back to article Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool

NordVPN spent today attempting to downplay a security breach in which someone sneaked into one of its servers for purposes unknown. Here's what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. …

  1. Wellyboot Silver badge

    Security..Hah!

    If you aren't the hardware OS admin & don't control physical access to the hardware you can't claim it's secure.

    Nord are renting server time from 3rd party server farms to host VPNs because to do it properly would cost too much in buildings, hardware & staff. Beancounters strike again.

    1. jake Silver badge

      Re: Security..Hah!

      Indeed. 3,000 physical servers world-wide, most rented from third parties, with gawd/ess know who for employees and who has physical access.

      Pick 3.000 people at random. How many are dishonest or can be persuaded to become dishonest with (im)proper application of cash?

  2. Blockchain commentard

    Fortunately, if you're on the train, you are secure. What, their TV adverts aren't to be believed? Shock, horror.

  3. Mike007

    "Even if a hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see"

    Which is not a problem because... wait, what is their entire sales pitch based on again?

  4. tiggity Silver badge

    tweet hubris

    of the most classic kind

    1. Sir Runcible Spoon

      Re: tweet hubris

      If they hadn't tweeted that boast, would they have been told of the breach?

      1. maffski

        Re: tweet hubris

        They knew about the breach. It was their customers that didn't know.

        But they were just about to tell them. No really.

  5. Anonymous Coward
    Anonymous Coward

    So what's the fundamental difference between NordVPN and TOR ?

    #justaskin'

    1. Anonymous Coward
      Anonymous Coward

      Re: So what's the fundamental difference between NordVPN and TOR ?

      TOR has many exit nodes supplied by TLA's

  6. MMR

    FI

    <quote>According to NordVPN's official statement on the affair, the server was rented and based in a data center in Finland.</quote>

    Haha, why am I not surprised? Speaking from personal experience, not just NordVPN...

    You don't put the words "secure" and "Finland" in one sentence. Their (Finn's) attutide towards data security is years behind and in some cases non-existant. In some companies you'll find private data on Sharepoint (or any other collaboration platform) with no lock down. They have no idea what an IT security audit is. When you politely raise this with your manager they'll brush you off. It is assumed that data is accessed only by people who are meant to see it. They are basically heavily relying on "trust". While this may work perfectly fine inside Finland it's not how the rest of the world (or IT) works.

    If someone tells you your data is stored/managed in Finland - run as far as you can.

    1. Killfalcon

      Re: FI

      But the vendor gave me a free bucket!

  7. Anonymous Coward
    Anonymous Coward

    a poorly secured remote-management system

    it's like a "leading bank", flooding the internets with ads, regularly paying "experts" and "independent sites" to extol their "world-class" security, and then, claiming that a small hole that mysteriously appeared at the back of their "totally safe" safe was actually too small for a human hand to fit through, so worry not, nothing to see here, move along, nothing to see...

  8. Alister

    So Creanova had remote management accounts called "admin" and "support". Excellent, no hacker would ever think of looking for those.

    1. Sir Runcible Spoon

      It does seem odd that a NordVPN system audit would not flag such accounts, assuming they run them

  9. tallenglish

    I dont get how the box itself was compromised

    From what I know of iLo/iDrac you can only get to a login prompt on the box (like ssh or rdp connection to gui) after connecting to the iLo, or do things like reboot the server or destroy the raid array, etc not direct access to a root level account.

    So how did they also gain what sounds like root access to the host server as well? That sounds like not only did NordVPN not do basic security (like locking down via ACL and removing common usernamed admin accounts), but their own server (which should be using TACAC+), also had crap security as well.

    They were just begging to be pwnd, and NordVPN sound like they are run by a group of security noobs.

    1. steviebuk Silver badge

      Re: I dont get how the box itself was compromised

      Having only discovered iDrac early in the year, as far as I'm aware, and as the hosting provider claims, you can either have iDrac available at all times or only when requested. Its a little board inside a blade with its own OS. So you can then do whatever you want to the blade. So I'm assuming someone got in somewhere to get the idrac login. Then from there they can do whatever they want. Although I'm assuming whatever was then installed on the blade also had a compromised account. Or they just used the exploit to get the details for all the accounts. But as Nord rented this, they surely should of turned on logs so they could see all new accounts that got created in idrac. Or have someone connect to them daily to check if any accounts having been created overnight. Clearly they did neither. I blame Nord for not checking and now attempting to blame the provider that they rented a server from because they are too cheap to buy their own.

      This is the same NordVPN (who I'm with since Christmas) that claims they work with Amazon Prime. But fuck me if I can get it to work. Netflix is fine, so I can now watch Cheers but Amazon Prime can see I'm on Nord all the time and then won't play anything.

      1. TonyJ Silver badge

        Re: I dont get how the box itself was compromised

        Interesting - in my recent attempts, Netfix pops up a message about using a VPN and won't play.

        1. steviebuk Silver badge

          Re: I dont get how the box itself was compromised

          I'm doing the Netflix watching on my Samsung S8 with an older client (there appears to be an updated Netflix client, which I'll now avoid incase its the new client that will block Nord).

