Good news for AWS customers (which is.... a lot of you!)! 

HAFNIUM Exchange attack - detecting and mitigating with ThreatSTOP TI

The Microsoft Exchange attack leveraging multiple zero-days has by some accounts been one of the most wide-spread and potentially damaging hacks in history, orchestrated by a group Microsoft has named HAFNIUM. Malicious network activity related to the attack was first detected in January but the full nature and extent of the attack was publicly disclosed only on March 2nd. Active exploitation started around February 26th, primarily targeting U.S. entities. 

Small-medium businesses are on the bullseye for cyber attacks, with businesses being attacked and compromised on an hourly basis, yet many SMBs don’t seem to be worried at all. 63% of small-medium businesses experienced a data breach in 2019, as reported in a study by Keeper Security and the Ponemon Institute. Yet the same study found that 60% of SMB owners think their businesses aren’t a likely target for a cyber attack. These numbers don’t add up, and something about these business owners’ laid back attitude just doesn’t make sense – SMB recovery from a cyber attack is estimated to cost around $200,000, and can easily reach millions depending on the extent of the damage (and in case of ransomware – how big the ransom price is). In fact, a study by BullGuard found that over forty percent of SMBs do not have cybersecurity defense plans whatsoever.

With ransomware and cyber-attack chaos these days, we find ourselves focusing on the rapid appearance of new and upcoming threats. Every day is a day of new threats, new attack headlines, and new worries. But, it’s important to keep in mind that with so many new attacks come so many researchers and organizations whose goal is to collect and update as much information as possible regarding these new threats. Security service providers, researchers, and security communities collect and publish a plethora of updated, actionable threat intelligence at every given moment. The big question is – how to make all that extremely useful (yet extremely scattered) intelligence actionable, and how to automatically integrate it on to your security solutions and devices.

This weekend we have put our new log-parsing and reporting code into production. The new code significantly increases our speed of log parsing (by about two orders of magnitude) and it provides a lot more help to help our users research what particular blocked threats were caused by. As product manager I am very pleased to say that it is a massive improvement over the previous stuff but, for our existing users, there are a couple of niggles.

Over the last couple of days we've seen an increasing number of outbound DNS queries to ip addresses on our block lists - principally to ones on the DShield 4000. Since the destination servers are frequently in China and the subscribers have little to do with China this looks unlikely to be genuine traffic. It is however somewhat suggestive of Conficker and other similar fastflux DNS malware which "call home" via a DNS lookup to some randomly generated subdomain of an otherwise apparently genuine domain. The DNS lookup resolves (usually) to a fastflux intermediary that communicates with the botmaster, The DNS server itself is generally not 'bad' per se but it will be under the control of the cyber crooks because they have to feed it the zone changes so frequently and this level of activity would raise a flag in any legitimate DNS hosting service.

Recently I blogged that we had added the abuse.ch ZeuS Tracker botnet list as a block list source. Last week we confirmed that it worked by seeing that our customers had connections to addresses on that list that were blocked by ThreatSTOP, and which came from systems later confirmed to be infected.

A recent column by John Dix in Network World paints a rather depressing picture of the state of the Internet when it comes to malware. Mr Dix points out that there are millions of compromised computers (bots) out there and that while network security people can block some of the worst there are a lot that they cannot block because these other threats are quiet enough to not be detected by current IPS/IDS etc. devices. His essential claim is that we just have to assume that every network is penetrated and/or vulnerable to penetration by cyber-criminals. The article quotes various security professionals as stating that the dangerous bot attacks are stealthy and slow moving with the attack gradually building up to its most serious level over a period of days or even weeks.

Yesterday I guest blogged at Control Global about remediation steps for process automation networks and I've been thinking some more about the topic.