Experts have discovered another confirmed instance of cybercriminals using the Heartbleed bug. But this case was different: the vulnerable code lives in appliance firmware that has to be replaced rather than updated, and the bug was used to break into a virtual private network (VPN), bypassing the network's multi-factor authentication entirely.
An unspecified attacker exploited the bug on an unnamed company's VPN concentrator, an appliance that provides secure remote connectivity to a private network, such as the one a company might run in its office. Washington, D.C.-based security company Mandiant discovered the attack, which began on Apr. 8, just a day after the Heartbleed bug became public knowledge.
The VPN concentrator was using a version of the encryption software OpenSSL that contained the Heartbleed bug. This allowed the attacker to bypass not only the multi-factor authentication in place to protect users from getting their accounts hijacked, but also the VPN client software that checks whether the systems connecting to the VPN were company-owned and authorized.
This hack also differed from the other Heartbleed exploits seen thus far in that the attackers sought out active VPN session keys for currently authenticated users, instead of encryption keys. Then, using the session key, the attackers could hijack a user session and thereby trick the VPN concentrator into recognizing them as authenticated users.
"Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization," Mandiant wrote in its blog post.
Though exploiting Heartbleed on a typical website leaves no trace in the site's logs, Mandiant found several pieces of evidence for this particular exploit on the VPN concentrator. For one, Mandiant noticed that the remote end of certain VPN connections kept switching between two IP addresses: one was the address of the genuinely authorized person's device, and the other was the attacker's. Further, the attacker's IP address was geographically distant from both the VPN and its other authorized users, and came from a different service provider.
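The indicator Mandiant describes, a single authenticated session whose remote endpoint alternates between two source addresses, is straightforward to hunt for in concentrator logs. The script below is an added example written for this article, not code from Mandiant or from any VPN vendor: the log format, the session and user names, the addresses and the "expected" address range are all constructed, and it flags any session seen from more than one source IP, counting how often the source switched and which addresses fall outside the ranges the organization expects its users to come from.

```python
"""Detect VPN sessions whose remote endpoint switches between IP addresses.

Added example (not from the article or from Mandiant): it models the
indicator described above, where one authenticated VPN session is seen
coming from two different source IPs, one belonging to the legitimate
user and one to an attacker reusing a leaked session token. The log
format, field names, session ids and all addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp, session id, username, source IP, event.
SAMPLE_LOG = """\
2014-04-08T09:12:03Z sess=A1F3 user=jdoe src=198.51.100.23 event=connect
2014-04-08T09:12:40Z sess=A1F3 user=jdoe src=198.51.100.23 event=keepalive
2014-04-08T09:13:05Z sess=A1F3 user=jdoe src=203.0.113.77 event=keepalive
2014-04-08T09:13:31Z sess=A1F3 user=jdoe src=198.51.100.23 event=keepalive
2014-04-08T09:14:02Z sess=A1F3 user=jdoe src=203.0.113.77 event=keepalive
2014-04-08T09:15:00Z sess=B7C2 user=asmith src=198.51.100.88 event=connect
2014-04-08T09:16:10Z sess=B7C2 user=asmith src=198.51.100.88 event=keepalive
"""

# Constructed: address ranges the organization expects its remote users to
# come from (for instance the ISP most staff use). Anything else is "foreign".
EXPECTED_NETS = [ip_network("198.51.100.0/24")]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "sess": fields["sess"], "user": fields["user"],
                "src": ip_address(fields["src"]), "event": fields["event"]}
    except (ValueError, KeyError):
        return None


def sessions_from_log(text):
    """Group parsed events by session id, preserving log order."""
    by_sess = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_sess[rec["sess"]].append(rec)
    return by_sess


def find_flapping_sessions(text, expected_nets=EXPECTED_NETS):
    """Return {session_id: report} for sessions whose source IP changes mid-session.

    Each report lists the distinct source IPs, how many times the source
    switched between consecutive events, and which IPs fall outside the
    expected ranges (the geographically distant, different-provider address
    the article describes).
    """
    findings = {}
    for sess, events in sessions_from_log(text).items():
        ips = [e["src"] for e in events]
        distinct = sorted({str(ip) for ip in ips})
        if len(distinct) < 2:
            continue  # one endpoint for the whole session: nothing to report
        switches = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        foreign = sorted({str(ip) for ip in ips
                          if not any(ip in net for net in expected_nets)})
        findings[sess] = {"user": events[0]["user"], "ips": distinct,
                          "switches": switches, "foreign_ips": foreign}
    return findings


if __name__ == "__main__":
    for sess, report in find_flapping_sessions(SAMPLE_LOG).items():
        print(f"session {sess} ({report['user']}): source switched "
              f"{report['switches']} times between {report['ips']}; "
              f"outside expected ranges: {report['foreign_ips']}")
```

On the constructed log, session A1F3 is reported because its source alternates three times between the user's address and an address outside the expected range, while B7C2, seen from one address throughout, is not. In a real deployment the expected ranges would come from the organization's own knowledge of its users' providers, and the alert is most useful when the concentrator logs the source address of every keepalive or data event, not only the initial connect.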
This attack illustrates the long-term problems the Heartbleed bug can cause, not just on websites but in email, networking and end-user software as well. In this case, the makers of the affected VPN concentrator need to create a firmware update for these devices and push it out to their customers.