https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/
By Dan Goodin
Ars Technica
10/21/2019

Hackers breached a server used by popular virtual network provider NordVPN
and stole encryption keys that could be used to mount decryption attacks
on segments of its customer base.

A log of the commands used in the attack suggests that the hackers had
root access, meaning they had almost unfettered control over the server
and could read or modify just about any data stored on it. One of three
private keys leaked was used to secure a digital certificate that provided
HTTPS encryption for nordvpn.com. The key wasn't set to expire until
October 2018, some seven months after the March 2018 breach. Attackers
could have used the compromised certificate to impersonate the nordvpn.com
website or mount man-in-the-middle attacks on people visiting the real
one. Details of the breach have been circulating online since at least May
2018.

Based on the command log, another of the leaked secret keys appeared to
secure a private certificate authority that NordVPN used to issue digital
certificates. Those certificates might be issued for other servers in
NordVPN's network or for a variety of other sensitive purposes. The name
of the third certificate suggested it could also have been used for many
different sensitive purposes, including securing the server that was
compromised in the breach.

The revelations came as evidence surfaced suggesting that two rival VPN
services, TorGuard and VikingVPN, also experienced breaches that leaked
encryption keys. In a statement, TorGuard said a secret key for a
transport layer security certificate for *.torguardvpnaccess.com was
stolen. The theft happened in a 2017 server breach. The stolen data
related to a squid proxy certificate.
[...]