    2. Degenerate Scumbag

      Re: I dont get how the box itself was compromised

      Usually these remote management systems function as emulated local keyboard + monitor, and can mount disk images as virtual USB drives, enabling full remote reinstall of the OS. This can be used to boot a live image and from there you can mount the internal drives and look at what's on them. Access to the ILO is pretty close to having physical access to the machine.

  10. phuzz Silver badge

    iLO/DRAC

    I'm wondering how an attacker got access though the management system.

    Although they could have easily got access to the machine's console, surely they'd have still needed a user account on that machine? (or an LDAP/Domain account). Did a legitimate user leave their console session logged in?

    An attacker could force the machine to boot from an iso and thereby get access to the server's drives, (if they weren't using disk encryption), but surely they'd have monitoring that would have noticed the machine resetting?

    As far as I know, HP's iLo doesn't give you access to the host machine's networking, possibly DRAC does these days (been a while since I used it). So I don't see that as an attack method.

    1. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    If only there was a company who could protect us from intruders hacking and spying on our internet access...

    Hang on a mo, wasn't there an ad on the TV the other day... now if I could only remember the name of the outfit...

  12. uro

    One out of 3000 servers with improperly audited security, audit's are usually wide sweeping events which by design delve deep to scrutinise infrastructure, especially security audit's.

    Given they never picked up on common out-of-band management and boot loader hardware & associated software installed on the machine by the manufacturer their audit (as well as pre-purchase/rental) policy must be completely lacking and not fit for purpose.

    I'd hedge a bet that the majority of the 3000 servers they rent/own come with out of band management pre-installed by the manufacturer (whether enabled or not) and that there was also more than one out of 3000 servers with the same lacklustre security audit done on it, my bet is wholly reliant on said black-hat's publishing details they find floating around of any further deeds that may have occured.

    Now to sit back and bathe in the glory of thousands of Youtube channels releasing apology videos for their paid endorsement of Nord's Virtual Public Network

    1. Kiwi

      Given they never picked up on common out-of-band management and boot loader hardware & associated software installed on the machine by the manufacturer their audit (as well as pre-purchase/rental) policy must be completely lacking and not fit for purpose.

      When it comes to large data centres, getting inside to perform your own security audit may not exactly be an easy thing, and keeping someone onsite 24/7 to make sure there's no future issues?

      One would expect that data centres, given the high level of trust placed in them and the "never again" many of their customers will choose should they be found to screw up, would put in plenty of decent practices themselves and alert their customers to any potential risks (eg leaving a management tool running when it should be closed down).

      I suspect a bit of fail all round, but that the data centre company aren't crying foul at the early termination of contract - either Nord weren't at fault for the breach, or Nord were a bit of a pain to deal with the the DC are glad to be shot of them.

      If Nord is true to their claims of changing the way they build their servers to prevent such problems, and are true to their claims of no data logging and vpn chains etc, then even with such a breach they're not likely to expose that important data their customers use.

      (I will have to contact them about that bug bounty though, I have something in mind I think should be fixed)

  13. Kiwi

    be anal about keeping emails etc...

    Will come in handy when you need to prove who did/didn't know what.

    That said,

    We bring [iLO or iDRAC] ports up when we get requests from clients, and shut them down when they are done using this tools. NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders."

    Does still sound like the host made the mistake - if Nord weren't using the management tool then the tool shouldn't have been running, unless the attacker(s) happened to use a window when the tool was up for Nord's use.

    My suspicion would lean largely towards one miscreant within the hosting company, perhaps even someone 'working from home' with less-than-ideal setups.

  14. NunyaB

    Wow. First NordVPN tells its customer that it doesn't keep logs, but then after contacting the author of the article, provides the author with logs which are reprinted toward the end of the article. It seems that Nord can't keep it's stories straight. I'd steer clear of any organization that seems to have a problem with the truth...

    1. Kiwi
      FAIL

      Wow. First NordVPN tells its customer that it doesn't keep logs,

      Wow. A whole lot of fail in your post.

      No, NordVPN do not say they don't keep any logs whatsoever. What they do say is they don't log customer activities. Other logs (or forms of logs) must obviously be kept, eg accounting records of who has paid their bill, and likely logs of which server is responding or acting in an unusual manner. Logs of what work has been done on their systems and what the result of said work is.

      So logs from a management console they weren't aware was active? As a privacy-loving customer of theirs I don't have the slightest problem with that.

      Makes me wonder where you were coming from to post as you did. I'm kinda leaning towards "You're a trolling shill for one of their competitors" hoping to catch out a few of NordVPN's potential customers? Hoping for people who's reading skills are so cold they'll never "go critical" ever?

  15. MadMic
    WTF?

    Did someone just leak a username?

    "19779","Informational","03/20/2018 07:25","03/20/2018 07:25","1","User support deleted by creanova."

    Assuming that's the iLo / iDrac logs then "support" was deleted by "creanova"... Thanks for the root account name guys!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like