Security researchers warn that rogue hackers have been compiling and posting lists of thousands of websites known to be vulnerable to the Heartbleed bug (CVE-2014-0160), which affects some versions of OpenSSL.
“Hackers are posting huge lists of 10,000+ domains that have been run through the automated web-based Heartbleed vulnerability checking tools,” wrote Daniel Ingevaldson from anti-fraud vendor Easy Solutions. “These lists describe whether the web sites are vulnerable, patched, or if SSL was not present.”
While Ingevaldson says this should not come as a surprise given the magnitude of the vulnerability, he cautions that the proliferation of automated “health check” tools on the Internet means that, if you are running a vulnerable version of OpenSSL, sooner or later you may find yourself included in one of these lists and targeted by attackers.
“These scans might lead to automated attacks that harvest login credentials en masse,” Ingevaldson continued. “Since we still live in a world filled with single-factor authentication and an over-reliance on out-of-wallet questions, we can expect an increase in account takeover attacks by simply pulling credentials from the memory of vulnerable servers and automatically testing them against other sites.”
Researchers are still debating whether exploit code could be developed that forces a vulnerable server to leak enough of its memory to fully reconstruct the private encryption key, which would expose sensitive data and communications.
“If not, [Heartbleed is] still really bad—servers can expose usernames, passwords, contents of encrypted communication. If so, it’s even worse because it would allow decryption of any SSL traffic even after the bug was fixed,” Ingevaldson said.
“Don’t be penny wise and pound foolish. Patch your systems and replace your certs. Vulnerabilities are provable in the moment, but exploitability generally increases over time.”