A team of researchers say they believe the infamous Heartbleed bug was not the target of widespread attacks before it was publicly disclosed in April.
In a paper titled ‘The Matter of Heartbleed’, researchers from the University of Illinois; the University of Michigan; Purdue University; the University of California, Berkeley; EECS and the International Computer Science Institute examined the impact of the Heartbleed vulnerability. The bug, since patched, existed in the implementation of the Heartbeat extension in certain versions of OpenSSL, and allowed attackers to read sensitive memory from vulnerable servers.
While Heartbleed may be well-known to both attackers and the OpenSSL user community today, the researchers found no evidence the bug was being exploited before it was revealed publicly five months ago.
“We investigated the attack landscape, finding no evidence of large-scale attacks prior to the public disclosure, but vulnerability scans began within 22 hours,” according to the paper. “We observed post-disclosure attackers employing several distinct types of attacks from 692 sources, many coming from Amazon EC2 and Chinese ASes [autonomous systems].”
What the researchers did find was a mixed bag in terms of responses by affected organizations. Their investigation revealed that within the first 24 hours, all but five of the Alexa Top 100 sites were patched, and that within 48 hours all of the vulnerable hosts in the top 500 were patched.
“While popular sites responded quickly, we observe that patching plateaued after about two weeks, and [three percent] of HTTPS sites in the Alexa Top 1 Million remained vulnerable almost two months after disclosure,” the researchers wrote.
The researchers tested for the Heartbleed bug by modifying the ZMap tool to send Heartbeat requests with no payload or padding and with the length field set to zero. Vulnerable versions of OpenSSL answered such a request with a response containing only padding, whereas a correctly implemented server silently drops the malformed request. Because the request declares a length of zero, the check does not cause the server to leak any memory.
“In addition to tracking vulnerable servers, we analyzed who was scanning for the Heartbleed vulnerability by examining network traffic collected from passive taps at Lawrence Berkeley National Laboratory (LBNL), the International Computer Science Institute (ICSI), and the National Energy Research Scientific Computing Center (NERSC), as well as a honeypot operated by a colleague on Amazon EC2,” according to the paper.
“LBNL’s network spans two /16s, one /20 and one /21,” according to the paper. “The institute frequently retains extensive packet traces for forensic purposes, and for our purposes had full traces available from February–March 2012, February–March 2013, and January 23–April 30, 2014. ICSI uses a /23 network, for which we had access to 30 days of full traces from April 2014. NERSC has a /16 network, for which we analyzed traces from February to April 2014. The EC2 honeypot provided full packet traces starting in November 2013.”
An examination of all four networks found no evidence of any exploit attempts up through April 7, 2014.
“The first activity we observed originated from a host at the University of Latvia on April 8, starting at 15:18 UTC (21 hours 29 minutes after public disclosure), targeting 13 hosts at LBNL,” according to the researchers. “This first attack was unusual in that it sent both unencrypted (pre-handshake) and encrypted (post-handshake) Heartbleed exploit packets to each host, likely trying to gauge the effectiveness of both approaches. We observed scanning of the other two networks within a few more hours.”
In total, the team observed 5,948 attempts to exploit the vulnerability from 692 distinct hosts. These connections targeted a total of 217 hosts, and seven attackers successfully completed 103 exploit attempts against 12 distinct hosts, excluding the intentionally vulnerable honeypot.
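The two technical pieces above, the zero-length Heartbeat check the researchers ran with ZMap and the classification of Heartbeat traffic seen on the passive taps, come down to the TLS record and Heartbeat message layout from RFC 6520. The following is an added example written for this article, not code from the paper or from ZMap: it builds the non-leaking probe, interprets a server's reply to it, and labels Heartbeat requests captured on a tap; the function names and the byte strings in the test are constructed here.

```python
import struct
HEARTBEAT = 24        # TLS content type for the Heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16          # RFC 6520 requires at least 16 bytes of padding after the payload

def tls_record(content_type, body, version=(3, 1)):
    """Wrap a body in a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body

def zero_length_probe():
    """The paper's non-leaking check: length field 0, no payload, no padding."""
    return tls_record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0))

def parse_record(data):
    """Split one TLS record into (content_type, body); reject truncated input."""
    if len(data) < 5:
        raise ValueError("record shorter than header")
    content_type, _, _, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return content_type, body

def classify_request(record):
    """Label a heartbeat request captured on a passive tap."""
    content_type, body = parse_record(record)
    if content_type != HEARTBEAT or len(body) < 3:
        return "not-heartbeat"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return "not-request"
    actual = len(body) - 3                      # bytes actually sent after the 3-byte header
    if declared == 0 and actual == 0:
        return "zero-length-probe"              # the scan the researchers ran
    if declared + PADDING > actual:
        return "overread-attempt"               # declared length exceeds what was sent
    return "benign"

def probe_verdict(response):
    """Interpret the reply to zero_length_probe(): fixed OpenSSL silently drops the
    malformed request; a vulnerable build answers with declared length 0 plus padding."""
    if response is None:
        return "patched"
    content_type, body = parse_record(response)
    if content_type == HEARTBEAT and len(body) >= 3:
        hb_type, declared = struct.unpack("!BH", body[:3])
        if hb_type == HB_RESPONSE and declared == 0 and len(body) - 3 >= PADDING:
            return "vulnerable"
    return "patched"
```

The same length-versus-declared comparison in classify_request is what a passive monitor on a tap like LBNL's would apply to every Heartbeat record to separate the researchers' probe from exploitation attempts.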
The full paper can be read here.