Internet thieves are nothing unusual these days. But even as we learn to protect ourselves against them, they keep coming up with new and ingenious ways to attack. Their latest scheme was breaking into a server used by the virtual private network provider NordVPN and stealing encryption keys that could be used to mount decryption attacks against segments of its customer base.
A log of the commands from the attack indicates that the hackers managed to gain root access, which in plain English means that things look pretty bad. Root access gives the thieves full control over the server, so they can read and modify much of the data on it.
A similar theft happened in 2017
Only two years ago, two rival VPN services, TorGuard and VikingVPN, also suffered a theft of their encryption keys. TorGuard said in an official statement that a secret key for a Transport Layer Security (TLS) certificate for *.torguardvpnaccess.com was stolen.
TorGuard officials downplayed the incident, stating that the hackers could not do anything with the stolen key and that the private key was not on the compromised server. Even so, the company did not remove the attacked server until the first months of 2018.
Concerns are arising
Dan Guido, the CEO of security firm Trail of Bits, said:
“Compromised master secrets, like those stolen from NordVPN, can be used to decrypt the window between key renegotiations and impersonate their service to others… I don’t care what was leaked as much as the access that would have been required to reach it. We don’t know what happened, what further access was gained, or what abuse may have occurred. There are many possibilities once you have access to these types of master secrets and root server access.”
Officials from NordVPN, however, suggest that what happened to them is not a big issue:
“The server itself did not contain any user activity logs… None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, no other datacenter providers we use have been affected.”
Are YOU also worried about this kind of attack?