Security Experts:

Hackers Exploited Heartbleed Bug to Steal 4.5 Million Patient Records: Report

Earlier this week, Community Health Systems, one of the largest hospital operators in the United States, announced that hackers managed to steal the records of 4.5 million patients.

FireEye-owned Mandiant, known for investigating high-profile breaches, was hired to investigate the incident and believes the attack was the work of a Chinese advanced persistent threat (APT) group.

While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.

Cupid

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”

While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Princial Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also founder of the Derbycon conference.

Analysis by SecurityWeek shows the claims made by TrustedSec match up well to previously shared details from an attack that SecurityWeek reported on earlier this year, which leveraged the Heartbleed bug to bypass two-factor authentication and hijack user sessions.

When asked by SecurityWeek if Heartbleed was exploited by attackers to infiltrate the hospital operator, a FireEye spokesperson would neither confirm nor deny the fact, only stating that the security company could not comment on how the adversaries breached the healthcare provider, as it is confidential information from the investigation.

With that said, there are a few reasons that show TrustedSec’s claims are likely correct, and that the Heartbleed vulnerability could very well have been used by attackers to compromise Community Health Systems.

In April 2014, SecurityWeek reported on details of an attack that leveraged the Heartbleed vulnerability against the VPN appliance of a Mandiant customer to hijack multiple active user sessions.

This is likely the attack that TrustedSec is referring to.

The attack started on April 8 and the victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek at the time.

In an 8-K filing with the U.S. Securities and Exchange Commission this week, Community Health Systems said it had been breached in April and then again in June by attackers using "highly sophisticated malware and technology."

The timing and descriptions of the two attacks match up perfectly.

Mandiant explained in its April disclosure that after connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization. This also matches up with the details that TrustedSec’s source offered up.

According to details of the attack shared by Mandiant in April, the following evidence proved the attacker had stolen legitimate user session tokens:

1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.

2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.

3. The timestamps associated with the IP address changes were often within one to two seconds of each other.

4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.

5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

While it could be purely circumstantial given that a majority of Mandiant’s clients are based in the U.S., as mentioned, a FireEye spokesperson did tell SecurityWeek that the victim was an organization located in the United States. Community Health Systems operates more than 200 hospitals across the United States.

Furthermore, TrustedSec mentioned that Community Health Systems used VPN appliances from Juniper Networks. This also makes sense, as it has been confirmed that multiple products from the networking firm, including some of its VPN offerings, were vulnerable to Heartbleed. Juniper was certainly not the VPN product affected by Heartbleed, however.

While the similarities between the previously described attack against Mandiant’s unnamed US-based customer in April match up well to information provided by Community Health Systems and TrustedSec, it may be purely happenstance, but the facts support claims that Heartbleed could have been what enabled attackers to run off with the personal information on 4.5 million individuals.

According to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, "Stolen keys" obtained via exploiting Heartbleed allow websites to be impersonated and traffic to be decrypted. “With thousands more applications from IBM, Juniper, Cisco, Symantec, McAfee, Intel and many, many more vulnerable to Heartbleed behind proxies and firewalls, the extent of the vulnerability left unremeditated is likely 100x larger than many think," Bocek told SecurityWeek in May.

The vulnerability is "catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it's perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It's very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”

The activities of the threat actors who attacked Community Health Systems appear to be well known by both Mandiant and the federal authorities who investigated the incident. The perpetrators are typically after intellectual property, such as medical device and equipment development data, investigators said.

This is the largest known data breach directly attrtibuted to Heartbleed. In early April, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers' data through an attack that exploited the Heartbleed bug.

According to a recent report from Websense, there has been a significant global spike in malicious activity attempted against hospitals since October 2013. August 2014 has seen a 600 percent increase in such activity compared to the average amount prior to October, according to the firm.

RelatedOrganizations Slow at Patching Heartbleed in VMware Deployments

RelatedHeartbleed Vulnerability Still Beating Strong

RelatedRecovering from Heartbleed: The Hard Work Lies Ahead

Additional Resources:

• Heartbleed Bug Advisory Whitepaper from Accuvant Labs (PDF)

• Is Your Enterprise Managing Certificates? Three Reasons It Should Be.

• Forrester Attacks On Trust Report