Hello, welcome to the Thursday, April 6, 2017 edition of the Santonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier has an interesting diary about how attackers are going after sites and indicators that are commonly whitelisted. For example, the top

1,000 most popular sites, these sites are often whitelisted, but you'll find sites like

Twitter and GitHub or such among these sites, which of course can also be used as command and control channels,

which of course makes it more difficult for the analyst to really filter out what's going on.

Same of course for URLs.

A lot of ransomware, for example, uses search.php or URLs like that that are very commonly used in

non-malicious sites. So again, this makes not a great indicator to find malicious or infected hosts.

And earlier today, to get ready for the webcast, we'll have later on Thursday about the struts too vulnerability.

I was looking through my honeypot logs again and I saw that there's quite a bit of activity that's actually targeting Windows servers with ransomware.

In this particular case, they tried to install the Kerber Ransomware on the host

that claimed to be vulnerable for these threats to vulnerability. A Google search will show you

how others have reported this last a few days as well. This morning when I ran this

ransomware first in my little honeypot, Windows system that actually has antivirus installed,

it still slipped past the antivirus. Antivirus coverage wasn't that great. End of the day

to day, that's no longer true.

We do now have pretty good coverage for this variant.

And researchers at Kaspersky are reporting about an interesting compromise of a Brazilian bank.

Apparently, this bank lost control over all 36 domains it uses to do business with.

Once attackers had control of these domains, they were able to redirect traffic to these domains

at will, they were able to intercept email, and most importantly, they were able to intercept HTTP requests to the

...