Latest Blog Posts
At ThreatSTOP we have been reading about the Lenovo/Superfish adware security hole with amazement. Not so much at the enormous gaping hole that has been discovered (sadly that seems to be SOP at too many places) but at the way that the various parties involved have completely failed to understand that they have created such an enormous gaping hole.
Given that the creators of the hole seem to be unclear on why they have caused a problem, we now believe that it is worth blocking all connections to superfish.com and its associated adware domains (e.g. best-deals-products.com). The following IP addresses have been added to our system in the TSCriticalG feed, which is present in most user policies either directly or because it is included in the BASIC policy:
126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168
This will not stop the gaping hole (which seems to get ever more gaping as people look at it more deeply), but it should help our customers determine which computers in their network are vulnerable, because they will be the ones with dozens of connections to these IP addresses. Once these devices have been identified, it is critical both to uninstall the software and to verify that the offending root certificate(s) are removed from them.
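One way to do the identification step above from firewall logs, as an added example that is not ThreatSTOP's own tooling. It assumes iptables-style log lines with `SRC=`/`DST=` fields, uses RFC 5737 documentation addresses as placeholders for the feed's IPs, and treats 24 hits as "dozens"; the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

# Placeholder blocklist (RFC 5737 documentation addresses) standing in for
# the feed's Superfish-related IPs; substitute the real feed contents.
BLOCKED = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.11")}

# Assumed log format: iptables-style LOG lines carrying SRC= and DST= fields.
FIELD = re.compile(r"\b(SRC|DST)=(\S+)")


def hosts_contacting_blocked(lines, blocked=BLOCKED, threshold=24):
    """Return {source_ip: hits} for sources with at least `threshold` hits."""
    hits = Counter()
    for line in lines:
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # unrelated or malformed line: skip it, keep scanning
        if dst in blocked:
            hits[str(src)] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


def sample_log():
    """Constructed log: one noisy host, one with stray hits, plus junk lines."""
    line = ("Feb 20 10:00:{:02d} fw kernel: TSBLOCK IN=eth1 OUT=eth0 "
            "SRC={} DST={} PROTO=TCP DPT=443")
    log = [line.format(i, "192.168.1.23", "203.0.113.10") for i in range(30)]
    log += [line.format(i, "192.168.1.40", "203.0.113.11") for i in range(2)]
    log.append(line.format(5, "192.168.1.23", "198.51.100.7"))  # not blocked
    log += ["Feb 20 10:01:00 fw kernel: link up", "SRC=bogus DST=203.0.113.10"]
    return log


if __name__ == "__main__":
    for host, count in hosts_contacting_blocked(sample_log()).items():
        print(f"{host}: {count} blocked connection attempts")
```

If the log is taken after NAT, several machines share one source address, so run this against logs from the inside interface.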
The Anthem hack has been getting a lot of news coverage because it is one of the larger data breaches in recent years. Of course it is in fairly good company (Sony, Home Depot, Target spring to mind) but it has some features that are unique. These features mean that the impact on those whose data was stolen is probably less than some other hacks, but that doesn’t mean people can relax.
All the information so far seems to indicate that the hack was undertaken by a state-sponsored group (see link above and also this one), which means that the hackers probably aren’t going to sell the details on the criminal underground for identity theft or other similar purposes. That’s good: it suggests the victims won’t discover that someone else has filed a tax return on their behalf to fraudulently claim a refund, or committed some other fraud against them. Unless of course they are the target of the breach.
Of course people who work in positions that may be of interest to spies (or relatives of such people) definitely DO need to be on the lookout for carefully crafted spear-phish emails that convince them to open infected Word documents or similar. Since the hackers have presumably got the details of many members of the same organization, they will no doubt find it relatively simple to come up with a suitably plausible email from someone who seems to be a colleague.
On the other hand, that doesn’t mean that the rest of the world can relax. There are already reports of scammers sending emails to Anthem victims that try to trick them into handing over more details (though at least one of these turns out to be some good guys deliberately sending an email to try and educate), and there will no doubt be more.
The bottom line is that everyone should treat emails from “Anthem” or any of its related names (Wellpoint, Blue Cross etc.) with extreme suspicion and should NOT click on the links. It would also undoubtedly help to have policies that block access to IP addresses in strange places, just in case.
There have been a number of reports in the last week or two of websites that are apparently being DDoSed from IP addresses in the PRC. This has caused a certain amount of confusion and pain to those affected because there seemed to be no reason for the attack; however, the cause has now become clear. As Sucuri explain on their blog, the cause appears to be the so-called “Great Firewall of China”:
It seemed as if the Great Chinese Firewall was mis-configured, instead of blocking the requests to certain sites, it was redirecting, to us at that.
So if a specific site was blocked, the requests to graph.facebook.com also got blocked and redirected to us. Same for Twitter, Zendesk or media.tumblr.com.
This explains why most of the requests were actually for CDN, images or API files.
The sites, like Sucuri, that are impacted are in fact just collateral damage, but that damage can be significant. Even generating a 404 error page or starting an SSL session before aborting can require a few kilobytes of traffic.
This requirement to reply with 10x or more data to a short request is a classic DDoS symptom, and clearly if millions of Chinese users are redirected there then the aggregate volume of traffic and server load could easily cause the servers to be unavailable to legitimate traffic. Even if the web servers do manage to survive the influx of traffic, it is highly likely that the upstream service provider will bill the server owner for bandwidth overage, because millions of multi-kilobyte responses equate to gigabytes of data being transferred.
Of course, if the servers were behind a firewall protected by ThreatSTOP, then the effects could be significantly reduced by adding China to the block policy. By doing so, all these connection attempts would be dropped at the first TCP SYN packet with no reply sent, so instead of kilobytes of data being sent, just a couple of hundred bytes would be received (assuming 3x 64-byte SYN packets per attempt). This would drastically reduce the bandwidth requirements and, because the packets are being dropped at the firewall, there would be no impact at all on the servers.