Heartbleed bug not exploited before disclosure
The Heartbleed bug has gone down in history as one of the most serious flaws to affect the internet. But new research reveals that prior to its disclosure in April there's no evidence of Heartbleed having being exploited.
The disclosure of Heartbleed sent websites scrambling to apply patches. However, a study by academics at a number of US universities allays fears that the flaw may have been exploited for surveillance by government agencies before it became public.
The researchers say, "We investigated the attack landscape, finding no evidence of largescale attacks prior to the public disclosure, but vulnerability scans began within 22 hours".
By analyzing network traffic collected by traps at Lawrence Berkeley National Laboratory, the National Energy Research Scientific Computing Center and a honeypot on Amazon's EC2 network, researchers were able to determine if any attacks had been launched prior to the disclosure.
With full packet traces available from November 2013 through to April 2014 there were no signs of attempts to exploit Heartbleed in that period. The first attacks were seen less than 22 hours after the bug became public.
The researchers observed 5,948 attempts to exploit the vulnerability from 692 distinct hosts. The attacks targeted 217 hosts with seven attackers successfully completing 103 exploit attempts against 12 distinct hosts.
Three weeks after the disclosure the researchers began contacting the operators of hosts that were still vulnerable. This increased the patching rate by 47 percent. The mass notification of vulnerable operators had, say researchers, "...a significant positive impact on the patching of hosts to which we sent notifications, indicating that this type of notification helps reduce global vulnerability".
The report concludes that analyzing the response to Heartbleed has helped to offer perspective on how similar events can be dealt with in the future.
If you want to read about the research in more detail you can download the full report as a PDF.