Cyware Daily Threat Intelligence April 16, 2018

Roaming Mantis
The Roaming Mantis malware was discovered hijacking DNS settings on routers and redirecting users to malicious IP addresses to install Trojanized applications. Once infecting a device, the malware tries to steal user information, including credentials for two-factor authentication, and give the attackers full control. The malware is mostly targeting South Korea, Bangladesh, and Japan.

Spartacus ransomware
A new ransomware has been spotted encrypting infected files and appending the extension '.spartacus'. The ransomware also sends victims a set of instructions insist them to write an e-mail, including the public key (ID KEY) and the Bitcoin address straight, to a specific address. The virus creates a unique mutex of “Test” in order to not run the ransomware twice.

Desert Scorpion spyware
A Hamas-linked spyware was discovered in the Google Play Store by the mobile security firm Lookout. The malware is designed to steal data from a target’s phone and record phone calls, videos, and surrounding audio can be recorded. Desert Scorpion uses multi-stage attacks to hide this functionality and the C&C infrastructure. Old JavaScript crypto flaw
A flawed crypto library that could allow hackers o brute-force private keys, take control of users' wallets, and steal funds from old Bitcoin addresses was found. The vulnerability resides in the use of the JavaScript SecureRandom() function.

Microsoft IIS 6.0 vulnerability targeted
The IIS 6.0 vulnerability is being exploited by hackers to take over Windows servers and install a malware strain named lsass.eXe in order to Electroneum cryptocurrency. The infection process is masked by the use of the Squiblydoo technique. This flaw, dubbed CVE-2017-7269, is used to target Windows IIS 6.0 servers.

Patch for SPI Flash flaw
Intel released security patches for vulnerabilities in the configuration of multiple CPU series that could allow an attacker to alter the behavior of the chip's SPI Flash memory. This flaw, traced as CVE-2017-5703, could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware. Data leaked online
Personal information of more than 46,000 TrueMove H users was leaked online due to an open Amazon Web Services' (AWS) cloud storage. Over 32GB of data--which includes images of identity documents--was found to have leaked. The output from bucket-finder showed several issues such as config files, source code, and other potential information disclosures. The issue has already been fixed.

Connected fish tank hacked
Cybercriminals managed to exfiltrate a high-roller database of gamblers by infecting a thermometer in an aquarium in the lobby of the casino. A vulnerability in the thermostat was exploited to find the high-roller database. They then pulled that back across the network, out the internet-connected thermostat, and up to the cloud.

YouTuber hacked
A popular cryptocurrency YouTuber was hacked during a livestream session. Hackers stole $2 million in the process. The wallet transactions on Etherscan clearly revealed that all of the tokens were withdrawn during the livestream.