is just waiting to be exploited,” he said.The company
gave no indication who might have been behind the attack, but Tyler Reguly,
manager of security R&D at Tripwire, theorized a nation-state actor could
have a reason to do so. He cited company programs designed to ensure internet
access that might upset some governments.“Additionally,
on the Nord side, they have their social responsibility programs that includes
services like free emergency VPNs to bypass censorship and discounted VPNs for
not-for-profits. When you consider both aspects of this, it makes NordVPN an
interesting target for nation-states that rely heavily on censorship,” Reguly
said.
Compliance Management, Privacy, Threat Management, Vulnerability Management
NordVPN confirms 2018 breach
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



