Websites Fixing Heartbleed Bug, VPNs Still Vulnerable

After the initial panic over the Heartbleed bug, which some researchers earlier this month guessed had infected two-thirds of all Web servers, researchers at Sucuri reported Friday that just 2 percent of the top 1 million websites on the Internet remain infected and all of the top 1,000 sites have been patched against the OpenSSL vulnerability.
But also on Friday, Mandiant researchers reported an attack they tracked beginning on April 8 in which an attacker "leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client's environment," culminating in the hijacking of "multiple active user sessions."
So in short, the good news is that the vast majority of websites, and all of the most heavily trafficked sites on the Web, have fixed this vulnerability, which is an exploit of a bug in Open SSL code responsible for sending "Heartbeat" notifications between servers and clients, including PCs and mobile devices.
The not-so-good news is that there may have been more folks out there using the Heartbleed exploit to steal private data and take over user sessions than we previously thought. There's been one notable arrest of a Heartbleed attacker to date, a Canadian teen alleged to have exploited the bug to pilfer taxpayer data from the Canada Revenue Agency.
Since we haven't heard much about any other specific attacks using Heartbleed and with the pretty rapid movement by prominent websites to fix the problem as documented Sucuri, there's a feeling we all may have dodged a bullet here.
Not so fast, say Mandiant researchers Christopher Glyer and Chris DiGiamo. Their research has led them to believe that too much Heartbleed discussion on the Internet "has focused on an attacker using the vulnerability to steal private keys from a Web server, and less on the potential for session hijacking" like the attack Mandiant tracked.
The researchers offered evidence for their belief that the attacker they tracked had "stolen legitimate user session tokens":

• A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization's SSL VPN.
• The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, "flip flopping", between the malicious IP address and the user's original IP address. In several cases the "flip flopping" activity lasted for multiple hours.
• The timestamps associated with the IP address changes were often within one to two seconds of each other.
• The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
• The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

The Mandiant researchers recommended that all organizations running remote access software and appliances determined to be vulnerable to the Heartbleed exploit both upgrade with available patches immediately and review their VPN logs to see if an attack had occurred in the past.