In a totally insane disrespect of privacy, the US Senate has just approved a law that finds it’s pretty OK for an ISP to sell your browsing history to advertisers and ‘other’ companies.
I’ll be keeping an eye on my mailbox next time I’m in the states 🙂
Apparently about 140 banks, enterprises, government institutions and telecoms worldwide are infected with a very hard-to-detect new attack that mainly uses legitimate tools such as PowerShell, Windows sc and netsh to load malicious code into memory.
Sweet, this impacts about 20 million – mostly enterprise – users. Luckily this didn’t get exploited in the wild (yet) or added to an Exploit Kit (EK).
The attached article provides quite an interesting and rare insight into the Cerber ransomware operations. Due to the misconfiguration of what looks like a staging server (not a C2), the researchers from Avast were able to get the source code of the scripts hosted on the server and, by analyzing these, they could get statistics on infections.
If you’re not into all the technical analysis – just scroll down 2/3 of the page (around the QR code image).
So here’s the new thing: find an unprotected MongoDB on the internet, copy (if you are a nice hacker) and wipe the database, and leave a ransom note, essentially demanding payment to restore it to its previous state. This is typically between $150 and $500, to be paid in Bitcoin of course :).
If there’s any humor to be found in this new phenomenon, it must be this: hackers are apparently hacking already-wiped MongoDB instances, leaving their own ransom note, resulting in the user not knowing who actually deleted the database and who to pay, if he were inclined to pay.
How can you protect yourself? Well, MongoDB apparently installs itself with a default administrator account that’s configured WITHOUT A PASSWORD.
So this really caught my attention: it seems malware writers have found a pretty simple and cool way to bypass URL filtering by inserting random, non-malicious host names in the HTTP Host field instead.
I think once more that DNS sinkholing/firewalling, or whatever you want to call it, is probably a better way to go, considering it stops ANY request, whereas URL/web filters only monitor HTTP/HTTPS traffic.
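The Host-header trick above leaves a trace a URL filter ignores: the name in the Host field does not map to the IP the connection actually went to. Here is an added example of mine (not from the article) that runs that check over constructed proxy log lines and a constructed resolver table, so every name and address in it is an assumption:

```python
import ipaddress
from collections import defaultdict, namedtuple

# Constructed stand-in for a DNS resolver (hypothetical names/addresses);
# in practice use the DNS answers the same client received (passive DNS).
DNS_TABLE = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.20", "198.51.100.21"},
}

# Constructed proxy log: "<dst_ip> <Host header> <request path>" per line.
SAMPLE_LOG = """\
93.184.216.34 www.example.com /index.html
203.0.113.77 www.example.com /update.bin
198.51.100.21 cdn.example.net:443 /lib.js
203.0.113.77 cdn.example.net /gate.php
203.0.113.77 random-name.invalid /check
"""
Finding = namedtuple("Finding", "dst_ip host path reason")

def resolve(host):
    """Addresses the hostname resolves to, per the constructed table."""
    return DNS_TABLE.get(host, set())

def parse_line(line):
    """Split a log line; drop an optional :port from the Host value."""
    dst_ip, host, path = line.split(maxsplit=2)
    ipaddress.ip_address(dst_ip)  # raises ValueError on a malformed address
    return dst_ip, host.split(":")[0].lower(), path

def check_host_mismatch(log_text):
    """Findings for requests whose Host name does not map to the dst IP."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        dst_ip, host, path = parse_line(raw)
        addrs = resolve(host)
        if not addrs:
            findings.append(Finding(dst_ip, host, path, "host does not resolve"))
        elif dst_ip not in addrs:
            findings.append(Finding(dst_ip, host, path, "host resolves elsewhere"))
    return findings

def suspicious_destinations(findings):
    """Group mismatches by dst IP: one IP fronted by many unrelated names."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f.dst_ip].add(f.host)
    return dict(by_ip)
```

Resolver answers differ by vantage point (CDNs, anycast), so compare against the DNS answers the client itself received rather than a fresh lookup, or the check will produce false positives.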