Cyware Daily Threat Intelligence February 09, 2018

New PoS malware
A new variant of a Point of Sale (PoS) malware, named UDPoS, has been detected. The malware disguises itself as a LogMeIn service pack and generates unusual amounts of DNS requests, to steal magnetic stripe payment card data. However, UDPoS appears to be less sophisticated than recent strains of PoS malware.

Cryptocurrency mining
Attackers have been launching attacks, on various servers, to carry out cryptocurrency mining. However, a new attack is targeting a water utility provider in Europe. This is the first time industrial controls systems (ICS), or SCADA servers have been used to mine cryptocurrency.Experts theorize that the port of entry for the malware was via the system known as Human Machine Interface (HMI). Flaws in Amazon's Key service
A new way for hackers to break into a home that’s protected by Amazon Key has been found. Amazon Key lets deliverymen enter a property, using an app to unlock the door. The delivery is recorded via a web-connected camera, called the Cloud Cam. It has been found that using Raspberry Pi equipped with a battery pack and wireless dongle, the device can be hacked.

New microcode update for Skylake
Intel released a new microcode update, for Skylake processors, that can provide protection from the Spectre flaws. In the past, Intel has released a patch and withdrew it owing to rebooting issues.

Windows installer delivering LokiBot
Security researchers have discovered that the Windows Installer service in Microsoft Windows OS is exploiting the CVE-2017-11882 vulnerability to deliver Loki infostealer. The attack uses msiexec.exe as part of the Windows Installer service to download the malware. To prevent this attack, users can disable or restrict Windows Installer. Reddit clone site
A clone website, that appears to be Reddit site, set up by scammers managed to steal Reddit login credentials of visitors. The fake website had a valid SSL certificate and hosted on a Colombian domain, reddit.co instead of reddit.com.

Customer data exposed
An open port a NAS server, left customer data of the Maryland Joint Insurance Association (MJIA) exposed. Leaked information included names, addresses, phone numbers, dates of birth, Social Security numbers, bank account numbers, check images, and internal access credentials. The exposed server also contained login details for ISO ClaimSearch.

DCGH’s EMR Hacked
Cyber criminals hacked the Decatur County General Hospital (DCGH) by remotely installing software onto its electronic health record software to generate digital currency. Affected server includes personally identifiable information of around 24,000 patients. The hospital urged patients to place a fraud alert on their credit files.