Community Health Systems attackers exploited Heartbleed bug for access, firm says

Share this article:
Community Health Systems attackers exploited Heartbleed bug for access, firm says
Sources close to the breach investigation tipped off TrustedSec CEO David Kennedy.

The CEO of a security firm believes that the major Community Health Systems (CHS) breach impacting four million patients started with the exploit of a VPN device, which was vulnerable to the notorious Heartbleed bug.

According to David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, attackers targeted a VPN concentrator device manufactured by Juniper Networks.

TrustedSec revealed the information in Tuesday blog post, and in a Wednesday follow up interview with, Kennedy confirmed that three sources close to the CHS investigation tipped him off to the initial attack vector.

After leveraging the Heartbleed flaw, attackers were able to obtain VPN credentials stored in memory on the CHS Juniper device, Kennedy explained.

In his interview with, he added that the attack happened soon after word spread of the pervasive Heartbleed bug in early April – which essentially allows attackers to “read protected pieces of memory that could contain sensitive information,” Kennedy said.

In this case, the obtained information led saboteurs to a trove of data housed by Tennessee-based CHS – names, addresses, birth dates, phone numbers and Social Security numbers belonging to more than four million patients.

CHS, which owns, operates and leases 206 hospitals across the country, was reportedly struck with malware during its breach –  a move, which Kennedy couldn't confirm took place, though he did see it as a logical next step for attackers, which made “perfect sense.”

“Once [attackers] had those credentials they were sitting on that network with full access,” Kennedy said.

While Kennedy didn't give specifics as to the date of the breach, he did say that attackers compromised the vulnerable device “shortly after the Juniper patch was out,” and that immediate implementation of the fix could have thwarted the breach.

Less than two weeks after the Heartbleed vulnerability was publicly disclosed in April, security firm Mandiant revealed that it was investigating an incident where an attacker “leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions.”

In the blog post, the company detailed an attack scenario which sounds similar to Kennedy's description of the Community Health incident.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.