Hacks confirmed at gambling and betting websites in Southeast Asia, rumors of other hacks in Europe and the Middle East. Hackers, reportedly out of China, are targeting operations in the region, and where successful, can gain access to entire gaming networks.
Cybercrime is a real threat that can compromise any online system. Gaming operators in Southeast Asia are now the targets of a Chinese-speaking cybercriminal group.
Cyberthreats are something any online site deals with. The online gaming segment isn’t immune, either. Any industry that deals with money and sensitive data is at risk.
A new threat is emerging that, according to cybersecurity firm Avast, mostly targets gaming operators in Southeast Asia. Hackers are launching sophisticated attacks that, where successful, could completely compromise networks.
New iGaming Cybersecurity Threat
There is a new advanced persistent threat (APT) that is going after gambling-related companies in locations such as Hong Kong, the Philippines, and Taiwan. Cyber analysts are still dissecting all of the details, but the threat is reportedly in Chinese, which may indicate its origin.
The attack, which Avast dubs Operation Dragon Castling (ODC), shares properties with other malicious programs, such as FFRat and MulCom. The former, according to the cybersecurity company, can be traced to the DragonOK group, a malicious entity that has been operating for years. DragonOK has ties to PoisonIvy and PlugX, two backdoor programs linked to Chinese-speaking hackers.
Avast confirmed in an email to Casino.org that it identified the gaming sector as the target through an email received by an unidentified gaming company. In the email, the attacker requested that the company “check for a bug in their software,” which served as the basis for Avast’s conclusion.
The company also indicates that multiple companies in the gaming industry have been targets. However, it isn’t able to disclose the names because of company policy.
While multiple initial access avenues were employed during the course of the campaign, one of the attack vectors involved leveraging a previously unknown remote code execution flaw in the WPS Office suite (CVE-2022-24934) to backdoor its targets. The issue has since been addressed by Kingsoft Office, the developers of the office software.
In the case observed by the Czech security business, the vulnerability was used to drop a malicious binary from a fake update server with the domain update.wps[.]cn. That binary triggers a multi-stage infection chain that leads to the deployment of intermediate payloads that allow for privilege escalation before finally dropping the Proto8 module.
Cyber Analysts Smell a Rat
FFRat has been around for at least 12 years, although it has been difficult to determine its origin. As a result, ODC is in a similar position. Avast has not determined the motivation for the arrival of the malicious program, or what its developers hope to achieve, whether it’s for financial gain or system disruption.
The threat appears to be extremely advanced and can break through multiple layers of protection. Avast determined that its main objective is to exploit a vulnerability of WPS Office, a free Microsoft Office alternative.
ODC is able to take advantage of a flaw in the application’s automatic updater, exposing systems to attack. Avast already forwarded its findings to Kingsoft Office, the developers of WPS Office, which has reportedly addressed the vulnerability.
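The page says the first-stage binary came from a fake update server answering on the vendor's own update domain, which is why a client that trusts the host name alone is at risk. The following is an added example, not Avast's, Kingsoft's or WPS Office's code and not a description of how CVE-2022-24934 actually works: it places the weak "run whatever the update host returns" pattern beside the checks a hardened updater performs (HTTPS, pinned host, authenticated manifest, payload digest, anti-rollback). The host, publisher key, versions and sample binaries are constructed, and an HMAC stands in for the asymmetric signature a real vendor would use.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Hypothetical pinned client state (constructed for this example).
UPDATE_HOST = "update.vendor.example"
PUBLISHER_KEY = b"constructed-publisher-key"   # stands in for a real signing key
INSTALLED_VERSION = 11


def sign_manifest(manifest: dict) -> str:
    """Publisher side: authenticate the manifest (version + payload digest)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(PUBLISHER_KEY, body, hashlib.sha256).hexdigest()


def weak_accept(url: str, payload: bytes) -> bool:
    """Insecure pattern: execute whatever the expected host name returns."""
    return urlsplit(url).hostname == UPDATE_HOST


def hardened_accept(url: str, manifest: dict, signature: str, payload: bytes) -> tuple[bool, str]:
    """Require transport, origin, manifest authenticity, integrity and anti-rollback."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "update not fetched over https"
    if parts.hostname != UPDATE_HOST:
        return False, f"unexpected host {parts.hostname!r}"
    if not hmac.compare_digest(signature, sign_manifest(manifest)):
        return False, "manifest signature invalid"   # a spoofed server cannot forge this
    if manifest["version"] <= INSTALLED_VERSION:
        return False, "downgrade or replay of an old release"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "payload does not match signed digest"
    return True, "ok"


# Constructed sample responses: one genuine release and one from a spoofed
# server answering on the same host name, as the page describes.
GENUINE_BIN = b"GENUINE-RELEASE-12"
GENUINE_MANIFEST = {"version": 12, "sha256": hashlib.sha256(GENUINE_BIN).hexdigest()}
GENUINE_SIG = sign_manifest(GENUINE_MANIFEST)

FAKE_BIN = b"STAGE-1-DROPPER"
FAKE_MANIFEST = {"version": 12, "sha256": hashlib.sha256(FAKE_BIN).hexdigest()}
FAKE_SIG = "00" * 32   # the attacker has no publisher key, so the signature is bogus

URL = f"https://{UPDATE_HOST}/update.bin"
```

The weak check accepts the spoofed server's dropper because the host name matches; the hardened check rejects it at the manifest signature, and separately rejects plain-HTTP delivery, a tampered payload under a genuine manifest, and a replayed older release.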
However, with 1.2 billion WPS Office installations around the world, there are likely a high number of systems open to compromise. Because the malicious program is able to determine the status of certain antivirus protection, it can install itself on unprotected computers and servers.