
New Heartbleed Exploit Hijacked Secure Network Sessions

Security researchers have confirmed another instance of attackers exploiting the Heartbleed bug in the wild. This time was different: the vulnerable OpenSSL code lives in the firmware of a network appliance, which has to be replaced rather than patched in place, and the bug was used to break into a virtual private network (VPN), bypassing the network's multifactor authentication entirely.

An unspecified attacker exploited the bug on an unnamed company's VPN concentrator, an appliance that terminates encrypted remote-access connections into a private network, such as the one a company runs in its office. Washington D.C.-based security company Mandiant discovered the attack, which began on Apr. 8, just a day after the Heartbleed bug became public knowledge.


The VPN concentrator ran a version of the OpenSSL cryptography library that contained the Heartbleed bug, which lets a remote client read chunks of the server process's memory. That memory disclosure let the attacker bypass not only the multifactor authentication meant to keep user accounts from being hijacked, but also the endpoint checks in the VPN client software that verify whether a connecting system is company-owned and authorized.

This attack also differed from the Heartbleed exploits seen so far in its target: rather than the server's private encryption keys, the attacker harvested the active VPN session tokens of currently authenticated users from the leaked memory. Presenting a stolen session token let the attacker take over that user's session, so the VPN concentrator treated the attacker's connection as already authenticated and never asked for credentials or a second factor.

"Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization," Mandiant wrote in its blog post.

Exploiting Heartbleed against a typical website leaves no trace in the site's application logs, because the malicious heartbeat is handled inside the TLS library and never reaches the web application. Mandiant nonetheless found several indicators of this attack in the VPN concentrator's logs. For one, the remote end of certain VPN sessions kept alternating between two IP addresses: one belonging to the legitimately authenticated user's device, the other to the attacker. Further, the attacker's IP address was in a different geographic region from the VPN and its other authorized users, and belonged to a different service provider.
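The IP-switching indicator described above lends itself to a simple log check. The following Python script is an added example, not code from the article or from Mandiant: it parses constructed VPN concentrator log lines (the log format, session IDs, user names and addresses are all invented for illustration), groups records by session, flags any session whose remote IP changes after login, and tags each address with a provider from a stand-in lookup table that takes the place of a real GeoIP/ASN database.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not from the report). Session 7f3a logs in once
# from a home-region address, then alternates between that address and a
# second one that never authenticated: the pattern the article describes.
SAMPLE_LOG = """\
2014-04-08T09:12:01Z vpn-concentrator session=7f3a user=alice src=198.51.100.23 event=login mfa=ok
2014-04-08T09:30:44Z vpn-concentrator session=7f3a user=alice src=198.51.100.23 event=keepalive
2014-04-08T09:31:10Z vpn-concentrator session=7f3a user=alice src=203.0.113.77 event=keepalive
2014-04-08T09:32:05Z vpn-concentrator session=7f3a user=alice src=198.51.100.23 event=keepalive
2014-04-08T09:33:00Z vpn-concentrator session=7f3a user=alice src=203.0.113.77 event=keepalive
2014-04-08T09:15:00Z vpn-concentrator session=c41e user=bob src=198.51.100.40 event=login mfa=ok
2014-04-08T09:40:12Z vpn-concentrator session=c41e user=bob src=198.51.100.40 event=keepalive
"""

# Constructed provider table standing in for a GeoIP/ASN lookup (assumption).
PROVIDERS = {
    ip_network("198.51.100.0/24"): "LocalISP (home region)",
    ip_network("203.0.113.0/24"): "FarawayCarrier (other continent)",
}

# Field layout of the invented log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session=(?P<session>\w+) user=(?P<user>\w+) "
    r"src=(?P<src>[\d.]+) event=(?P<event>\w+)"
)


def provider_of(ip):
    """Map an address to a provider name via the stand-in table."""
    addr = ip_address(ip)
    for net, name in PROVIDERS.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Return the fields of one log record, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_hijacked_sessions(log_text):
    """Group records by session ID and report every session whose remote IP
    changes mid-session. Returns {session_id: details} for flagged sessions."""
    by_session = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            by_session[rec["session"]].append(rec)

    findings = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])  # ISO-8601 UTC sorts lexically
        ips = [r["src"] for r in recs]
        # Count transitions between consecutive records, not distinct IPs:
        # a token shared by two parties produces repeated back-and-forth.
        switches = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        if switches == 0:
            continue
        login_ips = {r["src"] for r in recs if r["event"] == "login"}
        findings[sid] = {
            "user": recs[0]["user"],
            "ips": sorted(set(ips)),
            "switches": switches,
            # Addresses that used the session without ever logging in.
            "unauthenticated_ips": sorted(set(ips) - login_ips),
            "providers": sorted({provider_of(ip) for ip in ips}),
        }
    return findings


if __name__ == "__main__":
    for sid, details in find_hijacked_sessions(SAMPLE_LOG).items():
        print(sid, details)
```

The two signals that matter are an address that never appears on a login event yet carries traffic in an authenticated session, and repeated alternation between addresses rather than a single hand-off. A user roaming between Wi-Fi and a mobile network can also change IP once, so treat a hit as a lead to be confirmed against provider and geography, not as a verdict.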

This attack illustrates the long-term problems Heartbleed can cause not just for websites but for email servers, network appliances and end-user software as well. In this case, the maker of the affected VPN concentrator must build a new firmware image for these devices and get it installed by its customers. Updating the firmware alone does not evict an attacker who already holds a stolen session token, so existing VPN sessions should be terminated and users required to authenticate again once the fix is in place.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

  • rwinches
    "the bug exists on firmware that has to be replaced, not updated"

    "the makers of the affected VPN concentrator need to create a firmware update for these devices and push it out to their customers."

    Yeah, because if you have a very expensive piece of equipment you of course would include the ability to update the firmware.
  • sajidali27
    First we need to understand who is affected and who is not. The second threat is that they got the private keys to your SSL certificate. All of our VPN servers have been patched and new keys have been made. Our private CA keys are not stored online and did not need to be changed. How to Stay Safe from OpenSSL's Heartbleed: http://www.bestvpnservice.com/blog/how-to-protect-from-heartbleed-bug?rel=ugc
  • MalcolmTucker
    Apple "AirPort Utility" also uses OpenSSL according to the licensing documents.

    Until Apple provides a new release of "AirPort Utility", it's likely best for Apple users to go to their Applications > Utilities folder and place "AirPort Utility" in the trash.

    Doing this exercise will protect Apple users from the vulnerabilities that may be present in the Apple software that Apple doesn't want to disclose. Remember, Apple's culture is based on a different release type. It's:

    Deny -> Replace -> Market and brand the update -> Admit there was a problem -> Put Phil Schiller in an on-stage demo where he's wearing a speedo that turns Tim Cook on.
  • SeanSanker
    Malcolm:
    Where did you get your info? Apple ditched their OpenSSL code 10 years ago. Your homophobic comments really have no place here. http://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet
  • Blessedman
    Everyone keeps looking at hackers; I am looking at the NSA (with backing from the MPAA and the RIAA) in a grab for the future of the net.
  • Dr-Emmerich
    "Apple "AirPort Utility" also uses OpenSSL according to the licensing documents.

    Until Apple provides a new release of "AirPort Utility", it's likely best for Apple users to go to their Applications > Utilities folder and place "AirPort Utility" in the trash.

    Doing this exercise will protect Apple users from the vulnerabilities that may be present in the Apple software that Apple doesn't want to disclose. Remember, Apple's culture is based on a different release type. It's:

    Deny -> Replace -> Market and brand the update -> Admit there was a problem -> Put Phil Schiller in an on-stage demo where he's wearing a speedo that turns Tim Cook on."

    You have NO idea what you're talking about... worst kind of troll.