Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

A new variant of the Necro malware loader has been found on 11 million Android devices, delivered through Google Play in an infected-SDK supply chain attack. The reappearance of Necro shows that popular app stores such as Google Play still have persistent weaknesses.

A recent report by Kaspersky suggests the latest version of the Necro Trojan was deployed through infected advertising software development kits (SDKs) used by Android game mods, legitimate apps, and modified variants of well-known software such as Minecraft, Spotify, and WhatsApp. This post covers the key findings of the Kaspersky report, the techniques used by the threat actors, and the impact on cybersecurity.

What is Necro Trojan 

Also known as Necro Python, the Necro Trojan is an advanced malware strain that has been active since it first appeared. The malware can perform various malicious activities such as cryptocurrency mining, data theft, and installation of additional payloads. The latest version is more advanced still, making it harder to track and remove.

Distribution of Necro Trojan

Users sometimes want premium or customized options that official versions don't offer. But these unofficial mods, such as GB WhatsApp, Spotify+, and Insta Pro, can contain malware. Traditionally, threat actors have favored such mods because they are distributed on unofficial sites that lack moderation.

In a more recent trend, however, researchers have seen actors target official app stores through infected apps.

In the latest case, the Trojan's authors abused both distribution vectors: a new variant of the multi-stage Necro loader compromised modified versions of Spotify, Minecraft, and other popular apps on unofficial sources, as well as apps on Google Play. "The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application,” said the report.

Key Findings

  • The downloaded payloads can display ads in invisible windows and interact with them. They can also execute arbitrary DEX files, install downloaded apps, open arbitrary links in invisible WebView windows and run JavaScript, run a tunnel through the victim's device, and subscribe to paid services. 
  • The new variant of the Necro loader uses obfuscation to evade detection. 
  • The loader embedded in the app uses steganography to hide its payloads. 

Gaming PCs as Silent Storytellers: Why Privacy Is Crucial

 


Online games and video games are incredibly popular as a way to connect and interact with other people. Many people play games online on gaming consoles, computers, or mobile devices. However, online gaming also carries risks, such as viruses, identity theft, and phishing attempts. 

Privacy threats are nothing new, but they are often overlooked when it comes to PC gaming. Achievements are one example: for a game to award them, it must track at least some of a player's interactions during play in order to see when they have earned X or Y.  

As it becomes clear that such in-game tracking is ubiquitous and often taken for granted, it is worth taking a closer look at whether PC gaming is a privacy threat and how easily it is overlooked as one. If these devices are not protected, the information on them may be accessed and stolen by identity thieves and other fraudsters.

Spammers can use an unprotected computer as a "zombie drone" to send spam that appears to originate from that computer. Such computers may be infected with viruses or spyware, which makes them slow and unresponsive. 

There are several ways users can protect their privacy by taking good care of their devices and following safe practices. For important software such as a web browser, users should install the updates recommended by their device manufacturer or operating system provider, particularly important updates. 

A variety of tools can prevent malicious software from running on your device, including antivirus software, antispyware software, and firewalls. PC games are generally permitted to collect a limited amount of personal information from users, so long as users consent within reasonable limits. This data may be used, shared, and stored in a wide variety of ways depending on the game, device, or platform. 

Antivirus software


In essence, antivirus software protects users against viruses that can damage their data, slow down or crash their hardware, or even let spammers send email through the user's account. Antivirus protection scans a user's files and incoming email for viruses and removes anything that could cause harm.

To protect themselves from the latest "bugs" circulating on the internet, users must keep their antivirus software updated. Most antivirus software has a feature that automatically downloads updates when the user is online. A firewall, whether a software program or a physical device, works by preventing cybercriminals from entering and using your computer. Hackers use internet search engines to find exposed computers in much the same way that some telemarketers dial random phone numbers to reach clients. 

Concerns In Online Gaming 

Spyware Threats in Gaming


In the gaming world, players may find themselves at risk of spyware, particularly when engaging with untrustworthy online gaming platforms. Spyware, a clandestine monitoring tool, operates silently, observing a user's online activities without their awareness. The gathered information may be exploited by unscrupulous entities, leading to severe privacy breaches. 

Guarding Against Cyberbullying in Gaming


Cyberbullying within the gaming community can be a very distressing experience for those involved. Besides humiliating their targets, perpetrators also use intimidation and coercion to pressure victims into revealing personal information. Once obtained, a user's information can be used against them, which is why vigilance and protective measures are essential to safeguarding a player's interests in a gaming environment. 

The BleedingPipe RCE Exploit Presents Minecraft With a New Security Challenge

 


'BleedingPipe' is a remote code execution vulnerability that hackers are actively exploiting to run malicious commands on servers and clients that use Minecraft mods, giving them control over the affected devices. 

BleedingPipe is present in many Minecraft mods because of the insecure way they use Java's 'ObjectInputStream' class to deserialize data. Servers and clients use this mechanism to exchange network packets with each other, so attackers can take control of Minecraft mod servers by sending them specially crafted packets. 

Because of this newly discovered vulnerability, bad actors have been able to execute code remotely on the computers of Minecraft Java Edition players and server owners. Since the exploit takes advantage of Java's deserialization mechanism, you are likely affected if you run one of the many popular mods that are susceptible to it, or if you play on a server that has them installed. 

The vulnerability affects AetherCraft, Immersive Armor, CreativeCore, ttCore, and many other popular Minecraft mods. GitHub user dogboy21 has compiled a comprehensive list of affected mods that you may find useful. 

The MMPA's blog post on the subject lists further affected mods and gives an in-depth description of the bug. As the video below, taken from the YouTube channel PwnFunction, shows, this insecure deserialization attack works by exploiting the insecurity of the serialization process. 

Through remote code execution (RCE) vulnerabilities, attackers could also infect your computer and use it to spread code elsewhere, or install ransomware designed to block access to your files until you pay a ransom. 

By exploiting the same flaws in the Minecraft mods used by players who connect to these hacked servers, the threat actors can also install malware on the connecting devices. 

An investigation by the Minecraft security community (MMPA) found that the flaw affects many Minecraft mods running on Forge 1.7.10/1.12.2 that use unsafe code to deserialize data into Minecraft objects. 

July, Active Exploitation


The first signs of BleedingPipe exploitation in the wild were seen in March 2022, but the mod developers fixed them within minutes. Earlier this month, a Forge forum post warned of large-scale active exploitation of an unknown zero-day RCE, used by a large number of attackers to steal players' Steam session cookies. 

Further research by the MMPA has found that the following Minecraft mods are also affected by the BleedingPipe vulnerability:

  • EnderCore
  • LogisticsPipes versions older than 0.10.0.71
  • BDLib 1.7 through 1.12
  • Smart Moving 1.12
  • Brazier
  • DankNull
  • Gadomancy
  • Advent of Ascension (Nevermine) version 1.12.2
  • Astral Sorcery versions 1.9.1 and older
  • EnderCore versions below 1.12.2-0.5.77
  • JourneyMap versions below 1.16.5-5.7.2
  • Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
  • RebornCore versions below 4.7.3
  • Thaumic Tinkerer versions below 2.3-138

Although the above list is not complete, it is worth noting that BleedingPipe could affect a wide variety of mods beyond those listed. 

According to the Mobile Media Protection Association (MMPA), an attacker is actively scanning the internet for Minecraft servers affected by this vulnerability in order to breach them. Any vulnerable mods on servers must be fixed immediately. 

To protect against BleedingPipe, download the latest versions of the affected mods from their official release channels. If the mod you use has not addressed the vulnerability in a security update, migrate to a fork that has adopted the fixes. 

The MMPA has also released a 'PipeBlocker' mod, which protects both clients and servers by filtering 'ObjectInputStream' network traffic. Server administrators are strongly advised to check all mods with the 'jSus' or 'jNeedle' scanners for suspicious files dropped by attackers. The payload dropped on compromised systems is currently unknown.

If you are using a mod that may be vulnerable, it would be wise to perform similar checks in your .minecraft directory or your mod launcher's default directory, so that you can spot unusual files or malware before playing with that mod. 

Desktop users are also advised to scan their system with an antivirus program, rather than going without one, so that malicious executables are detected. Server owners are advised to check the status of their mods with jSus and jNeedle and to install the MMPA's PipeBlocker mod, which filters Java's ObjectInputStream for exploits of this flaw. If you use EnderIO or LogisticsPipes, the modified GT New Horizons version of the BDLib mod is highly recommended.
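The unsafe pattern behind BleedingPipe (a mod handing raw network bytes straight to ObjectInputStream) and the filtering approach PipeBlocker takes can be seen side by side in the following Java example, which is added here and is not code from the post, from any affected mod, or from PipeBlocker. It assumes Java 9 or later, where ObjectInputFilter lives in java.io (Java 8u121 and later expose the same API as sun.misc.ObjectInputFilter), and the ChatPacket class is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not code from the post or from PipeBlocker. It contrasts a mod-style
// packet handler that feeds raw network bytes to ObjectInputStream with one that
// attaches an ObjectInputFilter allowlist (java.io.ObjectInputFilter, Java 9+).
public final class PacketDeserializer {

    // Hypothetical packet class: the only type this handler ever expects on the wire.
    public static final class ChatPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public ChatPacket(String text) { this.text = text; }
    }

    // Vulnerable pattern (the BleedingPipe shape): whatever class the sender encoded is
    // resolved and instantiated, so any Serializable class on the classpath is reachable.
    public static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // Hardened pattern: accept ChatPacket and the String it contains, reject every other
    // class ("!*" last, since the first matching pattern wins), and cap nesting depth and
    // array sizes so malformed streams fail early.
    private static final ObjectInputFilter PACKET_FILTER = ObjectInputFilter.Config.createFilter(
            "PacketDeserializer$ChatPacket;java.lang.String;maxdepth=4;maxarray=1024;!*");

    public static ChatPacket readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(PACKET_FILTER); // a rejected class throws InvalidClassException
            return (ChatPacket) in.readObject();
        }
    }

    // Plays the role of the sending side; used here only to build constructed test data.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ChatPacket("hello"));
        // Constructed stand-in for any class the handler never meant to accept.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + readFiltered(expected).text);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PacketDeserializer.java && java PacketDeserializer`: the unfiltered reader returns a java.util.HashMap it was never meant to build, while the filtered reader returns the ChatPacket and throws InvalidClassException for anything else.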

Shockbyte Assures Users of Data Safety Amid Git Leak Incident

 

Minecraft enthusiasts were taken aback by recent reports of a security breach at Shockbyte, one of the leading Minecraft server hosting providers. However, the company has come forward to assure its users that there is no cause for concern regarding their data. The incident, which involved a leak of data through Git, raised eyebrows among the Minecraft community, but Shockbyte quickly took action to address the issue.

The news of the security incident spread rapidly across various tech publications, causing a wave of worry among Shockbyte's user base. TechRadar, CyberNews, and Yahoo! were among the platforms that covered the story, amplifying concerns about potential data compromise. However, it is essential to clarify the company's response and the actions taken to ensure data safety.

Shockbyte promptly acknowledged the situation and undertook a thorough investigation into the incident. The hosting provider determined that the breach occurred through a leak in their Git repository, a widely used version control system. Although Git leaks can be serious, Shockbyte acted swiftly to minimize any potential impact on its users.

In a public statement, Shockbyte reassured its customers that no sensitive personal data, including passwords or payment information, had been compromised. The leaked data primarily consisted of code and configuration files related to server setups. While this incident is undoubtedly concerning, it is important to note that the leaked information does not pose a direct threat to users' personal data or accounts.

The company has taken immediate steps to address the issue and mitigate any potential risks. Shockbyte has thoroughly reviewed its security measures and implemented additional safeguards to prevent similar incidents from occurring in the future. They have also emphasized the importance of strong passwords and recommended that users change their login credentials as an extra precaution.

Furthermore, Shockbyte has been transparent in its communication with its users throughout the incident. They have actively updated their customers via their official website and social media channels, providing detailed information about the breach and the steps taken to resolve it. By maintaining open lines of communication, Shockbyte has demonstrated its commitment to ensuring the trust and confidence of its user community.

As Minecraft continues to captivate millions of players worldwide, the importance of robust server hosting and data security cannot be overstated. Shockbyte's response to the Git leak incident serves as a reminder of the need for constant vigilance in safeguarding user data. The incident has undoubtedly been a learning experience for the company, further strengthening its commitment to data protection and cybersecurity.

New Botnet Targeting Minecraft Servers Could be a Threat to Enterprises


The constant spread of a newly discovered botnet, apparently targeting private Minecraft Java servers, is affecting enterprises significantly more than it is simply bumming out a biome. 

According to a report published by Microsoft researchers on December 16, the new botnet is used to carry out DDoS attacks on Minecraft servers. This may sound trivial, but enterprises must take note, since the botnet could also target Windows and Linux devices and spread rapidly without being detected. 

Launch of The Attack

The attack begins with a user downloading malicious "cracked" Windows licenses.  

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices […] Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet," the Defender team explains in a report. 

The security researchers further recommend that organizations harden their device networks to evade such threats. It was also revealed that most of the infected devices were in Russia. 

Enterprises Beware

The sheer number of potentially targeted servers and the scarce cyber protection on private Minecraft servers make this botnet a threat that cybersecurity teams should take seriously, warns Patrick Tiquet, vice president of security architecture at Keeper Security. 

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets […] Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future," he explains. 

Beyond this particular malware, Microsoft’s recommendations are a smart way to safeguard a company against all kinds of botnets, not simply those that target Minecraft, according to Mike Parkin of Vulcan Cyber.  

Fake Minecraft Modpacks On Google Play Deliver Millions of Abusive Ads and Disrupt Normal Phone Usage

 

Scammers have begun taking advantage of the wild success of the Minecraft sandbox video game by building Google Play applications that appear to be Minecraft modpacks but instead deliver abusive ads, researchers say. Because Minecraft was written in Java, it is easy for third-party developers to create compatible applications, or "modpacks," that enhance and customize the gaming experience for players. 

The game's popularity comes largely from the skills it builds in players, which parents and educators have also praised as beneficial (especially for kids). Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices. 

Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available.

According to Kaspersky, once the malicious modpack is installed on an Android device, it allows itself to be opened only once, and when opened the app is glitchy and useless, exactly as intended. 

“The frustrated user closes the app, which promptly vanishes. More precisely, its icon disappears from the smartphone’s menu. Because the ‘modpack’ seemed glitchy from the start, most users, especially kids and teens, won’t waste time looking for it,” the researchers' report reads.

“The sample we examined automatically opened a browser window with ads every two minutes, greatly interfering with normal smartphone use. In addition to the browser, the apps can open Google Play and Facebook or play YouTube videos, depending on the [command-and-control] server’s orders. Whatever the case, the constant stream of full-screen ads makes the phone practically unusable,” the report continued. 

Researchers said the user's next likely troubleshooting step would be reinstalling the browser or changing settings, but that won't remove the malware either. 

First, the user needs to identify the malicious app. The device displays a full list of apps under Settings (Settings → Apps and notifications → Show all apps). Delete the app from this list and the malware should be gone.

“Fortunately, the misbehaving modpacks get removed entirely with deletion and do not try to restore themselves.” To avoid malicious apps in the first place, however, the researchers suggest that parents and kids should know where to look. For instance, they pointed out that although two of the malicious modpacks have different publishers, their descriptions are identical, “down to the typos.” 

The app ratings also offer a clue that something is fishy. Kaspersky pointed out that the average rating was around three stars, but only because the reviews sat at the extremes of the spectrum: one star or five stars. 



Users complain that the app doesn't work and just deletes itself

“That kind of spread suggests that bots are leaving rave reviews, but real users are very unhappy,” the report added. “Unfortunately, in this case, the cybercriminals are targeting kids and teenagers, who may not pay attention to ratings and reviews before installing an app.”

Hackers Attack Gaming Industry, Sell Player Accounts on Darkweb


Generating tremendous revenue of $120.1 billion in 2019, the gaming industry is one of the largest and fastest-growing sectors. But this success comes at a high cost, as it makes the industry an attractive target for hackers. Moreover, cyber-attacks in the video game industry are hard to trace, which has made the sector vulnerable to cybercriminals in recent times.



About the attacks
Recent research shows that covert markets trade stolen gaming accounts, generating an unbelievable $1 billion annually. Fortnite and Minecraft together account for 70% of what these underground markets make. According to reports, Roblox, Runescape, Fortnite, and Minecraft are responsible for generating $700 annually. Experts at Night Lion Security say that hackers selling stolen Fortnite player accounts make up to $1 million annually.

Recent developments 
Hackers now operate as hierarchical organizations, assigning titles for different kinds of work. The structured enterprise has positions such as developers, senior managers, project managers, sales, and public relations to publicize its services.

  • The actors are using open cloud services and digital platforms to conduct their business. 
  • The hackers steal in-game inventories like skins, crates, and coupons from player accounts and sell them on the black market for a lower price. 
  • These hackers often target top gaming accounts and steal player profiles to trade them for lower prices in the underground market. 

Recent attacks 

  • Last month, experts found a game named "Fall Guys: Ultimate Knockout" that contained a malicious JavaScript API. It stole data from targeted players' Discord and browser. 
  • In June 2020, around 1.3 million Stalker Online players' accounts were stolen and sold on the dark web later. 
  • In July 2020, a Nintendo leak revealed the game's details before they were officially launched in the market. 


The gaming industry now faces a bigger challenge in protecting its community from the rising attacks. A proactive, multi-layered approach can help gaming companies protect their customers, along with their products and services. Gamers should be careful too, avoiding reuse of the same password on other platforms.