Community Health Systems attackers exploited Heartbleed bug for access, firm says

Sources close to the breach investigation tipped off TrustedSec CEO David Kennedy.

The CEO of a security firm believes that the major Community Health Systems (CHS) breach impacting four million patients started with the exploit of a VPN device, which was vulnerable to the notorious Heartbleed bug.

According to David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, attackers targeted a VPN concentrator device manufactured by Juniper Networks.

TrustedSec revealed the information in a Tuesday blog post, and in a Wednesday follow-up interview with SCMagazine.com, Kennedy confirmed that three sources close to the CHS investigation tipped him off to the initial attack vector.

After leveraging the Heartbleed flaw, attackers were able to obtain VPN credentials stored in memory on the CHS Juniper device, Kennedy explained.

In his interview with SCMagazine.com, he added that the attack happened soon after word spread in early April of the pervasive Heartbleed bug, which essentially allows attackers to “read protected pieces of memory that could contain sensitive information,” Kennedy said.

In this case, the obtained information led saboteurs to a trove of data housed by Tennessee-based CHS – names, addresses, birth dates, phone numbers and Social Security numbers belonging to more than four million patients.

CHS, which owns, operates and leases 206 hospitals across the country, was reportedly struck with malware during its breach. Kennedy couldn't confirm that this took place, though he did see it as a logical next step for attackers, one that made “perfect sense.”

“Once [attackers] had those credentials they were sitting on that network with full access,” Kennedy said.

While Kennedy didn't give specifics as to the date of the breach, he did say that attackers compromised the vulnerable device “shortly after the Juniper patch was out,” and that immediate implementation of the fix could have thwarted the breach.

Less than two weeks after the Heartbleed vulnerability was publicly disclosed in April, security firm Mandiant revealed that it was investigating an incident where an attacker “leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions.”

In the blog post, the company detailed an attack scenario which sounds similar to Kennedy's description of the Community Health incident.
