Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions
After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.
In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.
Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit.
Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”
The attack started on April 8 and the victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.
According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:
1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.
3. The timestamps associated with the IP address changes were often within one to two seconds of each other.
4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
Additional details and actionable advice are available from Mandiant.
The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”
While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.
It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”
The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.
Earlier this week, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers’ data through an attack that exploited the Heartbleed bug.
Additional Resources:
• Is Your Enterprise Managing Certificates? Three Reasons It Should Be.
• Forrester Attacks On Trust Report

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Check Point to Acquire SASE Security Firm Perimeter 81 for $490 Million
- Rapid7 Announces Layoffs, Office Closings Under Restructuring Plan
- Horizon3 AI Raises $40 Million to Expand Automated Pentesting Platform
- Watch Now: Cloud & Data Security Summit Sessions
- Watch on Demand: 2023 CISO Forum Sessions
- Virtual Event Today: CISO Forum 2023 – Register to Join
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
Latest News
- Motel One Discloses Ransomware Attack Impacting Customer Data
- Android’s October 2023 Security Updates Patch Two Exploited Vulnerabilities
- Cybersecurity M&A Roundup: 28 Deals Announced in September 2023
- Companies Address Impact of Exploited Libwebp Vulnerability
- Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw
- European Telecommunications Standards Institute Discloses Data Breach
- Number of Internet-Exposed ICS Drops Below 100,000: Report
- Johnson Controls Ransomware Attack Could Impact DHS
