Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions
After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.
In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can't specify what kind of data to obtain from the computer's memory or reliably get the same kind of information each time, the attack depends on luck and timing.
Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit.
Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”
The attack started on April 8 and the victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.
According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:
1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.
3. The timestamps associated with the IP address changes were often within one to two seconds of each other.
4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
Additional details and actionable advice are available from Mandiant.
The vulnerability is "catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”
While it's perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.
It's very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”
The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," an NSA spokeswoman said.