Norse Special Threat Report: Heartbleed? Potential scanning and targeting of port 443 and HTTPS

04/11/2014

With Heartbleed having everyone's attention and capturing every conversation this week, our information security threat analysis team thought it would be prudent to check Norse's global sensor grid to see if anyone was targeting port 443. In looking at activity targeting port 443 over the last two weeks, the amount is not significant - though there are a handful of spikes just before and after the vulnerability announcement on 2014 April 7.

Norse Special Threat Report: Potential scanning and targeting of port 443 activity over time

Digging into our data, four groupings of specific threat actors became apparent. The first group of actors that stood out was from the College of Engineering at University of Michigan (UMich) and the ZMap project, which we excluded from these results and analysis. Even with the UMich activity excluded, the US was second for the number of IP addresses involved in targeting port 443, with Netherlands and then China rounding out the top three.

Norse Special Threat Report: Potential scanning and targeting of port 443, IP addresses involved per country bubble chart

For the amount of activity, the results are similar in that China has the most activity we have seen for this time frame, with the US and Netherlands second and third. Note that though there is just a handful of IP addresses involved from China (36 in total), the amount of activity far surpassed every other IP and country we have seen in the first two weeks of April.

Norse Special Threat Report: Potential scanning and targeting of port 443, IP addresses involved per country bar chart

Of these 36 IPs in China, a few are within the same AS number and ISP. Not surprisingly, the majority of these IPs are rated EXTREME within our IPViking platform and are relatively active over this time frame.

Norse Special Threat Report: Potential scanning and targeting of port 443, China (CN) IP addresses activity time line April 1 - 13 2014

The US-based activity was the most surprising so far. A good portion of the IPs involved (20 of the 56) are within AS numbers assigned to Amazon (AS 14618 and AS 16509), with the majority of these having Merck and Co as the ISP. The majority of IPs associated with Amazon have ratings of HIGH or EXTREME within our IPViking platform.

Norse Special Threat Report: Potential scanning and targeting of port 443, United States (US) IP addresses activity time line April 1 - 13 2014

The majority of activity from Netherlands is from 58 IP addresses within AS 25459, assigned to NedZone Internet BV. It is quite strange that their activity was primarily on the few days before the April 7 announcement, though there was also activity from six (6) of their IP addresses on April 10, 2014. The IP addresses involved were in the range of 37.247.36 [DOT] 67 to 37.247.36 [DOT] 124. The six IPs active on April 10, 2014 were:

  • 37.247.36 [DOT] 69
  • 37.247.36 [DOT] 84
  • 37.247.36 [DOT] 95
  • 37.247.36 [DOT] 101
  • 37.247.36 [DOT] 115
  • 37.247.36 [DOT] 118

Norse Special Threat Report: Potential scanning and targeting of port 443, Netherlands (NL) IP addresses activity time line April 1 - 13 2014
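To check your own perimeter logs for the same pattern (port 443 hits from the reported range, split around the April 7 announcement), a hunt could look like the following. This is an added example, not Norse code: the log layout, sample lines and function names are constructed assumptions, and only the address range and the date come from the report.

```python
import ipaddress
import re
from collections import Counter
from datetime import date, datetime

# Values taken from the report; the range is written defanged there.
DISCLOSURE = date(2014, 4, 7)
RANGE_START = "37.247.36 [DOT] 67"
RANGE_END = "37.247.36 [DOT] 124"

# Constructed sample lines in an assumed firewall-log layout (not Norse data).
SAMPLE_LOG = """\
2014-04-04T02:11:09Z SRC=37.247.36.69 DST=203.0.113.10 DPT=443
2014-04-05T02:11:10Z SRC=37.247.36.84 DST=203.0.113.10 DPT=443
2014-04-05T09:40:51Z SRC=37.247.36.84 DST=203.0.113.11 DPT=80
2014-04-06T17:03:22Z SRC=198.51.100.7 DST=203.0.113.10 DPT=443
2014-04-10T23:58:01Z SRC=37.247.36.118 DST=203.0.113.12 DPT=443
2014-04-10T23:59:30Z SRC=37.247.36.200 DST=203.0.113.12 DPT=443
malformed line without fields
"""
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=\S+ DPT=(\d+)$")

def refang(text):
    """Turn '37.247.36 [DOT] 67' back into a parseable address object."""
    return ipaddress.ip_address(text.replace(" [DOT] ", "."))

def hunt(log_text, port=443):
    """Count hits on `port` from the reported range, before vs. on/after disclosure."""
    lo, hi = refang(RANGE_START), refang(RANGE_END)
    hits = {"before": Counter(), "on_or_after": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(3)) != port:
            continue  # malformed line or a different destination port
        try:
            src = ipaddress.ip_address(m.group(2))
            day = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue  # unparseable address or timestamp
        if src.version != 4 or not lo <= src <= hi:
            continue  # inclusive range test; the range is not CIDR-aligned
        hits["before" if day < DISCLOSURE else "on_or_after"][str(src)] += 1
    return hits

if __name__ == "__main__":
    for period, counter in hunt(SAMPLE_LOG).items():
        print(period, dict(counter))
```

The range is compared address by address because .67 to .124 does not fall on a single CIDR boundary, so a prefix match would either miss or over-match sources.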

With secure communications being "critical infrastructure" for business and our personal lives, there will be miscreants that target these sorts of resources - that is where the valuables are, and with a known vulnerability, exploits are that much easier. For additional information, the ZMap project also has a Heartbleed Bug Health Report with information and insight based on their visibility, and the EFF has outlined two other IP addresses that were apparently targeting port 443 back in November 2013.

Norse will continue monitoring this activity to provide analysis and insight with the intent to recognize and defend against this sort of malicious activity. For real time protections and insight, reach out to the Norse sales staff for further information and assistance.