
Tech News - Malware Analysis

32 Articles
Amrata Joshi
17 Jan 2019
4 min read

Fortnite just fixed a bug that let attackers fully access user accounts, impersonate real players and buy V-Bucks

Yesterday, Epic Games, the developer of the online video game Fortnite, acknowledged the existence of a bug in the game. The bug could let attackers access user accounts by impersonating real gamers and purchase V-Bucks, Fortnite’s in-game currency, with credit cards. It could also let them eavesdrop on and record players’ in-game conversations and background home conversations. Just two months ago, researchers at Check Point Research found the vulnerabilities and informed Epic Games, which then fixed them.

In a statement to the Washington Post, Oded Vanunu, Check Point’s head of products vulnerability research, said, “The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account.”

According to an analysis by market research company SuperData, Fortnite helped Epic Games lead the market for free-to-play games last year, earning $2.4 billion in revenue.

Ten months ago, a user shared on Reddit his experience of having his account hacked. The hacker spent all his money, using his card to buy V-Bucks. The post reads, “It appears my epic games account was hacked this past weekend, and they proceeded to spend all the money they could on v-bucks (which was all of it).” The victim also added a note, “I've never tried signing up for free v-bucks or anything of the sort. I think I've just used the same password email combo too many times and at some point it was leaked in some data breach.”

Despite the refund from the Epic team, the online gaming world doesn’t look that safe, and the comments on the post clearly show how scared users are. One of the users commented, “Well, after reading this I just deleted my PayPal from my Epic Games account. Definitely going to run with entering details each time instead of storing them.” Other comments in the thread suggest having a two-way verification, changing passwords frequently and using prepaid cards where possible for online games.

In a statement to The Verge, Epic Games said, “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Hackers deceive players in various ways, one of which is asking users to log into fake websites that promise to generate V-Bucks. These sites ask gamers to enter their game login credentials and personal information such as name, address and credit card details, which are then misused. Such scams are usually promoted via social media campaigns that claim gamers can “earn easy cash” or “make quick money”.

Check Point’s research found a vulnerability in the game that did not even require the attackers to obtain login details. According to the researchers, an XSS (cross-site scripting) attack was responsible, and it only required users to click on a link sent to them by the attacker. As soon as the user clicked the link, their Fortnite username and password would immediately be captured by the attacker, without the user having to enter any login credentials.

According to the researchers, this bug would let hackers steal the pieces of code that identify a gamer when he/she logs into the game through a third-party account such as Xbox Live or Facebook. After accessing a gamer’s Fortnite account with these security tokens, hackers could buy weapons, in-game currency, or even cosmetic accessories.

To know more about the bug in Fortnite, check out the report and YouTube video by Check Point.

Amrata Joshi
18 Apr 2019
2 min read

Integer overflow flaw in libssh2 identified

This week, the National Vulnerability Database (NVD) identified an integer overflow flaw in libssh2 before the release of version 1.8.1, which could lead to an out-of-bounds write. A remote attacker could take advantage of this flaw to compromise an SSH server and execute code on the client system when a user connects to the server.

Impact of the flaw in libssh2

The Common Vulnerability Scoring System (CVSS) base score, a numerical score that reflects the flaw's severity, calculated by the team who identified the flaw is 8.8, which is high. The overall impact score calculated by the team is 5.9, and the exploitability score is 2.8. The team also identified that the attack vector was network and the attack complexity was low.

Security issues fixed by the team

CVE-2019-3861: The team fixed out-of-bounds reads with SSH packets.
CVE-2019-3862: The team fixed the issues related to out-of-bounds memory with message channel request packet.
CVE-2019-3860: The team fixed out-of-bounds reads with SFTP packets.
CVE-2019-3863: The team fixed the integer overflow in user authenticate keyboard which could allow out-of-bounds writes with keyboard responses.
CVE-2019-3856: The team fixed the issues related to a potential integer overflow in keyboard handling which could allow out-of-bounds write with payload.
CVE-2019-3859: The team fixed the issues with out-of-bounds reads with payloads because of unchecked use of _libssh2_packet_require and _libssh2_packet_requirev.
CVE-2019-3855: The team fixed a potential integer overflow in transport read which could allow out-of-bounds write with a payload.
CVE-2019-3858: The issues with the zero-byte allocation, which could lead to an out-of-bounds read with SFTP packet, have been fixed.

To know more about this news, check out NVD’s post.