The attached article provides quite an interesting and rare insight into the Cerber ransomware operation. Due to a misconfiguration of what looks like a staging server (not a C2), the researchers from Avast were able to obtain the source code of the scripts hosted on the server, and by analysing these they could derive statistics on infections.
If you’re not into all the technical analysis – just scroll down 2/3 of the page (around the QR code image).
Most infections are in Europe and the USA.
Read article here
So here’s the new thing: find an unprotected MongoDB instance exposed on the internet, copy the database (if you are a nice hacker), wipe it and leave a ransom note demanding payment to restore it to its previous state. The ransom is typically between $150 and $500, to be paid in Bitcoin of course :).
If there’s any humour to be found in this new phenomenon, it must be this: hackers are apparently re-hacking already wiped MongoDB instances and leaving their own ransom notes, so the victim has no idea who actually deleted the database or whom to pay, if they were inclined to pay (and the second attacker never had the data in the first place, so paying them restores nothing).
How can you protect yourself? The root cause is that MongoDB’s default configuration ships with access control disabled: there are no user accounts and no authentication at all, so anyone who can reach the port gets full administrative access, and before version 3.6 the binaries also listened on all interfaces unless the configuration file said otherwise. Enable authorization, create an administrative user, and bind the service to localhost or an internal address that only your application servers can reach.
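To make the fix concrete, here is an added example of mine (not from the article and not MongoDB’s own code): a mongod.conf with the exposed settings next to a hardened one, plus a small audit of the two settings that matter for this attack. Both config texts are constructed for illustration, and the reader only understands the two-level section/key shape that mongod.conf uses.

```python
"""Added example (not from the article or from MongoDB): a mongod.conf with
the exposed settings next to a hardened one, plus a small audit of the two
settings that matter here. Both config texts are constructed for illustration."""

# Constructed: the kind of config that gets an instance onto the ransom list.
# No security section at all, and listening on every interface.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the whole internet
"""

# Constructed: the corrected version. Access control on, loopback only.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # or an internal address your app servers use
security:
  authorization: enabled # no user, no access (the localhost exception still
                         # lets you create the first admin from the box itself)
"""


def parse_mongod_conf(text):
    """Read the two-level 'section:' / '  key: value' shape mongod.conf uses.
    Deliberately minimal; it is not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():              # unindented: a new section
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return human-readable findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no login is "
                        "needed, anyone who reaches the port has full access")

    bind = conf.get("net", {}).get("bindIp", "")
    addrs = {a.strip() for a in bind.split(",") if a.strip()}
    if not addrs:
        findings.append("net.bindIp is not set: before MongoDB 3.6 that meant "
                        "listening on all interfaces")
    elif addrs & {"0.0.0.0", "::"}:
        findings.append(f"net.bindIp {sorted(addrs)} exposes the port on every "
                        "interface")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["ok"])
```

After restarting mongod with the hardened config, create the first administrative user from a shell on the box itself (the localhost exception allows this once): `use admin` followed by `db.createUser({user: "admin", pwd: "<strong password>", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})`. Then confirm from outside your network that port 27017 no longer answers at all; if it has to stay reachable, put it behind a firewall rule and use TLS.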
Some advice from Mongo on how to protect against these types of attacks
Read full article
So this really caught my attention: it seems malware writers have found a pretty simple and cool way to bypass URL filtering by putting a random, non-malicious host name in the HTTP Host header while the connection itself goes to the real C2 address.
I think once more that DNS sinkholing/firewalling, or whatever you want to call it, is probably the better way to go, considering it stops ANY request, whereas URL/web filters only monitor HTTP/HTTPS traffic.
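To show why the trick works and what still catches it, here is an added example (mine, not from the article): a filter that trusts the Host header, a filter that also looks at the real destination, and a DNS sinkhole, all run over constructed traffic. The addresses are RFC 5737 documentation ranges and the names, resolver table and blocklists are made up for the example. It also covers a case the post does not mention: malware that hard-codes the C2 address and never does a DNS lookup at all.

```python
"""Added example (not from the article): why a URL filter that keys on the
HTTP Host header misses this trick, and which controls still catch it.
Addresses are RFC 5737 documentation ranges; names, the 'resolver' table and
the blocklists are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for DNS: what each name really resolves to.
RESOLVER = {
    "www.example.com": {"93.184.216.34"},
    "c2.evil-example.org": {"203.0.113.10"},
}
# Constructed threat intel: the C2 name and its address.
BLOCKED_NAMES = {"c2.evil-example.org"}
BLOCKED_IPS = {"203.0.113.10"}


@dataclass
class HttpRequest:
    dst_ip: str                    # where the TCP connection really goes
    host_header: str               # what the client wrote in "Host:"
    resolved_name: Optional[str]   # name the client looked up to get dst_ip,
                                   # None if the malware hard-codes the IP


def host_header_filter(req: HttpRequest) -> str:
    """Naive web filter: judges the request by the Host header alone."""
    return "block" if req.host_header in BLOCKED_NAMES else "allow"


def destination_aware_filter(req: HttpRequest) -> str:
    """Web filter that also looks at where the packets actually go and
    refuses requests whose Host header does not resolve to that address."""
    if req.dst_ip in BLOCKED_IPS or req.host_header in BLOCKED_NAMES:
        return "block"
    if req.dst_ip not in RESOLVER.get(req.host_header, set()):
        return "block"            # Host header lies about the destination
    return "allow"


def dns_sinkhole(name: str) -> Optional[str]:
    """DNS firewall: blocked names get a sinkhole answer instead of the real
    record, so the client never learns the C2 address."""
    return "0.0.0.0" if name in BLOCKED_NAMES else None


def controls_that_fire(req: HttpRequest) -> List[str]:
    """Which of the three controls would have stopped this request."""
    fired = []
    if host_header_filter(req) == "block":
        fired.append("url-filter/host-header")
    if destination_aware_filter(req) == "block":
        fired.append("url-filter/destination-aware")
    if req.resolved_name is not None and dns_sinkhole(req.resolved_name):
        fired.append("dns-sinkhole")
    return fired


# Constructed traffic: one legitimate request and the two malware variants.
LEGIT = HttpRequest("93.184.216.34", "www.example.com", "www.example.com")
# Malware resolves its C2 name, then fakes a harmless Host header.
C2_VIA_DNS = HttpRequest("203.0.113.10", "www.example.com", "c2.evil-example.org")
# Same trick, but the C2 address is hard-coded: no DNS lookup at all.
C2_HARDCODED_IP = HttpRequest("203.0.113.10", "www.example.com", None)

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("c2 via dns", C2_VIA_DNS),
                       ("c2 hard-coded ip", C2_HARDCODED_IP)):
        print(f"{label:18} stopped by: {controls_that_fire(req) or 'nothing'}")
```

The Host-only filter passes both malware requests, the sinkhole catches the variant that resolves its C2 name, and only the destination-aware check catches the hard-coded address. In a real deployment the “does Host resolve to dst_ip” comparison should use what your own resolver handed that client (passive DNS or resolver logs), not a fresh lookup, or CDN-hosted sites with many addresses will trip it.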
Read full article
Hmm, seems like another massive breach. Of course, after the Adult Friend Finder leak of 400+ million accounts this looks like no big deal, but it’s actually one of the bigger ones. In other news, xHamster was also breached; yes, the ‘adult’ video site 🙂
Will we never learn? It never ceases to amaze me that a consumer router accepts ANY kind of request/connection on its public-facing interface.
Apparently there are exploitation attempts against a SOAP remote code execution (RCE) vulnerability reachable via TCP port 7547 (the port used for TR-069 remote management by the ISP) on Speedport routers, which are widely deployed in Germany by Deutsche Telekom.
Probably someone has modified Mirai to go look for this specific vulnerability…
So the other day I was sitting on the other side of the desk at a municipality in Belgium. The person in front of me was busy entering all the information into the computer, a computer whose back, with all its ports (USB, Ethernet and so on), was exposed to me…
It would have been very easy to plug in a device such as a PoisonTap or a USB Rubber Ducky. Considering the information on citizens that these institutions hold, it’s worrying that basic physical security (ports out of visitors’ reach, unused ports disabled) is not in place.
I’d recommend you have a look at both of these devices, especially PoisonTap, a very new one that runs on a $5 Raspberry Pi Zero. Plugged into a computer, even a locked one, it can steal session cookies, hijack network traffic and install persistent backdoors that keep working after the device is removed again. It gets away with this because it presents itself as a USB Ethernet adapter, which the operating system configures and starts routing traffic over without anyone having to unlock the screen.
“USB Rubber Ducky Deluxe”
Ok, so OOPS I guess. Who would have thought 400 million people were using the, ahem, services of social website Adult Friend Finder?
And maybe even more worrying, have a look at the passwords people are using… Really?
Article from Gizmodo
Article from LeakedSource