Attackers used the Heartbleed vulnerability to read user credentials out of the memory of a Juniper device at CHS, then used those credentials to log in through the VPN.
From that foothold, the attackers moved through the network and escalated their access until an estimated 4.5 million patient records had been extracted from a database. This is no surprise: once attackers are on the internal network, their success rate at reaching further systems and obtaining elevated permissions is practically 100%.
This may be the first verified breach in which Heartbleed is known to have been the initial attack vector. There are certain to be others that have not been, or never will be, discovered.
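The credential theft described above comes down to a single missing bounds check in the TLS heartbeat handler (CVE-2014-0160). The C program below is an added example, not code from the article, from Juniper, or from OpenSSL: it reconstructs the vulnerable check and the patched check side by side over a simulated, constructed memory region with a planted credential, so the same malformed request can be watched leaking the credential from one handler and being discarded by the other. The heap layout, the credential string and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated slab of process memory (constructed for this example, not the
   real device's layout). The heartbeat record sits at the start; data left
   over from earlier requests, here a planted username:password, sits after
   it. Everything stays inside this array, so the demo itself is memory-safe. */
#define HEAP_SIZE      256
#define HB_REQUEST     0x01
#define HB_MIN_PADDING 16
#define HB_HDR         3      /* 1 byte type + 2 byte payload length */
#define SECRET "vpnuser:Summer2014!"   /* constructed credential */

static unsigned char heap[HEAP_SIZE];

/* Build a heartbeat record whose length field says claimed_len while the
   payload is really `payload`, then plant `secret` past the record's end.
   Returns the true record length, or 0 if it would not fit in the slab. */
static size_t build_heap(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t rec_len = HB_HDR + plen + HB_MIN_PADDING;
    size_t secret_at = rec_len + 8;
    if (claimed_len > HEAP_SIZE - HB_HDR || secret_at + strlen(secret) + 1 > HEAP_SIZE)
        return 0;
    memset(heap, 0xAA, sizeof heap);          /* filler so leaks are visible */
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(&heap[HB_HDR], payload, plen);
    memcpy(&heap[secret_at], secret, strlen(secret) + 1);
    return rec_len;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 through 1.0.1f: the copy
   length is the peer's length field and is never compared with how many
   bytes actually arrived. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                            /* the bug: never consulted */
    unsigned char type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST || payload_len > out_cap)
        return 0;
    memcpy(out, rec + HB_HDR, payload_len);   /* reads past the record */
    return payload_len;
}

/* Patched handler, mirroring the 1.0.1g fix: the record must be long enough
   for the claimed payload plus minimum padding, else it is silently dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PADDING)
        return 0;
    unsigned char type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST || payload_len > out_cap)
        return 0;
    if (HB_HDR + (size_t)payload_len + HB_MIN_PADDING > rec_len)
        return 0;                             /* claimed length exceeds record */
    memcpy(out, rec + HB_HDR, payload_len);
    return payload_len;
}

/* True if `needle` appears anywhere in the n bytes of a response. */
static int response_contains(const unsigned char *out, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

/* Malformed request: 2-byte payload, length field claims 200. Returns 1 if
   the vulnerable handler leaked the secret and the fixed one refused. */
static int leak_demo(void)
{
    unsigned char out[HEAP_SIZE];
    size_t rec_len = build_heap(200, "hi", SECRET);
    if (rec_len == 0) return 0;
    size_t n_vuln = heartbeat_vulnerable(heap, rec_len, out, sizeof out);
    int leaked = response_contains(out, n_vuln, SECRET);
    size_t n_fixed = heartbeat_fixed(heap, rec_len, out, sizeof out);
    return leaked && n_fixed == 0;
}

/* Well-formed request: the fixed handler still echoes its 2 payload bytes. */
static size_t legit_demo(void)
{
    unsigned char out[HEAP_SIZE];
    size_t rec_len = build_heap(2, "hi", SECRET);
    if (rec_len == 0) return 0;
    return heartbeat_fixed(heap, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked credential, fixed handler refused: %s\n",
           leak_demo() ? "yes" : "no");
    printf("fixed handler echoed %zu bytes of a well-formed heartbeat\n", legit_demo());
    return 0;
}
```

Compile with any C99 compiler and run. The point the patch encodes is the one defenders should carry over to any protocol parser: a length field supplied by the peer must be checked against the bytes that actually arrived before it is allowed to drive a copy, and a request that fails that check is dropped without a reply.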
A further weak point in CHS's infrastructure appears to be the absence of segmentation in the database holding its patient records. CHS operates or leases 206 hospitals in 29 US states, none of which served all 4.5 million patients on its own.
“While Heartbleed was how the credentials were stolen this time,” says Joshua Roback, security architect for SilverSky, “this could have just as easily been a common spear phishing attack, similar to the Target attack earlier this year. The real concern is the ability to hack into the database once logged in, and then exfiltration [of] the data.”