In a blog post published on Friday, they detailed a particular attack they investigated that involved the exploitation of the Heartbleed vulnerability in a SSL VPN concentrator - a device that handles a large number of incoming VPN tunnels.
"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," they shared.
"With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software."
If you are wondering how they know for sure that the Hearbleed bug was exploited in the attack, the answer is that the victim organization implemented a set of IDS signatures to identify Heartbleed network activity, and the IDS alerts were triggered over 17,000 times. Also, the VPN logs showed VPN connections of multiple users speedily “flip flopping” between users' IP address and malicious IP addresses tied to different ISPs.
The identity of the targeted organization is unknown, but according to the NYT, it is a "major corporation with particularly sophisticated attack detection systems."
The attack was spotted in its later stages, when the attacker tried to "move laterally and escalate his/her privileges within the victim organization."
The researchers have several recommendations for organizations worrying about being hit with this type of exploit: patch/upgrade your infrastructure, implement appropriate network intrusion detection signatures to spot the attacks, and check out VPN logs "for instances where the IP address of a session changed quickly and repeatedly between two IP addresses from different network blocks, geographic locations, or from different service providers."