Heartbleed Attacks Still Actively Targeting Vulnerable Servers, Says IBM


The Heartbleed bug, the open-source vulnerability believed to have been behind the breach that possibly leaked millions of records at Community Health Systems, is being actively targeted by criminals despite the widespread availability of patches for affected devices.

IBM’s managed security services arm witnesses about 7,000 attacks a day attempting to target the flawed OpenSSL encryption protocol implementation. The good news is that most network security appliances and antivirus products can detect and block the attacks, according to the IBM X-Force quarterly threat intelligence report, released this week.

When Heartbleed was disclosed in April, IBM said it saw attacks attempting to exploit the flaw peak at 300,000 in a 24-hour period on April 15, five days after the initial disclosure. OpenSSL was used in a wide variety of commercial and open-source Web servers, firewalls, routers and other networking gear. Vendors have provided patches, but IBM’s report found that 30 percent of potentially vulnerable servers remain unpatched.

“So far, the disclosure of the Heartbleed vulnerability in the OpenSSL library has been the biggest event to hit the security industry in 2014,” IBM said in its report. “The bug permitted unauthenticated access from servers and clients alike.”

Development of exploit code targeting the Heartbleed bug was easy, as evidenced by the release of the exploit code just a day after the disclosure, IBM said.

Solution providers tell CRN that they had initially been working with customers to identify systems that were potentially exposed to the bug. Some clients needed to deploy workarounds and notify customers and business partners to change their passwords, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group. Most businesses can detect attempts to exploit the flaw, he said. Once vendors issued updates, solution providers also helped test and deploy patches.

“I haven’t seen anyone get hit by it recently,” Flynn said. “This breach is a case where we see the attack works and it should be a wake-up call to organizations that may have not fully assessed their impact to it.”

Attackers exploited Heartbleed in the Community Health Systems breach, gaining access to internal systems and eventually to a server containing data on up to 4.5 million patients. The company acknowledged the breach last week, indicating that criminals accessed patient names, addresses, birth dates, Social Security numbers and, in some cases, telephone numbers and the names of employers or guarantors. Not all patients were affected by the security incident, it said.

The company was the target of a sophisticated attack originating from China and is working with law enforcement to investigate the incident, said Andi Bosshart, corporate compliance and privacy officer, in a message to customers on the company’s website. It has added audit and surveillance technology to detect unauthorized intrusions, adopted encryption, and is requiring users to change their access passwords, Bosshart said in the message.

PUBLISHED AUG. 26, 2014