ThreatSTOP blocking Heartbleed

It looks like ThreatSTOP has been protecting our service provider customers from the Heartbleed vulnerability* for some time now.

Although the vulnerability was announced on Monday, it has been reported as having been under active attack for a couple of weeks, according to Seacat, who discovered by accident that they had been logging attacks against it.

It has been subject to far greater scanning and exploitation since the news broke on Monday.

Our preliminary analysis indicates that ThreatSTOP has blocked many attacks seeking to exploit this vulnerability. This is hard to confirm, as ThreatSTOP blocks connection attempts before the attacker can try any SSL activity.

However, ThreatSTOP would have stopped about two thirds of the active scanners listed in the Seacat post linked above. For ThreatSTOP customers, this would have raised a big red flag about a spike in attacks on port 443, and alerted them to any successful compromise if traffic left their network for the password-stealing hosts.

This is not a fluke. Attackers who are trying to exploit this vulnerability are using the same compromised infrastructure that they use for other attacks. Since we and our research partners have identified these hosts when they made other attacks, they are already in our block lists.

ThreatSTOP blocks all attacks on all open ports from known offenders, so it doesn't matter whether the vulnerability is in web traffic (HTTPS), email, SSL VPN or any of the other protocols that use TLS as a security mechanism. There is therefore less urgency to update software that you may not know has compiled in OpenSSL or linked to its own copy of the library.
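The two signals described above, blocked inbound connection attempts on port 443 from listed sources and outbound traffic from the protected network to a listed host, as an added example run over constructed firewall log lines. This is not ThreatSTOP's code; the log layout, the blocklist and the addresses are all constructed (TEST-NET and benchmarking ranges, so nothing here points at a real host).

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist, standing in for the feed a reputation service pushes
# to a firewall. The protected network is constructed as well.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.9/32")]
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Constructed firewall log lines in a generic "ACTION DIR src= dst= dport=" layout.
SAMPLE_LOG = """\
2014-04-09T10:00:01Z fw DROP IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=443
2014-04-09T10:00:02Z fw DROP IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=443
2014-04-09T10:00:03Z fw DROP IN src=203.0.113.9 dst=192.0.2.11 proto=TCP dport=443
2014-04-09T10:00:04Z fw ACCEPT IN src=198.18.0.5 dst=192.0.2.10 proto=TCP dport=443
2014-04-09T10:00:05Z fw ACCEPT OUT src=192.0.2.55 dst=198.51.100.9 proto=TCP dport=443
2014-04-09T10:00:06Z fw ACCEPT OUT src=192.0.2.55 dst=198.18.0.7 proto=TCP dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>DROP|ACCEPT) (?P<dir>IN|OUT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)$"
)

def is_listed(ip: str) -> bool:
    """True if the address falls inside any blocklist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

def analyze(log_text: str, port: int = 443):
    """Return (Counter of dropped inbound attempts per listed source on `port`,
    list of outbound connections from INTERNAL hosts to listed destinations)."""
    blocked = Counter()
    outbound_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the expected layout
        f = m.groupdict()
        if f["dir"] == "IN" and int(f["dport"]) == port and is_listed(f["src"]):
            if f["action"] == "DROP":
                blocked[f["src"]] += 1  # connection refused before any TLS exchange
        elif f["dir"] == "OUT" and is_listed(f["dst"]) \
                and ipaddress.ip_address(f["src"]) in INTERNAL:
            # Traffic leaving the network for a listed host: the compromise
            # signal the post describes, worth an alert regardless of port.
            outbound_hits.append((f["ts"], f["src"], f["dst"], int(f["dport"])))
    return blocked, outbound_hits
```

A spike in the first result across many listed sources is the port-443 red flag; any entry in the second result warrants an incident review of the internal host.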

*The heartbeat bug is

a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems (not actually) protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

About ThreatSTOP

ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user's network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user's BIND (DNS) server, firewall or router. Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/