Ryan

Urgent Announcement


We regret to inform everyone that our web servers have recently been breached, and as a result user information may have been compromised.

At around 9:00 AM CST today (April 18th, 2018) the hacker(s) had infected the game client with malware, causing anyone who opened the launcher/auto-updater to potentially be infected. After some analysis it appears that the malware steals login data from user web browsers whenever launched.

Our systems are once again secure, and the infected client has been removed from our servers (at approx. 6:00 PM CST).

Here's what we encourage ALL players to do:

  1. If you had opened the launcher during April 18th, 2018 we recommend you run a virus scan from a reliable antivirus software
    • If you aren't sure or can't remember if you ran the launcher, we recommend doing this just in case
  2. Change any important passwords if you believe you've launched the infected client
    • Using a program like http://www.nirsoft.net/utils/chromepass.html allows you to see what logins are stored on your Chrome browser
    • We don't believe passwords were compromised unless they were stored in Google Chrome's auto-fill, but we recommend changing just to be safe.
  3. Make sure to reset your in-game passwords and PINs, as well as your forum password
    • Account PINs were not included in the compromised data, but we recommend a change just to be safe
      • You can type ::changepin to prompt an account PIN change

We sincerely apologize for this ordeal, and we'll be taking further steps to prevent anything like this from happening in the future.

Feel free to private message me on forums if you have any questions or need any assistance regarding this issue.

Sincerely,
The Staff Team

 

  • Like 2
  • Thanks 1


Pathetic. This isn't something anyone should ever have to worry about lol. Get your security under control.

Edited by Jaedmo
  • Like 2

9 minutes ago, Murdaaa said:

I'm not even gonna run a scan thuglife

Same... 

42 minutes ago, Jaedmo said:

Pathetic. This isn't something anyone should ever have to worry about lol. Get your security under control.

We do apologise for the breach but this is something every company that handles data can face, big and small.

But on the bright side, at least the situation is now under control and our users have been informed as soon as possible (Unlike some companies).

We will also be taking big steps into assuring that this never happens again.


Two things. 

First I appreciate you being responsible enough to let us know about it so we can take action on our end. 

Secondly, how did someone breach your web server that the client runs through? It’s one thing to lose a forum to an SQL attack or another error. But to actually have your dedicated server compromised to the point someone was able to modify your updater to include a malware redirect is beyond me. I hope you are more transparent on this issue moving forward.

Did someone that had access to the server get ratted? Did you get personally attacked? Surely not many people have access to your files, and from my understanding you are very knowledgeable. 

I apologize if I come off as a dick, but when it comes to my personal data it bothers me. I trust you guys will implement more security protocols moving forward and something like this won’t happen again. 

  • Like 2


So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.

Edited by MoleManMode
  • Haha 3

1 hour ago, MoleManMode said:

So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.

Wah.


I ran a scan but have found no problem. Although I've changed the majority of my passwords, which was quite annoying.

I understand that a breach would be possible, but the fact they could inject malware into the launcher seems a bit odd to me.

I hope a reply will be given with a proper explanation how this was possible.

3 hours ago, MoleManMode said:

So, thanks to you, I had to reset all my passwords, call and cancel my credit cards and request new ones, same with my bank card, as well as go through the headache of resetting all of my authenticators. Unacceptable. Officially quitting and already passed my items over to the newbies. If you didn't take your security seriously enough from the beginning to protect your server information, I damn sure don't trust you to protect my information anymore. The times were fun, the server is awesome, but you have a lot of things to figure out about how Cyber-anything works. I wish you the best of luck with your servers and in life.

The exploit used was with IBP and not with the security parameters Ryan had in place.

5 hours ago, vaya1 said:

I ran a scan but have found no problem. Although I've changed the majority of my passwords, which was quite annoying.

I understand that a breach would be possible, but the fact they could inject malware into the launcher seems a bit odd to me.

I hope a reply will be given with a proper explanation how this was possible.

Only our web servers were compromised, but the game client is hosted and downloaded from the web server (HTTP) by the auto-updater launcher.

The dedicated servers on which we host the actual game were not breached.

Clarification/update on the malware:

After reverse engineering the infected client it appears that the malware does not actually execute (those who understand some Java may be able to see in this decompiled class https://i.imgur.com/4w0lpl4.png).

This may be good news, because there is a chance that the malware was not programmed properly for those who launched it, meaning no personal data was stolen. But in case we're wrong or missing anything in our analysis, I had administered this warning for everyone to be completely safe.

EDIT: It appears after testing with a more reliable decompiler, it unfortunately does in fact execute.

  • Like 2
  • Thanks 1
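
Added example, not part of the original thread and not the project's launcher code: the post above says the auto-updater downloads the client from the web server over HTTP, so whoever controls that server controls what players run. One way an updater can refuse a swapped client is to check a detached signature against a public key shipped inside the launcher. The class name, the in-memory key pair and the sample bytes are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class VerifiedUpdate {
    // True only if sig is a valid signature over clientBytes under the pinned key.
    static boolean verify(byte[] clientBytes, byte[] sig, PublicKey pinned) {
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(pinned);
            v.update(clientBytes);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: do not launch
        }
    }

    // Release-side step, done on a machine that is not the web server.
    static byte[] sign(byte[] data, KeyPair kp) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed stand-in for the release key pair. Only the public half
        // would be compiled into the launcher; the private half stays offline.
        KeyPair release = gen.generateKeyPair();
        PublicKey pinned = release.getPublic();

        byte[] genuine = "constructed bytes of client.jar".getBytes(StandardCharsets.UTF_8);
        byte[] genuineSig = sign(genuine, release);

        // Case 1: the hosted file is replaced and the old signature left in place.
        byte[] swapped = "constructed bytes of a modified client.jar".getBytes(StandardCharsets.UTF_8);
        // Case 2: the replaced file is re-signed with a key the launcher does not pin.
        byte[] foreignSig = sign(swapped, gen.generateKeyPair());

        System.out.println("genuine client accepted:         " + verify(genuine, genuineSig, pinned));
        System.out.println("swapped, old signature accepted: " + verify(swapped, genuineSig, pinned));
        System.out.println("swapped, foreign key accepted:   " + verify(swapped, foreignSig, pinned));
    }
}
```

The check only helps if the launcher refuses to start the client when `verify` returns false, and if the launcher itself reaches players through a channel the web server cannot rewrite.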


Thank you for replying Ryan. I was monitoring outgoing connections in case of malware and did not notice anything unusual and all scans came back clean. I run keyscrambler so I wasn’t concerned about losing financial information I just did not know how deep the exploit went and panicked.

Thank you for posting the decompile and handling this professionally. 

18 minutes ago, mekanism said:

Wait, did you just post what kind of encryption you use by showing us the decompiled 'malware'? Crypt32? Lol

It's an image of the infected, decompiled client. It's showing the execution and default utility, that's it.

1 hour ago, forgiveiron said:

Any chance you know where this malware may plant itself, as in what the file may be named or where it is located?

I asked him yesterday, he said from the analysis he concluded the file just scraped the Chrome saved password data then wiped itself from the PC.

Edit: He said: From the analysis it isn't a virus that stays on your computer or launches on startup, it would just scrape and send off your Google Chrome data when the client was first loaded. We recommend players to run a virus scan to be 100% safe.

Edited by Vintage

8 hours ago, Vintage said:

I asked him yesterday, he said from the analysis he concluded the file just scraped the Chrome saved password data then wiped itself from the PC.

Edit: He said: From the analysis it isn't a virus that stays on your computer or launches on startup, it would just scrape and send off your Google Chrome data when the client was first loaded. We recommend players to run a virus scan to be 100% safe.

This is correct, the malware does not appear to plant itself, its only functionality we found was stealing Chrome passwords upon launching the client.

15 hours ago, mekanism said:

Wait, did you just post what kind of encryption you use by showing us the decompiled 'malware'? Crypt32? Lol

No, that's the encryption Google Chrome uses to store auto-fill passwords on your computer.


@Ryan

So, if I did not log on Wednesday during 9 AM CST to 6 PM CST, and logged on around 11 PM to 12 AM CST, am I safe from this attack?

Or was I still affected?

Thank you in advance for your insight.

This topic is now closed to further replies.
