

On May 3rd, 2018, a user on the 8chan message board started a discussion asking for VPN recommendations, and other users began adding their favorites: NordVPN, Mullvad, TorGuard, VikingVPN, cryptostorm and more.

At 20:46, another user made a post commenting on these suggestions. Mullvad and cryptostorm got an approving 'good choice!', but NordVPN, TorGuard and VikingVPN got a 'lol, no', with links to evidence showing hacked server details from each provider: configuration files, private keys, basic session details and more.

Scanning the text, we noticed the VikingVPN and TorGuard links appeared to show session connection times and some file information from Thursday May 3rd, the day the 8chan discussion began. That suggests the user hadn't just found these somewhere, or got them from someone else: he saw the thread and grabbed live server information almost immediately. That's either a very speedy hack, or the user already knew the vulnerability for each provider.

NordVPN's details didn't include any dating information. When did the hack occur, then? That's where the picture gets murky.

NordVPN initially told us: 'We believe that the discussion on 8chan was the cause for someone to start looking for vulnerabilities of different VPN service providers, and that discussion started on March 5th.' The exposed configuration file indicated the attack happened on the same day, the company went on: 'March 5th was the last day when such configuration file existed. Later our configuration was changed, so the config file would have looked differently.'

That's interesting, but there's some confusion over times. The 8chan discussion started on 5-3-2018, yes, but that's the US month-day-year format (3rd May), not European day-month-year (5th March), as NordVPN initially believed.

Critical Security Control number one is Inventory of Authorized and Unauthorized Devices. If they failed at doing number 1, what makes you think they're doing 2 through 20? NordVPN is ultimately responsible for knowing what is and isn't plugged into their servers. People are acting like having an out-of-band management solution you don't know about is a get out of jail free card. Not to mention the at best dubious ethics of waiting this long to notify people.

Impersonating a trusted web server would be a gold mine for a sophisticated attacker, especially after what Google Project Zero discovered being used out in the wild, potentially leading to full device compromise of a Pixel or Galaxy device. If the key was used before it had expired, there would be no warnings. Looks like it was floating around for quite a while before anybody noticed it. Here is the source if you want to test it out for yourself. Also VikingVPN and TorGuard were hacked.

The scope of this breach is incredibly minor unless you were specifically using a Finnish server between late February and mid March of 2018. The remote access was removed by the server provider on March 20th 2018. So the people who swiped the cert had all of 3 weeks to watch traffic going through a single Finnish server. In order to subsequently abuse the cert, they would have to separately target individual computers with a MitM attack that were trying to connect to the server in question and not any other server.

Your explanation and ultimately theirs ignores an entirely separate attack vector: impersonation of a trusted web server once you have the private keys. Imagine you're running a phishing campaign and the malicious site you set up now isn't just using any old valid TLS certificate but is using NordVPN's valid certificate. Imagine the certificate wasn't expired in the screenshot below and I copied the NordVPN site automatically with the Social Engineering Toolkit and then started sending out emails that have been gathered from previous breaches. How about a dump of users from a private torrent tracker breach? They'd likely be using a VPN service, right? That would be an unsophisticated, simple attack to harvest credentials from a service that largely trades in fear, uncertainty, and doubt with its customers. I agree the MitM attack would have been a stretch, but I think it is burying the lead and isn't what an attacker would actually do at all; they'd go phishing. If you used NordVPN on your phone when this occurred, in combination with the link in my first post about a Use-After-Free attack affecting Android phones, you now have a very real sophisticated attack chain that isn't purely academic.
