Examining the CHS Breach and Heartbleed Exploitation

Yesterday, TrustedSec, a security consultancy based on Ohio, wrote that the recent breach at Community Health Systems (CHS) was the result of exploitation of the Heartbleed OpenSSL vulnerability (CVE-2014-0160). CHS’s 8-K filing on Monday did not reveal how the attackers got into their network, only that the records of approximately 4.5 million patients were stolen in attacks in between April and June of 2014. TrustedSec reports on how attackers were apparently able to glean user credentials from a certain device via the Heartbleed vulnerability and use them to log in via a VPN.

We need more facts to be sure, but this instance may be the first public breach related to the Heartbleed vulnerability since it was announced in April. Now, over four months since the Heartbleed disclosure, this attack reminds us of how serious this vulnerability is and how critical protection against it remains.

As Heartbleed allows the attacker to scrape memory from the vulnerable device, they can retrieve significant amounts of secret information. In this case, that apparently included VPN credentials, which they then used to log into the network and more laterally from system to system until discovering the data they were after.

While most vendors released patches for their products months ago it remains up to the users and administrators to ensure those patches are deployed. As the OpenSSL library is so widely used, some administrators may be finding unpatched systems for years to come. While network-based defenses are not a substitute for patching software, Heartbleed is detectable using IPS signatures. Palo Alto Networks deployed five signatures in April to defend against this threat, 40039, 36420, 36419, 36418 and 36416.

No matter how well patched your systems are, there’s no reason not to deploy IPS signatures like these to detect and block attempted Heartbleed exploits. If you’ve already deployed signatures and your logs are showing attempted exploits, consider blocking or monitoring the IP addresses sending the requests. A Heartbleed probe could be evidence of the early stages of an attack on your network, and persistent attackers are unlikely to give up after jiggling the handle on the front door.

For more on Heartbleed

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42