Over the weekend, a Russian IP known to be malicious by a variety of threat intelligence vendors tried to communicate with our customers' networks over 2 million times. The IP is known to be malicious by DShield, CINS Army, AbuseIPDB, IPSum and Collective Intelligence. Malicious activity from this IP was also reported on Alienvault's Open Threat Exchange by two additional sources - the Louisiana Cyber Investigators Alliance (LCIA) who caught this IP using their honeypot, and the Internet Storm Center.

ThreatSTOP is now a ThreatConnect partner, integrating our DNS and IP threat intelligence directly into ThreatConnect's market-leading Threat Intelligence (TIP) and Security Orchestration, Automation, and Response (SOAR) Platform.

In news that's certain to make cyber criminals depressed, but security practitioners joyous, ThreatSTOP and Bandura have developed an integration that builds on the proactive, block-threats-early mantra shared by the two security companies.

Until two weeks ago, thousands of Microsoft Exchange servers were under attack unknown to anyone. Since Microsoft and other researchers uncovered this severe cyber offensive against various U.S. institutions, organizations have been scrambling to patch the vulnerabilities used in the attack, understand the extent of potential damage, and ensure protection for next time (and there will be a next time). In this blog post, we'll explain how to do exactly that.

Good news for AWS customers (which is.... a lot of you!)! 

HAFNIUM Exchange attack - detecting and mitigating with ThreatSTOP TI

The Microsoft Exchange attack leveraging multiple zero-days has by some accounts been one of the most wide-spread and potentially damaging hacks in history, orchestrated by a group Microsoft has named HAFNIUM. Malicious network activity related to the attack was first detected in January but the full nature and extent of the attack was publicly disclosed only on March 2nd. Active exploitation started around February 26th, primarily targeting U.S. entities. 

With ransomware and cyber-attack chaos these days, we find ourselves focusing on the rapid appearance of new and upcoming threats. Every day is a day of new threats, new attack headlines, and new worries. But, it’s important to keep in mind that with so many new attacks come so many researchers and organizations whose goal is to collect and update as much information as possible regarding these new threats. Security service providers, researchers, and security communities collect and publish a plethora of updated, actionable threat intelligence at every given moment. The big question is – how to make all that extremely useful (yet extremely scattered) intelligence actionable, and how to automatically integrate it on to your security solutions and devices.

A new android malware strain was uncovered in May, boasting the ability to steal data from 337 applications, including passwords and credit card information. Among these apps are some of the most highly-used applications on any android phone, such as Netflix, Gmail, Amazon, Uber, and more.

The Japanese manufacturing giant revealed that it had been hit with ransomware on Monday June 8, 2020, forcing it to shut down a number of manufacturing facilities and disrupting its global operations. Honda was left with no choice but to halt operations in Japan, North America, the U.K., Turkey and Italy. Furthermore, the ransomware attack caused disruptions to the company’s customer service and financial services.

One of the key problems in threat intelligence is curating whitelists of infrastructure and domains that should never be blocked. Just recently, a government CERT distributed lists of IoCs that included private IP addresses that just are not useful for analysts and hunt teams. At best, it creates wasted time and effort. At worst, key infrastructure is blocked and there is business impact and/or loss of revenue.