Using Heartbleed, the name for a flaw in security that is used in a wide range of web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or so-called VPN, session.
From there, the hacker or hackers used the Heartbleed bug about 1,000 times until successfully extracting information like passwords to get broader access to the victim’s network, said researchers at Mandiant, a cybersecurity firm.
The targeted company only noticed the attack in its later stages. When it began analyzing what happened, it realized the Heartbleed bug was used as the entry point, said Christopher Glyer, an investigator at Mandiant.
It’s a statement from Mandiant and so some mindfulness should be taken when reading their comments. (The same is true when parsing statements from other for-profit security companies.) Still, that Heartbleed is not only weaponized (that happened almost immediately after it was integrated into Metasploit) but is showing up in the wild prominently enough to warrant a response from Mandiant demonstrates why Heartbleed is going to be a problem for years going forward. For a good, if technical, discussion of why the hurt is just going to continue (like all things that involve breaking SSL…) see Adam Langley’s recent post titled “No, Don’t Enable Revocation Checking.”
Also: even if you don’t read Adam’s post you can follow the lesson he provides in the title of his technical post. If in the aftermath of the Heartbleed vulnerability you enabled Revocation Checking in Chrome then disable it, ASAP.