TrustedSec researchers report that the recent breach at Community Health Systems (CHS), which affected approximately 4.5 million people who had been referred to or received services from CHS-affiliated physicians, was enabled by the Heartbleed OpenSSL bug.
The researchers say the attack vector was confirmed by a “trusted and anonymous source” involved in the investigation of the breach. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN,” TrustedSec explained in a blog post.
The time between the release of an exploit and the issuing of a patch, the researchers noted, is the most critical period for any organization. “What we can learn here is that when something as large as HeartBleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay,” they wrote. “Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said by email that CHS is likely the first of many organizations to acknowledge a Heartbleed-related exploit. “Unless fully remediated, Heartbleed leaves open doors for attackers to extract data, including credentials like passwords and encryption keys, which provide long-term visibility and access to the kinds of data stolen from Community Health Systems,” he said.
“IT security teams are clearly under the false notion that they have remediated Heartbleed by applying a software patch,” Bocek added. “Yet if someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door. Organizations must find and replace all of their keys and certificates — all of them.”
Venafi’s recent Q3 Heartbleed Threat Research Analysis found that 97 percent of Global 2000 organizations’ public-facing servers remain vulnerable to cyber attacks due to incomplete Heartbleed remediation. “From June to July 2014, the number of confirmed Heartbleed vulnerable sites was only reduced marginally,” the report stated. “Heartbleed is considered to be one of the worst vulnerabilities in history and should be taken seriously.”
A recent eSecurity Planet article examined several ways for admins and end users to mitigate the threat from Heartbleed.
Still, CHS was vulnerable to more than just Heartbleed. Lookingglass researchers recently found 10 IP addresses associated with CHS that were linked to the Asprox, Kelihos, Conficker, Ramdo, Sality and Zeus Gameover bots. “These bots are known for performing SQL injections, phishing scams, spamming, bitcoin theft, data exfiltration, proxy services, click fraud and banking credential theft,” the researchers noted.
Just one of those infections, Conficker, was discovered back in 2008, and patches were available soon after. “These infections are a strong indicator that systems have gone unpatched for years — a common theme in the healthcare industry,” Lookingglass noted.
“If an advanced nation state penetrated this network, they probably didn’t have to work very hard to gain a foothold,” the researchers added.