Researchers earlier this month estimated that Heartbleed affected two-thirds of all Web servers. On Friday, researchers at Sucuri reported that just 2 percent of the top 1 million websites on the Internet remain vulnerable and that all of the top 1,000 sites have been patched against the OpenSSL vulnerability. But Mandiant is tracking a scary new attack vector: VPN user sessions.
Also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker “leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment,” culminating in the hijacking of “multiple active user sessions.”
Mandiant said the attackers exploited the security vulnerability in OpenSSL running in the client’s SSL VPN concentrator to remotely access active sessions.
This is just the latest in an escalating series of attacks leveraging Heartbleed, a bug in OpenSSL’s heartbeat functionality which, if enabled, returns 64KB of the peer’s memory in plaintext to any client or server requesting a connection. Already there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough leaked memory to recover a server’s private SSL key.
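To make the mechanism concrete, here is an added illustration (not code from the article, from Mandiant or from OpenSSL) that models a heartbeat message as RFC 6520 lays it out: a one-byte type, a two-byte payload length, the payload, and padding. The `respond_unchecked` function trusts the sender’s length field and so copies whatever sits after the record in memory; `respond_checked` applies the bounds check the OpenSSL fix added, refusing any message whose claimed payload does not fit inside the received record. The bytes in `ADJACENT_MEMORY` are a constructed stand-in for whatever happened to be next in process memory.

```python
import struct

# Constructed stand-in for the bytes that happen to sit in process memory just
# after the received record; a correct implementation must never return them.
ADJACENT_MEMORY = b"session=7f3a9c;user=alice;password=hunter2"

# Layout of a heartbeat message (RFC 6520): 1-byte type, 2-byte payload
# length, the payload itself, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may disagree with the payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def respond_unchecked(memory: bytes) -> bytes:
    """Echo back claimed_len bytes, trusting the sender (the Heartbleed defect)."""
    _msg_type, claimed_len = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed_len]


def respond_checked(memory: bytes, record_len: int) -> bytes:
    """Echo back the payload only if it fits inside the received record."""
    _msg_type, claimed_len = struct.unpack("!BH", memory[:3])
    # The check the OpenSSL fix introduced: type + length + payload + padding
    # must not exceed the length of the TLS record that was actually received.
    if 1 + 2 + claimed_len + PADDING > record_len:
        raise ValueError("heartbeat payload length exceeds record; message dropped")
    return memory[3:3 + claimed_len]


def simulate(payload: bytes, claimed_len: int) -> dict:
    """Run both responders against a record that is followed by unrelated memory."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + ADJACENT_MEMORY
    result = {"record_len": len(record), "unchecked_leaks": False, "checked_rejects": False}
    leaked = respond_unchecked(memory)
    # Did the unchecked responder hand back bytes from beyond the record?
    result["unchecked_leaks"] = ADJACENT_MEMORY[:8] in leaked
    try:
        respond_checked(memory, len(record))
    except ValueError:
        result["checked_rejects"] = True
    return result


if __name__ == "__main__":
    print(simulate(b"ping", 4))     # honest length: no leak, not rejected
    print(simulate(b"ping", 2000))  # oversized length: unchecked responder leaks
```

The honest request behaves identically under both responders; only when the length field is larger than the payload does the unchecked path hand back the adjacent bytes, which is exactly the class of data (session IDs, credentials, key material) the article describes being stolen.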
Mandiant said the attacker was able to steal active user session tokens in order to bypass the organization’s multifactor authentication and VPN client software used to validate the authenticity of systems connecting to network resources.
The Mandiant researchers recommended that all organizations running remote access software or appliances found to be vulnerable to Heartbleed both apply the available patches immediately and review their VPN logs for signs that an attack has already occurred.
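The article says to review VPN logs but does not say what to look for. One heuristic a defender can apply to a session hijack of the kind described (a stolen token reused by someone other than the legitimate user) is to look for a single session whose source address changes while the session is still active. The script below is an added example, not part of the article or the Mandiant report; the log format, the field names and the log lines themselves are constructed for the illustration, and the source-address heuristic is an assumption rather than a published indicator.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed VPN concentrator log lines (not from the Mandiant report). Session
# S1 is the suspicious one: its source address flips between two networks while
# the session stays alive. S2 is a normal session from a single address.
SAMPLE_LOG = """\
2014-04-08T10:01:02Z event=login   session=S1 user=alice src=203.0.113.5
2014-04-08T10:02:00Z event=login   session=S2 user=bob   src=203.0.113.9
2014-04-08T10:05:10Z event=request session=S1 user=alice src=203.0.113.5
2014-04-08T10:06:30Z event=request session=S1 user=alice src=198.51.100.77
2014-04-08T10:06:45Z event=request session=S1 user=alice src=203.0.113.5
2014-04-08T10:07:00Z event=request session=S1 user=alice src=198.51.100.77
2014-04-08T10:09:00Z event=request session=S2 user=bob   src=203.0.113.9
"""

# Assumed key=value layout; adapt the pattern to the appliance's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=(?P<event>\S+)\s+session=(?P<session>\S+)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_session_anomalies(log_text: str) -> dict:
    """Return sessions whose source address changed mid-session, with counts.

    A session token that is presented from two different addresses in quick
    alternation is consistent with a second party replaying a stolen token
    while the real user is still connected.
    """
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            history[rec["session"]].append((rec["ts"], rec["src"], rec["user"]))

    findings = {}
    for session, events in history.items():
        events.sort()  # ISO-8601 timestamps in UTC sort correctly as strings
        srcs = [src for _, src, _ in events]
        # Count every change of source address between consecutive events.
        switches = sum(1 for a, b in zip(srcs, srcs[1:]) if a != b)
        if switches:
            findings[session] = {
                "user": events[0][2],
                "addresses": sorted(set(srcs)),
                "switches": switches,
            }
    return findings


if __name__ == "__main__":
    for session, info in find_session_anomalies(SAMPLE_LOG).items():
        print(f"{session}: user={info['user']} addresses={info['addresses']} "
              f"switches={info['switches']}")
```

A single address change can be benign (a laptop moving from office Wi-Fi to a mobile hotspot), so the count of switches and the timing matter more than the mere presence of a second address; repeated alternation within minutes, as in session S1 above, is the pattern worth escalating, and the window to search is the one the article gives, from April 8 onward for an unpatched concentrator.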
The post VPN is Still Vulnerable to Heartbleed appeared first on Am I Hacker Proof.