Let’s put the caveat up front: this is my off-the-cuff thoughts on the matter. This doesn’t reflect my company’s position or really seek to throw stones at the people claiming they’ve found evidence of pre-April 2014 Heartbleed exploitation. I haven’t seen evidence that convinces me, but they’re also not posting full PCAPs online. I’m just not convinced it’s been exploited in the wild pre-disclosure. Or rather, I’m not convinced people saw it – if it was happening.
As a thought experiment, let’s assume you’re a national signals intelligence organization with the resources to devote full time employees to trolling open source crypto libraries for new commits in the hopes of finding exploitable bugs. And let’s assume that you spotted Heartbleed at some point in time between formal commit (January 2012) and the public disclosure (April 2014).
So then here’s the $64,000,000 question: what do you do with it? I joked with a friend that I’m impressed Neel Mehta & company actually reported the vulnerability instead of selling it for an 8-figure paycheck to a shady organization and buying an island. This is, if it hadn’t been disclosed, one of those vulnerabilities that could have let someone (or someones) go absolutely wild stealing private information on the internet and it would have been a long time (in my opinion) before people figured out how their credentials were being stolen.
This magnitude of vulnerability is not, in my opinion, the sort of thing you use to spy on IRC networks. This is the sort of thing you use to spy on government agencies. And it’s the sort of thing where you protect the living daylights out of your exploit code. You don’t go throw it onto a botnet and let the botnet do the scanning for you.
Furthermore, let’s talk about the signature aspect of it. I’m willing to assume that the hypothetical government agency who discovered this at some point in the last two years cares about OPSEC. As such, they probably examine their own tools to see if they are easily signatured. Furthermore, if you can wait until the TLS session is established to heartbeat then you won’t be found through easy signature analysis. You can take a perfectly normal TLS session to a server and then start injecting your malicious heartbeats and nobody will know the difference.
Do you really think that if someone found this pre-public disclosure and went to use it that they’d use the most naive implementation of the bug, the one most likely to be discovered through rudimentary analysis of TLS session negotations? I don’t.
My own personal opinion is that if anyone did discover this pre-public disclosure, we’ll never know. If I put my evil hat on, I’d only ever have the code on the public internet on a handful of servers under my strict control, I’d use it against targets that I otherwise couldn’t gain access to, and I’d make it blend as much like legitimate traffic as I absolutely could. I wouldn’t try to spy on an IRC network or deploy the code through a botnet. But that’s just me.