Security Affairs

NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches


NordVPN and TorGuard VPN firms were hacked, and threat actors leaked the private keys used to secure their web servers and VPN configuration files.

Hackers have breached the systems used by NordVPN and TorGuard VPN companies and leaked the private keys used to secure their web servers and VPN configuration files. 

The NordVPN information that was leaked online was stolen from a server of the VPN provider last year.

The attackers leaked at least three private keys that belong to the company, one from an older NordVPN site certificate and two OpenVPN keys.

The certificate expired in October 2018, a circumstance that suggests that the hack happened last year, but we cannot exclude that the server was storing the key of an outdated certificate.

After the keys were leaked online, experts pointed out that attackers could set up rogue VPN servers and use them to carry out MiTM attacks on the users’ traffic.

Experts at Golem.de remarked that the expired certificate could be used only to carry out a MiTM attack, but it could not have been used to decrypt the traffic.

“You can not decrypt stored VPN traffic directly with the leaked keys. From the configuration files also shown, it shows that the OpenVPN configuration uses a key exchange with Diffie-Hellman, so that the connections have the so-called forward-secrecy property, which prevents subsequent decryption.” reads the post published by golem.de. “The keys could be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.”
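The golem.de conclusion above rests on reading the OpenVPN configuration for an ephemeral Diffie-Hellman key exchange. The sketch below is an added example, not code from the article or from any of the providers, and runs that check over constructed sample configs; `secret`, `dh` and `tls-cipher` are real OpenVPN directives, while the file names and verdict labels are assumptions.

```python
# Added example: classify an OpenVPN config by whether sessions get forward secrecy.
EPHEMERAL = ("TLS-DHE-", "TLS-ECDHE-", "DHE-", "ECDHE-")  # ephemeral (EC)DH suites
TLS_MODE = {"ca", "tls-server", "tls-client", "client", "server"}

# Constructed sample configs; file names are placeholders.
PINNED = """\
# TLS mode server config
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""
MIXED = PINNED.replace("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
                       "TLS-RSA-WITH-AES-256-CBC-SHA")
STATIC = "dev tun\nifconfig 10.8.0.1 10.8.0.2\nsecret static.key\n"


def parse_directives(text):
    """Map each directive to the list of its argument lists, skipping comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found


def audit_forward_secrecy(text):
    """Return (verdict, detail) for one config."""
    d = parse_directives(text)
    if "secret" in d:  # static-key mode: one pre-shared key protects every session
        return "none", "static key: a leaked key decrypts recorded traffic"
    if not TLS_MODE & d.keys():
        return "unknown", "no TLS-mode directives found"
    suites = [s for args in d.get("tls-cipher", []) for a in args
              for s in a.split(":") if s and not s.startswith("!")]
    if not suites:
        return "unpinned", "no tls-cipher: suite is left to TLS library defaults"
    other = [s for s in suites if not s.startswith(EPHEMERAL)]
    if other:
        return "mixed", "not (EC)DHE: " + ", ".join(other)
    return "pinned", "only ephemeral (EC)DH suites allowed"


if __name__ == "__main__":
    for label, cfg in (("pinned", PINNED), ("mixed", MIXED), ("static", STATIC)):
        print(label, audit_forward_secrecy(cfg))
```

A "pinned" verdict covers recorded traffic only; it says nothing about the man-in-the-middle risk from a leaked server key, which is addressed by revoking and reissuing the certificate.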


NordVPN confirmed the incident that took place in March 2018 when hackers accessed one of the datacenters in Finland operated by a third-party provider.

“A few months ago, we became aware that, on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.” reads the statement published by the VPN provider. “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The company highlighted that the expired TLS key was stored in the breached datacenter in Finland and that it couldn’t possibly have been used to decrypt the VPN traffic of any other server. The only possible way to abuse website traffic was by performing a personalized and sophisticated MiTM attack to intercept a single connection that tried to access nordvpn.com.

After the incident, NordVPN immediately launched an investigation and terminated the contract with the server provider.

The incident also impacted other VPN providers using the same data center, such as VikingVPN and TorGuard.

Of the three VPN providers impacted by the incident, TorGuard was the only one implementing secure PKI management, which means that its main CA key was not on the affected VPN server.

“The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.” reads a statement published by TorGuard.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,”


Pierluigi Paganini

(SecurityAffairs – VPN, hacking)
