Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool

NordVPN spent today attempting to downplay a security breach in which someone sneaked into one of its servers for purposes unknown. Here's what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. …

  1. Wellyboot Silver badge

    Security..Hah!

    If you aren't the hardware OS admin & don't control physical access to the hardware you can't claim it's secure.

    Nord are renting server time from 3rd party server farms to host VPNs because to do it properly would cost too much in buildings, hardware & staff. Beancounters strike again.

    1. jake Silver badge

      Re: Security..Hah!

      Indeed. 3,000 physical servers world-wide, most rented from third parties, with gawd/ess knows who for employees and who has physical access.

      Pick 3,000 people at random. How many are dishonest or can be persuaded to become dishonest with (im)proper application of cash?

  2. Blockchain commentard

    Fortunately, if you're on the train, you are secure. What, their TV adverts aren't to be believed? Shock, horror.

  3. Mike007 Bronze badge

    "Even if a hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see"

    Which is not a problem because... wait, what is their entire sales pitch based on again?

  4. tiggity Silver badge

    tweet hubris

    of the most classic kind

    1. Sir Runcible Spoon

      Re: tweet hubris

      If they hadn't tweeted that boast, would they have been told of the breach?

      1. maffski

        Re: tweet hubris

        They knew about the breach. It was their customers that didn't know.

        But they were just about to tell them. No really.

  5. Anonymous Coward

    So what's the fundamental difference between NordVPN and TOR ?

    #justaskin'

    1. Anonymous Coward

      Re: So what's the fundamental difference between NordVPN and TOR ?

      TOR has many exit nodes supplied by TLA's

  6. MMR

    FI

    <quote>According to NordVPN's official statement on the affair, the server was rented and based in a data center in Finland.</quote>

    Haha, why am I not surprised? Speaking from personal experience, not just NordVPN...

    You don't put the words "secure" and "Finland" in one sentence. Their (Finns') attitude towards data security is years behind and in some cases non-existent. In some companies you'll find private data on SharePoint (or any other collaboration platform) with no lock down. They have no idea what an IT security audit is. When you politely raise this with your manager they'll brush you off. It is assumed that data is accessed only by people who are meant to see it. They are basically heavily relying on "trust". While this may work perfectly fine inside Finland it's not how the rest of the world (or IT) works.

    If someone tells you your data is stored/managed in Finland - run as far as you can.

    1. Killfalcon Silver badge

      Re: FI

      But the vendor gave me a free bucket!

  7. Anonymous Coward

    a poorly secured remote-management system

    it's like a "leading bank", flooding the internets with ads, regularly paying "experts" and "independent sites" to extol their "world-class" security, and then, claiming that a small hole that mysteriously appeared at the back of their "totally safe" safe was actually too small for a human hand to fit through, so worry not, nothing to see here, move along, nothing to see...

  8. Alister

    So Creanova had remote management accounts called "admin" and "support". Excellent, no hacker would ever think of looking for those.

    1. Sir Runcible Spoon

      It does seem odd that a NordVPN system audit would not flag such accounts, assuming they run them

  9. tallenglish

    I don't get how the box itself was compromised

    From what I know of iLo/iDrac you can only get to a login prompt on the box (like ssh or rdp connection to gui) after connecting to the iLo, or do things like reboot the server or destroy the raid array, etc not direct access to a root level account.

    So how did they also gain what sounds like root access to the host server as well? That sounds like not only did NordVPN not do basic security (like locking down via ACL and removing commonly named admin accounts), but their own server (which should be using TACACS+) also had crap security as well.

    They were just begging to be pwnd, and NordVPN sound like they are run by a group of security noobs.

    1. steviebuk Silver badge

      Re: I don't get how the box itself was compromised

      Having only discovered iDrac early in the year, as far as I'm aware, and as the hosting provider claims, you can either have iDrac available at all times or only when requested. It's a little board inside a blade with its own OS. So you can then do whatever you want to the blade. So I'm assuming someone got in somewhere to get the idrac login. Then from there they can do whatever they want. Although I'm assuming whatever was then installed on the blade also had a compromised account. Or they just used the exploit to get the details for all the accounts. But as Nord rented this, they surely should have turned on logs so they could see all new accounts that got created in idrac. Or have someone connect to them daily to check if any accounts have been created overnight. Clearly they did neither. I blame Nord for not checking and now attempting to blame the provider that they rented a server from because they are too cheap to buy their own.

      This is the same NordVPN (who I'm with since Christmas) that claims they work with Amazon Prime. But fuck me if I can get it to work. Netflix is fine, so I can now watch Cheers but Amazon Prime can see I'm on Nord all the time and then won't play anything.

      1. TonyJ

        Re: I don't get how the box itself was compromised

        Interesting - in my recent attempts, Netflix pops up a message about using a VPN and won't play.

        1. steviebuk Silver badge

          Re: I don't get how the box itself was compromised

          I'm doing the Netflix watching on my Samsung S8 with an older client (there appears to be an updated Netflix client, which I'll now avoid in case it's the new client that will block Nord).

    2. Degenerate Scumbag

      Re: I don't get how the box itself was compromised

      Usually these remote management systems function as emulated local keyboard + monitor, and can mount disk images as virtual USB drives, enabling full remote reinstall of the OS. This can be used to boot a live image and from there you can mount the internal drives and look at what's on them. Access to the ILO is pretty close to having physical access to the machine.

  10. phuzz Silver badge

    iLO/DRAC

    I'm wondering how an attacker got access though the management system.

    Although they could have easily got access to the machine's console, surely they'd have still needed a user account on that machine? (or an LDAP/Domain account). Did a legitimate user leave their console session logged in?

    An attacker could force the machine to boot from an iso and thereby get access to the server's drives, (if they weren't using disk encryption), but surely they'd have monitoring that would have noticed the machine resetting?

    As far as I know, HP's iLo doesn't give you access to the host machine's networking, possibly DRAC does these days (been a while since I used it). So I don't see that as an attack method.


  11. Anonymous Coward

    If only there was a company who could protect us from intruders hacking and spying on our internet access...

    Hang on a mo, wasn't there an ad on the TV the other day... now if I could only remember the name of the outfit...

  12. uro

    One out of 3000 servers with improperly audited security. Audits are usually wide-sweeping events which by design delve deep to scrutinise infrastructure, especially security audits.

    Given they never picked up on common out-of-band management and boot loader hardware & associated software installed on the machine by the manufacturer their audit (as well as pre-purchase/rental) policy must be completely lacking and not fit for purpose.

    I'd hedge a bet that the majority of the 3000 servers they rent/own come with out-of-band management pre-installed by the manufacturer (whether enabled or not) and that there was also more than one out of 3000 servers with the same lacklustre security audit done on it. My bet is wholly reliant on said black-hats publishing details they find floating around of any further deeds that may have occurred.

    Now to sit back and bathe in the glory of thousands of YouTube channels releasing apology videos for their paid endorsement of Nord's Virtual Public Network

    1. Kiwi

      Given they never picked up on common out-of-band management and boot loader hardware & associated software installed on the machine by the manufacturer their audit (as well as pre-purchase/rental) policy must be completely lacking and not fit for purpose.

      When it comes to large data centres, getting inside to perform your own security audit may not exactly be an easy thing, and keeping someone onsite 24/7 to make sure there's no future issues?

      One would expect that data centres, given the high level of trust placed in them and the "never again" many of their customers will choose should they be found to screw up, would put in plenty of decent practices themselves and alert their customers to any potential risks (eg leaving a management tool running when it should be closed down).

      I suspect a bit of fail all round, but that the data centre company aren't crying foul at the early termination of contract - either Nord weren't at fault for the breach, or Nord were a bit of a pain to deal with and the DC are glad to be shot of them.

      If Nord is true to their claims of changing the way they build their servers to prevent such problems, and are true to their claims of no data logging and vpn chains etc, then even with such a breach they're not likely to expose that important data their customers use.

      (I will have to contact them about that bug bounty though, I have something in mind I think should be fixed)

  13. Kiwi

    be anal about keeping emails etc...

    Will come in handy when you need to prove who did/didn't know what.

    That said,

    "We bring [iLO or iDRAC] ports up when we get requests from clients, and shut them down when they are done using these tools. NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders."

    Does still sound like the host made the mistake - if Nord weren't using the management tool then the tool shouldn't have been running, unless the attacker(s) happened to use a window when the tool was up for Nord's use.

    My suspicion would lean largely towards one miscreant within the hosting company, perhaps even someone 'working from home' with less-than-ideal setups.

  14. NunyaB

    Wow. First NordVPN tells its customers that it doesn't keep logs, but then after contacting the author of the article, provides the author with logs which are reprinted toward the end of the article. It seems that Nord can't keep its stories straight. I'd steer clear of any organization that seems to have a problem with the truth...

    1. Kiwi
      FAIL

      Wow. First NordVPN tells its customer that it doesn't keep logs,

      Wow. A whole lot of fail in your post.

      No, NordVPN do not say they don't keep any logs whatsoever. What they do say is they don't log customer activities. Other logs (or forms of logs) must obviously be kept, eg accounting records of who has paid their bill, and likely logs of which server is responding or acting in an unusual manner. Logs of what work has been done on their systems and what the result of said work is.

      So logs from a management console they weren't aware was active? As a privacy-loving customer of theirs I don't have the slightest problem with that.

      Makes me wonder where you were coming from to post as you did. I'm kinda leaning towards "You're a trolling shill for one of their competitors" hoping to catch out a few of NordVPN's potential customers? Hoping for people whose reading skills are so cold they'll never "go critical" ever?

  15. MadMic
    WTF?

    Did someone just leak a username?

    "19779","Informational","03/20/2018 07:25","03/20/2018 07:25","1","User support deleted by creanova."

    Assuming that's the iLo / iDrac logs then "support" was deleted by "creanova"... Thanks for the root account name guys!!
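Two comments above make the same defender's point: steviebuk's that a tenant should be pulling the management-controller logs and checking for accounts created or deleted overnight, and MadMic's that the quoted record shows exactly the kind of event worth flagging. The script below is an added example, not code from the article or from NordVPN or Creanova; it parses records in the CSV-style layout quoted in the thread and raises findings for account lifecycle events, use of generic account names, and any activity outside an approved maintenance window. The window, the generic-name list and all records except the first are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample in the record layout quoted in the thread
# ("id","severity","first seen","last seen","count","message").
# The first line is the one quoted above; the rest are made up here.
SAMPLE_LOG = '''"19779","Informational","03/20/2018 07:25","03/20/2018 07:25","1","User support deleted by creanova."
"19780","Informational","03/21/2018 02:10","03/21/2018 02:10","1","User admin created by creanova."
"19781","Informational","03/21/2018 02:12","03/21/2018 02:12","2","Login from 203.0.113.7 as admin."
"19782","Informational","03/21/2018 02:30","03/21/2018 02:30","1","Server power cycle requested by admin."
'''

# Hypothetical maintenance window: the one time the tenant asked for the
# management port to be brought up. Activity outside it is unexplained.
APPROVED_WINDOWS = [(datetime(2018, 3, 20, 7, 0), datetime(2018, 3, 20, 8, 0))]

# Generic account names that a hardening check should never see in use.
GENERIC_ACCOUNTS = {"admin", "support", "root", "administrator"}

ACCOUNT_EVENT = re.compile(r"^User (\w+) (created|deleted) by (\w+)\.?$")
LOGIN_EVENT = re.compile(r"^Login from (\S+) as (\w+)\.?$")


def parse_records(text):
    """Yield (record_id, first-seen timestamp, message) from the quoted layout."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip anything that is not a six-field record
        yield row[0], datetime.strptime(row[2], "%m/%d/%Y %H:%M"), row[5]


def in_approved_window(ts):
    return any(start <= ts <= end for start, end in APPROVED_WINDOWS)


def review(text):
    """Return (record_id, rule, detail) findings for a human reviewer."""
    findings = []
    for rid, ts, msg in parse_records(text):
        m = ACCOUNT_EVENT.match(msg)
        if m:  # every account creation or deletion on the controller is reportable
            name, action, actor = m.groups()
            findings.append((rid, "account-lifecycle", f"{name} {action} by {actor}"))
            if name in GENERIC_ACCOUNTS and action == "created":
                findings.append((rid, "generic-account-name", name))
        m = LOGIN_EVENT.match(msg)
        if m and m.group(2) in GENERIC_ACCOUNTS:
            findings.append((rid, "generic-account-login", m.group(2)))
        if not in_approved_window(ts):  # port should have been down
            findings.append((rid, "outside-maintenance-window", ts.isoformat()))
    return findings
```

Run daily against an export of the controller log and any non-empty result is something the tenant, not just the host, should be looking at.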
