Security flaw in EA’s Origin client exposed gamers to hackers

Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer into remotely running malicious code on their computer.

The bug affected Windows users with the Origin app installed. Tens of millions of gamers use the Origin app to buy, access and download games. To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.

But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.

“An attacker could’ve ran anything they wanted,” Bee told TechCrunch.

‘Popping calc’ to demonstrate a remote code execution bug in Origin. (Image: supplied)

The researchers gave TechCrunch proof-of-concept code to test the bug for ourselves. The code allowed any app to run at the same level of privileges as the logged-in user. In this case, the researchers popped open the Windows calculator — the go-to app for hackers to show they can run code remotely on an affected computer.

But worse, a hacker could send malicious commands to PowerShell, a built-in app often used by attackers to download additional malicious components and install ransomware.

Bee said a malicious link could be sent as an email or listed on a webpage, but could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

It was also possible to steal a user’s account access token using a single line of code, allowing a hacker to gain access to a user’s account without needing their password.

Origin’s macOS client wasn’t affected by the bug.

EA spokesperson John Reseburg confirmed a fix was rolled out Monday. TechCrunch confirmed the code no longer worked following the update.


Scranos, a new rootkit malware, steals passwords and pushes YouTube clicks

Security researchers have discovered an unusual new malware that steals user passwords and account payment methods stored in a victim’s browser — and also silently pushes up YouTube subscribers and revenue.

The malware, Scranos, infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to Bitdefender with new research out Tuesday, but the number of its infections has rocketed in the months since it was first identified in November.

“The motivations are strictly commercial,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender, in an email. “They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” he said.

Bitdefender found the malware spreading through trojanized downloads that masquerade as real apps, like video players and e-book readers. The rogue apps are digitally signed — likely from a fraudulently generated certificate — to prevent getting blocked by the computer. “By using this approach, the hackers are more likely to infect targets,” said Botezatu. Once installed, the rootkit takes hold to maintain its presence and phones home to its command and control server to download additional malicious components. The second-stage droppers inject custom code libraries in common browsers — Chrome, Firefox, Edge, Baidu, and Yandex to name a few — to target Facebook, YouTube, Amazon, and Airbnb accounts, gathering data to send back to the malware operator.


Chief among those is the YouTube component, said Bitdefender. The malware opens Chrome in debugging mode and, with the payload, hides the browser window on the desktop and taskbar. The browser is tricked into opening a YouTube video in the background, muting it, subscribing to a channel specified by the command and control server and clicking ads.

The malware “aggressively” promoted four YouTube videos on different channels, the researchers found, turning victim computers into a de facto clickfarm to generate video revenue.

“They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit,” said Botezatu. “They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts.”

Another downloadable component allows the malware to spam a victim’s Facebook friend requests with phishing messages. By siphoning off a user’s session cookie, it sends a malicious link to an Android adware app over a chat message.

“If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert,” reads the report. “It can extract the number of friends, and whether the user administrates any pages or has payment information in the account.” The malware also tries to steal Instagram session cookies and the number of followers the user has.

Other malicious components allow the malware to steal data from Steam accounts, inject adware to Internet Explorer, run rogue Chrome extensions, and collect and upload a user’s browsing history.

“This is an extremely sophisticated threat that took a lot of time and effort to set up,” said Botezatu. The researchers believe the botnet has tens of thousands of devices ensnared already — at least.

“Rootkit-based malware shows an unusual level of sophistication and dedication,” he said.


Microsoft: Hackers compromised support agent’s credentials to access customer email accounts

On the heels of a trove of 773 million emails, and tens of millions of passwords, from a variety of domains getting leaked in January, Microsoft has faced another breach affecting its web-based email services.

Microsoft has confirmed to TechCrunch that a certain “limited” number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.

According to an email Microsoft has sent out to affected users (the reader who tipped us off got his late Friday evening), malicious hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with — “but not the content of any e-mails or attachments,” nor — it seems — login credentials like passwords.

Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft’s letter to users said. 

The hackers got into the system by compromising a customer support agent’s credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might see more phishing or spam emails as a result. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source.”

We are printing the full text of the email below, but a separate email sent to us, from Microsoft’s Information Protection and Governance team, confirmed some of the basic details, adding that it has increased detection and monitoring on those accounts affected.

Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts. 

No enterprise customers are affected, TechCrunch understands.

Right now, a lot of question marks remain. It’s unclear exactly how many people or accounts were affected, nor in which territories they are located — but it seems that at least some were in the European Union, since Microsoft also provides information for contacting Microsoft’s data protection officer in the region.

We also don’t know how the agent’s credentials were compromised, or if the agent was a Microsoft employee, or if the person worked for a third party providing support services. And Microsoft has not explained how it discovered the breach.

We have asked Microsoft all of the above and will update this post as we learn more.

In this age where cybersecurity breaches get revealed on a daily basis, email is one of the most commonly leaked pieces of personal information. There’s even been a site created dedicated to helping people figure out if they are among those who have been hacked. Have I Been Pwned, as the site is called, now has over 7.8 billion email addresses in its database.

We’ll update this post as we learn more. The letter from Microsoft to affected users follows.

Dear Customer

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at ipg-ir@microsoft.com. If you are a citizen of European Union, you may also contact Microsoft’s Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
dpoffice@microsoft.com

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.


Homeland Security warns of security flaws in enterprise VPN apps

Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure, and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.

