Attackers have developed a way to exploit Heartbleed in an SSL VPN, bypassing multifactor authentication to gain remote access to an organization's internal network, according to researchers at security firm Mandiant, the consulting and incident response arm of network security vendor FireEye.
In a blog post Friday describing the latest Heartbleed attack, Mandiant said the intrusion took place April 8, shortly after the disclosure of the OpenSSL vulnerability. An attacker exploited the weakness in a VPN appliance and hijacked multiple active user sessions, said Christopher Glyer and Chris DiGiamo, two Mandiant researchers analyzing the risk.
"The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software," the researchers said.
The researchers said the attack involved sending repeated malformed heartbeat requests to the Web server running on the VPN device. The attacker was able to obtain active session tokens for authenticated users. Gaining the tokens made the attacker appear legitimate to the VPN appliance and gave the attacker the ability to move laterally to more sensitive systems on the network, according to the researchers.
Solution providers tell CRN that significant effort has gone into scanning for and identifying Web servers that are exposed to the Heartbleed bug. Other network devices, including SSL VPN appliances, could have fallen lower on the priority list at some organizations, they said. The attack highlights a serious issue that IT teams need to assess quickly, said Justin Kallhoff, CEO of Lincoln, Neb.-based network security systems integrator Infogressive.
"It's a potential complete nightmare for anyone with a commercial SSL VPN that has the OpenSSL vulnerability," Kallhoff said. "It would open up enterprises of many sizes to a non-authenticated attacker getting logged into the SSL VPN, and bypassing multifactor is an even bigger problem."
Attacks have been difficult for IT teams to detect. According to Mandiant, the VPN exploit method was identified and confirmed by analyzing IDS signatures and VPN logs. The IDS appliance alerted more than 17,000 times to the attack.
Mandiant is recommending that organizations check whether their VPN appliance software contains the Heartbleed flaw, deploy IDS signatures to identify attacks, and review VPN logs for repeated source IP address changes during a single session. Look for "addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period," Mandiant said.
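The log review Mandiant describes can be scripted. The following is an added example, not code from Mandiant or the article: it assumes a simple, constructed VPN session log format (timestamp, session id, user, source IP) and flags sessions whose source address moves between network blocks or changes again within a short window. It does not check geography or service provider, which would need an offline GeoIP/ASN database.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real appliance):
# "<ISO timestamp> session=<id> user=<name> src=<ip>"
SAMPLE_LOG = """\
2014-04-08T10:00:00 session=a1 user=alice src=203.0.113.10
2014-04-08T10:05:00 session=a1 user=alice src=203.0.113.10
2014-04-08T10:05:30 session=a1 user=alice src=198.51.100.77
2014-04-08T10:06:00 session=a1 user=alice src=203.0.113.10
2014-04-08T11:00:00 session=b2 user=bob src=192.0.2.5
2014-04-08T11:30:00 session=b2 user=bob src=192.0.2.5
2014-04-08T12:00:00 session=c3 user=carol src=192.0.2.40
2014-04-08T13:00:00 session=c3 user=carol src=192.0.2.41
"""

def parse_line(line):
    """Split one log line into (timestamp, session id, user, source address)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["session"], kv["user"], ipaddress.ip_address(kv["src"])

def find_suspicious_sessions(log_text, prefix_len=24, window=timedelta(minutes=10)):
    """Return {session_id: [reasons]} for sessions whose source address changed
    to a different /prefix_len block, or changed again within `window`.
    A hijacked session shows the legitimate user's address interleaved with
    the attacker's; a benign roaming client typically stays in one block."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sid, user, ip = parse_line(line)
            events[sid].append((ts, user, ip))
    findings = {}
    for sid, rows in events.items():
        rows.sort()  # order events by timestamp within the session
        reasons = []
        for (t0, _, ip0), (t1, _, ip1) in zip(rows, rows[1:]):
            if ip0 == ip1:
                continue
            b0 = ipaddress.ip_network(f"{ip0}/{prefix_len}", strict=False)
            b1 = ipaddress.ip_network(f"{ip1}/{prefix_len}", strict=False)
            if b0 != b1:
                reasons.append(f"block change {b0} -> {b1} at {t1.isoformat()}")
            if t1 - t0 <= window:
                reasons.append(f"rapid change {ip0} -> {ip1} within {t1 - t0}")
        if reasons:
            findings[sid] = reasons
    return findings
```

Session a1 is flagged (address flips between two blocks within a minute), while b2 and c3 are not; tune `prefix_len` and `window` to the organization's normal client behaviour.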
Successful attacks against vulnerable Web servers have been well documented. It took attackers about nine hours to exploit Heartbleed and get private SSL keys, according to a test conducted last week by website security vendor CloudFlare. Meanwhile, the Canada Revenue Agency is dealing with the fallout of a Heartbleed attack that exposed information on 900 Canadian taxpayers. It was the first serious data breach associated with the OpenSSL vulnerability.
PUBLISHED APRIL 18, 2014