Third party attack; aftermath

General chit chat regarding the GameSave Manager project, announcements and general feedback.
User avatar
InsaneMatt
Site Admin
Posts: 477
Joined: 22 Jan 2018, 00:33

Third party attack; aftermath

Post by InsaneMatt »

On Sunday 15th January 2018 a third party attack was detected. As such, we promptly took the website offline.
Thankfully, we were back mere hours later but were unable to host downloads for a day or two (thanks to MajorGeeks and Softpedia for being mirrors!).

Fast-forward to now and due to security concerns, we've opted to reset the forums.
This was done partially due to our last backup being ~3 months out of date, but also due to the time sink it would be to check every table and record for possible shenanigans. The original plan was to try and recover everything from the backup post attack, but after a week double-checking every file and record, it became apparent it's not very practical.
If you were a member of this forum prior to 14th January 2018 we strongly encourage you to reset all your login credentials that you may have duplicated here. While we've seen no evidence of the attackers gaining access to user records, there are signs of access to other tables in the database.

So what happened?
Over the weekend (13th / 14th January 2018), this project's website was the victim of a malicious attack
We believe they started planning this attack from around 6th January 2018, before setting it into motion over the weekend
From what we've deduced, the attackers gained access to the server via an exploit in some of it's software / technology. From there, they uploaded several scripts and their very own version of GameSave Manager (v3.1.455.0 wrapped in a 'Setup Wizard')

The 'Setup Wizard'
Their 'release' was a 18.6 MB executable 'Setup Wizard' which would extract GameSave Manager. In contrast, the official release is 7.44 MB in size
The 'payload' they seem to be using is a 2010 build of Mozilla Firefox
It isn't clear what they're doing with Firefox, but it's safe to assume they're likely exploiting vulnerabilities in it

Am I infected? How do I know?!
The way the hijack was implemented means that you had to initiate the download from our website, if you were referred to the '?s=download&a=dl' link from another website then you shouldn't have been affected. This also means that auto-updating within GameSave Manager doesn't seem to be affected
So then, the easiest way to check if you're infected / affected by this is by checking your installed program list. To do this, follow the steps below:
  • Click Start -> Windows System -> Control Panel
    Alternatively, click Start -> Control Panel
  • Click onto Uninstall a program
  • The entry we're looking for is titled 2.1.2.3, with no publisher and a size value of around 38 MB
If this entry exists, it's safe to assume you're affected by this

Looks like I'm infected, help!
Firstly, we need to make it clear; we're in no way experts at this sort of thing!
Also, please be aware that we'll be using the Windows Registry Editor. Follow at your own risk!
  1. Disconnect from the internet, immediately
  2. Start Windows Registry Editor
    To do this, hold the WinKey on your keyboard, while pressing R. Within the Run dialog, enter regedit.exe and click OK
  3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    If an entry named 'firefox' is listed then delete it, reboot your system and start 'Windows Registry Editor' again
  4. Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'. Look for a 'GameSavesManager_is1' key, note down the contents of the 'InstallLocation' value and then delete the key
  5. Close the Windows Registry Editor and delete the path that was specified within 'InstallLocation' (from the previous step) using Windows Explorer
  6. Within Windows Explorer, navigate to your %AppData% folder (typically 'C:\Users\your_username\AppData\Roaming')
  7. Delete / rename the folders AMozilla and ComObject (there's another AMozilla folder within AppData\Local too!)
  8. Reconnect to the internet and perform all your favourite anti-virus, anti-spyware, etc scans
While we can not guarantee you're no longer infected, you have at least undone everything we've managed to discover the malicious setup wizard performed

What's being done to prevent this occuring again?
As mentioned before, we're assuming the attackers gained access via a root exploit of the website's control panel.
We'd been putting off upgrading said control panel for ~3 years, but have now upgraded all technologies the website runs on. We're (or rather I, Gekz seems a little absent as of late) will be redesigning the website too. As such, the current 'maintenance' page will probably be there for some time.

We would like to thank you all for your patience and understanding while we try and get back to normal.

We apologise for the inconvenience this has all caused.
Regards,
InsaneMatt
tgp1994
Posts: 3
Joined: 23 Jan 2018, 00:19

Re: Third party attack; aftermath

Post by tgp1994 »

Thank you for keeping us informed! Since we're on the subject of security, could HTTPS be implemented soon too? Currently our passwords are being sent over plaintext!
User avatar
InsaneMatt
Site Admin
Posts: 477
Joined: 22 Jan 2018, 00:33

Re: Third party attack; aftermath

Post by InsaneMatt »

SSL (aka 'http' protocol) integration is something I'd like to have, but honestly don't see justification in actually paying for.
Right now (and even before this 'attack' occured) the website doesn't have any sort of transactions going on which would require a secure connection.

Okay, some may try and argue that the forum's login credentials should be secured.
I'd argue that a forum doesn't need secure connections, provided it's not transmitting any sort of high priority data (such as credit card numbers). As we use PayPal for donations, we honestly don't need SSL / HTTPS protection. It'll be nice to have, but not really required.

Thanks for the suggestion though, tgp1994.
tgp1994
Posts: 3
Joined: 23 Jan 2018, 00:19

Re: Third party attack; aftermath

Post by tgp1994 »

Fair enough, browsers are getting noisy these days when they detect a login forum on http. Thanks and good luck :)
carstorm
Posts: 1
Joined: 23 Jan 2018, 03:15

Re: Third party attack; aftermath

Post by carstorm »

InsaneMatt wrote: 23 Jan 2018, 00:40 SSL (aka 'http' protocol) integration is something I'd like to have, but honestly don't see justification in actually paying for.
Right now (and even before this 'attack' occured) the website doesn't have any sort of transactions going on which would require a secure connection.

