Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Heartbleed Attack Targeted Enterprise VPN

Attack spotted using the OpenSSL Heartbleed bug to steal session tokens and bypass two-factor authentication.

Now there's live proof the Heartbleed bug can be exploited, not just to steal private SSL keys stored on a server, but also to retrieve VPN session tokens.

Researchers at Mandiant -- now part of threat intelligence firm FireEye -- on Friday revealed that they spotted a successful VPN-targeting attack that began April 8. That was just one day after OpenSSL issued a public security advisory about a "TLS heartbeat read overrun" in its open-source SSL and TLS implementation. 

The flaw, later dubbed "Heartbleed," was quickly tapped by a VPN-targeting attacker. "The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," said Mandiant technical director Christopher Glyer and senior consultant Chris DiGiamo in a blog post. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

The researchers declined to name the organization that was targeted, but said the attacker's aims didn't appear to be academic. "Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization," they said.

But many businesses might not know that attackers could exploit Heartbleed to grab legitimate VPN session tokens, which also allowed the attacker to bypass the organization's two-factor authentication system, as well as a check -- built into the VPN client software -- meant to ensure that prescribed security software was running on the client. "To date, much of the discussion on the Internet has focused on an attacker using the vulnerability to steal private keys from a Web server, and less on the potential for session hijacking," the Mandiant researchers said. 

Even so, a related warning was sounded April 8, when the first proof-of-concept exploit for stealing private SSL keys via the Heartbleed bug was published -- in the form of a Python script -- which led Web application penetration tester Matthew Sullivan to warn about the potential for session-token-stealing attacks to occur. "The currently available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack of a logged-in user," he said in a blog post.

Such an attack, Sullivan added, could also bypass the need for an attacker to provide authentication credentials, and could be used against "any Web service that uses cookies to track the session state -- almost every site on the Internet." Furthermore, related attacks might be tough to spot. "The only way to detect this type of attack is to check the source IPs of traffic for each and every request." 

In the case of the VPN exploit detailed by Mandiant, the intrusion apparently came to light after the targeted organization added intrusion detection system (IDS) signatures designed to spot signs of Heartbleed-related exploits on the network. Mandiant said it later verified the intrusion by reviewing both IDS signatures and VPN logs.

With the right IDS signatures in place, this intrusion was apparently tough to miss, with Mandiant noting that the organization's related IDS signature "alerted over 17,000 times during the intrusion," with all alerts pointing to its internal SSL VPN appliance. As that suggests, exploiting the Heartbleed bug to retrieve a legitimate session token or private key may require an extended effort that takes hours to unfold. "In our experience, an attacker will likely send hundreds of attempts because the vulnerability only exposes up to 64KB of data from a random section of memory," said Mandiant.

To guard against Heartbleed attacks -- against VPN systems or otherwise -- Mandiant recommended updating vulnerable VPN systems as soon as possible. To date, many sites have already rushed to patch the Heartbleed bug, although some large vendors have yet to compile definitive lists of all products that are vulnerable or release-related patches.

According to a DarkReading flash poll, as of Friday, 60 percent of respondents said they've installed Heartbleed fixes on servers, although only about 40 percent said they'd replace digital certificates, and just 30 percent planned to force users to change their passwords.

Mandiant also suggested reviewing logs for signs of previous intrusions, which could be indicated by any VPN session in which a session's IP address changed rapidly between two IP addresses -- one of which might be legitimate, and the other controlled by an attacker. "It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period."

Finally, Mandiant recommended businesses add IDS signatures designed to spot Heartbleed-related activity. But while such signatures may make VPN session token attacks easy to spot, they won't unearth all types of Heartbleed-related exploits. For example, the "Heartleech" proof-of-concept attack software posted to GitHub last week by Robert David Graham, CEO of Errata Security, is designed to evade detection by Snort IDS rules, while using an "autopwn" process to automate the process of stealing SSL keys. 

"Go away from your computer for many hours, and when you come back, you'll have the key," Graham said. 

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
andymuz
50%
50%
andymuz,
User Rank: Apprentice
4/3/2020 | 11:38:43 AM
Re: Bigger Heartbleed problem

This is a really useful article on VPNs. I have recently come across a site that has lots of VPN Reviews https://www.comparemyvpn.com as well as the latest deals offers and VPN advice.

Kevinsk
50%
50%
Kevinsk,
User Rank: Apprentice
10/27/2018 | 5:21:10 PM
Re: get the best vpn service with waselpro
What do you think about proxy sites instead of using VPN app or software?
JeffreyNarcor
50%
50%
JeffreyNarcor,
User Rank: Apprentice
3/23/2017 | 12:23:45 PM
Re: Bigger Heartbleed problem
Hello,

You could be using IPSec in order to solve this issue or use a VPN that runs a fixed version of Open VPN.

You can read about it : https://anonymster.com/what-best-vpn-protocol/

 
JessicaP494
50%
50%
JessicaP494,
User Rank: Apprentice
7/6/2014 | 1:42:27 AM
get the best vpn service with waselpro
you can surf the internet and blocked websites verey easy with waselprovpn service , you can speed up ypur internet programs , change and hide your ip address , secure your use on the internet , the program work on computers and all kind of mobile devices ,

http://www.bestcheapvpnservice.com/cheap-vpn-solution-for-small-business/
AaronB062
50%
50%
AaronB062,
User Rank: Apprentice
4/25/2014 | 4:16:29 PM
Heartbleed is bad, but session hijacking is not new
Session hijacking is not a new risk, but it is somewhat of a sleeper. It's not likely something that is at the top of the agenda for every organization's security update meeting – but it should be.  In fact, OWASP puts session management collectively with authentication management and lists them as No. 2 in the top 10 vulnerabilities from 2013.  We have been concerned about this vulnerability and have worked with our customers on session management and protection against session hijacking and replay.
AmmarNaeem
50%
50%
AmmarNaeem,
User Rank: Strategist
4/22/2014 | 5:36:24 AM
Re: Bigger Heartbleed problem
The Heartbleed bug is making headlines people!

CNN Money reported yesterday that a teenager (19 year old) was able to exploit the Heartbleed bug to hack into Canada's tax agency, the Canada Revenue Agency.

Major websites like Facebook and Tumblr have applied the necessary patches but mobile devices (smartphones) still remain unsafe. Android and iOS users can secure online privacy and internet freedom (until the patches/upgrades come out) by using VPNs to tunnel and encrypt their data. Heartbleed is Causing Damage & You Need to Protect Yourself.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/21/2014 | 1:33:43 PM
Bigger Heartbleed problem
This is exactly what experts have been worried about--cyberspies or cybercriminals using Heartbleed for targeted attacks against an organization via their OpenSSL-based VPN. This and Heartbleed attacks against internal SSL servers are perhaps the most devastating possible outcomes.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...