When the Heartbleed OpenSSL vulnerability was revealed in April, many within the security community warned that the flaw could be used to expose sensitive data, though little evidence existed at the time that attackers were actively taking advantage of Heartbleed. Now, an infosec consultancy is warning that a Heartbleed exploit may have served as the initial attack vector in the recent Community Health Systems Inc. data breach.
Franklin, Tennessee-based Community Health, which operates over 200 hospitals in 29 states, said this week in an 8-K filing with the U.S. Securities and Exchange Commission that attackers breached its security systems in April and June, exfiltrating the HIPAA-protected patient data of 4.5 million patients in the process. That data included personal information such as names, birthdates, contact details and Social Security numbers, according to the filing, but the healthcare provider stressed medical information and credit card details were not compromised.
Community Health also noted that it had hired outside forensics firm Mandiant to help with the investigation. Mandiant connected the breach to "APT 18," a Chinese hacking group, but delivered no further details on the tactics utilized by the attackers or why they stole personal data as opposed to valuable intellectual property, the typical target of such groups.
Yesterday, a blog post from Cleveland, Ohio-based information security consultancy TrustedSec LLC claimed that the attackers behind the Community Health breach exploited Heartbleed to gain a foothold on the company's network. TrustedSec said the information came from an anonymous source close to the breach investigation, and in an interview with Bloomberg, Founder and Principal Security Consultant David Kennedy said he was informed of the connection by three unnamed sources.
This is the first known instance in which a Heartbleed exploit has served as the initial vector for a data breach, according to TrustedSec. Heartbleed was linked to minor security incidents shortly after the flaw was publicized, and researchers from CloudFlare, Akamai Technologies Inc. and other firms subsequently proved Heartbleed could indeed be exploited to glean private SSL keys and other sensitive data, though in a time-consuming fashion.
The TrustedSec blog post explained that the Community Health attackers were able to obtain user credentials from a then-unpatched Juniper device on the company's network, which they then used to log in to the Community Health VPN.
"From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database," TrustedSec wrote in the blog post. "This is no surprise, as when given internal access to any computer network it is virtually a 100% success rate at breaking into systems and furthering access."
Several Juniper products were known to be affected by Heartbleed, including multiple versions of its SSL VPN and products that utilized Junos OS 13.3R1, but the company patched those products shortly after the OpenSSL vulnerability became public. TrustedSec didn't provide any further clarification on which Juniper product was targeted in the breach, nor how long the device had remained unpatched -- only that the incident could have been prevented by applying compensatory controls until a patch was in place.
"Having the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly," TrustedSec concluded in the blog post. "What we can learn here is that when something as large as heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay."
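The detection TrustedSec calls for has a concrete form for Heartbleed: the flaw is a heartbeat message whose declared payload length is larger than the record that carries it, which a vulnerable OpenSSL answered with that many bytes of process memory. The following is an added example, not code from TrustedSec, Community Health or the OpenSSL project, showing the length-consistency check a patched server (or an inline sensor watching VPN traffic) applies to each TLS heartbeat record. It assumes the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) inside a standard 5-byte TLS record header; the sample records are constructed inline and are not captured traffic.

```python
"""Length-consistency check for TLS heartbeat records (added example)."""
import struct

TLS_CONTENT_TYPE_HEARTBEAT = 24   # RFC 6520 heartbeat content type
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding
RECORD_HEADER_LEN = 5             # type(1) + version(2) + length(2)


def inspect_heartbeat_record(record: bytes):
    """Classify one TLS record.

    Returns (verdict, detail). verdict is one of:
      "not-heartbeat"  - some other content type, nothing to check
      "ok"             - heartbeat whose declared payload length fits
      "suspicious"     - declared payload length does not fit in the record
      "malformed"      - truncated or otherwise unparsable
    The "suspicious" case is the condition the OpenSSL fix rejects; a
    vulnerable build instead copied payload_length bytes from memory.
    """
    if len(record) < RECORD_HEADER_LEN:
        return "malformed", "truncated TLS record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:RECORD_HEADER_LEN])
    if content_type != TLS_CONTENT_TYPE_HEARTBEAT:
        return "not-heartbeat", f"content type {content_type}"
    body = record[RECORD_HEADER_LEN:RECORD_HEADER_LEN + rec_len]
    if len(body) != rec_len:
        return "malformed", f"record declares {rec_len} bytes, {len(body)} present"
    if len(body) < 3:
        return "malformed", "heartbeat body shorter than its 3-byte header"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed", f"unknown heartbeat type {hb_type}"
    needed = 1 + 2 + payload_len + MIN_PADDING
    if needed > rec_len:
        return "suspicious", (f"payload_length {payload_len} needs {needed} bytes "
                              f"but record holds {rec_len}")
    return "ok", f"payload_length {payload_len} fits in {rec_len}-byte record"


def scan_records(records):
    """Run the check over a sequence of records and return only the findings
    a responder would act on (index, verdict, detail)."""
    findings = []
    for i, rec in enumerate(records):
        verdict, detail = inspect_heartbeat_record(rec)
        if verdict in ("suspicious", "malformed"):
            findings.append((i, verdict, detail))
    return findings


def _tls_record(content_type: int, body: bytes, version=(3, 2)) -> bytes:
    """Wrap a body in a TLS record header (helper for the constructed samples)."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


# Constructed sample traffic (not captured from any real system).
# 1. A well-formed heartbeat request: 4-byte payload plus 16 bytes of padding.
BENIGN_HEARTBEAT = _tls_record(24, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# 2. A 3-byte heartbeat body that declares a 16 KiB payload which is not present.
SUSPICIOUS_HEARTBEAT = _tls_record(24, b"\x01" + struct.pack("!H", 0x4000))
# 3. An application-data record, which the check ignores.
APP_DATA = _tls_record(23, b"\x17" * 20)

SAMPLE_RECORDS = [BENIGN_HEARTBEAT, SUSPICIOUS_HEARTBEAT, APP_DATA]

if __name__ == "__main__":
    for idx, verdict, detail in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {verdict}: {detail}")
```

Running the script reports only record 1, the heartbeat whose declared length exceeds the record. A sensor alerting on that condition at the VPN edge is exactly the compensating control the article says could have bridged the gap until the Juniper patch was applied, and a single such alert is enough to trigger the incident response TrustedSec describes.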
Still concerned about Heartbleed? Learn why a majority of Global 2000 organizations are still vulnerable to the OpenSSL flaw despite patching, and revisit the open-source software present in your organization.