Okay, some may try and argue that the forum's login credentials should be secured.
I'd argue that a forum doesn't need secure connections, provided it's not transmitting any sort of high priority data (such as credit card numbers). As we use PayPal for donations, we honestly don't need SSL / HTTPS protection. It'll be nice to have, but not really required.

Thanks for the suggestion though, tgp1994.
You realize someone could intercept the paypal button doing a MitM attack right. Also you say no high priority data is being transmitted yet you reset the entire forum because the passwords may have been compromised. They could potentially be getting compromised every time someone hits submit since there is no SSL. Also soon (within 2 years) many browsers will start blocking any non-SSL login page as insecure and eventually any non-SSL page as insecure.

There is the free and open Let's Encrypt that is easy to set up and after setup you don't have to deal with it as it auto renews if configured properly. With this (and other initiatives like it) in today's online world, there is no reason not to have SSL!
User avatar
InsaneMatt
Site Admin
Posts: 477
Joined: 22 Jan 2018, 00:33

Re: Third party attack; aftermath

Post by InsaneMatt »

carstorm wrote: 23 Jan 2018, 03:24 You realize someone could intercept the paypal button doing a MitM attack right.
Yes and no.
While technically possible the user could be redirected to another site, we don't interact with any PayPal API and therefore if the site isn't SSL'd to PayPal, it's not advisable to login to (as with any storefront that accepts PayPal). The transaction is 100% on PayPal's end.
carstorm wrote: 23 Jan 2018, 03:24 Also you say no high priority data is being transmitted yet you reset the entire forum because the passwords may have been compromised. They could potentially be getting compromised every time someone hits submit since there is no SSL. Also soon (within 2 years) many browsers will start blocking any non-SSL login page as insecure and eventually any non-SSL page as insecure.
The forum (and website) was reset as it was too much of a time sync to put into making sure everything was 'clean' of malicious content (to prevent an easy repeat attack). If the data was of high priority, we'd obviously would have been forced to do our best to recover said data. This wasn't the case.
Let's be clear: SSL / HTTPS implementation wouldn't have prevented this attack.
carstorm wrote: 23 Jan 2018, 03:24 There is the free and open Let's Encrypt that is easy to set up and after setup you don't have to deal with it as it auto renews if configured properly. With this (and other initiatives like it) in today's online world, there is no reason not to have SSL!
I wasn't aware of that 'project'.
Thanks for pointing it out, I'll definitely do some research on it.
hackerhorse
Posts: 1
Joined: 17 Feb 2018, 23:52

Re: Third party attack; aftermath

Post by hackerhorse »

I normally don't register on forums these days, but I was looking for a resolution to an issue in GSM, and came across this post.
No network should have to suffer a break-in, especially not one literally existing for the good of the community. (I came across GSM a few years ago, after losing some very important save files.)
I'm an infosec & operations consultant, and if you guys are interested, I'd be happy to donate some time to helping y'all out, and ensuring something like this doesn't happen again. (And implementing TLS, as carstorm has a very valid point.)
If the admins are interested, shoot me an email. We can sit down and talk about what my company might be able to do to lend a hand (and like I said, I'll be donating the time. It's not fully tax-write-off-able since you're not a 501(3c), but I still get a benefit from it come tax time, and it's a way I can give back to a community that's now saved my own ass about 5 times. Win-win situation.)
RytoEX
Posts: 1
Joined: 18 Mar 2018, 16:02

Re: Third party attack; aftermath

Post by RytoEX »

I agree with hackerhorse and carstorm. Implementing TLS with Let's Encrypt is free and pretty easy. Some webhosts even have a built-in option in their administration panels for enabling it and handling the certificate renewal. I'm a programmer by trade, but I've done some sysadmin and server work as well, and I've used Let's Encrypt for securing domains. If you still require help for setting up server security certificates, I'd love to help. If you've got all the help you need, but a vote of confidence in Let's Encrypt would help, I can give that too.
Natanji
Posts: 2
Joined: 13 Sep 2018, 10:12

Re: Third party attack; aftermath

Post by Natanji »

Hi,
it's been over half a year and Browsers are now showing warnings when entering stuff into input forms.
Setting up Let's Encrypt took around an hour of work on my server, it would be great if you could do it here too!
User avatar
InsaneMatt
Site Admin
Posts: 477
Joined: 22 Jan 2018, 00:33

Re: Third party attack; aftermath

Post by InsaneMatt »

Natanji wrote: 13 Sep 2018, 10:13 Hi,
it's been over half a year and Browsers are now showing warnings when entering stuff into input forms.
Setting up Let's Encrypt took around an hour of work on my server, it would be great if you could do it here too!
Working on it.
Having issues with the server and it's configuration. Contacted host today and they're looking into it.

All going well, we'll have SSL for the forum within a week or two (with minor downtime).

---
EDIT: Host got back to me earlier than anticipated.
After a few hours of tweaking the new server, I'm pleased to say we now have a SSL certificate. I've also moved the forums from http://www.gamesave-manager.com/forum/ to https://forum.gamesave-manager.com/.
Once more, the main site also has the SSL certificate implemented (i.e https://www.gamesave-manager.com/).
Last edited by InsaneMatt on 14 Sep 2018, 20:59, edited 1 time in total.
Reason: Status update on SSL certification
Post Reply

Who is online

Users browsing this forum: Majestic-12 [Bot] and 0 guests