Aug 20 2014
The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability. The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated. Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server. That portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN. From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.
Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months? Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around. And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.
I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals. Of course it was linked to China; everything Mandiant finds is linked to China somehow. Or I could just be making light of a serious situation.