Skylines players warned to check for malware after malicious code is discovered in mods • Eurogamer.net

Players who use mods to play Cities: Skylines have been warned to check their machines for malware after several popular mods have been found to include malicious code.

A hidden auto-updater has reportedly been bundled into every mod “redesigned” by a modder aptly known as Chaos. As well as being made a required dependency of several other mods, the updater also crippled any mods not made by Chaos, forcing around 35,000 unwitting players into using more infected mods.

“Malicious code has been found in mods published by an author using the names Holy Water and Chaos,” a pinned post on the Cities: Skylines subreddit warns. “These mods have been “forks” (modified and reuploaded versions) of popular mods from well-known creators (e.g. Harmony, Network Extensions, Traffic Manager: President Edition). Several (but not all) of these mods have been removed from the Steam Workshop and the author’s account is currently suspended.

“We recommend in the strongest possible terms that you unsubscribe from all items published by this author and do not subscribe, download, or install any mods, from any source, that may be published by this individual in future.”

A moderator of the subreddit additionally told NME: “Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use his versions. Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”

Although Valve has now reportedly banned Chaos (and their known alt accounts) and removed the infected mods, players are still worried Chaos could return, as a loophole in Steam Workshop rules may allow them to edit and update their mods from accounts other than those banned.

“Chaos can then remotely deploy any code he chooses to users simply by releasing updated code on his GitHub,” the anonymous moderator added. “There is no validation by Steam, GitHub, or any third party. It’s a direct link from Chaos’ brain…

Dark Souls 3 & Elden Ring “doomsday scenario” RCE hack discovered

Source: FROM Software

A startling discovery took place on Friday, after a streamer was the victim of what appears to be a Remote Code Execution (RCE) attack in Dark Souls 3 live on stream. In the clip, the streamer experiences a hack that can be seen crashing his game, after which PowerShell reportedly opened up and ran a script that trash-talked the player using Microsoft text-to-speech.

According to a message linked in the SpeedSouls Discord server, to public knowledge only one non-malicious person currently knows how to execute this code, and they are working to bring the issue to the developers’ attention. The hack has been demonstrated but is not widespread yet.

In that message referenced in the server, a user who goes by the name Princess Slut stated: “A person who isn’t malicious discovered a new RCE method, and tried to contact From about it through multiple channels. They ignored him. In an attempt to raise awareness of it so that it would be fixed (as this is a SEVERE security flaw), he did a live benign showcase on stream. It didn’t leak. Nobody has it besides him.”

Princess Slut continued: “He is in contact with sfix so we can fix it on [Blue Sentinel] but this isn’t ideal, as the base product is insecure. We’re also thinking about Elden Ring as it will have that exploit as well. The attempts to get From’s attention and get an official fix for their exploits is what drives most of us.”

Source: Princess Slut

An IT specialist I talked to about the potential for this type of hack said: “This is literally the doomsday scenario, someone could completely destroy your computer beyond repair with this exploit… If people can run code on your computer, it is over, they can do anything they want.”

Among the things that hackers could carry out with an RCE exploit are:

  • Bricking your PC entirely
  • Stealing sensitive data and passwords stored on your PC
  • Executing malware on your PC
  • Using your PC to mine crypto-currency
  • Pretty much anything you can think of

We don’t know the full extent of the RCE; it is probable that an attacker could elevate privileges on the PC. That isn’t confirmed, but it is likely, according to experts I talked to…

Teen hacker discovered Tesla remote control security flaws by accident

David Colombo, a 19-year-old cybersecurity researcher in Germany, came upon the biggest discovery of his young career by accident.

He was performing a security audit for a French company when he noticed something unusual: a software program on the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle.

The data included a full history of where the car had been driven and its precise location at that moment.

But that wasn’t all. As Colombo dug deeper he realized that he could push commands to Tesla vehicles whose owners were using the program.

That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn’t take over the cars’ steering, braking or other operations, however.)

The discovery, which Colombo published on Twitter this week, triggered a vigorous discussion online as the latest example of the hacking risks associated with the so-called Internet of Things, where seemingly every product — from refrigerators to doorbells — now has an internet connection.

“I’m not sure I would send that tweet again,” said Colombo, who began programming when he was 10.

“The response was crazy. Somewhere in the comments I have pro- and anti-Tesla arguing very heatedly. It just got blown up so much.”

Colombo said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more.

The flaws aren’t in Tesla’s vehicles or the company’s network but rather in a piece of open-source software that owners use to collect and analyze data about their own vehicles.

Tesla didn’t respond to requests for comment.

Colombo said a member of the company’s security team contacted him and that he shared his findings.

A spokesperson for the U.S. National Highway Traffic Safety Administration said it has been in contact with Tesla about the matter and that the agency’s cybersecurity technical team would assist with the evaluation and review of the information.

Colombo provided screenshots and other documents…

New ESPecter UEFI Bootkit Discovered

Researchers have uncovered a new UEFI bootkit that has the capability to infect Windows machines from Windows 7 up through 10 and remain persistent on the EFI System Partition by installing a malicious Windows Boot Manager.

The new malware is called ESPecter and is somewhat similar to, but unrelated to, another UEFI bootkit named FinSpy that Kaspersky disclosed last week. ESPecter’s origins stretch back to at least 2012 and it has a number of interesting capabilities, including the ability to bypass Windows Driver Signature Enforcement to load a malicious driver as part of its infection process. ESPecter’s initial infection vector isn’t clear at this point, but researchers at ESET, who discovered the malware, believe it is mainly used for information stealing and espionage and said it may have Chinese authors.

UEFI is the successor to the older BIOS and is designed to be the first thing that runs at boot. UEFI bootkits are rare, and most of the ones that have been identified in the wild have been SPI flash implants rather than ESP implants. The purpose of both types of UEFI malware is to gain control of the lowest level of the machine’s boot process and remain hidden and persistent without any obvious signs of compromise. In the case of ESPecter, this is achieved by patching the Windows Boot Manager, which controls the boot process from the time the machine is started up.

“By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded. This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup,” Martin Smolár and Anton Cherepanov of ESET wrote in their analysis of the malware.

“This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.”

One of…
