Initial attack vector allowed stealing log-in credentials

Aug 20, 2014 07:45 GMT

The break-in to the network of Community Health Systems (CHS), which ended with details of 4.5 million patients being exfiltrated by the hackers, was made possible by exploiting the Heartbleed vulnerability present on a CHS Juniper device.

By leveraging the flaw in the OpenSSL cryptographic library, the attackers were able to extract user credentials from the memory of the server; these credentials were then used for connecting to the systems via a VPN (virtual private network).

TrustedSec, a company offering penetration testing and risk assessment services, says they obtained details about how the breach occurred and that the information about Heartbleed being at fault came from a trusted source close to the CHS investigation.

As per the regulatory filing to the SEC (Securities and Exchange Commission), the initial breach of the CHS network took place in April 2014.

The code error in the OpenSSL library, an improper input validation that allows information to be extracted from the memory of the affected system, was reported by Neel Mehta of Google’s security team on April 1, but it was publicly revealed a week later.
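The improper input validation comes down to trusting a length field inside a TLS heartbeat message. The following is an added example, not code from the article or from OpenSSL, of the bounds check that RFC 6520 requires of a receiver; the function name, verdict names and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_CT_HEARTBEAT 24  /* content type assigned by RFC 6520 */
#define HB_HEADER_LEN     3  /* message type (1) + payload_length (2) */
#define HB_MIN_PADDING   16  /* minimum padding required by RFC 6520 */

enum hb_verdict { HB_NOT_HEARTBEAT, HB_OK, HB_MALFORMED, HB_OVERCLAIM };

/* Validate one plaintext TLS record: 5-byte header followed by the fragment. */
enum hb_verdict check_heartbeat(const uint8_t *rec, size_t len)
{
    if (len < 5)
        return HB_MALFORMED;
    if (rec[0] != TLS_CT_HEARTBEAT)
        return HB_NOT_HEARTBEAT;
    size_t frag_len = ((size_t)rec[3] << 8) | rec[4];
    if (frag_len > len - 5 || frag_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_MALFORMED;  /* buffer shorter than header says, or no room for padding */
    size_t claimed = ((size_t)rec[6] << 8) | rec[7];
    /* The check a Heartbleed-vulnerable build lacked: the claimed payload
       must fit inside the bytes that were actually received. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > frag_len)
        return HB_OVERCLAIM;  /* discard silently, never echo */
    return HB_OK;
}

/* Constructed sample records (not captured traffic). */
const uint8_t sample_ok[] = {
    24, 3, 2, 0, 23,             /* heartbeat, TLS 1.1, 23-byte fragment */
    1, 0, 4, 'p', 'i', 'n', 'g', /* request, payload_length = 4 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
const uint8_t sample_overclaim[] = {
    24, 3, 2, 0, 19,             /* 19-byte fragment */
    1, 0x40, 0x00,               /* claims 16384 payload bytes, carries none */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
const uint8_t sample_appdata[] = { 23, 3, 2, 0, 1, 0x41 };

int main(void)
{
    printf("ok=%d overclaim=%d appdata=%d\n",
           check_heartbeat(sample_ok, sizeof sample_ok),
           check_heartbeat(sample_overclaim, sizeof sample_overclaim),
           check_heartbeat(sample_appdata, sizeof sample_appdata));
    return 0;
}
```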

Considering the novelty of the security flaw, very few systems received a patch as soon as news of the vulnerability spread on the Internet.

Also, due to its open-source nature, the OpenSSL library is so widespread that it is integrated in most things providing secure communication, from web servers, operating systems and applications to hardware devices.

According to a study from Venafi, 97 percent of the Global 2000 companies had external servers that were still vulnerable to a Heartbleed attack, months after a patch was released.

In the case of the CHS breach, after the perpetrators found their way into the network, reaching the database of 4.5 million records was easy pickings. “This is no surprise as when given internal access to any computer network, it is virtually a 100% success rate at breaking into systems and furthering access,” say TrustedSec security experts in a blog post.

The operators behind the intrusion are believed to be an Advanced Persistent Threat (APT) group based in China, according to Mandiant, the forensics company that investigated the incident.

On April 11, Juniper had already released updates for its SSL VPN versions 7 and 8, but applying them was left to the customers.

“The time between 0-day (the day heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organization where monitoring and detection become essential elements of it security program,” say TrustedSec experts.

TrustedSec was founded by David Kennedy, a former NSA employee who served as Chief Security Officer (CSO) for Diebold, an ATM-making company.