Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit. 

Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. 

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”

The victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.

According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:

1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.

2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.

3. The timestamps associated with the IP address changes were often within one to two seconds of each other.

4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.

5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Additional details and remediation advice are available from Mandiant.

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”

The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

Earlier this week, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers’ data through an attack that exploited the Heartbleed bug.

Tags:

• Network Security
• NEWS & INDUSTRY
• Vulnerabilities

Kickstarter, a web site that serves as a funding platform for creative projects, said on Saturday that malicious hackers gained unauthorized access to its systems and accessed user data.

“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” Yancey Strickler, Kickstarter’s CEO, wrote in a security notice. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”

According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.

“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler said.

The company said via Twitter that “old passwords used salted SHA1, digested multiple times. More recent passwords use bcrypt.”

Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity.

Kickstarter did not say how many user accounts were affected in the breach, but the company says that since launching in 2009, more than 5.6 million people have pledged $ 980 million, funding 56,000 creative projects through its platform.

“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” the advisory suggested.

“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come,” Strickler wrote. “We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”

*Updated with additional details on password encryption.

Tags:

• Network Security
• NEWS & INDUSTRY
• Cybercrime