There have been successful attacks exploiting the Heartbleed bug, researchers said.
One particular attack involved the exploitation of the Heartbleed vulnerability in an SSL VPN concentrator, a device that terminates a large number of incoming VPN tunnels, said researchers at security firm Mandiant in a blog post.
“Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” said researchers Christopher Glyer and Chris DiGiamo in the blog.
“With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”
The researchers attributed the intrusion to Heartbleed because the victim organization had deployed a set of IDS signatures for Heartbleed network activity, and those signatures fired more than 17,000 times. The VPN logs also showed the connections of multiple users rapidly “flip flopping” between each user’s own IP address and malicious IP addresses tied to different ISPs.
The researchers detected the intrusion in its later stages, when the attacker was trying to “move laterally and escalate his/her privileges within the victim organization.”
The researchers have several recommendations for organizations worried about being hit with this type of exploit: patch or upgrade the affected infrastructure (and, since the attack rides on session tokens that were already captured, treat sessions that were active on an unpatched device as exposed), implement appropriate network intrusion detection signatures to spot the attacks, and review VPN logs “for instances where the IP address of a session changed quickly and repeatedly between two IP addresses from different network blocks, geographic locations, or from different service providers.”
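As an added illustration of the log-review recommendation above (example code written for this article, not Mandiant’s own tooling), the script below scans VPN session records and flags any session whose client address alternates repeatedly, within a short window, between addresses that sit in different network blocks. The log lines and their field layout are constructed for the example and do not match any particular appliance; the window, flip count and /24 block size are assumed thresholds a practitioner would tune. Addresses that change only within the same block (for instance a NAT pool) are deliberately not counted.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a hypothetical "key=value" VPN log format
# (an assumption for this example, not the format of any real product).
# Session S1 alternates between two addresses in different /24 blocks;
# S2 is stable; S3 alternates only within one /24 (e.g. a NAT pool).
SAMPLE_LOG = """\
2014-04-08T09:00:01Z user=alice session=S1 src=198.51.100.23
2014-04-08T09:00:40Z user=alice session=S1 src=203.0.113.77
2014-04-08T09:01:05Z user=alice session=S1 src=198.51.100.23
2014-04-08T09:01:30Z user=alice session=S1 src=203.0.113.77
2014-04-08T09:02:02Z user=alice session=S1 src=198.51.100.23
2014-04-08T09:00:10Z user=bob session=S2 src=192.0.2.10
2014-04-08T09:05:00Z user=bob session=S2 src=192.0.2.10
2014-04-08T09:00:15Z user=carol session=S3 src=192.0.2.50
2014-04-08T09:00:45Z user=carol session=S3 src=192.0.2.51
2014-04-08T09:01:15Z user=carol session=S3 src=192.0.2.50
2014-04-08T09:01:45Z user=carol session=S3 src=192.0.2.51
2014-04-08T09:02:15Z user=carol session=S3 src=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "session": m["session"],
            "src": m["src"],
        })
    return events


def same_block(a, b, prefix):
    """True when both addresses fall inside the same /prefix network."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


def find_flip_flops(events, window_seconds=300, min_flips=3, prefix=24):
    """Return sessions whose client address changed between different
    network blocks at least min_flips times inside any window_seconds span."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = {}
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # A "flip" is a change of source address across block boundaries.
        flip_times = [
            cur["ts"]
            for prev, cur in zip(evs, evs[1:])
            if prev["src"] != cur["src"]
            and not same_block(prev["src"], cur["src"], prefix)
        ]
        # Sliding window over flip timestamps: largest count within the window.
        max_in_window, start = 0, 0
        for end, t in enumerate(flip_times):
            while (t - flip_times[start]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= min_flips:
            findings[session] = {
                "user": evs[0]["user"],
                "addresses": sorted({e["src"] for e in evs}),
                "flips_in_window": max_in_window,
            }
    return findings


if __name__ == "__main__":
    for session, info in find_flip_flops(parse_log(SAMPLE_LOG)).items():
        print(f"{session} ({info['user']}): {info['flips_in_window']} block "
              f"changes within 5 min across {info['addresses']}")
```

On the constructed input only S1 is reported. Enriching each address with ASN or geolocation data (not done here, so the check runs offline) would let the same sliding window also catch the “different service providers” and “geographic locations” cases the researchers describe.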