Over the last 36 hours ThreatSTOP has identified a number of hosts that are attempting to scan for the Heartbleed* openSSL vulnerability. This is due to data received from from malware researchers we know as well as visitors to some honeypots we set up ourselves. These addresses have been added to a new expert mode target list called "Heartbleed" as well as to our standard mode "unix server" target list.
We recommend that any of our hosting provider partners who are using us in expert mode update their policies. Similarly, any of our standard mode users who have servers behind a firewall or router running ThreatSTOP and who do not have the "unix server" feed enabled are recommended to add it.
This list is currently fairly small, however we suspect it may grow significantly over the next few days. As we noted in our blog post yesterday, we have been blocking a number of attacks simply because they are coming from IP addresses that are well known to us as attackers, but adding known attackers to our feeds improves our coverage against this threat. Relatedly, we are also in the process of analyzing our customer log data to see if we can determine when this vulnerability became know to the cyber criminals. This should help identify the potential window of vulnerability to this bug and may well help to answer questions about whether the bug has been widely exploited or not.
* For those that may have missed the announcements, the heartbleed vulnerability is
a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
ThreatSTOP is a real-time domain and IP Reputation Service that automatically delivers a block list directly to users’ firewalls, routers and DNS servers, so they can enforce it. It is a cloud-based service that protects the user’s network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals and state actors. The data consists of both specific threat indicators and geographic data which users combine to create their own customized policies for protection. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user’s BIND (DNS) server, firewall or router. Founded in 2009, ThreatSTOP is headquartered in Carlsbad, CA. For more information visit http://www.threatstop.com/