The apps generate tokens from a user’s password, which are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.

But with access to a user’s computer — such as through malware — an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.

So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.

Neither Cisco nor Pulse Secure has patched its app. F5 Networks is said to have known about the insecure storage since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.

CERT warned that hundreds of other apps could be affected — but more testing was required.


Review: The $199 Echo Link turns the fidelity up to 11

The Echo Link takes streaming music and makes it sound better. Just wirelessly connect it to an Echo device and plug it into a set of nice speakers. It’s the missing link.

The Link bridges the gap between streaming music and a nice audio system. Instead of settling for the analog connection of an Echo Dot, the Echo Link serves audio over a digital connection and it makes just enough of a difference to justify the $200 price.

I plugged the Echo Link into the audio system in my office and was pleased with the results. This is the Echo device I’ve been waiting for.

In my case the Echo Link took Spotify’s 320 kbps stream and opened it up. The Link creates a wider soundstage and makes the music a bit more full and expansive. The bass hits a touch harder and the highs now have a new-found crispness. Lyrics are clearer and easier to pick apart. The differences are subtle. Everything is just slightly improved over the sound quality found when using an Echo Dot’s 3.5mm output.

Don’t have a set of nice speakers? That’s okay, Amazon also just released the Echo Link Amp, which features a built-in amplifier capable of powering a set of small speakers (read the review here).

Here’s the thing: I’m surprised Amazon is making the Echo Link. The device caters to what must be a small demographic of Echo owners looking to improve the quality of Pandora or Spotify when using an audio system. And yet, without support for local or streaming high resolution audio, it’s not good enough for audiophiles. This is for wannabe audiophiles. Hey, that’s me.

Review

There are Echos scattered throughout my house. The devices provide a fantastic way to access music and NPR. The tiny Echo Link is perfect for the system in my office where I have a pair of Definitive Technology bookshelf speakers powered by an Onkyo receiver and amp. I have a turntable and SACD player connected to the receiver but those are a hassle when I’m at my desk. The majority of the time I listen to Spotify through the Amazon Echo Input.

I added the Onkyo amplifier to the system last year and it made a huge difference to the quality. The music suddenly had more power. The two-channel amp pushes harder than the receiver, and resulted in audio that was more expansive and clear. And at any volume, too. I didn’t know what I was missing. That’s the trick with audio. Most of the time the audio sounds great until it suddenly sounds better. The Echo Link provided me with the same feeling of discovery.

To be clear the $200 Echo Link does not provide a night and day difference in my audio quality. It’s a slight upgrade over the audio outputted by a $20 Echo Input — and don’t forget, an Echo device (like the $20 Echo Input) is required to make the Echo Link work.

The Echo Link provides the extra juice lacking from the Echo Input or Dot. Those less expensive options output audio to an audio system, but only through an analog connection. The Echo Link offers a digital connection through Toslink or Digital Coax. It has analog outputs that are powered by a DAC with a dynamic range and total harmonic distortion superior to those found in the Input or Dot. It’s an easy way to improve the quality of music from streaming services.

The Echo Link, and Echo Link Amp, also feature a headphone amp. It’s an interesting detail. With this jack, someone could have the Echo Link on their desk and use it to power a set of headphones without any loss of quality.

I set up a simple A/B test to spot the differences between a Link and a Dot. First, I connected the Echo Link with a Toslink connection to my receiver and an Echo Input. I also connected an Echo Dot through its 3.5mm analog connection to the receiver. I created a group in the Alexa app of the devices. This allowed each of the devices to play the same source simultaneously. Then, as needed, I was able to switch between the Dot and Link with just a touch of a button, providing an easy and quick way to test the differences.

I’ll leave it up to you to justify the cost. To me, as someone who has invested money into a quality audio system, the extra cost of the Echo Link is worth it. But to others an Echo Dot could be enough.

It’s important to note that the Echo Link works a bit differently than other Echo devices connected to an audio system. When, say, a Dot is connected to an audio system, the internal speakers are turned off and all of the audio is sent to the system. The Echo Link doesn’t have to override the companion Echo. When an Echo Link is connected to an Echo device, the Echo still responds through its internal speakers; only music is sent to the Echo Link. For example, when the Echo is asked about the weather, the forecast is played back through the speakers in the Echo and not the audio system connected to the Echo Link. In most cases this allows the owner to turn off the high-power speakers and still have access to voice commands on the Echo.

The Echo Link takes streaming music and instantly improves the quality. In my case the improvements were slight but noticeable. It works with all the streaming services supported by Echo devices, but it’s important to note it does not work with Tidal’s high-res Master Audio tracks. The best the Echo Link can do is 320 kbps from Spotify or Tidal. This is a limiting factor and it’s not surprising. If the Echo Link supported Tidal’s Master Tracks, I would likely sign up for that service, and that is not in the best interest of Amazon which hopes I sign up for Amazon Music Unlimited.

I spoke to Amazon about the Echo Link’s lack of support for Tidal Master Tracks and they indicated they’re interested in hearing how customers will use the device before committing to adding support.

The Link is interesting. Google doesn’t have anything similar in its Google Home Line. The Sonos Amp is similar, but with a built-in amplifier, it’s a closer competitor to the Echo Link Amp. Several high-end audio companies sell components that can stream audio over digital connections yet none are as easy to use or as inexpensive as the Echo Link. The Echo Link is the easiest way to improve the sound of streaming music services.
