Ever wanted to see the hacker’s point of view?

The attached article provides quite an interesting and rare insight into the Cerber ransomware operations. Due to the misconfiguration of what looks like a staging server (not a C2), the researchers from Avast were able to get the source code of the scripts hosted on the server, and by analyzing these they could get statistics on infections.

If you’re not into all the technical analysis, just scroll down about two thirds of the page (to around the QR code image).

Main infections in Europe and the USA

Read article here

MongoDB ransom attacks soar, body count hits 27,000 in hours

So here’s the new thing: find an unprotected MongoDB on the internet, copy (if you are a nice hacker) and wipe the database, and leave a ransom note, essentially demanding payment to restore it to its previous state. This is typically between $150 and $500, to be paid in Bitcoin of course :).

If there’s any humor to be found in this new phenomenon, it must be this: hackers are apparently hacking already wiped MongoDB instances and leaving their own ransom note, so the victim no longer knows who actually deleted the database or whom to pay, if he were inclined to pay.


How can you protect yourself? Well, MongoDB apparently installs itself with a default administrator account that’s configured WITHOUT A PASSWORD.

Sigh…

Some advice from Mongo on how to protect against these types of attacks

Read full article

‘Ghost Hosts’ Bypass URL Filtering

So this really caught my attention: it seems malware writers have found a pretty simple and cool way to bypass URL filtering by inserting random, non-malicious host names in the HTTP Host header instead of the real one.


I think once more that DNS sinkholing/firewalling, or whatever you want to call it, is probably a better way to go, considering it stops ANY request to the blocked destination, whereas URL/web filters only monitor HTTP/HTTPS traffic.

Read full article
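Here is an added example (my own code, not from the linked article) that shows the defender’s side of the ghost host trick and of the DNS/IP blocking point above: it runs over a few constructed proxy log lines, flags requests whose Host header names a site the destination IP does not belong to, and separately lists what a destination-based block would have stopped regardless of the Host header. The log format, the resolver table and the deny list are all constructed for the example; in production the resolver data would come from the proxy’s own lookups or passive DNS, never from the client-supplied header.

```python
import ipaddress

# Added example, not from the original post or the article it links to.
# Constructed proxy log lines (not real traffic): time, client, destination IP,
# HTTP Host header, path. Lines 2 and 3 mimic the "ghost host" trick: a
# harmless-looking Host header sent to an address that name never resolves to,
# so a filter that only looks at the Host header sees nothing wrong.
PROXY_LOG = """\
2017-01-09T10:01:02Z 10.0.0.12 192.0.2.10 www.good-site.example /index.html
2017-01-09T10:01:05Z 10.0.0.12 198.51.100.7 www.good-site.example /gate.php
2017-01-09T10:02:11Z 10.0.0.31 198.51.100.7 cdn.good-site.example /update.bin
2017-01-09T10:03:40Z 10.0.0.31 192.0.2.11 cdn.good-site.example /lib.js
"""

# Constructed ground truth: the addresses each name actually resolves to.
RESOLVED = {
    "www.good-site.example": {"192.0.2.10"},
    "cdn.good-site.example": {"192.0.2.11"},
}

# Constructed deny list: a destination that DNS sinkholing or an IP firewall
# would refuse no matter what the HTTP layer claims.
DENY_IPS = {"198.51.100.7"}


def parse_proxy_log(text):
    """Yield (client, dst_ip, host, path) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, dst_ip, host, path = line.split()
        yield client, dst_ip, host.lower().rstrip("."), path


def find_ghost_hosts(log_text, resolved):
    """Flag requests whose Host header does not belong to the destination IP."""
    hits = []
    for client, dst_ip, host, path in parse_proxy_log(log_text):
        expected = resolved.get(host)
        if expected is None:
            reason = "host name not seen in resolver data"
        elif dst_ip not in expected:
            reason = "destination IP does not match Host header"
        else:
            continue  # header and destination agree; nothing to report
        hits.append({"client": client, "dst_ip": dst_ip, "host": host,
                     "path": path, "reason": reason})
    return hits


def blocked_by_destination(log_text, deny_ips):
    """Requests a destination-based block stops regardless of the Host header."""
    deny = {ipaddress.ip_address(ip) for ip in deny_ips}
    return [
        (client, dst_ip, host)
        for client, dst_ip, host, _path in parse_proxy_log(log_text)
        if ipaddress.ip_address(dst_ip) in deny
    ]


if __name__ == "__main__":
    for hit in find_ghost_hosts(PROXY_LOG, RESOLVED):
        print("ghost host:", hit)
    for entry in blocked_by_destination(PROXY_LOG, DENY_IPS):
        print("blocked by destination:", entry)
```

The mismatch check is the useful part: a URL filter that trusts the Host header is reading a value the malware controls, while the destination address is something it cannot lie about.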

900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack

Will we never learn? It never ceases to amaze me why a consumer router should accept ANY kind of request/connection on its public facing interface.

The outage is apparently the result of exploitation attempts against a SOAP Remote Code Execution (RCE) vulnerability reachable via port 7547 on Speedport routers, which are widely deployed in Germany by Deutsche Telekom.


Probably someone has modified Mirai to go look for this specific vulnerability…

Full Article

POISONTAP STEALS COOKIES, DROPS BACKDOORS ON PASSWORD-PROTECTED COMPUTERS

So the other day I was sitting at the other side of the desk at a municipality in Belgium. The person in front of me was busy entering all the information into the computer. A computer whose back, with all the ports (USB, Ethernet and so on), was exposed to me…

It would have been very easy to plug in a device such as a PoisonTap or USB Rubber Ducky. Considering the information on citizens that these institutions hold, it’s worrying that basic physical security is not in place.

I’d recommend you have a look at both of these devices, especially PoisonTap, which is a very new one running on a $5 Raspberry Pi Zero. By connecting it to a computer, even a locked one, it can steal passwords, hijack network traffic and install persistent backdoors – ones that remain even after the device is removed again.

“USB Rubber Ducky Deluxe”

“PoisonTap”