
Post NordVPN Data Exposure: Using Domain Threat Intelligence to Prevent MitM Attacks

NordVPN admitted last month that its data center located in Finland was hacked on March 5, 2018. While the virtual private network (VPN) service provider claimed it learned of the incident as early as April 13, 2019, it only confirmed the compromise last month after reports that its expired Transport Layer Security (TLS) certificate and its private key were leaked. The extent of the intrusion is detailed in this dumped Pastebin log. As shown, the hacker obtained full remote administrative access to NordVPN’s node containers. Here are the implications of the breach:

  • With the private key, an attacker could create his own server in NordVPN’s network, and launch man-in-the-middle (MitM) attacks.
  • Since the hacker had root access, he could have maliciously intercepted and modified user traffic.
  • The provider did not enable reneg-sec, so even though it uses encryption, one-hour-old traffic at the time of the hack could easily have been decrypted.

NordVPN released an official statement in response to the uproar and claimed that no user credentials and activity logs were stolen. It also stated that there were no signs that the hacker monitored user traffic. However, it did admit that the TLS keys can be used to launch a targeted and sophisticated MitM attack on a user in some circumstances.

It’s also important to note that TorGuard recently suffered a similar data breach incident, bringing to light the possibility that other VPN providers could be vulnerable.

Our Investigative Tool: Threat Intelligence Platform

When a service that promises to protect user data and identity gets hacked, the incident highlights the increasing boldness and sophistication of attackers. With the possibility of MitM attacks as a result of TLS certificate and private key exposure, what can help stop adversaries from launching attacks on any VPN service provider’s clients?

Domain threat intelligence is a possible line of defense to consider. Threat Intelligence Platform (TIP), for instance, can assess the integrity of a domain before it is allowed to connect to a computer or server that houses confidential data.

NordVPN could, for instance, run its domain through TIP to identify vulnerabilities, misconfigurations, and open ports that attackers can exploit.

The results showed that its site has redirects. To ensure its domain’s integrity, it needs to check that these redirects do not lead to malicious sites or hosts. Attackers are known to use redirects to divert data they are not authorized to view to their own servers or sites.
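The redirect check described above can be scripted by a site owner. The following is an added example, not output or code from Threat Intelligence Platform: it audits a recorded redirect chain against an allowlist of expected hosts and flags HTTPS downgrades. The function name, the `example.test` hosts and the sample chain are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def audit_redirects(start_url, locations, allowed_hosts):
    """Walk a recorded redirect chain and return (url, problem) findings.

    locations holds the Location header values in the order they were
    received; allowed_hosts holds the domains the chain may stay within.
    """
    findings = []
    current = start_url
    for location in locations:
        nxt = urljoin(current, location)  # Location may be relative
        cur, new = urlsplit(current), urlsplit(nxt)
        host = (new.hostname or "").lower()
        if cur.scheme == "https" and new.scheme != "https":
            findings.append((nxt, "downgrade from https"))
        # Match the exact host or a true subdomain. A plain substring or
        # prefix test would accept lookalikes such as
        # example.test.evil.invalid.
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            findings.append((nxt, "host outside allowlist"))
        current = nxt
    return findings


# Constructed sample chain (hypothetical hosts).
SAMPLE_START = "http://example.test/"
SAMPLE_CHAIN = [
    "https://example.test/",
    "/en/",
    "http://cdn.example.test/landing",
    "https://example.test.evil.invalid/login",
]

if __name__ == "__main__":
    for url, problem in audit_redirects(SAMPLE_START, SAMPLE_CHAIN, ["example.test"]):
        print(f"{problem}: {url}")
```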

The domain analysis also returned several Secure Sockets Layer (SSL) warnings that may be worth looking into. NordVPN can, for instance, consider setting its HTTP Public Key Pinning (HPKP) headers to protect against impersonation by attackers using wrongly issued or fraudulent certificates. It can also set its TLSA parameters to bind X.509 certificates to Domain Name System (DNS) names using DNS Security Extensions (DNSSEC).

A check on its mail servers also warned that Domain-Based Message Authentication, Reporting, and Conformance (DMARC) is not configured. When properly set up, this email validation system can provide an extra layer of defense against spoofing. It’s intended to combat specific techniques often used in phishing and spam attacks such as forging senders’ addresses.
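What "DMARC is not configured" means in practice can be checked from the TXT answers at `_dmarc.<domain>`. The following is an added example, not code from Threat Intelligence Platform: it parses those answers using the RFC 7489 tag syntax and grades the published policy. The status labels and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags


def assess_dmarc(txt_records):
    """Grade the TXT answers found at _dmarc.<domain>: (status, notes)."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "missing", ["no DMARC record published"]
    if len(records) > 1:
        return "invalid", ["multiple DMARC records; receivers apply none of them"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", [f"p= is missing or unrecognised: {policy!r}"]
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return "invalid", [f"pct= is not a percentage: {pct!r}"]
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports are received")
    if policy == "none":
        return "monitor-only", notes + ["p=none asks receivers to take no action"]
    if int(pct) < 100:
        return "partial", notes + [f"policy applies to only {pct}% of failing mail"]
    return "enforcing", notes


if __name__ == "__main__":
    # Constructed sample answers (hypothetical domain).
    print(assess_dmarc(["v=spf1 -all"]))
    print(assess_dmarc(["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]))
```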

Apart from identifying potential security gaps in its IT infrastructure, NordVPN can also use a domain threat intelligence platform to authenticate logins to its systems that contain sensitive client and employee data. Quick queries on the tool can help it spot unauthorized users on its network.

* * *

NordVPN is confident that none of its users’ credentials, activity logs, or traffic have been compromised as a result of the data breach. However, we live in a world where cybersecurity is only as strong as your ability to detect threats early.

Preparing for a cyber attack by taking into account all possible attack vectors is, therefore, a must. By using domain threat intelligence obtained through tools such as Threat Intelligence Platform, security teams can better detect threats in real time, thereby strengthening their organizations’ security posture.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
