
MS EXCHANGE ATTACKS: BLOCK ANONYMOUS VPN SERVICES (AND THESE IOCS)

Until two weeks ago, thousands of Microsoft Exchange servers were under attack without anyone knowing. Since Microsoft and other researchers uncovered this severe cyber offensive against various U.S. institutions, organizations have been scrambling to patch the vulnerabilities used in the attack, understand the extent of potential damage, and ensure protection for next time (and there will be a next time). In this blog post, we'll explain how to do exactly that.


New Gafgyt Botnet TOR Variant Targets D-Link and IoT Devices

The Gafgyt IoT botnet has been around for 7 years already, boasting many different variants over time. Also known as BASHLITE, this botnet has become notorious for launching DDoS attacks, making it almost as well-known as famous botnets such as Mirai in recent years. In 2018, two Gafgyt variants were detected, targeting Apache Struts and SonicWall vulnerabilities. Over the next year, Gafgyt started targeting vulnerable Internet of Things devices, wreaking havoc on gaming servers all over the world.


ThreatSTOP Managed Rules Now Available for AWS WAF

Good news for AWS customers (which is... a lot of you)!


Mitigating The MS Exchange 0-day attacks

HAFNIUM Exchange attack - detecting and mitigating with ThreatSTOP TI

The Microsoft Exchange attack leveraging multiple zero-days has by some accounts been one of the most widespread and potentially damaging hacks in history, orchestrated by a group Microsoft has named HAFNIUM. Malicious network activity related to the attack was first detected in January, but the full nature and extent of the attack was publicly disclosed only on March 2nd. Active exploitation started around February 26th, primarily targeting U.S. entities.


Cybercrime Against Healthcare Soars During COVID-19

Healthcare has been one of the industries most severely impacted by the still-menacing COVID-19 virus. The sudden global pandemic created a surge in demand for clinical care, medical equipment, healthcare technologies and, eventually, a solution. All of these and more rely on information technology. From making appointments and delivering healthcare to patients, to using internet-connected medical devices and developing vaccine research, the COVID-19 response is vulnerable to cyber attacks on all levels. With the pandemic being by far the most pressing issue today, it comes as no surprise that attackers are exploiting the difficult situation healthcare institutions are facing to wreak havoc and cash in on their struggle.


New Silver Sparrow Malware Infects 30,000 Macs

The new macOS malware strain has infected almost 30,000 devices so far, running on Apple’s new M1 chips. Most instances were detected in the United States, United Kingdom, Canada, France and Germany, though it has been reported that Silver Sparrow has reached Macs in at least 153 countries.


Preventing Phishing, Smishing and Vishing

When reading the names of these attacks out loud, we wouldn’t be surprised if the first thought that comes to mind is “how malicious can attacks with such cutesy names really be?”. Well, phishing is used as the attack vector for 95% of all targeted attacks against enterprise networks, and a single spear phishing attack results in an average loss of $1.6 million according to Security Boulevard. So yeah, phishing is quite a big deal.

But it’s not only classic email phishing that is causing a fuss. The FBI issued a warning last month about voice phishing attacks, also known as “vishing”. In their statement, the FBI shed light on a new wave of cybercriminals “taking advantage of changing environments and technology” during lockdown and other COVID-19 restrictions. In this blog post, we will explain how phishing works across different platforms, how to recognize the attacks and how to make sure you’re protected.


How Long Does an IP Address Stay Infected?

One of the most interesting questions we get asked at ThreatSTOP concerns how long an IP address remains bad once it has been identified as such. Each threat list treats its IPs slightly differently, so the answer is not completely straightforward and varies depending on which list the IP is on. Moreover, many lists do not display specific "first seen" or "last seen" data for each IP address, but rather simply list the currently active IPs (where "active" typically means that they have been identified as bad within the last week or so). Possibly worse for our questioners, some of the threat sources we use are distributed under terms that prohibit us from answering the question.


ThreatSTOP's Hottest Content of the Year

Wondering what our readers were most interested in over the past year? Wonder no more! We've rounded up our most-read articles of the year to save you time. Wrapping up the worldwide roller coaster that was 2020, we wish we were feeling a little more nostalgic. COVID-19 came in like a tornado and changed our daily lives as we knew them. The security industry, accordingly, also had to change mindsets and processes to adjust to a new, distributed-access-focused reality.

The Best, according to you:


Getting to Know all 4 Malware Strains from the SolarWinds Attack

Last month’s uncovering of the SolarWinds supply chain attack caused waves of panic and chatter across the U.S. and all over the world. How did such widely used and important software get breached? And are even the supposedly best-protected companies (and their customers) still at risk of compromise? Bit by bit, more information is being discovered about the famous attack we all recently witnessed. It is believed that Russian nation-state actors are behind the breach that poisoned a SolarWinds software update, delivering the Sunburst backdoor to around 18,000 organizations and companies, including large tech companies such as Microsoft, FireEye and more. Even President Joe Biden is facing pressure from security advisors to urgently address what is being called one of the worst data breaches to ever hit the U.S. government. Since the original headlines outlining the Sunburst supply chain variant, additional malware strains involved in the attacks have also been discovered.

