Pulling back the curtain on VPN breaches: they're supply chain attacks

About the author

Brendon Macaraeg is Director of Product Marketing at Signal Sciences. Previously with CrowdStrike and Symantec, he focused on evangelizing and marketing security offerings. 

Consider the “supply chain” attack. Many VPN vendors rely on third-party data centers for compute resources, which introduces risk: VPN providers end up relying on the data center vendor to follow best practices for security resilience. 

While it’s understandable that the data center vendor would use a remote management system to monitor and maintain the servers they resell for use by other companies, such systems can be abused by attackers. When combined with user accounts that are dormant but still valid, attackers can gain access through brute-force attacks and then reach other systems and hosts in the target environment.
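The pattern described above, a burst of failed logins followed by a success on an account that has been idle for months, can be detected from a remote-management login log. This is an added example, not code from the article or from any vendor it names; the log format, account names, addresses and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed login events (not real data), oldest first:
# timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2018-06-01T12:00:00 contractor7 10.0.5.22 success
2019-02-20T08:30:00 ops-alice 10.0.5.10 success
2019-03-01T09:14:00 ops-alice 10.0.5.10 failure
2019-03-01T09:15:00 ops-alice 10.0.5.10 success
2019-03-04T02:10:00 contractor7 203.0.113.50 failure
2019-03-04T02:11:00 contractor7 203.0.113.50 failure
2019-03-04T02:12:00 contractor7 203.0.113.50 failure
2019-03-04T02:13:00 contractor7 203.0.113.50 failure
2019-03-04T02:14:00 contractor7 203.0.113.50 success
"""

def find_dormant_account_logins(log_text,
                                dormant_after=timedelta(days=90),
                                min_failures=3,
                                failure_window=timedelta(hours=1)):
    """Flag a successful login that follows a burst of failures on an
    account with no successful login for at least `dormant_after`.
    Thresholds are illustrative assumptions; lines must be time-ordered."""
    last_success = {}   # account -> time of last successful login
    failures = {}       # account -> failure times since last success
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, account, source, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        pending = failures.setdefault(account, [])
        if outcome == "failure":
            pending.append(ts)
            continue
        burst = [t for t in pending if ts - t <= failure_window]
        previous = last_success.get(account)
        # An account with no earlier success in the log counts as dormant.
        dormant = previous is None or ts - previous >= dormant_after
        if dormant and len(burst) >= min_failures:
            alerts.append({"account": account, "source": source,
                           "failures": len(burst),
                           "idle_days": (ts - previous).days if previous else None})
        last_success[account] = ts
        pending.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_dormant_account_logins(SAMPLE_LOG):
        print(alert)
```
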

Take the case of NordVPN: An attacker gained root access to one of NordVPN’s thousands of servers by exploiting an insecure remote management system used by the data center provider, which NordVPN claims it was unaware of. 

NordVPN says that while the attackers could have used the private keys to intercept and view some of its customers’ traffic, the attackers would have been limited to eavesdropping on communications routing through just one of the company’s servers.

But with access to that remote management system, most likely an Intelligent Platform Management Interface (IPMI), the attacker would have been able to install a traffic logger, for example. There is a definite risk to any NordVPN customer whose VPN sessions used the compromised server.

Deep dive into NordVPN's vulnerability

The compromised server was provided by Oy Creanova Hosting Solutions Ltd., which according to its website offers remote management (IPMI). NordVPN cannot claim ignorance about the use of remote management by the data center provider and has recognized publicly that it “should have done more to filter out unreliable server providers and ensure the security of [its] customers.”

VPN and Remote Desktop Protocol (RDP) accounts have been the causes of data breaches for years. Many businesses have seen attackers exfiltrate millions of customer payment card records when their hacked IT contractors or payment processors used the same remote access credentials (the Hilton and Trump Hotel breaches are notable examples of this attack scenario).

It’s often said that security is about the “people, process and tools” that make up an organization's security posture and resulting resilience. For any organization, relying on third parties to provide services or infrastructure to run their business introduces risk: as customers of the infrastructure providers, organizations rely on them to have the necessary people (with knowledge and skills) to follow good process and use security tooling effectively. To reduce risk, organizations should engage in annual audits that include infrastructure provided by the third-party vendor as well as anyone or anything with access to it. 


Learn from NordVPN

All too often organizations rely on their third-party vendors to have good security hygiene and to follow cybersecurity best practices, but your company’s security shouldn’t only fall on their shoulders: your organization is responsible for it, too.

Here’s what to take away from this breach and how to implement these lessons moving forward:

Third-party relationships introduce significant risk. 

Companies should not assume that their supply chain vendors are taking all necessary precautions against unauthorized access. Risk can be introduced by third-party vendors who are not following best practices or have gaps in their own security operations, such as failing to audit login credentials, delete dormant accounts or follow good PKI management processes. Tactics like using compromised remote desktop software/management credentials to remotely access other hosts on the target network or introducing point of sale (POS) malware exploit poor security processes and inadequate user authentication management.

Any organization with a distributed business model must assess security processes at third-party provided infrastructure or field offices to prevent unauthorized access. 

The franchise model, for example, is highly susceptible to intrusions since enterprise security is dependent on both the IT systems in place and the security practices (or lack thereof) at the franchisee level of operations. One example is hospitality and hotel chains, which often rely on third-party payment processors that leverage remote access/management tools with weak or exposed credentials. This practice introduces risk that could be reduced or eliminated by forced rotation of credential passwords and auditing and deleting dormant accounts.

Practice secure PKI management. 

While the TLS certificate that the attacker took over was expired, it should have been outright revoked. (In the case of the TorGuard breach, however, this practice was in place.) 

Use network monitoring tools to stay one step ahead. 

Could NordVPN have prevented this? If they were managing their server instances in the data center directly themselves (one presumes they are, as offering encrypted network connectivity to end users is their primary business), they could have used network monitoring tools to detect unusual and unexpected activity by the remote management system and question their data center provider about it. 
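One way to implement the monitoring described above is to compare flow records against an inventory of known management controllers and the subnet administrators are expected to use. This is an added example, not code from the article; the addresses, inventory, admin subnet and flow format are constructed assumptions, and it presumes a vantage point that sees management traffic (IPMI-over-LAN uses UDP port 623).

```python
import ipaddress

# Constructed flow records (not real data):
# source, destination, protocol, destination port.
SAMPLE_FLOWS = """\
10.20.0.5 10.20.9.11 udp 623
10.20.0.5 10.20.9.11 tcp 443
198.51.100.23 10.20.9.11 udp 623
10.20.0.5 10.20.9.40 udp 623
10.20.3.7 10.20.1.15 tcp 443
"""

# Assumed inventory: management controllers the provider has disclosed,
# and the subnet its administrators are expected to connect from.
KNOWN_BMCS = {ipaddress.ip_address("10.20.9.11")}
ADMIN_NET = ipaddress.ip_network("10.20.0.0/28")
IPMI_SERVICE = ("udp", 623)

def review_flows(flow_text, known_bmcs=KNOWN_BMCS, admin_net=ADMIN_NET):
    """Return findings for two conditions worth raising with the provider:
    - unexpected-source: traffic to a known management controller from
      outside the admin subnet
    - uninventoried-bmc: IPMI traffic to a host that is not in the
      inventory, i.e. a management interface nobody disclosed
    """
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src_raw, dst_raw, proto, port_raw = line.split()
        src = ipaddress.ip_address(src_raw)
        dst = ipaddress.ip_address(dst_raw)
        service = (proto.lower(), int(port_raw))
        if dst in known_bmcs and src not in admin_net:
            findings.append(("unexpected-source", src_raw, dst_raw))
        elif service == IPMI_SERVICE and dst not in known_bmcs:
            findings.append(("uninventoried-bmc", src_raw, dst_raw))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```
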

Responsibility lies with the VPN service provider. 

Even with an SLA in place, the ultimate responsibility, along with the related security precautions and procedures, rests with the VPN service provider. A regular audit of their environment as part of an overall security assessment, combined with penetration testing and other security exercises, would go a long way towards building security resilience.
