Cyware Daily Threat Intelligence February 22, 2018

Mirai-based botnet
A Mirai-based botnet, called OMG, is being used to turn IoT devices into proxy servers. The strings used in this Mirai variant is ‘/bin/busybox OOMGA’ and ‘OOMGA: applet not found’. Proxies are used by hackers to become anonymous while carrying out malicious activities.

Ursnif malware campaign
Scammers are pretending to be from the Australian Securities and Investment Commission (ASIC) and sending emails infected with the Ursnif malware. These emails have a link that provides an invoice with fake payment details, clicking on which, infects the system with Ursnif malware.

JavaScript-based evasion techniques
Hackers are using JavaScript codes in the attack vector, often used in the dropper stage, to evade the various reverse-engineering techniques. Using this technique, an attacker would have a control flow integrity. Flaws in uTorrent Windows version
Several security vulnerabilities have been spotted in BitTorrent’s official client, uTorrent. A fix has been released in uTorrent version 3.5.3.44352. uTorrent Web users can update to the latest available build 0.12.0.502.

IOTA won't fix the flaw
A vulnerability has been spotted in IOTA that could open up users to a replay attack. IOTA was developed to enable fee-less microtransactions for the Internet of Things. However, IOTA denied to fix the issue as it believes this is a situation that will occur only in extreme circumstances.

GitLab fixes issues
Security researchers discovered several bugs in GitLab that would allow hackers to hijack domains by exploiting a weakness in the way GitLab handles domain verification. Researchers were able to hijack 700 domains and subdomains. GitLab fixed the issue, and urged users to verify domain ownership by adding a DNS TXT record containing a token generated by GitLab. SamSam Ransomware breach
The Colorado’s Department of Transportation (CDOT) has been hit by SamSam ransomware, resulting in shutdown of more than 2,000 computers. The malware infected these systems, encrypted files and demanded to pay the ransom in Bitcoins. Interestingly, the ransomware only hit systems functioning on Windows OS.

LA Times website mines Monero
The Los Angeles Times website has been mining cryptocurrencies. This happened after the newspaper's IT staffers left at least one of the publication's Amazon Web Services (AWS) S3 cloud storage buckets open. Users are advised to install antivirus or ad-blockers to stay safe from cryptocurrency miners.

Data breach HardwareZone (HWZ)
Around 685,000 users registered with HardwareZone (HWZ) became victims of a data breach, after losing their profile data. The breach was discovered after a suspicious posting was made on the forum site.