Ryan 873 Posted April 19, 2018
We regret to inform everyone that our web servers have recently been breached, and as a result user information may have been compromised.

At around 9:00 AM CST today (April 18th, 2018) the hacker(s) had infected the game client with malware, causing anyone who opened the launcher/auto-updater to potentially be infected. After some analysis it appears that the malware steals login data from user web browsers whenever launched.

Our systems are once again secure, and the infected client has been removed from our servers (at approx. 6:00 PM CST).

Here's what we encourage ALL players to do:
- If you had opened the launcher during April 18th, 2018 we recommend you run a virus scan from a reliable antivirus software
  - If you aren't sure or can't remember if you ran the launcher, we recommend doing this just in case
- Change any important passwords if you believe you've launched the infected client
  - Using a program like http://www.nirsoft.net/utils/chromepass.html allows you to see what logins are stored on your Chrome browser
  - We don't believe passwords were compromised unless they were stored in Google Chrome's auto-fill, but we recommend changing just to be safe.
- Make sure to reset your in-game passwords and PINs, as well as your forum password
  - Account PINs were not included in the compromised data, but we recommend a change just to be safe
  - You can type ::changepin to prompt an account PIN change

We sincerely apologize for this ordeal, and we'll be taking further steps to prevent anything like this from happening in the future.

Feel free to private message me on forums if you have any questions or need any assistance regarding this issue.

Sincerely,
The Staff Team

Aaadrum 60 Posted April 19, 2018
smh ill eat their ass

Jaedmo 4 Posted April 19, 2018 (edited)
Pathetic. This isn't something anyone should ever have to worry about lol. Get your security under control.
Edited April 19, 2018 by Jaedmo

Lauren 116 Posted April 19, 2018
if anyone doesn't have an antivirus and doesn't want to pay or know what to get, mbam is extremely reliable and you get a free 14-day premium; https://www.malwarebytes.com/mwb-download/

Alpha Rye 91 Posted April 19, 2018
Thanks for the heads up!

Aaadrum 60 Posted April 19, 2018
im not even gonna run a scan thuglife

Breh 37 Posted April 19, 2018
9 minutes ago, Murdaaa said:
> im not even gonna run a scan thuglife

Same...

Iron Logic 910 Posted April 19, 2018
42 minutes ago, Jaedmo said:
> Pathetic. This isn't something anyone should ever have to worry about lol. Get your security under control.

We do apologise for the breach but this is something every company that handles data can face, big and small. But on the bright side, at least the situation is now under control and our users have been informed as soon as possible (Unlike some companies). We will also be taking big steps into assuring that this never happens again.

I am daddy 3 Posted April 19, 2018
Two things. First I appreciate you being responsible enough to let us know about it so we can take action on our end. Secondly, how did someone breach your web server that the client runs through? It’s one thing to lose a forum to an SQL attack or another error. But to actually have your dedicated server compromised to the point someone was able to modify your updater to include a malware redirect is beyond me. I hope you are more transparent on this issue moving forward. Did someone that had access to the server get ratted? Did you get personally attacked? Surely not many people have access to your files, and from my understanding you are very knowledgeable.

I apologize if I come off as a dick, but when it comes to my personal data it bothers me. I trust you guys will implement more security protocols moving forward and something like this won’t happen again.

MoleManMode 3 Posted April 19, 2018 (edited)
So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.
Edited April 19, 2018 by MoleManMode

Forensics 0 Posted April 19, 2018
1 hour ago, MoleManMode said:
> So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.

Wah.

London 7 Posted April 19, 2018
free $100 bonds for everyone@!!@!@!@!@

Ya Blewit 1 Posted April 19, 2018
What he said ^^

vaya1 0 Posted April 19, 2018
I ran a scan but have found no problem. Although I've changed the majority of my passwords, which was quite annoying. I understand that a breach would be possible, but the fact they could inject malware into the launcher seems a bit odd to me. I hope a reply will be given with a proper explanation how this was possible.

Kliksa 162 Posted April 19, 2018
3 hours ago, MoleManMode said:
> So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.

The exploit used was with IBP and not with the security parameters Ryan had in place.

Ryan 873 Posted April 19, 2018
5 hours ago, vaya1 said:
> I ran a scan but have found no problem. Although I've changed the majority of my passwords, which was quite annoying. I understand that a breach would be possible, but the fact they could inject malware into the launcher seems a bit odd to me. I hope a reply will be given with a proper explanation how this was possible.

Only our web servers were compromised, but the game client is hosted and downloaded from the web server (HTTP) by the auto-updater launcher. The dedicated servers on which we host the actual game were not breached.

Clarification/update on the malware: After reverse engineering the infected client it appears that the malware does not actually execute (those who understand some Java may be able to see in this decompiled class https://i.imgur.com/4w0lpl4.png). This may be good news, because there is a chance that the malware was not programmed properly for those who launched it, meaning no personal data was stolen. But in case we're wrong or missing anything in our analysis, I had administered this warning for everyone to be completely safe.

EDIT: It appears after testing with a more reliable decompiler, it unfortunately does in fact execute.

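The reply above says the launcher fetched the client over HTTP from the web server that was breached. As an added example (not part of this thread and not the project's launcher code), here is one way an auto-updater can refuse a swapped client: check a signature against a public key compiled into the launcher, with the private key kept off the web server. The class name, key handling and byte strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

// Hypothetical class: not the launcher discussed in this thread.
public class SignedUpdateCheck {

    // True only if sig is a valid ECDSA signature over jar made by the key pinned in the launcher.
    static boolean verifyClient(byte[] jar, byte[] sig, byte[] pinnedKeyDer) {
        try {
            PublicKey key = KeyFactory.getInstance("EC")
                    .generatePublic(new X509EncodedKeySpec(pinnedKeyDer));
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(key);
            verifier.update(jar);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed key or signature: never launch
        }
    }

    // Release-side step; in practice this runs on the build machine, not on the web server.
    static byte[] sign(byte[] data, PrivateKey key) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair release = gen.generateKeyPair();   // private half stays on the build machine
        KeyPair attacker = gen.generateKeyPair();  // stand-in for anyone without the release key
        byte[] pinned = release.getPublic().getEncoded(); // compiled into the launcher

        // Constructed byte strings standing in for client.jar downloads.
        byte[] genuine = "client.jar build 1".getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "client.jar build 1 + injected class".getBytes(StandardCharsets.UTF_8);
        byte[] goodSig = sign(genuine, release.getPrivate());

        System.out.println("genuine jar, release signature:  " + verifyClient(genuine, goodSig, pinned));
        System.out.println("swapped jar, old signature:      " + verifyClient(swapped, goodSig, pinned));
        System.out.println("swapped jar, attacker signature: "
                + verifyClient(swapped, sign(swapped, attacker.getPrivate()), pinned));
    }
}
```

The check only helps players who already hold a trusted launcher; a launcher downloaded fresh from the same compromised server can have its pinned key replaced along with everything else.
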
I am daddy 3 Posted April 19, 2018
Thank you for replying Ryan. I was monitoring outgoing connections in case of malware and did not notice anything unusual and all scans came back clean. I run keyscrambler so I wasn’t concerned about losing financial information; I just did not know how deep the exploit went and panicked. Thank you for posting the decompile and handling this professionally.

mekanism 0 Posted April 20, 2018
Wait, did you just post what kind of encryption you use by showing us the decompiled 'malware'? Crypt32? Lol

Lauren 116 Posted April 20, 2018
18 minutes ago, mekanism said:
> Wait, did you just post what kind of encryption you use by showing us the decompiled 'malware'? Crypt32? Lol

It's an image of the infected, decompiled client. It's showing the execution and default utility, that's it.

forgiveiron 0 Posted April 20, 2018
Any chance you know where this malware may plant itself, as in what the file may be named or where it is located?

Vintage 40 Posted April 20, 2018 (edited)
1 hour ago, forgiveiron said:
> Any chance you know where this malware may plant itself, as in what the file may be named or where it is located?

I asked him yesterday, he said from the analysis he concluded the file just scraped the chrome saved password data then wiped itself from the pc

Edit: He said: From the analysis it isn't a virus that stays on your computer or launches on startup, it would just scrape and send off your google chrome data when the client was first loaded. We recommend players to run a virus scan to be 100% safe
Edited April 20, 2018 by Vintage

Ryan 873 Posted April 20, 2018
8 hours ago, Vintage said:
> I asked him yesterday, he said from the analysis he concluded the file just scraped the chrome saved password data then wiped itself from the pc
> Edit: He said: From the analysis it isn't a virus that stays on your computer or launches on startup, it would just scrape and send off your google chrome data when the client was first loaded. We recommend players to run a virus scan to be 100% safe

This is correct, the malware does not appear to plant itself, its only functionality we found was stealing Chrome passwords upon launching the client.

15 hours ago, mekanism said:
> Wait, did you just post what kind of encryption you use by showing us the decompiled 'malware'? Crypt32? Lol

No, that's the encryption Google Chrome uses to store auto-fill passwords on your computer.

kalylia 1 Posted April 20, 2018
@Ryan So, if I did not log on Wednesday during 9 AM CST to 6 PM CST, and logged on around 11 PM to 12 AM CST am I safe from this attack? Or was I still affected? Thank you in advance for your insight.