Mandiant: Heartbleed Leads to Attack

Attackers Exploited Flaw One Day After Its Disclosure
Mandiant: Heartbleed Leads to Attack

Within one day of the disclosure of the flaw known as Heartbleed, an attacker posing as an authorized user tunneled into the computer system of a major corporation, exploiting the vulnerability in the OpenSSL protocol, the breach detection firm Mandiant says.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

The April 18 announcement from Mandiant follows reports of at least two other breaches tied to Heartbleed. Canadian authorities arrested a teenager this week for his alleged role in exploiting the vulnerability to steal data from the Canada Revenue Agency website. And in the UK, the website Mumsnet forced all of its users to change their passwords after it discovered that a cyber-attacker had taken advantage of the Heartbleed bug to access data from users' accounts.

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as e-mail, instant messaging and some VPNs (see Heartbleed Bug: What You Need to Know).

Break-In Described

A Mandiant blog reports that beginning on April 8, the day after the flaw was revealed, an attacker leveraged the Heartbleed vulnerability against a virtual private network appliance at one of the vendor's corporate clients and repeatedly sent malformed "heartbeat" requests to the secure Web server running on the VPN device, which used a vulnerable version of OpenSSL. That enabled the attacker to obtain active session tokens for authenticated users.

A heartbeat implementation verifies that a connection remains open by sending an arbitrary message and receiving a response to it.

A Mandiant spokeswoman declined to identify the breached corporation. She says the assailant or assailants tried about 1,000 times before successfully capturing passwords to commandeer user sessions by exploiting the flaw.

Bypassing Multifactor Authentication

"With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated," according to the Mandiant blog.

Researchers at Mandiant say the attack bypassed the corporation's multi-factor authentication as well as the VPN client software used to validate that systems connecting to the VPN are owned by the corporation and running specific security software.

Mandiant says it identified and confirmed the exploit method by analyzing intrusion detection system signatures and VPN logs. The victim organization implemented a set of signatures to identify Heartbleed network activity. The intrusion detection system presented more than 17,000 alerts during the intrusion. The source of the heartbeat response was the organization's internal secure sockets layer VPN device, the breach detection vendor says.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network