Attack on Trust Threat Bulletin: APT Operators Exploit Heartbleed

Situation

On 20 August 2014, TrustedSec reported that Advanced Persistent Threat (APT) operators exploiting Heartbleed were responsible for the data breach of 4.5 million Community Health System patients. The Heartbleed exploit was used against a Juniper system behind the firewall to expand the APT operators’ attack in order, ultimately, to reach the patient records database.

This breach is significant for two reasons:

• It demonstrates how APT attackers will patiently exploit Heartbleed over time.
• The target was a behind-the-firewall system where Heartbleed remediation has been a low priority in many organizations.

The incident likely shows, as is being reported by TIME and Bloomberg, that attackers stole TLS/SSL keys and certificates to execute the breach (further confirmation needs to made).  

Heartbleed remediation, as defined by experts from Bruce Schneier to Gartner, is still overwhelmingly incomplete in most organizations. Venafi Labs recently found 97% of Global 2000 public-facing systems remain vulnerable to attack following Heartbleed to attacks due to incomplete remediation. Complete remediation requires not only a system to be patched, but also new keys to be generated and then certificates to be re-issued, installed, validated, and revoked.

Venafi CISO, Tammy Moskites, has prepared guidelines for CISOs and their teams on why organizations need to prepare to respond to more incidents like Heartbleed.

Threat

CloudFlare and others have confirmed attackers’ ability to steal SSL/TLS keys and certificates by exploiting the Heartbleed vulnerability. The resulting use of stolen keys allows attackers to spoof trusted services and decrypt private communications. Such exploits can enable attackers to steal intellectual property, breach customer privacy directly, or allow the attacker to expand their foothold to reach the primary target.

Given that remediation of public-facing systems was prioritized in most Heartbleed responses, and that many more behind-the-firewall systems remain vulnerable, it is likely that the lack of complete Heartbleed remediation is worse than what Venafi Labs, Netcraft, and others found. This delay in completing a full remediation, including revoking and reissuing all certificates and keys, provided APT operators ample time to plan and coordinate key-stealing incidents that facilitated the data breach. Both the Aviva compromise (that used Heartbleed and was executed 6 weeks after the vulnerability was first reported) and now the Community Health System compromise demonstrate the patience and persistence of APT operators. These examples also provide a reminder that Heartbleed is not over and that remediation by changing all keys and certificates in the organization must be completed.

Impact

Organizations must act quickly to complete Heartbleed remediation for all systems, both public facing and behind-the-firewall. Heartbleed remediation requires that all keys and certificates be replaced, not just for a system to be patched. Incomplete remediation means that business and government services can be spoofed with the trust that a valid digital certificate provides and sensitive communications can be decrypted.

APT operators, from Mask to Crouching Yeti, have been known to exploit stolen keys over a period of up to 7 years. Until keys and certificates are replaced, your network, intellectual property, and customer data is still vulnerable.  

Furthermore, failing to remediate Heartbleed undermines other security controls, from strong authentication and privileged access to behavioral analysis and network access, because attackers have the trusted status of valid keys and certificates to authenticate and cloak their malicious activities.

Recommended Remediation

Venafi recommends customers complete Heartbleed remediation following guidance from Gartner and others, as follows:

• Identify all systems using OpenSSL 1.0.1 – 1.0.1f and upgrade to OpenSSL 1.0.1g
• Prioritize replacement of keys and certificates to fix based on knowledge of vulnerable applications
• Generate new keys and X.509 certificates
• Install new keys and certificates on servers, revoke vulnerable certificates
• Validate new keys and certificates are being used

Venafi customers can learn more about this process and receive additional guidance from the Venafi support team.

Venafi recommends customers use the Venafi Trust Protection Platform to take the following actions:

1. Replace all TLS/SSL keys and certificates with Venafi TrustAuthority and Venafi TrustForce:
   • Prioritize replacement first for systems known to be Heartbleed vulnerable.
   • With TrustAuthority, generate and distribute new keys and certificates.
   • With TrustForce, installation and validation will occur automatically, greatly reducing the time to when remediation is complete and the organization is no longer vulnerable.
2. Validate and report on remediation
   • Using the shared reporting services of the Trust Protection Platform, organizations can identify their progress in reducing risk.
   • The Venafi support team can provide more information and examples.
3. Replace all SSH keys and certificates with TrustForce:
   • Replace all SSH keys by rolling over older versions—installing, validating, and updating authorized key lists will be performed automatically, greatly reducing the time to when remediation is complete and the organization is no longer vulnerable.
   • Just like passwords and TLS/SSL keys and certificates are changed, replacement of all SSH keys is recommended to stop possible expansion of attacks from privileged accounts.

Please contact Venafi support with any questions or a request for help with remediation.

Additional Resources

• TrustedSec Report on Heartbleed Vulnerability Exploit: https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/
• Gartner Recommendations on Heartbleed Remediation: http://blogs.gartner.com/erik-heidt/heartbleed-exploit-in-openssl-how-should-you-respond/
• Completing Heartbleed Remediation with Venafi Trust Protection Platform: https://www.venafi.com/solutions/heartbleed-vulnerability/remediating-the-heartbleed
• Heartbleed Remediation Plugin for Venafi Trust Protection Platform: https://support.venafi.com/entries/53032657