The security firm TrustedSec said in a blog post on Tuesday that a recent hack of the healthcare network Community Health Services was the result of an attack exploiting the so-called “Heartbleed” vulnerability in OpenSSL.
According to TrustedSec, attackers targeted vulnerable VPN (virtual private network) software from Juniper Networks in a breach that affected an estimated 4.5 million patients.
TrustedSec cited a “trusted and anonymous source close to the CHS investigation” in its blog post. It said attackers were able to glean user credentials from memory on a CHS Juniper device by exploiting the Heartbleed vulnerability. Those credentials were used to log in via the VPN to CHS’s network, then move laterally to the servers containing the patient data.
A separate report by Bloomberg attributed the attack to hackers in China, though it did not provide any evidence linking the attackers to a specific Chinese hacking crew, the Chinese government, the People’s Liberation Army (PLA) or compromised infrastructure within the country.
If true, TrustedSec’s claim that the OpenSSL flaw was the root cause of the compromise at CHS would be the first reported incident of Heartbleed being used in a prominent attack.
Large Internet platforms and social media firms were quick to patch Heartbleed. But security firms have warned for months that many software applications that use vulnerable OpenSSL components have not yet been patched.
In June, the firm Secunia warned that “hundreds of services, application software and operating systems make use of OpenSSL for purposes unrelated to delivering pages over HTTPS.” Secunia specifically called out SSL VPNs as a category of application that used OpenSSL and may not have been patched. “The number of systems vulnerable to Heartbleed, then, is almost certainly much larger than originally estimated,” Secunia said.
Read more via CHS Hacked by Heartbleed (Exclusive to TrustedSec).