A targeted attack against an unnamed organization exploited the Heartbleed OpenSSL vulnerability to hijack web sessions conducted over a virtual private network connection.
Incident response and forensics firm Mandiant shared some details on a recent investigation of an incident that began April 8, one day after Heartbleed was publicly disclosed. Mandiant said the attackers exploited the security vulnerability in OpenSSL running in the client’s SSL VPN concentrator to remotely access active sessions.
This is just the latest in an escalating series of attacks leveraging Heartbleed, a bug in OpenSSL's heartbeat functionality that, if enabled, returns 64KB of memory in plaintext to any client or server requesting a connection. Already, there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough information to successfully reproduce a private SSL key.
Earlier this week, researchers in Sweden were able to exploit Heartbleed to extract private keys over OpenVPN, an open source VPN software package.
Mandiant said the attacker was able to steal active user session tokens in order to bypass the organization’s multifactor authentication and VPN client software used to validate the authenticity of systems connecting to network resources.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”
Since Heartbleed exploits return only 64KB of memory for each heartbeat request, attackers would need to replay an attack over and over to steal any worthwhile data. In this case, Mandiant said an IDS signature specifically written for Heartbleed triggered more than 17,000 alerts during the attack.
While heartbeat requests don't leave a trace on the server itself, Mandiant said it was able to find evidence of the attacks not only in the IDS alerts, but also in the company's VPN logs. Specifically, it said a malicious IP address triggered the IDS alerts as the attacker tried to reach the company's SSL VPN. The key evidence was in the VPN logs, which showed active VPN connections changing rapidly, sometimes within seconds of each other, between the attacker's IP address and the user's legitimate one; the two addresses were also geographically distant and belonged to different ISPs, Mandiant said. Mandiant said it was also able to correlate those IDS alerts with the connection changes in the VPN logs.
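The detection logic Mandiant describes, rapid source-IP changes within one VPN session between addresses on different ISPs, correlated with Heartbleed IDS alerts from the suspicious address, can be scripted. The following is an added example, not Mandiant's tooling or the victim organization's logs; the VPN and IDS log formats, the sample log lines, the IP addresses and the IP-to-ISP table are all constructed for the illustration.

```python
"""
Correlate SSL VPN session logs with Heartbleed IDS alerts.

Added illustration only (not Mandiant's code or the victim's data). It assumes
two hypothetical key=value log formats, constructed here:
  VPN:  "<ISO time> user=<name> session=<id> src=<ip> event=connect"
  IDS:  "<ISO time> sig=HEARTBLEED src=<ip> dst=<ip>"
and a hypothetical lookup table mapping client IPs to an ISP label.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN log: session S1 flips between two addresses within seconds,
# session S2 changes address once, an hour apart, on the same ISP (benign).
VPN_LOG = """\
2014-04-08T09:00:01Z user=alice session=S1 src=203.0.113.10 event=connect
2014-04-08T09:00:40Z user=alice session=S1 src=198.51.100.77 event=connect
2014-04-08T09:00:43Z user=alice session=S1 src=203.0.113.10 event=connect
2014-04-08T09:01:02Z user=alice session=S1 src=198.51.100.77 event=connect
2014-04-08T09:30:00Z user=bob session=S2 src=203.0.113.25 event=connect
2014-04-08T10:30:00Z user=bob session=S2 src=203.0.113.26 event=connect
"""

# Constructed IDS log: Heartbleed signature hits from one address shortly
# before the session flips begin.
IDS_LOG = """\
2014-04-08T08:58:00Z sig=HEARTBLEED src=198.51.100.77 dst=192.0.2.1
2014-04-08T08:58:01Z sig=HEARTBLEED src=198.51.100.77 dst=192.0.2.1
2014-04-08T08:59:50Z sig=HEARTBLEED src=198.51.100.77 dst=192.0.2.1
"""

# Hypothetical ISP attribution; in practice this would come from GeoIP/ASN data.
ISP_BY_IP = {
    "203.0.113.10": "CorpISP-Chicago",
    "203.0.113.25": "CorpISP-Chicago",
    "203.0.113.26": "CorpISP-Chicago",
    "198.51.100.77": "OtherISP-Overseas",
}

FLIP_WINDOW = timedelta(seconds=60)   # "within seconds of each other"


def parse_kv(line):
    """Parse '<ISO time> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_kv(l) for l in text.splitlines() if l.strip()]


def find_session_flips(vpn_records, window=FLIP_WINDOW):
    """Return (session, user, time, old_ip, new_ip) for every source-IP change
    inside one session that happens within `window` and crosses ISPs."""
    by_session = defaultdict(list)
    for r in vpn_records:
        if r.get("event") == "connect":
            by_session[r["session"]].append(r)
    flips = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            if prev["src"] == cur["src"]:
                continue
            if cur["ts"] - prev["ts"] > window:
                continue
            if ISP_BY_IP.get(prev["src"]) == ISP_BY_IP.get(cur["src"]):
                continue
            flips.append((sid, cur["user"], cur["ts"], prev["src"], cur["src"]))
    return flips


def correlate(flips, ids_records, lookback=timedelta(minutes=10)):
    """For each flip, count Heartbleed IDS alerts from either involved IP in the
    preceding `lookback` window. Returns {(session, suspect_ip): summary} for
    addresses that both took part in a flip and generated IDS alerts."""
    findings = {}
    for sid, user, t, old_ip, new_ip in flips:
        for ip in (old_ip, new_ip):
            n_alerts = sum(1 for a in ids_records
                           if a["src"] == ip and t - lookback <= a["ts"] <= t)
            if n_alerts == 0:
                continue
            f = findings.setdefault((sid, ip), {"user": user, "flips": 0, "alerts": 0})
            f["flips"] += 1
            f["alerts"] = max(f["alerts"], n_alerts)
    return findings


if __name__ == "__main__":
    flips = find_session_flips(parse_log(VPN_LOG))
    for (sid, ip), f in correlate(flips, parse_log(IDS_LOG)).items():
        print(f"session {sid} ({f['user']}): {f['flips']} IP flips involving {ip}, "
              f"{f['alerts']} Heartbleed IDS alerts from that address beforehand")
```

On the constructed data only session S1 is reported: its source address alternates between the two ISPs three times within about a minute, and the address it alternates to is the one the IDS saw sending Heartbleed probes minutes earlier. Session S2's single address change, an hour apart and within the same ISP, is ignored, which is the kind of benign roaming a rule keyed only on "IP changed" would flag.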
“Once connected to the VPN, the attacker attempted to move laterally and escalate their privileges with the Heartbleed bug,” Glyer and DiGiamo wrote.