Hackers took advantage of the Heartbleed vulnerability to break into a major corporation’s network, less than a day after the bug was brought to the public’s attention, security experts told The New York Times.
Officials with Mandiant, an Alexandria, Va.-based network security firm, said in a blog post Friday that a hacker or hackers leveraged the Heartbleed bug to break into an employee’s virtual private network, or VPN.
“Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization,” Mandiant said.
Mandiant didn’t identify the company by name, but a Mandiant investigator told the Times it is a “major corporation.”
The attack occurred on April 8, just one day after the Heartbleed bug became public knowledge. Officials are still assessing what, if any, damage was caused by the hack, the Times said.
Heartbleed is a serious security flaw in OpenSSL, the software that a huge number of websites use to encrypt and transmit data. Hackers exploiting the bug can gain access to sensitive private information such as usernames and passwords.
To date, much of the discussion about Heartbleed has focused on an attacker using the vulnerability to steal private encryption keys from a Web server. The case cited by Mandiant exposed another danger: the potential for hijacking user sessions while employees are logged on to a corporate network.
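The session-hijacking risk described above is something a defender can look for directly in VPN gateway logs: a session token that was issued to one client address and then turns up in requests from a different one. The script below is an added example written for this page, not code from the article or from Mandiant; the log line format, the field names and the sample lines are all constructed assumptions, so adapt the regular expression to whatever your VPN appliance actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN access-log lines (not taken from the article or from
# Mandiant's report). The format is an assumption for this example:
# timestamp, session id, user, client source IP, event name.
SAMPLE_VPN_LOG = """\
2014-04-08T09:02:11Z session=7f3a9c user=jdoe src=198.51.100.23 event=login
2014-04-08T09:05:40Z session=7f3a9c user=jdoe src=198.51.100.23 event=request path=/intranet
2014-04-08T09:07:02Z session=7f3a9c user=jdoe src=203.0.113.77 event=request path=/fileshare
2014-04-08T09:07:30Z session=7f3a9c user=jdoe src=198.51.100.23 event=request path=/mail
2014-04-08T09:10:15Z session=b21e44 user=asmith src=192.0.2.9 event=login
2014-04-08T09:12:48Z session=b21e44 user=asmith src=192.0.2.9 event=request path=/intranet
"""

# Assumed line layout; only the leading fields are needed for the check.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)"
)


def parse_vpn_log(text):
    """Parse log text into a list of dicts; lines that do not match the
    assumed format are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_session_hijack_candidates(records):
    """Return {session_id: {"user", "ips", "ip_changes"}} for every session
    observed from more than one client IP.

    'ip_changes' counts transitions between different source addresses in
    time order. A user who genuinely roams (office to home) typically moves
    once; a stolen session token used while the real user is still active
    interleaves the two addresses, which is the stronger hijack signal."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sid"]].append(rec)

    flagged = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        ips = [r["src"] for r in recs]
        distinct = sorted(set(ips))
        if len(distinct) < 2:
            continue
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        flagged[sid] = {
            "user": recs[0]["user"],
            "ips": distinct,
            "ip_changes": changes,
        }
    return flagged


if __name__ == "__main__":
    hits = find_session_hijack_candidates(parse_vpn_log(SAMPLE_VPN_LOG))
    for sid, info in hits.items():
        print(f"session {sid} user={info['user']} "
              f"ips={info['ips']} ip_changes={info['ip_changes']}")
```

On the constructed sample, session `7f3a9c` is flagged because it alternates between two addresses within a few minutes, while `b21e44` stays on one address and is ignored. In practice you would feed this the gateway's real session log, and the response to a hit is to terminate the session and force re-authentication, which is also the only way to invalidate tokens that may already have been read out of a vulnerable server's memory.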
The Mandiant case is one of the first known attacks involving Heartbleed. Earlier this week, Canadian police charged a 19-year-old man in connection with exploiting the bug to steal taxpayer data from a government website.