Community Health Systems attackers exploited Heartbleed bug for access, firm says

Sources close to the breach investigation tipped off TrustedSec CEO David Kennedy.

The CEO of a security firm believes that the major Community Health Systems (CHS) breach impacting four million patients started with the exploit of a VPN device, which was vulnerable to the notorious Heartbleed bug.

According to David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, attackers targeted a VPN concentrator device manufactured by Juniper Networks.

TrustedSec revealed the information in a Tuesday blog post, and in a Wednesday follow-up interview with SCMagazine.com, Kennedy confirmed that three sources close to the CHS investigation tipped him off to the initial attack vector.

After leveraging the Heartbleed flaw, attackers were able to obtain VPN credentials stored in memory on the CHS Juniper device, Kennedy explained.

In his interview with SCMagazine.com, he added that the attack happened soon after word spread of the pervasive Heartbleed bug in early April – which essentially allows attackers to “read protected pieces of memory that could contain sensitive information,” Kennedy said.

In this case, the obtained information led saboteurs to a trove of data housed by Tennessee-based CHS – names, addresses, birth dates, phone numbers and Social Security numbers belonging to more than four million patients.

CHS, which owns, operates and leases 206 hospitals across the country, was reportedly struck with malware during its breach. Kennedy couldn't confirm that this took place, though he did see it as a logical next step for attackers, one that made “perfect sense.”

“Once [attackers] had those credentials they were sitting on that network with full access,” Kennedy said.

While Kennedy didn't give specifics as to the date of the breach, he did say that attackers compromised the vulnerable device “shortly after the Juniper patch was out,” and that immediate implementation of the fix could have thwarted the breach.

Less than two weeks after the Heartbleed vulnerability was publicly disclosed in April, security firm Mandiant revealed that it was investigating an incident where an attacker “leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions.”

In the blog post, the company detailed an attack scenario which sounds similar to Kennedy's description of the Community Health incident.
