Breach, Data Security, Incident Response, TDR, Vulnerability Management

Community Health Systems attackers exploited Heartbleed bug for access, firm says

The CEO of a security firm believes that the major Community Health Systems (CHS) breach impacting four million patients started with the exploit of a VPN device, which was vulnerable to the notorious Heartbleed bug.

According to David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, attackers targeted a VPN concentrator device manufactured by Juniper Networks.

TrustedSec revealed the information in Tuesday blog post, and in a Wednesday follow up interview with, Kennedy confirmed that three sources close to the CHS investigation tipped him off to the initial attack vector.

After leveraging the Heartbleed flaw, attackers were able to obtain VPN credentials stored in memory on the CHS Juniper device, Kennedy explained.

In his interview with, he added that the attack happened soon after word spread of the pervasive Heartbleed bug in early April – which essentially allows attackers to “read protected pieces of memory that could contain sensitive information,” Kennedy said.

In this case, the obtained information led saboteurs to a trove of data housed by Tennessee-based CHS – names, addresses, birth dates, phone numbers and Social Security numbers belonging to more than four million patients.

CHS, which owns, operates and leases 206 hospitals across the country, was reportedly struck with malware during its breach –  a move, which Kennedy couldn't confirm took place, though he did see it as a logical next step for attackers, which made “perfect sense.”

“Once [attackers] had those credentials they were sitting on that network with full access,” Kennedy said.

While Kennedy didn't give specifics as to the date of the breach, he did say that attackers compromised the vulnerable device “shortly after the Juniper patch was out,” and that immediate implementation of the fix could have thwarted the breach.

Less than two weeks after the Heartbleed vulnerability was publicly disclosed in April, security firm Mandiant revealed that it was investigating an incident where an attacker “leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions.”

In the blog post, the company detailed an attack scenario which sounds similar to Kennedy's description of the Community Health incident.

At the time, Mandiant said that the attacker obtained active session tokens via the exploit and “convinced the VPN concentrator that he/she was legitimately authenticated.” The attacker later “attempted to move laterally and escalate [their] privileges within the victim organization,” after having connected to the VPN, the firm said.

In Wednesday email correspondence with, a spokesperson for FireEye (which owns the Mandiant unit) said that the company wasn't hired by CHS until June 2014 to investigate "a suspected breach." The company declined to comment further on any possible ties between the incidents citing the "ongoing investigation."

On Tuesday, Websense Security Labs revealed new findings on malicious activity increasingly impacting health care organizations in recent months, with the majority of attacks delivered by way of the Heartbleed bug.

On Wednesday, Carl Leonard, senior manager of security researcher at Websense, told in an interview that the findings, along with the recent CHS breach revelations, presented a “wake-up call for the health care sector.”

“We know that the data that these organizations store is incredibly valuable,” Leonard said, explaining that identity theft and insurance fraud could be goals for attackers, as well as criminals gleaning financial data to acquire infrastructure for subsequent attacks.

In addition, the CHS incident also provided another lesson, he added. “As soon as vulnerabilities are known, it's worth building [patches for them] into your security posture,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.