Ever wanted to see the hacker’s point of view?

The attached article provides quite an interesting and rare insight into the Cerber ransomware operations. Due to the misconfiguration of what looks like a staging server (not a C2), the researchers from Avast were able to obtain the source code of the scripts hosted on the server, and by analyzing these they could gather statistics on infections.

If you’re not into all the technical analysis – just scroll down 2/3 of the page (around the QR code image).

[Image: Main infections in Europe and the USA]

Read article here

MongoDB ransom attacks soar, body count hits 27,000 in hours

So here’s the new thing: find an unprotected MongoDB instance on the internet, copy the database (if you are a nice hacker), wipe it and leave a ransom note, essentially demanding payment to restore it to its previous state. The demand is typically between $150 and $500, to be paid in Bitcoin of course :).

If there’s any humor to be found in this new phenomenon, it must be this: hackers are apparently hacking already wiped MongoDB instances and leaving their own ransom note, so the user does not know who actually deleted the database or who to pay, if he were inclined to pay.


How can you protect yourself? Well, MongoDB apparently installs itself with a default administrator account that’s configured WITHOUT A PASSWORD.

Sigh…

Some advice from Mongo on how to protect against these types of attacks

Read full article

‘Ghost Hosts’ Bypass URL Filtering

So this really caught my attention: it seems malware writers have found a pretty simple and cool way to bypass URL filtering by inserting random, non-malicious host names in the HTTP Host header instead.


I think once more that DNS sinkholing/firewalling, or whatever you want to call it, is probably a better way to go, considering it stops ANY request whereas URL/WEB filters only monitor HTTP/HTTPS traffic.
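One detection check this technique invites, written here as an added example (it is not code from the article or from the researchers it cites): a web proxy log records both the IP the client connected to and the Host header it sent, so a request whose Host name is not one that resolves to that IP gets flagged, even though a URL filter keyed on the benign-looking name would have let it through. The log format, the resolver table and the addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed proxy log excerpt (not from the article): "<dst_ip> <Host header> <path>".
SAMPLE_LOG = """\
203.0.113.10 www.example.com /index.html
198.51.100.7 cdn.example.net:443 /static/app.js
203.0.113.10 update.example.org /check
192.0.2.55 www.example.com /gate.php
203.0.113.10 totally-unknown.example /
"""

# Constructed stand-in for the defender's own DNS / passive-DNS records (an assumption).
RESOLVED: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.7"},
    "update.example.org": {"198.51.100.20"},
}


def parse_line(line: str) -> Tuple[str, str, str]:
    """Split one log line and normalise the Host header (case, port, trailing dot)."""
    dst_ip, host, path = line.split(maxsplit=2)
    ipaddress.ip_address(dst_ip)  # reject garbage in the IP field early
    host = host.lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]  # drop an explicit port
    return dst_ip, host.rstrip("."), path


def classify(line: str, resolved: Dict[str, Set[str]] = RESOLVED) -> str:
    """'ok' if the name is known to resolve to dst_ip, else 'ip-mismatch' or 'unknown-host'."""
    dst_ip, host, _ = parse_line(line)
    known = resolved.get(host)
    if known is None:
        return "unknown-host"
    return "ok" if dst_ip in known else "ip-mismatch"


def find_ghost_hosts(log: str, resolved: Dict[str, Set[str]] = RESOLVED) -> List[Tuple[str, str, str]]:
    """(dst_ip, host, verdict) for each request whose Host name does not belong to the IP it went to."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict = classify(line, resolved)
        if verdict != "ok":
            dst_ip, host, _ = parse_line(line)
            findings.append((dst_ip, host, verdict))
    return findings
```

Running `find_ghost_hosts(SAMPLE_LOG)` flags the two requests whose Host names point at other addresses and the one whose name DNS has never seen; the two legitimate lines pass.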

Read full article