
Hackers Target Online Casinos With GamePlayerFramework Malware



The Russian cybersecurity company Kaspersky has stated that this activity against online casinos is associated with another set of intrusions linked to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing similar tactics and targeting as well as the creation of secure messaging clients.

According to the researchers, "there may be a mix between espionage and IP theft, though their true motives remain a mystery so far," researchers Kurt Baumgartner and Georgy Kucherin wrote in a technical paper published this week.

In November 2021, Kaspersky said that a PlugX loader and other payloads were detected on an employee monitoring service and a security package deployment service.

A company representative said on Friday that the attacker "was able to perform cyber espionage activities with some degree of stealth due to the initial infection method - the distribution of the framework through security solution packages."

"In addition to downloading programs, launchers, and a set of plugins used to gain remote access, the researchers also developed a new collection of keyloggers that can steal clipboard data and keystrokes from the computer."

In the following weeks, the same security package deployment service was also used to deliver what is called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.

Based on the signs uncovered so far, DiceyF appears to be a follow-on campaign to Earth Berberoka with a re-engineered malware toolset. The framework is maintained in two separate branches, called Tifa and Yuna, which include different modules of varying sophistication.

While the Tifa branch mainly consists of a downloader and a core component, the Yuna branch is more complex in terms of functionality: it includes a downloader, a set of plugins, and a minimum of 12 PuppetLoader modules. Both branches are believed to be actively and incrementally updated, and both are considered active.

Regardless of the variant employed, once the GamePlayerFramework is launched, it connects to the command-and-control (C2) server and transmits information about the compromised host as well as the contents of the clipboard; the malware can then seize control of the host by executing any of the fifteen commands the C2 provides.

As part of this process, the C2 server also launches a plugin on the victim system. The plugin is either downloaded from the C2 server when the framework is instantiated or retrieved on an "InstallPlugin" command from the server.

The plugins can be used to steal cookies from the Google Chrome and Mozilla Firefox browsers. The software is also capable of capturing keystrokes and clipboard data, establishing virtual desktop sessions, and even logging into the machine remotely through Secure Shell.

Moreover, Kaspersky pointed out the use of a malicious app that mimicked Mango Employee Account Data Synchronizer, an employee account data synchronization tool. The GamePlayerFramework is dropped into the network by this app, which the targeted entities use, making the campaigns more effective.

Researchers have observed several notable characteristics of DiceyF campaigns and TTPs. There is evidence that the group has modified its software over time and has developed functionality in the code throughout its intrusions.

To ensure that victims would not become suspicious about the disguised implants, attackers gathered information about targeted organizations (like the floor where the IT department of the organization is located) and included the information in graphic windows that were displayed to victims.

Several Critical Flaws Detected in Las Vegas’s Leading Casinos


External attack surface management platform Reposify has discovered multiple vulnerabilities in the IT networks of Las Vegas's leading casinos. Recently, the Nevada Gaming Control Board (NGCB) issued a warning to all casino operators, advising them to remain prepared for possible cyber-attacks.

"We can say with certainty that the types of vulnerabilities discovered had the potential to result in financial losses and exposure of sensitive information including personal information of customers," a Reposify spokesperson said.

Researchers from Reposify used an external attack surface management (EASM) platform to detect security loopholes in the IT networks of casinos that might catch attackers' attention. During their examination, researchers discovered multiple exposures in the network perimeter of a leading Las Vegas casino, including an exposed stack trace of a casino's purchasing system.

The exposed stack trace allowed researchers to obtain details regarding the casino's backend architecture and other highly sensitive information. Researchers claim that attackers can abuse exposed stack traces to gain access to a casino's internal networks. In addition, the researchers spotted a Microsoft Exchange server with multiple critical flaws. These flaws could allow malicious actors to gain domain administrator rights and execute remote code.
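The stack trace exposure described above usually comes down to an application serving its debug-style error page in production. The following is an added example, not code from the article or from Reposify, showing two minimal WSGI handlers for a hypothetical purchasing endpoint: one that renders the full Python traceback into the response (leaking file paths, module names and the failing operation), and a hardened one that keeps the traceback in server-side logs and returns only an opaque incident id. The `/purchase/<item>` route, the in-memory price table and the `leaks_internals` check are all constructed for this illustration.

```python
"""Added example: leaking vs. hardened error handling in a WSGI app (constructed)."""
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("purchasing")

# Constructed sample data standing in for the purchasing system's backend.
FAKE_DB = {"widget": 3}


def lookup_price(item):
    # Raises KeyError for unknown items; that exception is what the handlers below must contain.
    return FAKE_DB[item]


def handle_request(environ):
    """Route /purchase/<item> to the price lookup (hypothetical endpoint)."""
    path = environ.get("PATH_INFO", "/")
    item = path.rsplit("/", 1)[-1]
    return "200 OK", f"price={lookup_price(item)}"


def leaky_app(environ, start_response):
    """Debug-style handler: the full traceback becomes the response body."""
    try:
        status, body = handle_request(environ)
    except Exception:
        status, body = "500 Internal Server Error", traceback.format_exc()
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


def hardened_app(environ, start_response):
    """Production-style handler: traceback stays in server logs, keyed by an incident id."""
    try:
        status, body = handle_request(environ)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        # log.exception() records the traceback server-side; the client only gets the reference.
        log.exception("unhandled error incident=%s path=%s", incident, environ.get("PATH_INFO"))
        status, body = "500 Internal Server Error", f"Internal error. Reference: {incident}"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


def call(app, path):
    """Invoke a WSGI app in-process and return (status, body_text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def leaks_internals(body):
    """Cheap check for the tell-tale strings of a Python traceback in a response body."""
    return "Traceback (most recent call last)" in body or 'File "' in body


if __name__ == "__main__":
    for app in (leaky_app, hardened_app):
        status, body = call(app, "/purchase/unknown-item")
        print(f"{app.__name__}: {status}; leaks internals: {leaks_internals(body)}")
```

The `leaks_internals` check is the kind of string match an external attack surface scan can run against every 5xx response it receives; it catches Python tracebacks specifically, and an equivalent for Java or .NET would look for `at ...(...java:NN)` or `   at Namespace.Class.Method(...)` frames instead.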

"If attackers managed to gain access to this server, which they could easily do by exploiting the several vulnerabilities this server had, they would be able to see all internal and external communications, launch phishing and ransomware attacks, among others," Reposify's spokesperson told CyberNews in an email.

According to the researchers, one of the casinos did not use multi-factor authentication for logging in to a firewall system, leaving a critical part of security open to credential stuffing and brute force attacks.
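A firewall admin login without MFA relies entirely on the password, so the minimum compensating control is to notice when that password is being guessed. The following is an added example, not code from the article or from Reposify, of a small detector that reads firewall admin-login audit lines and separates the two patterns the paragraph names: brute force (many failures against one account from one source) and credential stuffing (failures spread across many accounts from one source), also flagging a source that eventually succeeds after a run of failures. The log line format, the field names and every entry are constructed for this example; real firewall audit formats differ and the regex would need adjusting.

```python
"""Added example: brute-force vs. credential-stuffing detection over constructed firewall login logs."""
import re
from collections import defaultdict

# Constructed format: "<timestamp> fw-admin login user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw-admin login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(line):
    """Return the fields of one audit line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, fail_threshold=5, user_threshold=5):
    """Group failures by source address and classify each source that crosses fail_threshold.

    A source whose failures touch at least user_threshold distinct accounts is reported as
    credential stuffing; otherwise as brute force. success_after_failures marks a source
    that logged in successfully after already crossing the failure threshold.
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        st = per_src[rec["src"]]
        if rec["result"] == "fail":
            st["failures"] += 1
            st["users"].add(rec["user"])
        elif st["failures"] >= fail_threshold:
            st["success_after_failures"] = True

    findings = {}
    for src, st in per_src.items():
        if st["failures"] < fail_threshold:
            continue
        kind = "credential-stuffing" if len(st["users"]) >= user_threshold else "brute-force"
        findings[src] = {
            "kind": kind,
            "failures": st["failures"],
            "accounts": len(st["users"]),
            "success_after_failures": st["success_after_failures"],
        }
    return findings


def sample_log():
    """Constructed audit lines: one brute-force source, one stuffing source, one benign source."""
    lines = []
    tick = 0

    def add(user, src, result):
        nonlocal tick
        tick += 1
        lines.append(f"2022-06-01T10:{tick // 60:02d}:{tick % 60:02d} fw-admin login "
                     f"user={user} src={src} result={result}")

    for _ in range(8):                       # repeated guesses against one admin account ...
        add("admin", "203.0.113.9", "fail")
    add("admin", "203.0.113.9", "ok")        # ... followed by a successful login
    for user in ["jdoe", "msmith", "rlee", "akim", "tpark", "cwu"]:
        add(user, "198.51.100.7", "fail")    # one failure each across many accounts
    add("ops", "192.0.2.5", "ok")            # normal operator activity
    add("ops", "192.0.2.5", "fail")
    return lines


if __name__ == "__main__":
    for src, finding in analyze(sample_log()).items():
        print(src, finding)
```

With MFA absent, the `success_after_failures` flag is the one that should page someone: it is the signature of a guessed password being used, not merely tried.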

Notably, Reposify did not publish the names of the affected casinos and does not know whether the discovered flaws were abused. The casinos with security loopholes in their IT systems were informed of the research findings to help them fix the issues.

“Casinos are considered a lucrative target for attackers, as evident by the numerous recent attacks on such establishments. After reviewing the exposures and unencrypted assets discovered over publicly accessible internet, I urge security teams to take immediate actions to identify and eliminate unknown exposures in their attack surfaces before they fall victim to the next cyber-attack,” Arnon Yosha, a senior security researcher at Reposify, stated.