The ThreatSTOP Blog
Stop Botnets Stealing from you

ThreatSTOP adds active Heartbleed attacker list to our feeds

Fri, 04/11/2014 - 07:00

Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for the Heartbleed* OpenSSL vulnerability. This is based on data received from malware researchers we know, as well as from visitors to some honeypots we set up ourselves. These addresses have been added to a new expert mode target list called “Heartbleed” as well as to our standard mode “unix server” target list.

We recommend that any of our hosting provider partners who are using us in expert mode update their policies. Similarly, we recommend that any of our standard mode users who have servers behind a firewall or router running ThreatSTOP, and who do not have the “unix server” feed enabled, add it.

This list is currently fairly small; however, we suspect it may grow significantly over the next few days. As we noted in our blog post yesterday, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers, but adding known attackers to our feeds improves our coverage against this threat. Relatedly, we are also in the process of analyzing our customer log data to see if we can determine when this vulnerability became known to the cyber criminals. This should help identify the potential window of vulnerability to this bug and may well help to answer questions about whether the bug has been widely exploited or not.

* For those who may have missed the announcements, the Heartbleed vulnerability is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

About ThreatSTOP

ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router.  Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/



ThreatSTOP not vulnerable to Heartbleed

Wed, 04/09/2014 - 20:50

The Heartbleed vulnerability* has burst into public consciousness and generated a lot of justified concern that login information and other confidential data may have been at risk because of it.

ThreatSTOP is pleased to confirm that our servers and service are not susceptible to this bug.

ThreatSTOP customers do not need to be concerned that their ThreatSTOP credentials, or anything else on our portal, have been put at risk by this vulnerability: our system architecture, which combines our own and our partners’ technology in a multi-layered, “belt and suspenders” design, protects against both known and unknown threats.

The servers behind ThreatSTOP’s web portal are accessed via traffic management and security appliances from our partner A10 Networks that are not vulnerable to this bug.

We have audited our infrastructure and have verified that no systems are, or were, vulnerable to this exploit.

Regarding our blocking services: we distribute our blocklists via DNS queries, which do not use TLS encryption (but are secured by other means); ONLY subscribers can access our servers; only the specific subscriber can query their policies, and only from their configured IP addresses; and connections to our service are ONLY over TCP (thereby eliminating spoofing).

Finally (and as a general point), people are being advised by hysterical media pundits to change their passwords NOW. In general, this is bad advice, at least in the short term.

It only applies to sites that 1) were vulnerable but 2) have now patched themselves so that they no longer are.

If the site is not yet patched then changing your password means an attacker can quite possibly see your new password!

In short: Your ThreatSTOP account, and credentials, are safe. Your other accounts may not be, but don’t change them until the site updates their security.

* For those who may have missed the announcements, the Heartbleed vulnerability is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


ThreatSTOP blocking Heartbleed

Wed, 04/09/2014 - 20:35

It looks like ThreatSTOP has been protecting our service provider customers from the Heartbleed vulnerability* for some time now.

Although the vulnerability was announced on Monday, it has been reported as having been under active attack for a couple of weeks according to Seacat, who discovered accidentally that they were logging attacks on it.

It has been subject to far greater scanning and exploitation since the news broke on Monday.

Our preliminary analysis indicates that ThreatSTOP has blocked many attacks seeking to exploit this vulnerability. This is hard to confirm, as ThreatSTOP blocks connection attempts before the attacker can try any SSL activity.

However, ThreatSTOP would have stopped about two thirds of the active scanners listed in the Seacat post linked above. This would, for ThreatSTOP customers, have raised a big red flag about a spike in attacks on port 443, and alerted them on any successful compromise, if traffic left their network to the password stealing hosts.

This is not a fluke. Attackers who are trying to exploit this vulnerability are using the same compromised infrastructure that they use for other attacks. Since we and our research partners have identified these hosts when they made other attacks, they are already in our block lists.

ThreatSTOP blocks all attacks on all open ports from known offenders, so it doesn’t matter whether the vulnerability is in web traffic (HTTPS), email, SSL VPN or any of the other protocols that use TLS as a security mechanism. There is therefore less urgency to update software that you may not know has compiled in OpenSSL or linked its own copy of the library.
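The two signals described above, a spike of blocked inbound attempts on port 443 from listed hosts and any outbound connection from the protected network to a listed host, as an added example that is not ThreatSTOP's code. The blocklist entries, the internal range and the firewall log format are all constructed for the example; the per-attacker first-seen timestamp also illustrates the log-dating question raised in the first post.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed blocklist standing in for a "unix server"/"Heartbleed" feed.
BLOCKLIST = {ip_address(a) for a in ("203.0.113.7", "203.0.113.42", "198.51.100.9")}
# Constructed internal address range of the protected network.
INTERNAL = ip_network("192.0.2.0/24")

# Constructed firewall lines: "<timestamp> <action> <src>:<sport> -> <dst>:<dport>"
LOG = """\
2014-04-08T22:01:10 DROP 203.0.113.7:51234 -> 192.0.2.10:443
2014-04-08T22:01:11 DROP 203.0.113.7:51235 -> 192.0.2.10:443
2014-04-08T22:03:40 DROP 203.0.113.42:40001 -> 192.0.2.11:443
2014-04-08T22:05:02 ACCEPT 192.0.2.20:50022 -> 198.51.100.9:443
2014-04-08T22:05:09 ACCEPT 192.0.2.20:50023 -> 93.184.216.34:443
2014-04-08T22:07:15 DROP 203.0.113.7:51236 -> 192.0.2.10:22
"""


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, action, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, action, ip_address(sip), int(sport), ip_address(dip), int(dport)


def analyse(log, blocklist=BLOCKLIST, internal=INTERNAL, threshold=2):
    """Correlate log lines with the blocklist and return the two alert signals."""
    inbound_443 = Counter()   # blocked 443 attempts per listed attacker
    first_seen = {}           # earliest timestamp per attacker (dates the activity)
    egress_alerts = []        # internal host talking to a listed host: possible compromise
    for line in log.splitlines():
        ts, action, sip, _, dip, dport = parse(line)
        if sip in blocklist and dip in internal and dport == 443:
            inbound_443[str(sip)] += 1
            first_seen.setdefault(str(sip), ts)
        if sip in internal and dip in blocklist:
            egress_alerts.append((ts, str(sip), str(dip), action))
    # A "spike" here is any listed source at or above the attempt threshold.
    spike = {host: n for host, n in inbound_443.items() if n >= threshold}
    return {"inbound_443": dict(inbound_443), "first_seen": first_seen,
            "spike": spike, "egress_alerts": egress_alerts}


if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(key, value)
```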

*The Heartbleed (heartbeat) bug is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems (not actually) protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
