Mandiant Researchers: Heartbleed Attack Bypasses Multifactor Authentication, Hijacks VPN Sessions

Attackers have developed a way to exploit Heartbleed in an SSL VPN, bypassing multifactor authentication to gain remote access to an organization's internal network, according to researchers at security firm Mandiant, the consulting and incident response arm of network security vendor FireEye.

In a blog post Friday describing the latest Hearbleed attack, Mandiant said it took place April 8 following the disclosure of the OpenSSL vulnerability. An attacker exploited the weakness in a VPN appliance and hijacked multiple active user sessions, said Christopher Glyer and Chris DiGiamo, two Mandiant researchers analyzing the risk.

"The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software," the researchers said.

[Related: Love Hurts: 12 Networking Vendors Hit By Heartbleed ]

The researchers said the attack involved sending repeated malformed heartbeat requests to the Web server running on the VPN device. The attacker was able to obtain active session tokens for authenticated users. Gaining the tokens made the attacker appear legitimate to the VPN appliance and gave the attacker the ability to move laterally to more sensitive systems on the network, according to the researchers.

Solution providers tell CRN that there has been significant effort undertaken in scanning and identifying Web servers that are open to the Heartbleed bug. Other network devices, including SSL VPN appliances, could have fallen lower on the priority list at some organizations, they said. The attack highlights a serious issue that needs to be quickly assessed by IT teams, said Justin Kallhoff, CEO of Lincoln, Neb.-based network security systems integrator Infogressive.

"It's a potential complete nightmare for anyone with a commercial SSL VPN that has the OpenSSL vulnerability," Kallhoff said. "It would open up enterprises of many sizes to a non-authenticated attacker getting logged into the SSL VPN, and bypassing multifactor is an even bigger problem."

Attacks have been difficult for IT teams to detect. According to Mandiant, the VPN exploit method was identified and confirmed by analyzing IDS signatures and VPN logs. The IDS appliance alerted more than 17,000 times to the attack.

Mandiant is recommending organizations check whether their VPN appliance software contains the Heartbleed flaw, implement IDS signatures to identify attacks, and look back on VPN logs to identify repeated IP address changes during a session. Look for "addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period," Mandiant said.

Successful attacks against vulnerable Web servers have been well documented. It took attackers about nine hours to exploit Heartbleed and get private SSL keys, according to a test conducted last week by website security vendor CloudFlare. Meanwhile, the Canada Revenue Agency is dealing with the fallout of a Heartbleed attack that exposed information on 900 Canadian taxpayers. It was the first serious data breach associated with the OpenSSL vulnerability.

PUBLISHED APRIL 18, 2014