Hello, welcome to the Thursday, January 5th, 2017 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

About a week ago, we noted an increase in scanning for GRE, the generic routing capsulation protocol.

A reader now noted that in October, a bug was fixed in Linux related to GRE.

We don't really know if the scanning is related to this bug, if someone is trying to find

vulnerable systems.

But anyway, this vulnerability led to a denial of service condition if you were

sending packets that had GREE inside of GRE packets and did that multiple times.

Now, the packets we have seen did not have that characteristics, but it could be an attempt to just enumerate systems

that do support GRE. It should also be noted that the vulnerability is not exploitable for systems

that use the regular 1500 byte Ethernet MTO because the packet wouldn't really fit inside that size with all the nested

GRE headers that are required to exploit this vulnerability.

And then we have kind of a new variant to the ransomware scheme in that attackers are taking

advantage of unsecure MongoDB installs and are then claiming at

least that they encrypted the data. It has been reported several times over the last couple of years

that you should not expose your database directly to the internet, in particular not these newer no-seq

databases like MongoDB that are often not password secured. This latest trick pretends to

encrypt the data. It actually doesn't encrypt it. It just adds a message that claims data

is encrypted and then demands ransom.

In other cases, the attacker is actually copying the data first and then deleting it from

the database and then again asking for ransom in order to return the data to the rightful

owner.

...