ThreatSTOP blocking Superfish

At ThreatSTOP we have been reading about the Lenovo/Superfish adware security hole with amazement. Not so much at the enormous gaping hole that has been discovered (sadly that seems to be SOP at too many places) but at the way that the various parties involved have completely failed to understand that they have created such an enormous gaping hole.

Given that the creators of the hole seem to be unclear on why they have caused a problem, we now believe that it is worth blocking all connections to superfish.com and its associated adware domains (e.g. best-deals-products.com). The following IP addresses have been added to our system in the TSCriticalG feed, which is present in most user policies either directly or because it is included in the BASIC policy:

66.70.34.101, 66.70.34.103, 66.70.34.105, 66.70.34.113, 66.70.34.115, 66.70.34.117, 66.70.34.119, 66.70.34.125, 66.70.34.127, 66.70.34.129 and 66.70.34.251

This will not stop the gaping hole (which seems to get ever more gaping as people look at it more deeply), but it should help our customers determine which computers in their network are vulnerable, because those will be the ones with dozens of connections to these IP addresses. Once these devices have been identified it is critical both to uninstall the software and to verify that the offending root certificate(s) have been removed from them.
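The triage the post describes, finding the internal hosts that talk to the listed addresses, can be done straight from firewall logs. The script below is an added example, not ThreatSTOP code or tooling; the log line layout (`src=` / `dst=` key-value pairs) and the sample lines are constructed for illustration, and the IP set is the one listed in the post.

```python
import re
from collections import Counter, defaultdict

# The addresses the post lists for superfish.com and its associated adware domains.
SUPERFISH_IPS = {
    "66.70.34.101", "66.70.34.103", "66.70.34.105", "66.70.34.113",
    "66.70.34.115", "66.70.34.117", "66.70.34.119", "66.70.34.125",
    "66.70.34.127", "66.70.34.129", "66.70.34.251",
}

# Constructed sample lines in a hypothetical key=value firewall-log layout
# (not any vendor's real format). Dropped attempts count as well as allowed
# ones: the point is which internal host keeps trying to reach the adware servers.
SAMPLE_LOG = """\
2015-02-20T09:01:12Z action=allow src=192.168.1.24 dst=66.70.34.101 dport=443 proto=tcp
2015-02-20T09:01:13Z action=allow src=192.168.1.24 dst=66.70.34.117 dport=443 proto=tcp
2015-02-20T09:02:40Z action=allow src=192.168.1.57 dst=203.0.113.9 dport=80 proto=tcp
2015-02-20T09:03:02Z action=allow src=192.168.1.24 dst=66.70.34.129 dport=80 proto=tcp
2015-02-20T09:05:44Z action=drop src=192.168.1.88 dst=66.70.34.251 dport=443 proto=tcp
2015-02-20T09:06:10Z action=allow src=192.168.1.24 dst=66.70.34.103 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def parse_pairs(log_text):
    """Yield (src, dst) for every log line that carries both fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")


def superfish_talkers(log_text, watch_ips=SUPERFISH_IPS):
    """Return {internal_ip: {watched_dst: count}} for hosts contacting the watch list."""
    hits = defaultdict(Counter)
    for src, dst in parse_pairs(log_text):
        if dst in watch_ips:
            hits[src][dst] += 1
    return {src: dict(c) for src, c in hits.items()}


def ranked_hosts(log_text, watch_ips=SUPERFISH_IPS):
    """Internal hosts ordered by total connections to the watch list, busiest first.

    The busiest entries are the machines to pull for adware removal and
    root-certificate verification.
    """
    hits = superfish_talkers(log_text, watch_ips)
    return sorted(((src, sum(c.values())) for src, c in hits.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for host, total in ranked_hosts(SAMPLE_LOG):
        print(f"{host}: {total} connection(s) to Superfish infrastructure")
```

Run it over an export of the firewall's connection log; a host that shows up once may be a one-off lookup, while a host with dozens of hits is almost certainly running the adware.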

Ramifications of the Anthem hack

The Anthem hack has been getting a lot of news coverage because it is one of the larger data breaches in recent years. Of course it is in fairly good company (Sony, Home Depot, Target spring to mind) but it has some features that are unique. These features mean that the impact on those whose data was stolen is probably less than some other hacks, but that doesn’t mean people can relax.

All the information so far seems to indicate that the hack was undertaken by a state-sponsored group (see link above and also this one), which means that the hackers probably aren’t going to sell the details on the criminal underground for identity theft or other similar purposes. That’s good: it suggests the victims won’t discover that someone else has filed a tax return on their behalf to fraudulently claim a refund, or committed some other fraud against them. Unless, of course, they are the target of the breach.

Of course, people who work in positions that may be of interest to spies (or relatives of such people) definitely DO need to be on the lookout for carefully crafted spear-phishing emails that convince them to open infected Word documents or similar. Since the hackers have presumably got the details of many members of the same organization, they will no doubt find it relatively simple to come up with a suitably plausible email from someone who seems to be a colleague.

On the other hand, that doesn’t mean that the rest of the world can relax. There are already reports of scammers sending emails to Anthem victims that try to trick them into handing over more details (though at least one of these turns out to be some good guys deliberately sending an email to try and educate), and there will no doubt be more.

The bottom line is that everyone should treat emails from “Anthem” or any of its related names (Wellpoint, Blue Cross etc.) with extreme suspicion and should NOT click on the links. It would also undoubtedly help to have policies that block access to IP addresses in strange places, just in case.

Another reason to block China

There have been a number of reports in the last week or two of websites that are apparently being DDoSed from IP addresses in the PRC. This has caused a certain amount of confusion and pain to those affected because there seemed to be no reason for the attack; however, the cause has now become clear. As Sucuri explain on their blog, the cause appears to be the so-called “Great Firewall of China”:

It seemed as if the Great Chinese Firewall was mis-configured, instead of blocking the requests to certain sites, it was redirecting, to us at that.

So if a specific site was blocked, the requests to graph.facebook.com also got blocked and redirected to us. Same for Twitter, Zendesk or media.tumblr.com.

This explains why most of the requests were actually for CDN, images or API files.

The sites, like Sucuri, that are impacted are in fact just collateral damage, but that damage can be significant. Even generating a 404 error page or starting an SSL session before aborting can require a few kilobytes of traffic.

This requirement to reply with 10x or more data to a short request is a classic DDoS symptom and clearly if millions of Chinese users are redirected there then the aggregate volume of traffic and server load could easily cause the servers to be unavailable to legitimate traffic. Even if the web-servers do manage to survive the influx of traffic, it is highly likely that the upstream service provider will bill the server owner for bandwidth overage because millions of multi-kilobyte responses equates to gigabytes of data being transferred.

Of course, if the servers were behind a firewall protected by ThreatSTOP, then the effects could be significantly reduced by adding China to the block policy. By doing so, all these connection attempts would be dropped at the first TCP SYN packet with no reply sent, so instead of kilobytes of data being sent, just a couple of hundred bytes would be received (assuming 3 × 64-byte SYN packets per attempt). This would drastically reduce the bandwidth requirements and, because the packets are being dropped at the firewall, there would be no impact at all on the servers.
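The tell-tale of this kind of collateral traffic is that the requests carry a Host header for a site you do not serve (graph.facebook.com, media.tumblr.com and so on), so it can be spotted in the web server's own logs before the bill arrives. The script below is an added example, not Sucuri's or ThreatSTOP's code; the served hostnames, the log layout with a trailing `host=` field, and the sample lines are all constructed for illustration. The last function carries through the post's own comparison of response bytes sent versus bytes received if each attempt were dropped at the SYN stage (3 × 64-byte SYNs per attempt).

```python
import re
from collections import Counter, defaultdict

# Hostnames this server is actually meant to answer for (assumed for the example).
SERVED_HOSTS = {"www.example.com", "example.com"}

# Constructed access-log lines with the request's Host header as a trailing
# host= field (a hypothetical log format, not the Apache/nginx default).
# Source addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jan/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 host=www.example.com
203.0.113.5 - - [20/Jan/2015:10:00:02 +0000] "GET /v2.2/me HTTP/1.1" 404 3210 host=graph.facebook.com
203.0.113.5 - - [20/Jan/2015:10:00:02 +0000] "GET /a1b2/tumblr_x.jpg HTTP/1.1" 404 3210 host=media.tumblr.com
203.0.113.77 - - [20/Jan/2015:10:00:03 +0000] "GET /api/v2/tickets.json HTTP/1.1" 404 3210 host=example.zendesk.com
203.0.113.5 - - [20/Jan/2015:10:00:04 +0000] "GET /v2.2/me HTTP/1.1" 404 3210 host=graph.facebook.com
198.51.100.7 - - [20/Jan/2015:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 host=www.example.com
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) .*" (?P<status>\d{3}) (?P<bytes>\d+) host=(?P<host>\S+)$'
)


def misdirected_requests(log_text, served=SERVED_HOSTS):
    """Rows (src, host, response_bytes) for requests whose Host header is not one we serve."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("host") not in served:
            rows.append((m.group("src"), m.group("host"), int(m.group("bytes"))))
    return rows


def collateral_summary(log_text, served=SERVED_HOSTS):
    """Misdirected traffic per source IP (requests and response bytes) and per foreign Host."""
    per_src = defaultdict(lambda: {"requests": 0, "bytes": 0})
    per_host = Counter()
    for src, host, nbytes in misdirected_requests(log_text, served):
        per_src[src]["requests"] += 1
        per_src[src]["bytes"] += nbytes
        per_host[host] += 1
    return dict(per_src), dict(per_host)


def bytes_sent_vs_dropped(log_text, served=SERVED_HOSTS, syn_bytes=64, syns_per_attempt=3):
    """Bytes actually sent answering misdirected requests, versus the bytes that would
    merely be received if each attempt were dropped at the firewall at the SYN stage."""
    rows = misdirected_requests(log_text, served)
    sent = sum(nbytes for _, _, nbytes in rows)
    if_dropped = len(rows) * syn_bytes * syns_per_attempt
    return sent, if_dropped


if __name__ == "__main__":
    per_src, per_host = collateral_summary(SAMPLE_LOG)
    print("foreign hosts requested:", per_host)
    print("per source:", per_src)
    print("bytes sent vs. bytes if dropped at SYN:", bytes_sent_vs_dropped(SAMPLE_LOG))
```

The per-source table is what you would hand to the firewall policy (or match against a country list); the per-host table tells you whether the pattern is the Great Firewall redirect described above (Facebook, Twitter, Tumblr, Zendesk endpoints) or something else.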

ThreatSTOP blocking Shellshock (Bash) scanners

Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for (and then exploit) the Shellshock bash vulnerability. We are actively identifying these miscreants through (failed) attacks against our servers, detection by our honeypots, and data received from malware researchers we work with.

These addresses have been added to a new expert mode target list called “shellshock” as well as to our standard mode “UNIX SERVER” target list.

We recommend that any of our users who have servers exposed to the Internet implement these target lists. If you are a Standard user, you should already be using the UNIX SERVER list if you have unix or linux servers that allow connections from the Internet. If you are an Expert Mode user, you should add the shellshock list to your policies that are used on Internet facing servers.

This list is currently around 700 entries and growing fast. We were blocking many of these even before we focused on detecting shellshock exploit attempts. As we noted in our blog posts about Heartbleed, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers.

The Shellshock vulnerability is a serious vulnerability in the GNU bash shell that runs on Linux and Unix based systems (this includes Apple, BTW). The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. This weakness allows for installation of reverse shells and other malware on Internet facing servers. The bug affects web servers which run shell scripts from CGI, and SSH servers, but could also be exploitable by other protocols such as DHCP. The vulnerability is being actively used to compromise web servers and build botnets that can attack other parts of the Internet.
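Because a CGI web server copies request headers such as User-Agent and Referer into environment variables for the script it runs, a Shellshock probe has to arrive in one of those header values, and it is visible in the access log. The detector below is an added example, not ThreatSTOP's detection code; it reads the standard Apache/nginx "combined" log layout and looks for the exported-function prefix (`() {`) that a legitimate browser never sends. The sample lines are constructed, with the probe's payload elided since only the prefix matters for detection.

```python
import re

# Apache/nginx "combined" log format: the last two quoted fields are Referer and
# User-Agent, both of which a CGI script receives as environment variables.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A header value that begins with a bash exported-function prefix is the signature
# of a Shellshock probe; ordinary clients never send one.
FUNC_PREFIX_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample lines (documentation IPs, hypothetical CGI paths). The probe
# lines keep only the prefix; the rest of the value is elided.
SAMPLE_LOG = """\
198.51.100.20 - - [25/Sep/2014:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.44 - - [25/Sep/2014:08:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { [probe payload elided] }"
198.51.100.20 - - [25/Sep/2014:08:13:30 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
203.0.113.44 - - [25/Sep/2014:08:14:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 230 "() { [probe payload elided] }" "curl/7.38"
"""


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def probe_field(entry):
    """Name of the header field carrying the function prefix, or None."""
    for field in ("ua", "referer"):
        if FUNC_PREFIX_RE.match(entry[field]):
            return field
    return None


def shellshock_hits(log_text):
    """(source_ip, requested_path, field) for every request that carries the probe signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if not entry:
            continue
        field = probe_field(entry)
        if field:
            parts = entry["req"].split()
            path = parts[1] if len(parts) > 1 else entry["req"]
            hits.append((entry["src"], path, field))
    return hits


def probing_sources(log_text):
    """Distinct source IPs that sent a probe: candidates for an inbound block list
    such as the post's "shellshock" target list."""
    return sorted({src for src, _, _ in shellshock_hits(log_text)})


if __name__ == "__main__":
    for src, path, field in shellshock_hits(SAMPLE_LOG):
        print(f"{src} probed {path} via {field}")
    print("sources to block:", probing_sources(SAMPLE_LOG))
```

A hit against a server that was still unpatched at the time of the request is a reason to treat that host as compromised, not just scanned, and to look for the reverse shells and malware the post mentions.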

ThreatSTOP recommends that all our users also apply the patches provided by the various Linux distributions to all Internet facing hosts as soon as possible. Many other security firms such as Websense are blogging about this, and many of them have useful tips. Only those who, like us, can actually provide blocks against inbound attackers are able to protect their customers from this threat. Anti-virus, web filtering and other host-based or outbound-only technologies provide no protection against this threat.

About ThreatSTOP
ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router. Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/

ThreatSTOP Announces Improvements to Reporting

ThreatSTOP is pleased to announce a new release of its web portal that significantly improves the speed and utility of the logfile analysis and reporting it provides to subscribers. The new reporting UI presents data in a way that is in line with how our customers prefer to analyze the data.

The most important information is which types of attack have been seen, so the order of the default tabs has been changed so that “Summary by Threat” is the first one displayed. Within that tab, we have broken the attacks down by threat category (Botnets, Malware, Inbound …) and then, within each category, we detail the number of hits in particular target lists.

[Screenshot: “Summary by Threat” tab]

In addition to changing the “Summary by Threat” tab, we have also changed the “Summary by IP” tab to make it quicker to identify vulnerable internal hosts. Rather than displaying communication pairs, it now shows internal IP addresses only. Clicking on a particular internal IP address shows what communications with it have been blocked.

[Screenshot: “Summary by IP” tab]

Finally, we have tweaked the “Summary by Date” tab to display the busiest date/hour and to provide breakdowns of traffic by hour. This can be particularly useful for identifying infected devices that are “calling home” when no one is in the office.

[Screenshot: “Summary by Date” tab]
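The three summaries described above are simple aggregations over blocked-connection records, and it is worth seeing them as code to understand what each tab is computing. The script below is an added example written for this post, not the portal's own implementation; the record layout, the target-list names and the sample events are constructed (only the category names Botnets, Malware and Inbound come from the post), and the 08:00–18:00 office-hours window used to flag after-hours "calling home" is an assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of blocked connections, as a firewall log might look once each
# remote address has been matched to a target list and its category. Hypothetical
# list names; documentation-range remote addresses.
SAMPLE_EVENTS = """\
2014-08-04 09:15:02 internal=192.168.10.5 remote=203.0.113.10 category=Botnets list=example_botnet_cc
2014-08-04 09:16:40 internal=192.168.10.5 remote=203.0.113.11 category=Botnets list=example_botnet_cc
2014-08-04 10:02:13 internal=192.168.10.9 remote=198.51.100.4 category=Malware list=example_malware_dl
2014-08-04 14:30:00 internal=192.168.10.9 remote=198.51.100.4 category=Malware list=example_malware_dl
2014-08-04 23:45:10 internal=192.168.10.22 remote=203.0.113.10 category=Botnets list=example_botnet_cc
2014-08-05 02:10:55 internal=192.168.10.22 remote=203.0.113.12 category=Botnets list=example_botnet_cc
2014-08-05 02:11:30 internal=192.168.10.22 remote=203.0.113.12 category=Botnets list=example_botnet_cc
2014-08-05 02:12:05 internal=192.168.10.22 remote=203.0.113.12 category=Botnets list=example_botnet_cc
2014-08-05 11:00:00 internal=192.168.10.1 remote=192.0.2.77 category=Inbound list=example_scanner
"""


def parse_events(text):
    """Turn 'date time key=value ...' lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        event = dict(p.split("=", 1) for p in parts[2:])
        event["ts"] = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def summary_by_threat(events):
    """{category: {target_list: hits}}: the post's first tab."""
    out = defaultdict(Counter)
    for e in events:
        out[e["category"]][e["list"]] += 1
    return {cat: dict(lists) for cat, lists in out.items()}


def summary_by_ip(events):
    """{internal_ip: {remote_ip: hits}}: one row per internal host, remote detail behind it."""
    out = defaultdict(Counter)
    for e in events:
        out[e["internal"]][e["remote"]] += 1
    return {ip: dict(remotes) for ip, remotes in out.items()}


def summary_by_date(events):
    """Hits per calendar hour ('YYYY-MM-DD HH') plus the busiest (hour, hits) pair."""
    per_hour = Counter(e["ts"].strftime("%Y-%m-%d %H") for e in events)
    busiest = max(per_hour.items(), key=lambda kv: (kv[1], kv[0])) if per_hour else None
    return dict(per_hour), busiest


def off_hours_callers(events, start_hour=8, end_hour=18):
    """Blocked connections per internal host outside the assumed office window,
    i.e. devices 'calling home' when no one is around."""
    out = Counter()
    for e in events:
        if not (start_hour <= e["ts"].hour < end_hour):
            out[e["internal"]] += 1
    return dict(out)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("by threat:", summary_by_threat(events))
    print("by IP:", summary_by_ip(events))
    print("by date:", summary_by_date(events))
    print("after hours:", off_hours_callers(events))
```

The off-hours view is the one that pays for itself: a workstation with blocked botnet traffic at two in the morning is either powered on and infected or being used by someone who should not be there, and either way it deserves a visit.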

We do of course welcome feedback from our subscribers and suggestions from them on additional ways to enhance our reporting UI.

In addition to the layout changes, some back end work has been done to improve performance, particularly for our larger customers. The combined result of the back end database changes and the UI changes is that ThreatSTOP’s customers get to see the firewall log data they care about immediately, so that they can take action to remediate compromised internal hosts or handle sustained attacks on Internet facing devices.


ThreatSTOP adds active Heartbleed attacker list to our feeds

Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for the Heartbleed* OpenSSL vulnerability. This is due to data received from malware researchers we know, as well as visitors to some honeypots we set up ourselves. These addresses have been added to a new expert mode target list called “Heartbleed” as well as to our standard mode “unix server” target list.

We recommend that any of our hosting provider partners who are using us in expert mode update their policies. Similarly, any of our standard mode users who have servers behind a firewall or router running ThreatSTOP and who do not have the “unix server” feed enabled are recommended to add it.

This list is currently fairly small; however, we suspect it may grow significantly over the next few days. As we noted in our blog post yesterday, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers, but adding known attackers to our feeds improves our coverage against this threat. Relatedly, we are also in the process of analyzing our customer log data to see if we can determine when this vulnerability became known to the cyber criminals. This should help identify the potential window of vulnerability to this bug and may well help to answer questions about whether the bug has been widely exploited or not.

* For those that may have missed the announcements, the Heartbleed vulnerability is:

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


ThreatSTOP not vulnerable to Heartbleed

The Heartbleed vulnerability* has burst into public consciousness and generated a lot of justified concern that login information and other confidential data may have been at risk because of it.

ThreatSTOP is pleased to confirm that our servers and service are not susceptible to this bug.

ThreatSTOP customers do not need to be concerned that their ThreatSTOP credentials or anything else on our portal have been put at risk by this vulnerability, because our system architecture, using our and our partners’ technology in a multi-layered, “belt and suspenders” design, protects against known and unknown threats.

The servers behind ThreatSTOP’s web portal are accessed via traffic management and security appliances from our partner A10 Networks that are not vulnerable to this bug.

We have audited our infrastructure and have verified that no systems are, or were, vulnerable to this exploit.

Regarding our blocking services: we distribute our blocklists via DNS queries, which do not use TLS encryption (but are secured by other means); ONLY subscribers can access our servers; only the specific subscriber can query their policies, and only from their configured IP addresses; and connections to our service are ONLY over TCP (thereby eliminating spoofing).

Finally (and as a general point), people are being advised by hysterical media pundits to change their passwords NOW. In general, this is bad advice, at least in the short term.

Changing a password only makes sense for sites that 1) were vulnerable but 2) have now patched themselves so that they no longer are.

If the site is not yet patched then changing your password means an attacker can quite possibly see your new password!

In short: Your ThreatSTOP account, and credentials, are safe. Your other accounts may not be, but don’t change them until the site updates their security.

* For those that may have missed the announcements, the Heartbleed vulnerability is:

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
