11.2.21

Operation NightScout: Supply-chain attack targets online gaming in Asia

ESET researchers uncover a supply-chain attack used in a cyberespionage operation targeting online gaming communities in Asia

 By Ignacio Sanmillan

 Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:

·       use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks

·       implement file integrity verification using MD5 hashing and file signature checks

·       adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information

BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.
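As an added illustration of the second of those steps, and not BigNox's own code (the article does not describe NoxPlayer's updater), the Python below checks an update against a manifest that is itself authenticated before any hash in it is trusted. It assumes a JSON manifest format and uses an HMAC under a client-side key as a stand-in for the signature check, with SHA-256 in place of MD5, because the standard library offers no public-key signatures.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumed update layout (not BigNox's real format): the server offers the update
# file, a JSON manifest {"file", "version", "sha256"} and a tag over the manifest
# bytes. The tag is an HMAC under a key baked into the client and stands in for a
# public-key signature. Constructed key, not a real secret.
CLIENT_KEY = b"constructed-demo-key"


class UpdateRejected(Exception):
    pass


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_update_url(url):
    """First listed step: refuse to fetch updates over anything but HTTPS."""
    if urlsplit(url).scheme != "https":
        raise UpdateRejected("update URL is not HTTPS: " + url)
    return url


def verify_manifest(manifest_bytes, tag_hex):
    """Authenticate the manifest before trusting any hash it carries: a hash served
    beside the file from a compromised server can simply be recomputed."""
    expected = hmac.new(CLIENT_KEY, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise UpdateRejected("manifest tag does not verify")
    return json.loads(manifest_bytes)


def verify_update(url, manifest_bytes, tag_hex, file_bytes):
    """HTTPS origin, authenticated manifest, then file hash; returns the version."""
    check_update_url(url)
    manifest = verify_manifest(manifest_bytes, tag_hex)
    if not hmac.compare_digest(sha256_hex(file_bytes), manifest["sha256"]):
        raise UpdateRejected("hash mismatch for " + manifest["file"])
    return manifest["version"]


def sign_manifest(manifest):
    """Server side, included only so the example runs stand-alone."""
    data = json.dumps(manifest, sort_keys=True).encode()
    return data, hmac.new(CLIENT_KEY, data, hashlib.sha256).hexdigest()
```

A swapped update file fails on the hash check, and a manifest edited to carry the new hash fails on the tag check first.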

ESET assumes no responsibility for the accuracy of the information provided by BigNox.

During 2020, ESET research reported various supply-chain attacks, such as the case of WIZVERA VeraPort, used by government and banking websites in South Korea, Operation StealthyTrident compromising the Able Desktop chat software used by several Mongolian government agencies, and Operation SignSight, compromising the distribution of signing software distributed by the Vietnamese government.

In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide.

This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual.

Three different malware families were spotted being distributed via tailored malicious updates to selected victims, with no sign of financial motivation but rather surveillance-related capabilities.

We spotted similarities between loaders we have been monitoring in the past and some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.

About BigNox

BigNox is a company based in Hong Kong, which provides various products, primarily an Android emulator for PCs and Macs called NoxPlayer. The company’s official website claims that it has over 150 million users in more than 150 countries speaking 20 different languages. However, it’s important to note that the BigNox follower base is predominantly in Asian countries.

BigNox also wrote an extensive blogpost in 2019 on the use of VPNs in conjunction with NoxPlayer, showing the company’s concern for their users’ privacy.

We have contacted BigNox about the intrusion, and they denied being affected. We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation.

Am I compromised?

·       Who is affected: NoxPlayer users.


Complete article on

https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

 Hacker attempts to poison Florida city’s water supply

While the incursion was thwarted in time, cyberattacks targeting critical infrastructure are a major cause for concern

 Amer Owaida

Last Friday, an unknown attacker accessed the computer systems of a water treatment facility in Oldsmar, Florida, and attempted to poison the city’s water supply by manipulating the chemical levels of sodium hydroxide.

This substance, commonly referred to as lye or caustic soda, is used across various industries: it can be found in liquid drain cleaners and detergents, and is also used to control water acidity. However, if ingested, it can cause spontaneous vomiting, chest and abdominal pain, difficulty swallowing with drooling, and corrosive injuries.

Speaking at a press conference about the attack, Pinellas County Sheriff Bob Gualtieri said that at about 8:00 AM on Friday a plant operator noticed that someone remotely accessed the system he was monitoring. Since the system is often accessed using specialized software by authorized personnel to troubleshoot problems remotely and for monitoring purposes, the operator didn’t give it much thought. The plant serves approximately 15,000 residents.

However, at approximately 1:30 PM local time the operator noticed that the system was being accessed again. This time the perpetrator accessed various functions that control the water being treated including part of the software that controls the levels of sodium hydroxide in the water. They then proceeded to change the levels from 100 parts per million to 11,100 parts per million, after which they exited the system.

“The plant operator immediately reduced the level back to the appropriate amount of 100 parts. Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly the public was never in danger,” said the sheriff.

While the name of the program used to access the system wasn’t specified, according to Reuters reporter Chris Bing the hackers were able to infiltrate the systems through TeamViewer, a widely used remote support and access tool.

Oldsmar mayor Eric Seidel said that the good news is that the monitoring protocols they have in place work. “Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level,” he added.
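An added example of the kind of independent plausibility check such redundancies can provide, not the Oldsmar plant's software (the article does not describe it): an out-of-band review of setpoint writes to the sodium hydroxide dosing controller against an engineering range, a maximum step size and the session type. The 100 ppm and 11,100 ppm figures come from the article; the record format, operating range and step limit are assumptions.

```python
from dataclasses import dataclass

# Constructed record format (an assumption, not the Oldsmar plant's telemetry):
# one entry per write to the sodium hydroxide dosing setpoint, with the kind of
# session (local console or remote-access tool) that performed it.
@dataclass
class SetpointWrite:
    ts: str
    session: str     # "local" or "remote"
    tag: str         # controller tag written
    old_ppm: float
    new_ppm: float

# Engineering limits for the dose: assumed demo values. The 100 ppm normal level
# is the figure given in the article; the range and step limit are not.
NAOH_LIMITS = {"min_ppm": 0.0, "max_ppm": 300.0, "max_step_ppm": 50.0}


def check_write(w, limits=NAOH_LIMITS):
    """Return alarm strings for one write; an empty list means it looks routine."""
    alarms = []
    if not limits["min_ppm"] <= w.new_ppm <= limits["max_ppm"]:
        alarms.append("OUT_OF_RANGE: %s set to %.0f ppm" % (w.tag, w.new_ppm))
    if abs(w.new_ppm - w.old_ppm) > limits["max_step_ppm"]:
        alarms.append("STEP_TOO_LARGE: %.0f -> %.0f ppm" % (w.old_ppm, w.new_ppm))
    if w.session == "remote" and w.new_ppm != w.old_ppm:
        alarms.append("REMOTE_WRITE: setpoint changed from a remote session")
    return alarms


def review(writes, limits=NAOH_LIMITS):
    """Run every write through the checks; map timestamp -> alarms for flagged ones."""
    flagged = {}
    for w in writes:
        alarms = check_write(w, limits)
        if alarms:
            flagged[w.ts] = alarms
    return flagged


# Constructed sample following the article's timeline (times are local).
SAMPLE = [
    SetpointWrite("10:15", "local", "NaOH_dose_sp", 95.0, 100.0),      # routine tweak
    SetpointWrite("13:30", "remote", "NaOH_dose_sp", 100.0, 11100.0),  # reported change
    SetpointWrite("13:31", "local", "NaOH_dose_sp", 11100.0, 100.0),   # operator reverts
]

if __name__ == "__main__":
    for ts, alarms in review(SAMPLE).items():
        print(ts, "; ".join(alarms))
```

The revert at 13:31 is also flagged for its step size, which is intended: a monitor of this kind should raise every large swing and leave the operator to acknowledge the legitimate one.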

The Pinellas County Sheriff’s office is investigating the attack together with the Federal Bureau of Investigation (FBI) and the United States Secret Service. So far, no suspects have been identified and it’s unclear whether the attack originated from the US or abroad; however, they are following up on leads.

The breach of the water treatment plant has raised concerns about possible further attacks; all government authorities in the Tampa Bay area with critical infrastructure components were requested to actively review their computer security protocols.