Mandiant uncovered Heartbleed based attacks to Hijack VPN sessions

Pierluigi Paganini April 20, 2014

Security experts at Mandiant uncovered attackers exploiting the Heartbleed vulnerability to circumvent Multi-factor Authentication on VPNs.

We have practically read everything about HeartBleed bug which affects OpenSSL library, we have seen the effects on servers, on mobile devices and also on Tor anonymity,  now lets focus on the possibility to exploit it to hijack VPN sessions.

Cyber criminals are trying to exploit Heartbleed OpenSSL bug against organisations to spy on virtual private network connections hijacking multiple active web sessions.
Security experts at Mandiant discovered attackers are exploiting the Heartbleed vulnerability to circumvent Multi-factor authentication on VPNs. The investigators have found evidences of the attack analyzing IDS signatures and VPN logs.
Considering that through an Heartbleed request the attacker could gain access to a limited portion of memory (64KB of memory for each Heartbeat request), in order to fetch useful data he needs to send a huge quantity of requests. This stream of requests was identified by IDS once it was written a signature specifically for Heartbleed.
heartbleed VPN 2
During the intrusion observed by Mandiant the IDS detected more than 17,000 requests matching the pattern written for HearttBleed.
Mandiant confirmed that an unnamed organization suffered a targeted attack which exploited the “Heartbleed” bug in OpenSSL running in the client’s SSL VPN concentrator to remotely access organization’s internal network.
“This post focuses on a Mandiant investigation where a targeted threat actor leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment and steps to identify retroactively if this occurred to your organization.” reported the Mandiant official post.
The attacker is able to obtain active session tokens for currently authenticated users sending repeatedly malformed heartbeat requests to the HTTPS web server running on the VPN device. Once gained an active session token, the attacker successfully hijacked multiple active user sessions and deceived the VPN concentrator which considered it as legitimately authenticated.
With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
“The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.” wrote Mandiant experts Christopher Glyer and Chris DiGiamo. 

The following evidence proved the attacker had stolen legitimate user session tokens:

  1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
  2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address.  In several cases the “flip flopping” activity lasted for multiple hours.
  3. The timestamps associated with the IP address changes were often within one to two seconds of each other.
  4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
  5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
The hackers once gained the access to the internal network of targeted organization attempted to move laterally and escalate his/her privileges.
Attacks like the one uncovered by Mantiant will increase in the next weeks, it is necessary to immediately identify and upgrade the component that make use of the flawed library.

Pierluigi Paganini

(Security Affairs –  VPN, Mandiant)

you might also like

leave a comment