After months of dire predictions surrounding Heartbleed, the breach at Community Health Systems Inc. was the first major security incident to be linked with the widespread OpenSSL vulnerability. Detecting Heartbleed exploits is a nearly impossible task though, according to experts, so the Fortune 500 healthcare entity is unlikely to be the only organization victimized by the flaw.
Publicized in April, Heartbleed is a vulnerability in the OpenSSL open-source encryption library that can be triggered due to the flawed implementation of the Heartbeat extension. By repeatedly sending Heartbeat requests to a vulnerable device, an attacker could glean login credentials, X.509 certificates and communications encrypted by an OpenSSL implementation.
The OpenSSL Project provided a patched version of the encryption library when Heartbleed was announced, but recent studies have shown that many organizations either haven't patched their systems or didn't complete the remediation process. In the case of the Community Health breach, details provided to infosec consultancy TrustedSec don't clarify when, or if, the Franklin, Tenn.-based company had applied the necessary Heartbleed patches for the devices on its networks -- only that attackers were able to capture legitimate login credentials from a Juniper device and use them to access its VPN.
Chris Wysopal, CTO for application security vendor Veracode, said that the circumstances surrounding the Community Health breach make it probable that other companies may be facing similar, though as yet undiscovered, incidents.
"Whenever you see an attack like this, you have to think was this really a unique scenario or infrastructure, or was it something that was very common?" said Wysopal. "I can only imagine that throughout the healthcare industry and other areas, they use these Juniper devices, which needed to be patched, and other organizations probably had a challenge patching in a timely way."
Legitimate login credentials cause big problems
What was made clear by Community Health's 8-K filing to the U.S. Securities and Exchange Commission was that hackers were able to access the company's network in April, when Heartbleed was announced, and again in June.
For Michael Coates, director of product security at Shape Security and chairman of the OWASP global board, the situation is an example of just how dangerous it can be for an organization when login credentials are swiped. Coates said that VPN credentials can be particularly problematic because they can be used to access the internal network of an organization, where security teams often choose to forego security measures like encrypting communications because they assume anyone accessing that part of the network is trusted.
From that vantage point, Coates said that attackers could scan the devices on the internal network in search for other vulnerabilities to be exploited, or could even simply monitor the traffic on the internal network for critical information. And by exploiting Heartbleed, Coates noted that organizations would likely not notice the initial incursion because Heartbeat requests aren't recorded in security logs, meaning attackers could repeatedly take advantage of the flaw without leaving a trace.
Michael CoatesDirector of Product Security, Shape Security
"So there's definitely multiple angles put at risk by attackers getting valid login credentials and getting into the internal network," said Coates. "I think we will continue to see more of these in the coming months, and it all may be linked back to this initial vulnerability that is either unpatched still and is still a gaping hole in the security of a company or hospital, or was used when the window of opportunity was open and we're continuing to see the fallout from that access."
Because Heartbleed exploits are so difficult to detect, Jay Kaplan, CEO of security as a service provider Synack, said it was indeed unlikely that an organization would notice the initial attack vector. As a result, he said that enterprises should focus on doing a better job of auditing all logins so that unusual behavior, such as logins from China at unusual times, can be flagged immediately for investigation.
Kaplan also emphasized the importance of patching all Heartbleed-vulnerable devices immediately and then forcing users to reset all passwords.
"[A password reset] may add an extra few hours to someone's day, but it's good to err on the safe side," said Kaplan.
Wysopal agreed that rotating credentials is vital after remediation efforts have been completed, but noted that anomaly detection for logins can be fairly difficult to implement, especially when attackers can mask the region from which an attack is launched. And while IT teams can place regional and time restrictions on logins, he said such measures aren't popular because they place restrictions on users working while traveling or late at night.
What may work best from a prevention perspective, Wysopal added, is implementing two-factor authentication for all internal network systems. Even by using a mobile-device based soft token mechanism, he said, Community Health likely could have prevented its breach.
As for future Heartbleed scenarios, Wyospal emphasized the importance of gaining a better overview of the IT sprawl now plaguing many organizations, and especially keeping track of which products may be affected by certain vulnerabilities. One easy way to do that, he said, is to simply use the domain name system to find all websites associated with a company's domain -- a potential attack vector that may be off the radar of most IT security teams.
"A marketing department might have put up a website and it wasn't on their normal network, so when they did their initial Heartbleed scan, they didn't find it," said Wysopal. "[Community Health] obviously has lots and lots of domain names, and that would have been a challenge for them to do. A lot of companies are dealing with how the IT infrastructure has grown so big over time, and they don't know where everything is."