Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization's virtual private network (VPN), security researchers said.
When the critical flaw in the OpenSSL cryptographic library came to light 11 days ago, it was best known as a dangerous hole that allowed attackers to siphon out user names, passwords, and even private encryption keys processed by vulnerable Web servers. More recently, researchers confirmed that Heartbleed could be exploited to steal the private keys underpinning the widely used OpenVPN application and likely software for other VPNs that rely on a vulnerable version of OpenSSL.
On Friday, researchers with network security firm Mandiant said Heartbleed had been used to subvert a customer's VPN concentrator, an appliance that typically provides a secure way for people to access a network from outside the organization. The devices frequently require multiple forms of authentication before granting access to an end user. Passwords, previously set authentication cookies, and other types of security tokens are frequently used. That's where Heartbleed came in handy for the hackers, who went to work exploiting the bug less than a day after it became public knowledge. A separate researcher theorized such an attack was possible the same day.