A recent report released by Shodan found that as of January 22, 2017, nearly 200,000 publicly accessible internet devices were vulnerable to Heartbleed.
The detailed report gives some insight into those who continue to be exposed to this vulnerability. It’s no surprise that the majority of these systems are HTTPS pages hosted by Apache and running on Linux, as this has been the case for the lifetime of Heartbleed. The interesting aspects are the top organizations and domains that are vulnerable.
Digging into the numbers, I would assume two categories of vulnerable systems dominate the Heartbleed count. The first is hosted websites, specifically on Amazon AWS. Amazon.com is the second-ranked organization with 5,163 vulnerable systems, while amazonaws.com is the number one domain with 6,375 vulnerable systems, nearly beating out the next two top domains combined.
The second category of vulnerable systems is exposed routers and/or firewalls with publicly accessible web administration consoles. Quite a few Internet Service Providers appear on this list, including Verizon, Comcast and South Korea Broadband.
Additionally, products such as FortiWifi 80C, DD-WRT and SonicWALL SSL-VPN also appear in the top products report.
But are these two categories of systems even being targeted by attackers on the Internet?
Within 10 days of its disclosure, a teenager stole private data from a taxpayer website by exploiting Heartbleed. While hard data on exploitation of Heartbleed against routers is not available, we do know that other exploits are actively being used. This fairly critical vulnerability was announced back in April 2014, with a fix available on April 7 of that month.
For those counting, this means a fix for Heartbleed has now been available for over 1,000 days. One can only imagine what attackers have been doing to these systems over that time span, and will continue to do for the next 1,000 days.
What this report is clearly showing is that security is a journey, not a destination. One can assume that many of the systems that are still vulnerable to Heartbleed were considered “secure” at some point during their initial deployment.
Advanced attackers aren’t exclusively using zero-day exploits against their targets. It’s all about efficiency and getting the job done, so known vulnerabilities and existing exploits will be tried first. Applying patches and updates is an easy first step toward a more secure internet for everyone.
Free services, such as Filippo.io’s Heartbleed Test, can give a quick answer on whether your website is affected.