We have read practically everything about the Heartbleed bug that affects the OpenSSL library, and we have seen its effects on servers, on mobile devices and on Tor anonymity. Now let's focus on the possibility of exploiting it to hijack VPN sessions.
“This post focuses on a Mandiant investigation where a targeted threat actor leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment and steps to identify retroactively if this occurred to your organization,” states the official Mandiant post.
“With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”
“The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software,” wrote Mandiant experts Christopher Glyer and Chris DiGiamo.
The following evidence proved the attacker had stolen legitimate user session tokens:
(Security Affairs – VPN, Mandiant)
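A hijacked session token means one VPN session is used by two parties at once, so a retroactive check can look for sessions whose source address switches back and forth within a short time. The sketch below is an added example, not code from the Mandiant post; the log format, field names, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN log format (not from the Mandiant post).
SAMPLE_LOG = """\
2014-04-08T10:00:01 session=a91f user=alice src=198.51.100.7
2014-04-08T10:00:05 session=77c2 user=bob src=198.51.100.20
2014-04-08T10:00:40 session=a91f user=alice src=203.0.113.50
2014-04-08T10:00:55 session=a91f user=alice src=198.51.100.7
2014-04-08T10:01:10 session=a91f user=alice src=203.0.113.50
2014-04-08T10:30:00 session=77c2 user=bob src=192.0.2.14
2014-04-08T11:45:00 session=77c2 user=bob src=192.0.2.14
"""

LINE_RE = re.compile(r"^(\S+) session=(\S+) user=(\S+) src=(\S+)$")

def find_flapping_sessions(log_text, window=timedelta(minutes=5), min_switches=2):
    """Return {session_id: info} for sessions whose source IP changed at least
    min_switches times, each change within `window` of the previous event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, sid, user, src = m.groups()
        events[sid].append((datetime.fromisoformat(ts), user, src))

    flagged = {}
    for sid, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Count IP changes between consecutive events of the same session.
        # One slow change looks like roaming; rapid repeated changes do not.
        switches = sum(
            1 for (t0, _, ip0), (t1, _, ip1) in zip(evs, evs[1:])
            if ip0 != ip1 and t1 - t0 <= window
        )
        if switches >= min_switches:
            flagged[sid] = {
                "user": evs[0][1],
                "ips": sorted({e[2] for e in evs}),
                "switches": switches,
            }
    return flagged

if __name__ == "__main__":
    for sid, info in find_flapping_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

A session flagged this way is a lead to investigate, not proof of hijacking: NAT pools and multi-homed clients can also produce rapid address changes.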