Cyber criminals have found one more way to exploit the Heartbleed OpenSSL bug against organisations: hijacking multiple active web sessions conducted over a virtual private network connection.
The consulting and incident response firm Mandiant investigated a targeted attack against an unnamed organization and said the attackers exploited the "Heartbleed" vulnerability in the OpenSSL build running on the client's SSL VPN concentrator to remotely take over active sessions and reach the organization's internal network.
The incident is the result of attacks leveraging the OpenSSL Heartbleed vulnerability, which resides in OpenSSL's TLS heartbeat extension: if the extension is enabled, a malformed heartbeat request makes the peer return up to 64KB of its process memory in plaintext to whichever client or server sent the request, and the request can be repeated as often as the attacker likes. At the time of disclosure OpenSSL was estimated to be in use on almost two-thirds of the internet's web servers, including many popular websites, so the potential exposure was enormous.
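To make the mechanics concrete, here is an added model (not code from the article or from OpenSSL) of how a heartbeat handler behaves before and after the fix. It uses the RFC 6520 record layout (a 1-byte type, a 2-byte payload_length, the payload, then at least 16 bytes of padding) and a constructed "heap snapshot" in which the received record is assumed to sit at offset 0 with unrelated data, including a made-up session cookie, right behind it.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                    # RFC 6520 requires at least 16 bytes of padding
HEADER = struct.Struct("!BH")   # 1-byte message type, 2-byte payload_length


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Assemble a heartbeat request record. A well-formed request sets
    claimed_length == len(payload); a Heartbleed probe claims far more."""
    return HEADER.pack(HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def leaked_payload(response: bytes) -> bytes:
    """Return the payload carried by a heartbeat response (what the client sees)."""
    _, length = HEADER.unpack(response[:3])
    return response[3:3 + length]


def vulnerable_handler(memory: bytes, record: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust the peer's length field and copy that many
    bytes starting at the payload, i.e. memory[3:3 + claimed], regardless of
    how many bytes the record actually contained. `memory` is a constructed
    heap snapshot; the copy stops where the snapshot ends, a real process
    would keep reading its neighbours."""
    _, claimed = HEADER.unpack(record[:3])
    echoed = memory[3:3 + claimed]
    return HEADER.pack(HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def fixed_handler(memory: bytes, record: bytes):
    """1.0.1g behaviour: type + length + claimed payload + padding must fit
    inside the record that was actually received; if not, the message is
    silently discarded instead of being answered."""
    _, claimed = HEADER.unpack(record[:3])
    if 1 + 2 + claimed + PADDING > len(record):
        return None
    echoed = memory[3:3 + claimed]
    return HEADER.pack(HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


# Constructed heap snapshot: the incoming record followed by unrelated data a
# busy HTTPS front end might hold nearby, here a made-up session cookie.
PROBE = build_heartbeat(b"hb", 0x0400)          # claims 1024 bytes, sends 2
NEIGHBOUR = b"\x00" * 40 + b"Cookie: SESSIONID=4f3c9a1e7b2d;" + b"\x00" * 200
HEAP = PROBE + NEIGHBOUR
HONEST = build_heartbeat(b"ping", 4)            # claimed length matches payload

if __name__ == "__main__":
    print("vulnerable :", leaked_payload(vulnerable_handler(HEAP, PROBE)))
    print("fixed      :", fixed_handler(HEAP, PROBE))
    print("honest/fixed:", leaked_payload(fixed_handler(HONEST + NEIGHBOUR, HONEST)))
```

The one-line bounds check is the whole patch: the vulnerable code never compares the attacker-supplied length with the record length, so every probe walks past the payload into whatever the process allocated next, which on a VPN web front end is exactly where session cookies and tokens live.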
Recently a Canadian teen was arrested for stealing usernames, credentials, session IDs and other data in plaintext from the Canada Revenue Agency by exploiting the Heartbleed OpenSSL bug. This suggests that more cyber criminals have been using the bug to steal private data and take over web sessions.
In the case Mandiant investigated, the attacker stole active user session tokens and thereby bypassed both the organization's multifactor authentication and the VPN client software checks that were supposed to confirm that systems connecting to the VPN were owned by the organization and running specific security software.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”
OpenVPN had previously warned that it could be vulnerable to the attack, since the open source VPN software uses OpenSSL by default.
According to the firm, the attack is far from untraceable: the bug returns at most 64KB of memory per heartbeat request, so to fetch anything useful an attacker has to send a continuous chain of requests, and in this case an IDS signature written specifically for Heartbleed triggered more than 17,000 alerts during the intrusion.
The researchers listed the evidence behind their conclusion that the attacker they tracked had "stolen legitimate user session tokens":
- A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization's SSL VPN.
- The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, "flip flopping", between the malicious IP address and the user's original IP address. In several cases the "flip flopping" activity lasted for multiple hours.
- The timestamps associated with the IP address changes were often within one to two seconds of each other.
- The legitimate IP addresses accessing the VPN were geographically distant from the malicious IP address and belonged to different service providers.
- The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
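The evidence above translates directly into a detection: look for sessions whose source address alternates within seconds, then tie the alternating address to the one that was firing Heartbleed IDS alerts at the same time. The following is an added example, not Mandiant's tooling, run over constructed VPN and IDS log lines in an assumed format (RFC 5737 documentation addresses, made-up user names and rule names). The geographic distance and provider checks from the list are not modelled, since they need a GeoIP or ASN lookup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alerts: timestamp, source, destination, rule name.
IDS_LOG = """\
2014-04-12T10:14:58Z 203.0.113.7 -> 198.51.100.10:443 rule=openssl-heartbleed-request
2014-04-12T10:14:59Z 203.0.113.7 -> 198.51.100.10:443 rule=openssl-heartbleed-request
2014-04-12T10:15:00Z 203.0.113.7 -> 198.51.100.10:443 rule=openssl-heartbleed-request
2014-04-12T10:15:02Z 192.0.2.99 -> 198.51.100.10:443 rule=generic-port-scan
""".splitlines()

# Constructed VPN concentrator log: timestamp, user, source address of the session.
VPN_LOG = """\
2014-04-12T10:00:00Z user=bchen src=192.0.2.80 event=session-start
2014-04-12T10:15:01Z user=jsmith src=192.0.2.44 event=session-start
2014-04-12T10:15:03Z user=jsmith src=203.0.113.7 event=session-update
2014-04-12T10:15:04Z user=jsmith src=192.0.2.44 event=session-update
2014-04-12T10:15:06Z user=jsmith src=203.0.113.7 event=session-update
2014-04-12T10:15:07Z user=jsmith src=192.0.2.44 event=session-update
2014-04-12T12:30:00Z user=bchen src=198.51.100.55 event=session-update
""".splitlines()

VPN_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+)")
IDS_RE = re.compile(r"^(\S+) (\S+) -> \S+ rule=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn_log(lines):
    """Return (timestamp, user, src_ip) tuples sorted by time."""
    out = []
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    return sorted(out)


def parse_ids_log(lines):
    """Return (timestamp, src_ip) for alerts whose rule name mentions heartbleed."""
    out = []
    for line in lines:
        m = IDS_RE.match(line)
        if m and "heartbleed" in m.group(3).lower():
            out.append((parse_ts(m.group(1)), m.group(2)))
    return sorted(out)


def find_flip_flops(events, max_gap_seconds=5):
    """Per user, list the (ts, old_ip, new_ip) source changes that happened
    within max_gap_seconds of the previous event. A roaming user changes
    address occasionally; a hijacked session alternates every few seconds."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flips = {}
    for user, evs in by_user.items():
        changes = [(ts, prev_ip, ip)
                   for (prev_ts, prev_ip), (ts, ip) in zip(evs, evs[1:])
                   if ip != prev_ip and ts - prev_ts <= timedelta(seconds=max_gap_seconds)]
        if changes:
            flips[user] = changes
    return flips


def correlate(flips, alerts, window_seconds=60, min_flips=2):
    """Tie flip-flopping sessions to addresses that fired Heartbleed alerts
    shortly before or during the anomaly."""
    attacker_ips = {ip for _, ip in alerts}
    window = timedelta(seconds=window_seconds)
    findings = []
    for user, changes in flips.items():
        seen = {ip for _, old, new in changes for ip in (old, new)}
        for mal_ip in sorted(seen & attacker_ips):
            relevant = [c for c in changes if mal_ip in c[1:]]
            if len(relevant) < min_flips:
                continue
            first, last = relevant[0][0], relevant[-1][0]
            n_alerts = sum(1 for ts, ip in alerts
                           if ip == mal_ip and first - window <= ts <= last + window)
            findings.append({"user": user, "attacker_ip": mal_ip,
                             "flips": len(relevant), "heartbleed_alerts": n_alerts,
                             "first": first, "last": last})
    return findings


if __name__ == "__main__":
    for finding in correlate(find_flip_flops(parse_vpn_log(VPN_LOG)), parse_ids_log(IDS_LOG)):
        print(finding)
```

In the sample data jsmith's session bounces between 192.0.2.44 and 203.0.113.7 four times in six seconds while 203.0.113.7 is the source of the Heartbleed alerts, so it is reported; bchen's single address change two and a half hours later is ordinary roaming and is ignored. Against real logs the gap and window thresholds need tuning to the concentrator's logging cadence, and a user whose legitimate address matches the attacker's (a shared NAT) would not flip-flop at all.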
“Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization,” the researchers wrote.
Mandiant recommended that all organizations running remote access software or appliances vulnerable to Heartbleed immediately identify and upgrade them with the available patches, and review their VPN logs to determine whether such an attack has already occurred.