Hello and welcome to the Tuesday, April 18, 2020, 3 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Augusta, Georgia.

Jan today wrote a diary about a significant increase in the number of medical devices exposed in China, according to

Shodan at least. The increase started about two weeks ago and now reached 30,000 devices.

The other classification assigned to these IP addresses appears to be Honeypot.

So, well, are these medical device honeypots or what's exactly going on here?

Jan wasn't quite able to figure out how Chodan classified these devices.

He didn't really find sort of any specific ports open on a small

sample of these devices to identify them as medical devices or a honeypot for that matter.

On the other hand, it could also be, of course, that this is some trick being played by the

Chinese firewall or some other network device

that specifically redirects, for example, scans from Shodan scanners.

In general, while Shodan is pretty good in identifying vulnerable devices and classifying them,

it is, as Jan points out, somewhat a black box,

and of course some artifacts like this could always show up in their data based on essentially

a buck or maybe a little bit inaccurate decision in how these devices are classified.

And Melver Hunterunter team recently reported that they spotted a Mac OS version of the infamous

lockbit ransomware in the wild. This particular binary was apparently compiled specifically

for M1 Max.

Patrick Wardle now took a closer look at the binary and published a blog post with an analysis.

And while this does look like it's derived from log bit and it does look like it's an attempt

at creating a ransomware, it's an attempt at creating a ransomware.

...