Heartbleed attack used to skip past multifactor authentication

In one of the earliest instances of a Heartbleed attack breaking through a private corporate network, security firm Mandiant reports that a client's virtual private network session was successfully hacked.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
2 min read

A Heartbleed T-shirt shows just how effective the Heartbleed campaign has been. Martin Mulazzani

Attackers were able to breach a walled-off virtual private network by exploiting the Heartbleed vulnerability, security company Mandiant said on Friday.

The breach is one of the earliest instances of attackers using Heartbleed to bypass multifactor authentication and break through a VPN, said Mandiant Technical Director Christopher Glyer. It's not clear from the report if data was stolen from the affected organization.

The Heartbleed vulnerability was accidentally introduced several years ago to OpenSSL, the encryption platform used by more than two-thirds of the Internet, but it wasn't discovered till the beginning of this past April. Since then, Internet firms large and small have been scrambling to patch their OpenSSL implementations.

In bypassing multifactor authentication, the attackers were able to get around one of the stricter methods of ensuring that someone is who they say they are. Instead of just a single password, multifactor authentication requires at least two of three kinds of credentials: something you know, something you have, and something you are.

While much of the Internet discussion of Heartbleed has focused on attackers taking advantage of the vulnerability to steal private encryption keys, Glyer said the attack against the unnamed Mandiant client indicates that session hijacking is also a risk.

"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions," he said.

The timing of the breach indicates that the attackers were able to exploit the brief window between the announcement of the Heartbleed vulnerability and when major firms began patching their sites a few days later. Nearly two weeks after the Heartbleed bug was revealed, more than 20,000 of the top 1 million websites remain vulnerable to Heartbleed attacks.

Mandiant, owned by FireEye, recommended three steps for organizations running vulnerable remote-access software:

  • "Identify infrastructure affected by the vulnerability and upgrade it as soon as possible.
  • "Implement network-intrusion detection signatures to identify repeated attempts to leverage the vulnerability. In our experience, an attacker will likely send hundreds of attempts because the vulnerability only exposes up to 64KB of data from a random section of memory.
  • "Perform historical review of VPN logs to identify instances where the IP address of a session changed repeatedly between two IP addresses. It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period."