Hello, welcome to the Thursday, September 7th, 2017 edition of the Sansonet Storms and a stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We are still monitoring very closely the struts two vulnerability that was announced on Tuesday. An exploit has been released now in the form of

a meta-sploid module, so exploitation at this point is ongoing. You have to patch this

this week or take other mitigating actions like, for example, disabling the rest plugin if you have it enabled

in the first place. Of course that may not be an option if you're actually actively using

it. Let us know if you see any use of the exploit in the wild. I haven't seen anything yet in my honeypots

have to check again. The last time I checked was a couple

hours ago, but this is something that probably already is being used in more targeted attacks.

So if you are running a vulnerable site, then make sure when you're patching that you also

double check that the server hasn't already been

exploited. And MongoDB instances that are not properly secured continue to be the focus of

ransomware. There is a new Google dock table that a couple of security researchers put together that lists

27,000 databases that have successfully been hijacked by ransomware.

And apparently almost all of them, and that's 22,500 of them, were apparently hijacked by one particular group,

which identifies it by one specific email address.

Now, ransom demands are actually not all that high, 0.052.2 bitcoins, which comes down to somewhere

around $200 to maybe $1,000, depending on the exchange

rate for Bitcoin.

But even though it's not all that expensive to pay up, it looks like not too many people

are actually paying one of the Bitcoin addresses being used by this very large group, only got

about 0.6 Bitcoin so far. So in the order of $2,000, that's actually kind of a good thing

that people are not paying up, but may also be a sign. And that was also suggested in some

...