Heartbleed maliciously exploited to hack network with multifactor authentication

  • 18 April 2014
  • 2 replies
  • 7 views

Userlevel 7
Badge +54
In-the-wild VPN attack using Heartbleed underscores real-world threat of bug.

Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization's virtual private network (VPN), security researchers said.

When the critical flaw in the OpenSSL cryptographic library came to light 11 days ago, it was best known as a dangerous hole that allowed attackers to siphon out user names, passwords, and even private encryption keys processed by vulnerable Web servers. More recently, researchers confirmed that Heartbleed could be exploited to steal the private keys underpinning the widely used OpenVPN application and likely software for other VPNs that rely on a vulnerable version of OpenSSL.
 
Full Article

2 replies

Userlevel 7
The following article is a update on Heartbleed bug
(CHS hackers exploited the Heartbleed bug)
 
Author: Zorz/ HNS Managing Editor/ Posted on 20 August 2014
 
The recent massive Community Health Systems breach, which resulted in the compromise of personal information of some 4.5 million patients, was executed by exploiting the infamous OpenSSL Heartbleed vulnerability.

The claim was made by David Kennedy, CEO of security consulting firm TrustedSec, who said that while he and his company aren't involved in the breach investigation, he got the information from three different people close to the investigation. CHS has not commented the matter.

"Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN," Kennedy revealed in a blog post. "From here, the attackers were able to further their access into CHS by working their way through the network."
 
Help Net Security/ full read here/ http://www.net-security.org/secworld.php?id=17276
Userlevel 7
The following article is a update on Heartbleed
By Ian Barker/ Posted 9/10/2014
 
 

The Heartbleed bug has gone down in history as one of the most serious flaws to affect the internet. But new research reveals that prior to its disclosure in April there's no evidence of Heartbleed having being exploited.
The disclosure of Heartbleed sent websites scrambling to apply patches. However, a study by academics at a number of US universities allays fears that the flaw may have been exploited for surveillance by government agencies before it became public.
 The researchers say, "We investigated the attack landscape, finding no evidence of largescale attacks prior to the public disclosure, but vulnerability scans began within 22 hours".
By analyzing network traffic collected by traps at Lawrence Berkeley National Laboratory, the National Energy Research Scientific Computing Center and a honeypot on Amazon's EC2 network, researchers were able to determine if any attacks had been launched prior to the disclosure.
 
betanews/ full article here/ http://betanews.com/2014/09/10/heartbleed-bug-not-exploited-before-disclosure/

Reply