When the Heartbleed vulnerability was made public last week, it seemed terrifying. Afflicting thousands of servers across the Internet, the bug had the potential to expose a wide variety of private data, including credit card numbers, passwords, and even a server's private encryption keys.
But one question that came up a lot was whether anyone had actually used Heartbleed to attack real computer systems. For the first few days, no one could point to real-world examples of Heartbleed attacks.
But now that uncertainty has been put to rest, as the security firm Mandiant reports that it has observed a Heartbleed attack occurring "in the wild." The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the Internet that are least likely to have been updated to protect against Heartbleed.
The attack worked like this. When a user logs into a VPN service, it issues a "session token," a temporary credential that is supposed to prove that the user has already been authenticated. By stealing that session token from the server's memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization's internal network.
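Heartbleed leaks server memory because a vulnerable OpenSSL trusted the length field inside a TLS heartbeat message instead of checking it against the bytes actually received. The following is an added example, not code from this article, from Mandiant or from OpenSSL: a small passive check, written the way an intrusion-detection rule would be, that parses a TLS record and flags a heartbeat whose declared payload length cannot fit inside the record carrying it. The message layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding); the sample records are constructed here for testing and are not captured traffic.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520).
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
# RFC 6520 requires at least 16 bytes of padding after the payload.
MIN_PADDING = 16


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment).

    Raises ValueError when the header or body is truncated.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds captured bytes")
    return content_type, version, fragment


def check_heartbeat(record: bytes):
    """Classify one TLS record as a passive sensor would.

    Returns (verdict, detail). 'alert' means the heartbeat's declared
    payload_length cannot fit in the record that carries it, which is
    the bound an unpatched OpenSSL failed to enforce before copying.
    """
    content_type, _version, fragment = parse_tls_record(record)
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return "ignore", "not a heartbeat record"
    if len(fragment) < 3:
        return "malformed", "heartbeat shorter than its own 3-byte header"
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed", f"unknown heartbeat type {hb_type}"
    # Header (3 bytes) + claimed payload + minimum padding must fit.
    required = 1 + 2 + payload_length + MIN_PADDING
    if required > len(fragment):
        carried = len(fragment) - 3
        return "alert", (f"declared payload_length={payload_length} "
                         f"but only {carried} bytes follow the header")
    return "ok", f"heartbeat type {hb_type}, payload_length={payload_length}"


def build_heartbeat(payload: bytes, declared_length=None,
                    padding: int = MIN_PADDING) -> bytes:
    """Construct a TLS 1.1 heartbeat request record for exercising the check.

    declared_length defaults to the true payload size; any other value
    produces the length mismatch the detector is meant to flag.
    """
    if declared_length is None:
        declared_length = len(payload)
    fragment = (struct.pack("!BH", HEARTBEAT_REQUEST, declared_length)
                + payload + b"\x00" * padding)
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, 0x0302, len(fragment)) + fragment


# Constructed sample records (not taken from any real incident).
SAMPLE_RECORDS = {
    "benign_ping": build_heartbeat(b"ping"),
    # Declared length far larger than the bytes actually present.
    "oversized_length": build_heartbeat(b"", declared_length=0x4000),
    # Application-data record: the sensor should leave it alone.
    "app_data": struct.pack("!BHH", 0x17, 0x0302, 2) + b"\x00\x01",
}


def scan(records):
    """Run the check over a dict of records and return name -> verdict."""
    return {name: check_heartbeat(rec)[0] for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, detail = check_heartbeat(rec)
        print(f"{name:18s} {verdict:9s} {detail}")
```

The same bound also flags a heartbeat with too little padding, which is why a benign-looking message built with `padding=0` is reported as an alert rather than silently accepted; the check is intentionally strict, since a sensor in front of an appliance that cannot be patched quickly would rather review a false positive than miss a read past the buffer.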
In the immediate aftermath of Heartbleed's discovery, the vulnerability of big organizations like Google and Tumblr got most of the press. But those are huge firms employing thousands of engineers. They quickly updated their software and hardened their defenses.
The problem is that OpenSSL is used by a lot of smaller companies in a wide variety of special-purpose networking appliances. The software on these network appliances may not be as easy to upgrade as a general-purpose web server. And organizations might not even realize that their devices are running OpenSSL in the first place, much less know how to fix it.
That means we should expect to see organizations being hit with Heartbleed attacks for a long time to come. It'll be a recurring reminder that we don't invest nearly enough to secure our IT infrastructure.