Researchers at the Mandiant security firm have revealed that the Heartbleed bug was used to attack a large corporation less than 24 hours after it was first disclosed to the public. The news follows claims that the bug has been “mostly fixed” after the top 1,000 websites updated their infrastructure. It also shows that the bug’s threat is indeed widespread and frustratingly hard to predict.

The attack is among the first confirmed to take advantage of the Heartbleed bug. Another attack was used to gather taxpayer information from a Canadian government-run website. And because the Heartbleed bug has reportedly left two-thirds of the Internet vulnerable to attack, it’s possible that others have occurred.

The good news is that, contrary to previous reports, it is possible to determine if a Heartbleed attack has taken place. Knowing that Heartbleed is a definite threat that leaves some kind of trace (even if it’s hard to detect – it’s often unclear if someone is attacking a company or checking its security to conduct further research on the bug) makes it just a little less scary than before.

At least until you remember that the bug affects the Wi-Fi routers many consumers are using in their homes, millions of Android smartphones, and a large portion of the Internet. Then it’s clear that just because the monster in the Internet’s closet leaves a trail, that doesn’t make it any less terrifying.

Reactions from around the Web

The New York Times reports that no attacks made before Heartbleed’s disclosure have been detected:

It was still unclear whether the Heartbleed bug was exploited before its discovery by a Google researcher earlier this month.

For the last week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for Heartbleed exploitations before it became public on April 7.

So far, they have found none.

Mandiant’s researchers explain how they discovered that Heartbleed was used in the attack:

Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

The exploit method was identified and confirmed by analyzing two sources of information, IDS signatures and VPN logs. The victim organization implemented a set of signatures to identify Heartbleed network activity. The IDS signature “SERVER-OTHER TLSv1.1 large heartbeat response – possible ssl heartbleed attempt”, depicted in figure 1, alerted over 17,000 times during the intrusion. The source of the heartbeat response was the organization’s internal SSL VPN device.
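As an added illustration of the detection approach Mandiant describes above (this is not Mandiant's or the article's own code), the following Python snippet parses TLS heartbeat records and flags oversized heartbeat responses, the same condition the “large heartbeat response” IDS signature keys on. The record layout follows RFC 6520; the 256-byte threshold and the sample records built by `build_heartbeat_response` are constructed assumptions for demonstration.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 24   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_RESPONSE = 2            # HeartbeatMessageType: 1 = request, 2 = response
# Assumed threshold: a legitimate response echoes a short payload plus >= 16 bytes
# of padding, so a heartbeat record of several kilobytes is a strong leak indicator.
LARGE_RESPONSE_THRESHOLD = 256


def parse_tls_record(data):
    """Parse one TLS record header: (content_type, version, length, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return content_type, (major, minor), length, data[5:5 + length]


def inspect_heartbeat_record(data):
    """Describe a heartbeat record, or return None if the record is not a heartbeat.

    The heartbeat type byte is only readable in unencrypted records (before the
    handshake completes); the record header itself is never encrypted.
    """
    content_type, version, rec_len, body = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT_CONTENT_TYPE:
        return None
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    return {
        "version": version,
        "record_length": rec_len,
        "hb_type": hb_type,
        "payload_length": payload_len,
        "large_response": hb_type == HEARTBEAT_RESPONSE and rec_len > LARGE_RESPONSE_THRESHOLD,
    }


def build_heartbeat_response(payload, padding_len=16, version=(3, 2)):
    """Constructed sample: a plaintext TLS 1.1 heartbeat response record (test data only)."""
    body = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * padding_len
    header = struct.pack("!BBBH", TLS_HEARTBEAT_CONTENT_TYPE, version[0], version[1], len(body))
    return header + body


def count_large_heartbeat_responses(records):
    """Count records that would fire the large-heartbeat-response alert."""
    return sum(1 for rec in records
               if (info := inspect_heartbeat_record(rec)) and info["large_response"])
```

Because only the record header is needed to spot an oversized heartbeat, the same length check can be applied to encrypted sessions even though the type byte is then unreadable.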

The Sucuri security group shares their findings on most popular websites:

After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.

The results were interesting:

Top 1,000 sites: 0 sites vulnerable (all of them patched)
Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)

Pando weighs in

I wrote about the shaky idea that the Internet can ever truly be secure after the bug was revealed:

The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL — including Yahoo, Imgur, and OKCupid — means that many millions of Internet users may have potentially had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year and the idea that anyone can ever be truly secure online seems permanently out of reach.

I then wrote about why being able to change your passwords is a good thing:

The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your finger tips and tattoo some new patterns onto them?

Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.

Then I explored how small mistakes can have enormous consequences on the modern Web:

Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.

But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.

That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely-used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.

This led me to wonder why Internet security is entrusted to people working in their spare time:

It’s time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry “an enormous burden” that affects basically anyone who uses the Internet. We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?

And finally, I wrote about the problem many consumers will face when trying to defend their privacy after Google revealed that millions of Android smartphones are affected by the bug:

The discovery follows reports that the Heartbleed bug has been found in Wi-Fi routers from Cisco and Juniper Systems. The fix for that problem, according to one security expert, is going to involve “a trash can, a credit card, and a trip to Best Buy.” There’s little else people can do.

These warnings demonstrate the Heartbleed bug’s lasting impact. Large companies can and have fixed their websites or updated their infrastructure to protect their users’ information. But when consumers are using devices that have long since been abandoned by their creators or are difficult to upgrade, the only recourse seems to be either living with the possibility of being affected by Heartbleed or upgrading to new hardware unaffected by the vulnerability.