On 20 August 2014, TrustedSec reported that Advanced Persistent Threat (APT) operators exploiting Heartbleed were responsible for the data breach of 4.5 million Community Health System patients. The Heartbleed exploit was used against a Juniper system behind the firewall to expand the APT operators’ attack in order, ultimately, to reach the patient records database.
This breach is significant for two reasons:
The incident likely shows, as is being reported by TIME and Bloomberg, that attackers stole TLS/SSL keys and certificates to execute the breach (further confirmation is still needed).
Heartbleed remediation, as defined by experts from Bruce Schneier to Gartner, is still overwhelmingly incomplete in most organizations. Venafi Labs recently found that 97% of Global 2000 public-facing systems remain vulnerable to attack following Heartbleed because of incomplete remediation. Complete remediation requires not only that a system be patched, but also that new private keys be generated, that certificates be re-issued on those new keys, installed and validated, and that the old certificates be revoked.
Venafi CISO, Tammy Moskites, has prepared guidelines for CISOs and their teams on why organizations need to prepare to respond to more incidents like Heartbleed.
CloudFlare and others have confirmed attackers’ ability to steal SSL/TLS keys and certificates by exploiting the Heartbleed vulnerability. The resulting use of stolen keys allows attackers to spoof trusted services and decrypt private communications. Such exploits can enable attackers to steal intellectual property, breach customer privacy directly, or allow the attacker to expand their foothold to reach the primary target.
Given that remediation of public-facing systems was prioritized in most Heartbleed responses, and that many more behind-the-firewall systems remain vulnerable, the gap in Heartbleed remediation is likely worse than what Venafi Labs, Netcraft, and others found. This delay in completing a full remediation, including revoking and reissuing all certificates and keys, gave APT operators ample time to plan and coordinate the key-stealing incidents that facilitated the data breach. Both the Aviva compromise (which used Heartbleed and was executed six weeks after the vulnerability was first reported) and now the Community Health System compromise demonstrate the patience and persistence of APT operators. These examples are also a reminder that Heartbleed is not over and that remediation by changing all keys and certificates in the organization must be completed.
Organizations must act quickly to complete Heartbleed remediation for all systems, both public-facing and behind the firewall. Heartbleed remediation requires that all keys and certificates be replaced, not just that the system be patched. Incomplete remediation means that business and government services can be spoofed with the trust that a valid digital certificate provides, and that sensitive communications can be decrypted.
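The distinction the two passages above draw between "patched" and "remediated" is easy to lose in an inventory spreadsheet. The following checker is an added example written for this page (it is not Venafi, Gartner or Netcraft code) that encodes each remediation step as a separate test over a constructed host inventory: the OpenSSL version must be outside the affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1), the served public key must differ from the pre-incident key, the certificate must have been issued after both the disclosure date and the date the host was patched, and the old certificate must be revoked. The host names, fingerprints and dates in the inventory are invented; the version-string check is a heuristic because distributions backport the fix without changing the upstream version string.

```python
"""Heartbleed remediation-status check (added example, not the article's or
Venafi's own code). A host is "remediated" only when every step is done in the
right order: library fixed, fresh private key generated after the fix,
certificate re-issued on that key, old certificate revoked.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Public disclosure date, also the release date of the fixed OpenSSL 1.0.1g.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_vulnerable(version: str) -> bool:
    """True if an upstream OpenSSL version string is in the affected range.

    Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1 (fixed in 1.0.2-beta2).
    0.9.8 and 1.0.0 never contained the heartbeat code. Caveat: distributions
    backport the fix without bumping the upstream string (a Debian package
    named 1.0.1e-2+deb7u5 is fixed), so treat a hit as "needs confirmation".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    if (int(major), int(minor)) != (1, 0):
        return False
    if int(patch) == 1:
        return letter < "g"          # "" (plain 1.0.1) through "f" are affected
    if int(patch) == 2:
        return beta == "1"           # only 1.0.2-beta1 shipped the bug
    return False


@dataclass
class HostRecord:
    """One TLS endpoint from an inventory (fields are constructed for this example)."""
    host: str
    openssl_version: str
    patched_on: Optional[date]        # None = library not yet patched
    old_key_fingerprint: str          # SHA-256 of the pre-incident public key
    current_key_fingerprint: str      # SHA-256 of the public key served now
    cert_not_before: date             # notBefore of the certificate served now
    old_cert_revoked: bool


def remediation_gaps(rec: HostRecord) -> List[str]:
    """Return the unfinished remediation steps; an empty list means fully remediated."""
    gaps: List[str] = []
    if rec.patched_on is None or openssl_vulnerable(rec.openssl_version):
        gaps.append("library not patched")
    if rec.current_key_fingerprint == rec.old_key_fingerprint:
        # A certificate re-issued on the old key just re-certifies a leaked key.
        gaps.append("private key not regenerated")
    if rec.cert_not_before < HEARTBLEED_DISCLOSED:
        gaps.append("certificate not re-issued since disclosure")
    elif rec.patched_on is not None and rec.cert_not_before < rec.patched_on:
        # Rekeyed while still vulnerable: the new key could have leaked as well.
        gaps.append("certificate issued before the host was patched")
    if not rec.old_cert_revoked:
        gaps.append("old certificate not revoked")
    return gaps


def is_remediated(rec: HostRecord) -> bool:
    return not remediation_gaps(rec)


def summarize(inventory: List[HostRecord]) -> Dict[str, List[str]]:
    """Map host -> gaps so the 'patched but not remediated' set is visible at a glance."""
    return {rec.host: remediation_gaps(rec) for rec in inventory}


# Constructed inventory: one host per common failure mode (hypothetical names and values).
INVENTORY = [
    HostRecord("www.example.com", "1.0.1g", date(2014, 4, 8),
               "sha256:aaaa", "sha256:bbbb", date(2014, 4, 9), True),   # done properly
    HostRecord("portal.example.com", "1.0.1g", date(2014, 4, 8),
               "sha256:cccc", "sha256:cccc", date(2014, 4, 10), True),  # re-issued on same key
    HostRecord("vpn.example.com", "1.0.1g", date(2014, 4, 20),
               "sha256:dddd", "sha256:eeee", date(2014, 4, 9), True),   # rekeyed before patching
    HostRecord("intranet.example.com", "1.0.1e", None,
               "sha256:ffff", "sha256:ffff", date(2013, 11, 1), False), # behind-the-firewall, untouched
]

if __name__ == "__main__":
    for host, gaps in summarize(INVENTORY).items():
        print(f"{host}: {'remediated' if not gaps else ', '.join(gaps)}")
```

Only the first host passes; the other three are exactly the cases a "patched?" column hides: a certificate re-issued on the unchanged key, a key rotated before the library was fixed, and an internal system nobody got to. In practice the fingerprints come from the served certificate (for example `openssl s_client` piped to `openssl x509 -pubkey`, hashed) and the pre-incident fingerprint from the certificate inventory, which is why the inventory has to have existed before the incident.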
APT operators, from Mask to Crouching Yeti, have been known to exploit stolen keys over periods of up to 7 years. Until keys and certificates are replaced, your network, intellectual property, and customer data are still vulnerable.
Furthermore, failing to remediate Heartbleed undermines other security controls, from strong authentication and privileged access to behavioral analysis and network access, because attackers have the trusted status of valid keys and certificates to authenticate and cloak their malicious activities.
Venafi recommends customers complete Heartbleed remediation following guidance from Gartner and others, as follows:
Venafi customers can learn more about this process and receive additional guidance from the Venafi support team.
Venafi recommends customers use the Venafi Trust Protection Platform to take the following actions:
Please contact Venafi support with any questions or a request for help with remediation.