
Security experts at Mandiant uncovered attackers exploiting the Heartbleed vulnerability to circumvent Multi-factor Authentication on VPNs.
We have practically read everything about HeartBleed bug which affects OpenSSL library, we have seen the effects on servers, on mobile devices and also on Tor anonymity, now lets focus on the possibility to exploit it to hijack VPN sessions.
“This post focuses on a Mandiant investigation where a targeted threat actor leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment and steps to identify retroactively if this occurred to your organization.” reported the Mandiant official post.
“With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”“The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.” wrote Mandiant experts Christopher Glyer and Chris DiGiamo.
The following evidence proved the attacker had stolen legitimate user session tokens:
- A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
- The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.
- The timestamps associated with the IP address changes were often within one to two seconds of each other.
- The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
- The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
(Security Affairs – VPN, Mandiant)




