Heartbleed Vulnerability Not Targeted by Attackers Prior to Disclosure: Researchers

A team of researchers say they believe the infamous Heartbleed bug was not the target of widespread attacks before it was publicly disclosed in April.

In a paper titled ‘The Matter of Heartbleed’, researchers from the University of Illinois; University of Michigan; Purdue University; University of California, Berkeley; EECS and the International Computer Science Institute examined the impact of the Heartbleed vulnerability. The bug, since patched, existed in the implementation of the Heartbeat extension in certain versions of OpenSSL, and allowed attackers to read sensitive memory from vulnerable servers.

While Heartbleed may be well-known to both attackers and the OpenSSL user community today, the researchers found no evidence the bug was being exploited before it was revealed publicly five months ago.

“We investigated the attack landscape, finding no evidence of large-scale attacks prior to the public disclosure, but vulnerability scans began within 22 hours,” according to the paper. “We observed post-disclosure attackers employing several distinct types of attacks from 692 sources, many coming from Amazon EC2 and Chinese ASes [autonomous systems].”

What the researchers did find was a mixed bag in terms of responses by affected organizations. Their investigation revealed that within the first 24 hours, all but five of the Alexa Top 100 sites were patched, and that within 48 hours all of the vulnerable hosts in the top 500 were patched.

“While popular sites responded quickly, we observe that patching plateaued after about two weeks, and [three percent] of HTTPS sites in the Alexa Top 1 Million remained vulnerable almost two months after disclosure,” the researchers wrote.

The researchers tested for the Heartbleed bug by modifying the ZMap tool to send Heartbeat requests with no payload or padding and with the length field set to zero. The vulnerable versions of OpenSSL sent a response containing only padding instead of dropping the request as they should.

“In addition to tracking vulnerable servers, we analyzed who was scanning for the Heartbleed vulnerability by examining network traffic collected from passive taps at Lawrence Berkeley National Laboratory (LBNL), the International Computer Science Institute (ICSI), and the National Energy Research Scientific Computing Center (NERSC), as well as a honeypot operated by a colleague on Amazon EC2,” according to the paper.

“LBNL’s network spans two /16s, one /20 and one /21,” according to the paper. “The institute frequently retains extensive packet traces for forensic purposes, and for our purposes had full traces available from February–March 2012, February–March 2013, and January 23–April 30 2014. ICSI uses a /23 network, for which we had access to 30-days of full traces from April 2014. NERSC has a /16 network, for which we analyzed traces from February to April 2014. The EC2 honeypot provided full packet traces starting in November 2013.”

An examination of all four networks found no evidence of any exploit attempts up through April 7, 2014.

“The first activity we observed originated from a host at the University of Latvia on April 8, starting at 15:18 UTC (21 hours 29 minutes after public disclosure), targeting 13 hosts at LBNL,” according to the researchers. “This first attack was unusual in that it sent both unencrypted (pre-handshake) and encrypted (post-handshake) Heartbleed exploit packets to each host, likely trying to gauge the effectiveness of both approaches. We observed scanning of the other two networks within a few more hours.”

In total, the team observed 5,948 attempts to exploit the vulnerability from 692 distinct hosts. These connections targeted a total of 217 hosts, and seven attackers successfully completed 103 exploit attempts against 12 distinct hosts, excluding the intentionally vulnerable honeypot.
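For defenders reviewing their own packet captures, the sketch below separates the zero-length scan probe described above from Heartbeat requests whose declared payload length exceeds what the record carries. It is an added example, not code from the paper or from ZMap. It assumes the RFC 6520 message layout and cleartext (pre-handshake) records only, since encrypted Heartbeat messages cannot be inspected this way; the function names and sample records are constructed for illustration.

```python
import struct
from collections import Counter

HEARTBEAT = 24        # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST = 1        # HeartbeatMessage type: request
MIN_PADDING = 16      # RFC 6520: at least 16 bytes of padding

def classify_heartbeat(record: bytes) -> str:
    """Classify one cleartext TLS record by its Heartbeat framing."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if rec_len < 3 or len(body) < rec_len:
        return "truncated"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return "not-request"
    present = rec_len - 3          # bytes actually sent after type + length
    if declared == 0 and present == 0:
        return "zero-length-probe"        # the scan described in the article
    if declared > present:
        return "length-exceeds-record"    # claims more payload than was sent
    if declared + MIN_PADDING > present:
        return "short-padding"            # malformed; RFC 6520 says discard
    return "well-formed"

def summarize(records) -> Counter:
    """Count classifications across an iterable of raw records."""
    return Counter(classify_heartbeat(r) for r in records)

def _record(hb_body: bytes) -> bytes:
    # Helper for the constructed samples: wrap a body in a TLS 1.1 record header.
    return struct.pack("!BHH", HEARTBEAT, 0x0302, len(hb_body)) + hb_body

# Constructed sample records (not captured traffic).
SAMPLES = [
    _record(struct.pack("!BH", HB_REQUEST, 0)),                        # probe
    _record(struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(16)),  # valid
    _record(struct.pack("!BH", HB_REQUEST, 64)),                       # mismatch
    _record(struct.pack("!BH", HB_REQUEST, 4) + b"ping"),              # no padding
    b"\x16\x03\x02\x00\x01\x00",                                       # handshake
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLES).items()):
        print(f"{label}: {n}")
```

A patched server discards every request except the one classified as well-formed, so any response to the other request shapes is itself a finding.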

The full paper can be read here.
