Update: The Heartbleed OpenSSL vulnerability is now the centerpiece of the Community Health Systems data breach.
Dave Kennedy, CEO of security consultancy TrustedSec, said yesterday that three sources close to the CHS investigation told him that a Heartbleed exploit was the hackers’ initial way in and led ultimately to the theft of credentials and personal information belonging to 4.5 million patients.
“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” Kennedy wrote in a blog post.
Kennedy said the attackers found a Juniper device still vulnerable to Heartbleed and were able to steal credentials from its memory and use them to access the Community Health Systems network through a virtual private network.
Once in, the attackers were able to pivot from one network resource to another until they landed on the patient records stored in a database, Kennedy said.
“This is no surprise as when given internal access to any computer network, it is virtually a 100 percent success rate at breaking into systems and furthering access,” Kennedy said.
Community Health Systems said in an SEC 8-K filing this week that hackers accessed the health care network in April and again in June. CHS said it was working with law enforcement and had hired forensics firm Mandiant to handle the internal investigation and remediation. Mandiant’s report pinned the attack on an APT group from China it calls APT 18, also known as Dynamite Panda by security firm CrowdStrike.
Heartbleed was disclosed on April 7, and Juniper issued new releases and updates on April 8, 9 and 11. Heartbleed is the nickname for a vulnerability in the OpenSSL heartbeat functionality that returned 64KB of memory in plaintext to any client or server that sent a crafted heartbeat request. Exploits were quickly developed that repeated the request over and over until enough data had been gleaned from memory to piece together credentials or even private SSL keys.
“The time between 0-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organization where monitoring and detection become essential elements of its security program,” Kennedy said. “Having the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly. What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.”
On April 18, Mandiant reported that one of its customers was victimized in a targeted attack starting on April 8 when hackers exploited Heartbleed to hijack web sessions over a VPN connection. The hackers were able to remotely access active sessions by stealing active user session tokens in order to bypass two-factor authentication.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”
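The mechanism described above (a heartbeat request whose declared payload length is larger than the data it actually carries, answered with up to 64KB of process memory) comes down to a single missing bounds check. The following added example, which is not code from Threatpost, TrustedSec or Mandiant, shows the RFC 6520 length check that the patched OpenSSL enforces, applied as a defender's detection pass over a small constructed capture of TLS records. The record and fragment layouts follow RFC 5246 and RFC 6520; the sample records, the `build_record` helper and the verdict strings are assumptions made for this example.

```python
import struct

# TLS record content type for the heartbeat extension (RFC 6520).
HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding
MAX_PAYLOAD = 0xFFFF      # 16-bit length field, hence the 64KB per request


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds captured bytes")
    return content_type, version, fragment


def check_heartbeat(fragment: bytes) -> str:
    """Apply the RFC 6520 bounds check to one heartbeat fragment.

    This is the check the patched OpenSSL performs before copying
    payload_length bytes into its response. An unpatched build trusted the
    declared length and copied that many bytes of whatever lay in memory.
    """
    if len(fragment) < 3:
        return "malformed: heartbeat header shorter than 3 bytes"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"malformed: unknown heartbeat type {hb_type}"
    actual = len(fragment) - 3
    # type(1) + length(2) + payload + padding(16) must fit inside the record.
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        return (f"malformed: declares {payload_len} payload bytes, "
                f"record carries {actual}")
    return "ok"


def scan_records(records):
    """Return [(index, verdict)] for every heartbeat record in a capture."""
    findings = []
    for i, rec in enumerate(records):
        content_type, _, fragment = parse_tls_record(rec)
        if content_type != HEARTBEAT_CONTENT_TYPE:
            continue
        findings.append((i, check_heartbeat(fragment)))
    return findings


def build_record(content_type: int, fragment: bytes, version=0x0302) -> bytes:
    """Wrap a fragment in a TLS 1.1 record header (constructed test data)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


# Constructed sample capture: a well-formed heartbeat request, an application
# data record, and a heartbeat that declares far more payload than it carries.
BENIGN_HEARTBEAT = build_record(
    HEARTBEAT_CONTENT_TYPE,
    struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING))
APP_DATA = build_record(0x17, b"\xde\xad\xbe\xef")
OVERSIZED_HEARTBEAT = build_record(
    HEARTBEAT_CONTENT_TYPE, struct.pack("!BH", HB_REQUEST, MAX_PAYLOAD))
SAMPLE_CAPTURE = [BENIGN_HEARTBEAT, APP_DATA, OVERSIZED_HEARTBEAT]

if __name__ == "__main__":
    for idx, verdict in scan_records(SAMPLE_CAPTURE):
        print(f"record {idx}: {verdict}")
```

The same check is what a network sensor would apply to plaintext heartbeat records: the vulnerable server answered with the declared number of bytes, so a request that fails `check_heartbeat` and a response far larger than the request are the observable signs Kennedy's remarks on monitoring and detection refer to. Because the heartbeat layer sits inside the TLS record, this only works where the sensor sees records before encryption, or on the device itself; after the fix the server silently discards such a request instead of answering it.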
It is unknown whether Community Health Systems is the unnamed Mandiant customer, but the timing and similar circumstances do make for an interesting coincidence.
If true, this is the first major breach reported to have exploited Heartbleed. The Chinese attackers implicated by Mandiant generally target aerospace, defense and other industry verticals including health care, Mandiant managing director Charles Carmakal told Threatpost. APT gangs, however, generally chase intellectual property rather than personal data such as Social Security numbers and personal information.
A Mandiant spokesperson said today the company could not comment on the TrustedSec report.
Community Health Systems said the data lost in the breach included non-medical patient identification data related to its physician practice operations. The 4.5 million victims were patients who were referred to or received services from physicians tied to Community Health Systems, the company said in its SEC filing. No credit card, medical or clinical information was lost, the company said, adding that the data is considered protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires breach victims to notify affected patients; the company said it carries cyber and privacy liability insurance protecting it from losses.
While the loss of patient data is significant, experts speculate the hackers may have been after intellectual property tied to medical device development. Hospital networks have also been under intense scrutiny from the security research community.
This article was updated Aug. 25 with clarification from Juniper that it patched Heartbleed within a day of its disclosure.