Heartbleed Attack Targeted Enterprise VPN

Attack spotted using the OpenSSL Heartbleed bug to steal session tokens and bypass two-factor authentication.

Now theres live proof the Heartbleed bug can be exploited, not just to steal private SSL keys stored on a server, but also to retrieve VPN session tokens.
Researchers at Mandiant -- now part of threat intelligence firm FireEye -- on Friday revealed that they spotted a successful VPN-targeting attack that began April 8. That was just one day after OpenSSL issued a public security advisory about a TLS heartbeat read overrun in its open-source SSL and TLS implementation.
The flaw, later dubbed Heartbleed, was quickly tapped by a VPN-targeting attacker. The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users, said Mandiant technical director Christopher Glyer and senior consultant Chris DiGiamo in a
blog post
. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
The researchers declined to name the organization that was targeted, but said the attackers aims didnt appear to be academic. Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, they said.
But many businesses might not know that attackers could
exploit Heartbleed to grab legitimate VPN session tokens
, which also allowed the attacker to bypass the organizations two-factor authentication system, as well as a check -- built into the VPN client software -- meant to ensure that prescribed security software was running on the client. To date, much of the discussion on the Internet has focused on an attacker using the vulnerability to steal private keys from a Web server, and less on the potential for session hijacking, the Mandiant researchers said.
Even so, a related warning was sounded April 8, when the first
proof-of-concept exploit
for stealing private SSL keys via the Heartbleed bug was published -- in the form of a Python script -- which led Web application penetration tester Matthew Sullivan to warn about the potential for session-token-stealing attacks to occur. The currently available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack of a logged-in user, he said in a
blog post
.
Such an attack, Sullivan added, could also bypass the need for an attacker to provide authentication credentials, and could be used against any Web service that uses cookies to track the session state -- almost every site on the Internet. Furthermore, related attacks might be tough to spot. The only way to detect this type of attack is to check the source IPs of traffic for each and every request.
In the case of the VPN exploit detailed by Mandiant, the intrusion apparently came to light after the targeted organization added intrusion detection system (IDS) signatures designed to spot signs of Heartbleed-related exploits on the network. Mandiant said it later verified the intrusion by reviewing both IDS signatures and VPN logs.
With the right IDS signatures in place, this intrusion was apparently tough to miss, with Mandiant noting that the organizations related IDS signature alerted over 17,000 times during the intrusion, with all alerts pointing to its internal SSL VPN appliance. As that suggests, exploiting the Heartbleed bug to retrieve a legitimate session token or private key may require an extended effort that takes hours to unfold. In our experience, an attacker will likely send hundreds of attempts because the vulnerability only exposes up to 64KB of data from a random section of memory, said Mandiant.
To guard against Heartbleed attacks -- against VPN systems or otherwise -- Mandiant recommended updating vulnerable VPN systems as soon as possible. To date, many sites have already
rushed to patch the Heartbleed bug
, although some large vendors have yet to compile definitive lists of all products that are vulnerable or release-related patches.
According to a
DarkReading flash poll
, as of Friday, 60 percent of respondents said theyve installed Heartbleed fixes on servers, although only about 40 percent said theyd replace digital certificates, and just 30 percent planned to force users to change their passwords.
Mandiant also suggested reviewing logs for signs of previous intrusions, which could be indicated by any VPN session in which a sessions IP address changed rapidly between two IP addresses -- one of which might be legitimate, and the other controlled by an attacker. It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period.
Finally, Mandiant recommended businesses add IDS signatures designed to spot Heartbleed-related activity. But while such signatures may make VPN session token attacks easy to spot, they wont unearth all types of Heartbleed-related exploits. For example, the
Heartleech proof-of-concept attack software
posted to GitHub last week by Robert David Graham, CEO of Errata Security, is designed to evade detection by Snort IDS rules, while using an autopwn process to automate the process of stealing SSL keys.
Go away from your computer for many hours, and when you come back, youll have the key, Graham said.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Heartbleed Attack Targeted Enterprise VPN