Hacking News – https://cybersecuritynews.com/category/hacking-news/
World's #1 Premier Cybersecurity and Hacking News Portal (feed last updated Mon, 17 Nov 2025 10:25:22 +0000)

North Korean Hackers Infiltrated 136 U.S. Companies to Generate $2.2 Million in Revenue
Cyber Security News, Mon, 17 Nov 2025 10:25:15 +0000
https://cybersecuritynews.com/north-korean-hackers-infiltrated-u-s-companies/
The U.S. Justice Department has announced a set of actions against North Korean cybercrime, including five guilty pleas and the forfeiture of more than $15 million in assets linked to the schemes.

These operations reveal how the Democratic People’s Republic of Korea (DPRK) uses fraudulent IT workers and cryptocurrency heists to fund its weapons programs while evading international sanctions.

Facilitators in the United States and Ukraine helped North Korean actors secure remote IT jobs with American companies.

North Korean State-Sponsored Cybercrime

The scheme relied on stolen or fabricated identities and on hosting company-issued laptops at U.S. residences ("laptop farms") to create the false appearance that the workers were based in the United States.

This elaborate fraud impacted more than 136 U.S. companies, generating over $2.2 million in revenue for the North Korean regime and compromising the identities of over 18 American citizens.

According to the Justice Department, five individuals have pleaded guilty for their roles in these schemes.

Three U.S. nationals, Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis, admitted to providing their identities to overseas IT workers and hosting laptops at their homes.

Travis, an active-duty U.S. Army member at the time, received at least $51,397 for his participation. Their scheme alone earned approximately $1.28 million from victim companies.

Ukrainian national Oleksandr Didenko pleaded guilty to stealing U.S. citizen identities and selling them to overseas IT workers, enabling fraudulent employment at 40 U.S. companies.

Didenko agreed to forfeit more than $1.4 million. Additionally, Erick Ntekereze Prince admitted to supplying falsely certified IT workers through his company, earning over $89,000.

Separately, the Justice Department filed forfeiture actions in court to recover over $15 million in cryptocurrency stolen by APT38, a North Korean military hacking group.

The group executed four major heists in 2023, stealing virtual currency from platforms in Estonia, Panama, and Seychelles, totaling approximately $382 million.

These enforcement actions demonstrate the government’s comprehensive approach to disrupting North Korean revenue generation schemes that fund weapons development and threaten national security.


Chess.com Data Breach – Hackers Breached External System and Gained Internal Access
Cyber Security News, Thu, 04 Sep 2025 18:49:15 +0000
https://cybersecuritynews.com/chess-com-data-breach/
Online chess giant Chess.com has disclosed a data breach that compromised the personal information of 4,541 individuals, according to a filing with the Maine Attorney General’s Office.

The intrusion took place on June 5, 2025 and was discovered nearly two weeks later, on June 19, 2025. Chess.com confirmed that the breach was the result of an external attack in which the intruders gained unauthorized access to sensitive data.

The company reported that hackers were able to obtain names and personal identifiers, though it did not provide a full breakdown of all the data elements exposed. The breach affected users across multiple regions, including one resident of Maine.

Chess.com Response

Chess.com began notifying impacted individuals on September 3, 2025 through written notices. To help protect its community, the company is offering 12 months of complimentary identity theft protection services.

The notification was formally submitted by Elias Colabelli, Head of the Legal Department and Data Protection Officer at Chess.com, who emphasized that the company is strengthening its systems to prevent similar incidents in the future.

Although the number of affected users may seem low compared to other large-scale data breaches, the incident underscores how even major online platforms remain targets for cybercriminals. With more than 150 million users worldwide, Chess.com holds a vast amount of personal data, making it a lucrative target for hackers.

Data of this kind feeds identity theft, targeted phishing and further fraud once it circulates on underground markets, which is why the breach-notification letters pair the disclosure with identity-protection coverage.

Chess.com has not yet disclosed whether law enforcement is involved in the investigation. The company says it continues to work on tightening security protocols and monitoring its systems closely.

We have reached out to Chess.com for further details regarding the breach and are awaiting their response. This article will be updated as soon as new information becomes available.

For users, the breach is a reminder to stay vigilant, monitor financial accounts, and be cautious of suspicious emails that could exploit stolen personal details.

How SOCs Triage Incidents in Seconds with Threat Intelligence
Cyber Security News, Tue, 26 Aug 2025 17:38:25 +0000
https://cybersecuritynews.com/how-socs-triage-incidents-in-seconds/
When every minute counts, fresh threat intelligence has to be at your fingertips; that is what high-performing SOC teams have in common. This article shows where to get relevant threat data for free and how to use it to triage incidents in seconds.

Getting & Applying Free Threat Intelligence

Enriching indicators with threat intelligence is a step that should not be skipped. It gives the SOC the data and tooling to hit three goals at once:

  • Faster alert triage
  • Higher detection rates
  • Less alert fatigue

The first step to take in this direction is to find a reliable source of data on attacks, which can be quickly and effortlessly accessed during triage. For that, you can try Threat Intelligence Lookup, a searchable database of threat intel.

(Screenshot: main page of ANY.RUN's TI Lookup)

By accumulating data from public malware investigations done by over 15,000 SOC teams and 500,000 individual researchers, it makes valuable indicators and their context available to you.

This means that in one simple query, you can tap into millions of malware analyses to identify and enrich your indicators, as well as find new ones for updates of proactive defense systems. For instance, during alert triage, you can verify a suspicious domain with a TI Lookup query like this:

domainName:"technologyenterdo.shop"

(Screenshot: TI Lookup's verdict on the query and the list of analyses for further investigation)

Almost instantly you get the answer: the indicator is malicious. Each indicator in TI Lookup is tied to the ANY.RUN Sandbox analysis session it was observed in, so the full behavioural context is one click away. Because the data set is built from public analyses, treat the verdict as corroboration to be confirmed against your own telemetry rather than as proof on its own, and do not submit samples containing sensitive data to a public sandbox.

For proactive investigation of current threats in your location, try a compound search like this to collect IOCs and update detection rules in advance:

threatName:"tycoon" AND submissionCountry:"de"

(Screenshot: search results for Tycoon threats submitted in Germany)

It includes the name of the threat (Tycoon) and the short name of the country it was detected in (de—Germany). Moments after you enter it, TI Lookup will return the overview of fitting threats and up to 20 recent analysis sessions done in ANY.RUN’s Interactive Sandbox. Use this info for proactive detection of potential threats and renewal of detection systems.

(Screenshot: TI Lookup links to relevant ANY.RUN sandbox sessions)

Beyond domains, Threat Intelligence Lookup can be queried for IP addresses and file hashes, and threats can be tracked by TTP through the interactive MITRE ATT&CK matrix. Together these bring measurable improvements to SOC performance:

  • Deeper and Faster Threat Investigations: Uncover rich data by linking artifacts to real-world attack patterns and cut MTTR by understanding threat behavior and TTPs.
  • Stronger Proactive Defense: Track relevant threats and stay ahead of them by making smarter detection rules in SIEM, IDS/IPS, and EDR.
  • Better SOC Expertise: Close the knowledge gap in your team—analysts can study malware and adversary TTPs within the interactive sandbox and MITRE ATT&CK matrix.


Premium Access to Threat Intel for Enterprises

The use cases described above are available in the free version of TI Lookup. This can be enough to simplify and accelerate your threat investigation. But in case you’re looking for an enterprise-grade solution with unlimited functionality, consider trying TI Lookup Premium.

It unlocks additional query operators and over 40 search parameters, all available analysis sessions, private searches and YARA search. With these you can build more precise requests and see the full data set. The paid tier can also be driven through an API and SDK for an automated workflow.

  • Automated, Real-Time Detection: Correlate alerts against extensive IOCs, IOBs, and IOAs, while integrating TI Lookup with SIEM, TIP, or SOAR platforms for continuous monitoring.
  • Precision Hunting & Investigation: Build and search custom YARA rules in ANY.RUN’s database, and refine investigations with 40+ parameters and advanced operators.
  • Proactive Threat Awareness: Automate alerts for specific IOCs or behaviors, and leverage expert TI Reports to stay ahead of evolving malware trends across industries.


CISA Added WinRAR Zero-Day (CVE-2025-8088) Vulnerability That is Actively Exploited In the Wild
Cyber Security News, Wed, 13 Aug 2025 20:30:26 +0000
https://cybersecuritynews.com/cisa-added-winrar-zero-day-vulnerability/
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-8088, a WinRAR path traversal flaw, to its Known Exploited Vulnerabilities catalog, with a due date of September 2, 2025 for federal agencies to apply mitigations.

WinRAR has released version 7.13 to address a critical security vulnerability that has been actively exploited by cybercriminals, marking another significant security incident for the popular file compression software.

The vulnerability, designated CVE-2025-8088, allows attackers to execute arbitrary code through maliciously crafted archive files, prompting immediate action from users worldwide.

Critical Security Flaw Exploited by Russian Hackers

The newly discovered vulnerability represents a serious threat to Windows users, with security researchers confirming that it has been exploited in active campaigns.

CVE-2025-8088 is a path traversal vulnerability that affects the Windows versions of WinRAR, UnRAR, and associated components, allowing specially crafted archives to bypass user-specified extraction paths and write files to unintended locations on the file system.

Because an archive can drop a file into a location the operating system executes automatically, the write primitive is effectively arbitrary code execution, which is what makes the flaw so dangerous.

ESET researchers have linked this vulnerability to exploitation by the Russian RomCom group, which has been targeting companies across Europe and Canada.

The cybersecurity firm’s research team, including Anton Cherepanov, Peter Košinár, and Peter Strýček, discovered the vulnerability and reported it to WinRAR developers.

The vulnerability carries a CVSS score of 8.4 (High severity); combined with confirmed in-the-wild exploitation, that puts it at the top of the patch queue.

Technical Details and Affected Systems

This directory traversal is distinct from the flaw patched in WinRAR 7.12, i.e. it is a new attack vector that needed its own fix. The affected components are:

  • WinRAR for Windows – all desktop installations of the primary software.
  • RAR and UnRAR command-line utilities – Windows versions of these tools.
  • UnRAR.dll and portable UnRAR – the dynamic library and standalone versions.
  • Version range affected – all WinRAR releases up to and including 7.12.
  • Unaffected platforms – Linux/Unix builds and RAR for Android are not affected.

Because every release up to and including 7.12 is affected, virtually all existing installations require updating.

The path traversal mechanism allows malicious archives to escape their intended extraction directories, potentially overwriting system files or placing executable code in locations where it can be automatically executed by the operating system.

This type of attack can lead to complete system compromise, data theft, or deployment of additional malware payloads.
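To make the extraction-side defence concrete, here is an added Python example (it is not WinRAR's code and is not derived from the exploit) that validates archive entry names against the destination directory before anything is written: it refuses relative climbs, drive-letter, rooted and UNC paths, and, as a generalisation beyond what the article discusses, NTFS alternate-data-stream syntax inside a path component. The entry names in SAMPLE_ENTRIES and the destination C:\Extract are constructed for the demonstration.

```python
"""Path-traversal check for archive entry names before extraction.

Added example (not WinRAR code). It models the validation an extractor must
perform on every entry: resolve the stored name against the chosen destination
and refuse anything that would land outside it. Entry names in SAMPLE_ENTRIES
are constructed to cover the classes of bad input, not taken from any real archive.
"""
from pathlib import PurePosixPath, PureWindowsPath

# Constructed archive listing: two benign entries, four that must be refused.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "docs/../notes.txt",
    "..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "\\\\attacker\\share\\x.dll",
    "report.pdf:payload.exe",
]


def is_safe_entry(name, dest, windows=True):
    """True if extracting `name` under `dest` cannot escape `dest`.

    The check is purely lexical, so it can run over an archive listing before
    a single byte is written to disk.
    """
    pure = PureWindowsPath if windows else PurePosixPath
    # Archives written on Windows store backslashes; on POSIX treat them as
    # separators rather than as literal filename characters.
    entry = pure(name if windows else name.replace("\\", "/"))
    # Absolute paths, drive letters (C:\...), rooted paths (\Windows) and UNC
    # prefixes (\\host\share) escape the destination outright.
    if entry.is_absolute() or entry.drive or entry.root:
        return False
    # Collapse '.' and '..' ourselves; climbing above the destination is a rejection.
    parts = []
    for part in entry.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return False
            parts.pop()
        else:
            parts.append(part)
    if not parts:
        return False  # nothing left after normalisation
    # Generalisation beyond the article: on NTFS a colon inside a component is
    # alternate-data-stream syntax ("file.txt:stream"), which a plain path
    # check cannot validate, so it is refused as well.
    if windows and any(":" in part for part in parts):
        return False
    # Belt and braces: the joined path must still sit under the destination.
    try:
        pure(dest).joinpath(*parts).relative_to(pure(dest))
    except ValueError:
        return False
    return True


def plan_extraction(entries, dest, windows=True):
    """Split an archive listing into entries that may be written and entries to refuse."""
    allowed, rejected = [], []
    for name in entries:
        (allowed if is_safe_entry(name, dest, windows) else rejected).append(name)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction(SAMPLE_ENTRIES, "C:\\Extract")
    print("would extract:", ok)
    print("refused      :", bad)
```

The lexical check is only half of a safe extractor: when the files are actually written, the target must be opened in a way that does not follow symbolic links, because an archive that preserves symlinks (a feature the article notes WinRAR offers) can plant a link with an earlier entry and route a later entry through it to a location the name check approved.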

Immediate Action Required for Users

WinRAR users must immediately update to version 7.13, which was released on July 30, 2025, with updated release notes published on August 12, 2025.

The update addresses not only the critical security vulnerability but also fixes several bugs from the previous version, including issues with the “Import settings from file” command and recovery size settings for older compression profiles.

The urgency of this update cannot be overstated given the confirmed exploitation in the wild. Two practical caveats: WinRAR has no automatic update mechanism, so the new build must be downloaded and installed (or pushed through software deployment) on every Windows host, and third-party tools that bundle UnRAR.dll carry their own copy of the vulnerable code and need separate updates from their vendors.

Beyond the immediate security fix, WinRAR 7.13 continues to offer advanced NTFS features that distinguish it from other compression tools, including built-in options to preserve symbolic links and archive Alternate Data Streams (ADS).

These capabilities remain valuable for backup, deployment, and forensic environments, but users must ensure they are running the latest secure version to benefit from these features safely.

Users who cannot update immediately should stop using WinRAR until the update can be applied, particularly in environments where untrusted archives are routinely processed; at minimum, archives from untrusted senders should not be opened with the vulnerable build.


Microsoft Patch Tuesday August 2025 Released – 107 Vulnerabilities Fixed Including 36 RCE
Cyber Security News, Tue, 12 Aug 2025 17:32:12 +0000
https://cybersecuritynews.com/microsoft-patch-tuesday-august/
Microsoft released its August Patch Tuesday security updates, addressing a total of 107 vulnerabilities across its product ecosystem.

Of the 107 fixes, 13 are rated Critical, 91 Important, two Moderate and one Low (counts per the breakdown table below). None was listed as publicly known or actively exploited at release, which gives administrators some breathing room, although several of the RCEs are reachable over the network and belong at the front of the patch queue.

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

Severity / Impact | Remote Code Execution (RCE) | Elevation of Privilege (EoP) | Information Disclosure | Spoofing | Denial of Service (DoS) | Tampering | Total
Critical  |  9 |  1 |  2 |  1 | 0 | 0 |  13
Important | 26 | 38 | 14 |  7 | 5 | 1 |  91
Moderate  |  0 |  1 |  0 |  1 | 0 | 0 |   2
Low       |  0 |  0 |  0 |  1 | 0 | 0 |   1
Total     | 35 | 40 | 16 | 10 | 5 | 1 | 107

The updates were released on August 12, 2025; the sections below group the most significant fixes by impact.

Remote Code Execution (RCE) Vulnerabilities

Remote Code Execution vulnerabilities dominate this month's release. The breakdown table and the full list below account for 35 of the 36 RCE fixes, nine of which are rated Critical. These flaws allow an attacker to execute arbitrary code and potentially take over the affected system. Key RCE vulnerabilities include:

Windows Graphics Component (CVE-2025-50165, Critical): An untrusted pointer dereference in the Microsoft Graphics Component allows unauthorized attackers to execute code over a network.

DirectX Graphics Kernel (CVE-2025-50176, Critical): A type confusion flaw in the Graphics Kernel enables local code execution by an authorized attacker.

Microsoft Office (CVE-2025-53731, CVE-2025-53740, Critical): Multiple use-after-free vulnerabilities in Microsoft Office allow unauthorized attackers to execute code locally.

Microsoft Word (CVE-2025-53733, CVE-2025-53784, Critical): Flaws in Microsoft Word, including incorrect numeric type conversion and use-after-free issues, permit local code execution.

GDI+ (CVE-2025-53766, Critical): A heap-based buffer overflow in Windows GDI+ allows network-based code execution.

Windows Hyper-V (CVE-2025-48807, Critical): An improper restriction of communication channels in Hyper-V enables local code execution.

Microsoft Message Queuing (MSMQ) (CVE-2025-50177, Critical; CVE-2025-53143, CVE-2025-53144, CVE-2025-53145, Important): Multiple vulnerabilities, including use-after-free and type confusion flaws, affect MSMQ, allowing network-based code execution.

Microsoft Excel (CVE-2025-53741, CVE-2025-53759, CVE-2025-53737, CVE-2025-53739, Important): Heap-based buffer overflows and use-after-free issues in Excel enable local code execution.

Windows Routing and Remote Access Service (RRAS) (CVE-2025-49757, CVE-2025-50160, CVE-2025-50162, CVE-2025-50163, CVE-2025-50164, CVE-2025-53720, Important): Heap-based buffer overflows in RRAS allow network-based code execution.

Microsoft Patch Tuesday August 2025 – Vulnerabilities list

None of the entries below was listed as actively exploited at release.

CVE | Vulnerability | Type | Severity
CVE-2025-53781 | Azure Virtual Machines Information Disclosure Vulnerability | Information Disclosure | Critical
CVE-2025-50165 | Windows Graphics Component Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-50176 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-50177 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53731 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53733 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53740 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53766 | GDI+ Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability | Elevation of Privilege | Critical
CVE-2025-53784 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-53793 | Azure Stack Hub Information Disclosure Vulnerability | Information Disclosure | Critical
CVE-2025-48807 | Windows Hyper-V Remote Code Execution Vulnerability | Remote Code Execution | Critical
CVE-2025-49707 | Azure Virtual Machines Spoofing Vulnerability | Spoofing | Critical
CVE-2025-53786 | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-49751 | Windows Hyper-V Denial of Service Vulnerability | Denial of Service | Important
CVE-2025-49745 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Spoofing | Important
CVE-2025-49758 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53727 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53729 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-33051 | Microsoft Exchange Server Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53730 | Microsoft Office Visio Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53741 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53759 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53760 | Microsoft SharePoint Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53761 | Microsoft PowerPoint Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-24999 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53772 | Web Deploy Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53773 | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-25005 | Microsoft Exchange Server Tampering Vulnerability | Tampering | Important
CVE-2025-25006 | Microsoft Exchange Server Spoofing Vulnerability | Spoofing | Important
CVE-2025-25007 | Microsoft Exchange Server Spoofing Vulnerability | Spoofing | Important
CVE-2025-49743 | Windows Graphics Component Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-49757 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-49759 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-49761 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-49762 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50153 | Desktop Windows Manager Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50154 | Microsoft Windows File Explorer Spoofing Vulnerability | Spoofing | Important
CVE-2025-50156 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-50158 | Windows NTFS Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-50159 | Remote Access Point-to-Point Protocol (PPP) EAP-TLS Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50160 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-50161 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50162 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-50163 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-50164 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-50166 | Windows Distributed Transaction Coordinator (MSDTC) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-50167 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50168 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50169 | Windows SMB Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-50170 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-50171 | Remote Desktop Spoofing Vulnerability | Spoofing | Important
CVE-2025-50172 | DirectX Graphics Kernel Denial of Service Vulnerability | Denial of Service | Important
CVE-2025-50173 | Windows Installer Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53131 | Windows Media Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53132 | Win32k Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53133 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53134 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53135 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53136 | NT OS Kernel Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53137 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53138 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53140 | Windows Kernel Transaction Manager Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53142 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53143 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53144 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53145 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53147 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53148 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53149 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53151 | Windows Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53152 | Desktop Windows Manager Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53153 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53154 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53155 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53156 | Windows Storage Port Driver Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53716 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Denial of Service | Important
CVE-2025-53718 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53719 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53720 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53721 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53722 | Windows Remote Desktop Services Denial of Service Vulnerability | Denial of Service | Important
CVE-2025-53723 | Windows Hyper-V Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53724 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53725 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53726 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53728 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-47954 | Microsoft SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53732 | Microsoft Office Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53734 | Microsoft Office Visio Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53735 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53736 | Microsoft Word Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53737 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53738 | Microsoft Word Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53739 | Microsoft Excel Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53765 | Azure Stack Hub Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-53769 | Windows Security App Spoofing Vulnerability | Spoofing | Important
CVE-2025-50157 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Information Disclosure | Important
CVE-2025-50155 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53783 | Microsoft Teams Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-53788 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-53789 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Elevation of Privilege | Important
CVE-2025-49712 | Microsoft SharePoint Remote Code Execution Vulnerability | Remote Code Execution | Important
CVE-2025-49755 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | Low
CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability | Elevation of Privilege | Moderate
CVE-2025-49736 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Spoofing | Moderate

Darknet Market Escrow Systems is Vulnerable to Administrator Exit Scams (https://cybersecuritynews.com/darknet-market-escrow-systems-is-vulnerable-to-administrator-exit-scams/, Sat, 09 Aug 2025 19:38:30 +0000)

Darknet markets, operating beyond the reach of traditional payment processors and legal systems, rely on escrow systems to secure cryptocurrency transactions between buyers and vendors. 

These systems, using multisignature wallets and automated release mechanisms, aim to ensure transaction security and facilitate dispute resolution.

However, vulnerabilities in centralized dispute processes and the persistent threat of exit scams highlight significant risks, as detailed in a recent analysis of darknet market operations.

Multisig Escrow: Balancing Security and Trust

Modern darknet markets commonly employ multisignature (multisig) escrow systems, typically using a 2-of-3 signature model involving the buyer, vendor, and market administrator. 

When a buyer places an order, funds are locked in a multisig address requiring two signatures to release—usually the buyer and vendor for successful transactions, with the administrator stepping in for disputes. This setup prevents any single party from accessing funds unilaterally, offering stronger security than centralized escrow systems where markets hold funds directly.

According to the Sam Bent report, in a typical transaction the market platform generates the multisig address and distributes private keys to the buyer and vendor, though some markets allow users to supply their own keys for added control. In a successful transaction, the buyer and vendor sign to release funds to the vendor without administrator involvement.

Crypto Multisignature Wallet (Credits: sambent)

In disputes, administrators use their key to allocate funds based on evidence such as shipping confirmations or product photos. While multisig wallets reduce the risk of fund theft if market servers are compromised, they still rely on trust in administrators for fair dispute resolution and require users to safeguard their private keys.

Automated Timers and Exit Scam Vulnerabilities

To streamline operations, many darknet markets use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes.

These timers, shorter for domestic orders and longer for international shipments, assume buyers will receive goods within the timeframe and only dispute problematic transactions.

Buyers can manually release funds early upon satisfactory delivery, benefiting vendors with faster payouts, while graduated release systems for large orders provide partial payments to vendors while protecting buyers.

However, these automated systems burden buyers with monitoring orders to dispute issues before deadlines, and extended escrow periods can strain vendor liquidity or tempt administrators into exit scams, where they abscond with all escrowed funds. Historical data shows exit scams dominate darknet market closures, often timed during high escrow volumes like holiday seasons. 

The centralized dispute resolution process, reliant on administrators reviewing evidence, introduces risks of bias or corruption, as administrators earn fees from transactions and resolutions, potentially skewing decisions to favor market continuity over fairness.

The inherent trust required in administrators, combined with the anonymity of darknet markets, leaves users vulnerable to systematic theft, prompting many to favor direct deals with trusted vendors or limit escrow use to minimize losses. 

As darknet markets navigate the balance between security and operational efficiency, the persistent threat of exit scams underscores the need for decentralized alternatives to reduce reliance on centralized trust models.

Europol Disrupted “NoName057(16)” Hacking Group’s Infrastructure of 100+ Servers Worldwide (https://cybersecuritynews.com/noname05716-hacking-group-disrupted/, Thu, 17 Jul 2025 09:37:13 +0000)

A coordinated international cybercrime operation successfully dismantled the pro-Russian hacking network NoName057(16), taking down over 100 servers worldwide and disrupting their central attack infrastructure. 

The joint operation, dubbed “Eastwood” and coordinated by Europol, involved 12 countries and resulted in multiple arrests, warrants, and the neutralization of a sophisticated distributed denial-of-service (DDoS) attack network that had been targeting Ukraine and its NATO allies.

Key Takeaways
1. 12 countries dismantled the pro-Russian group NoName057(16).
2. 100+ servers offline, 2 arrests, 7 warrants issued.
3. Gamified DDoS attacks with 4,000+ supporters.

The technical aspects of the operation were bolstered by private sector partnerships with ShadowServer and abuse.ch, demonstrating the critical importance of public-private collaboration in cybersecurity operations. 

Germany issued six arrest warrants for Russian nationals, identifying two individuals as the primary instigators behind NoName057(16)’s activities. 

The operation resulted in two preliminary arrests in France and Spain, 24 house searches across multiple countries, and the questioning of 13 individuals connected to the network.

DDoS Attacks Target Ukraine Supporters 

NoName057(16) operated as an ideological criminal network supporting the Russian Federation, utilizing sophisticated recruitment and motivation techniques to build a network of over 4,000 supporters. 

The group employed gamified manipulation tactics, including cryptocurrency payments, leaderboards, and badge systems to incentivize sustained participation in DDoS attacks against Ukrainian infrastructure and NATO member countries supporting Ukraine.

The cybercriminals leveraged platforms like DDoSia to simplify technical processes and provide operational guidelines, enabling rapid recruitment and deployment of new attackers.

These distributed denial-of-service attacks involved flooding target websites and online services with traffic to render them unavailable. 

The network constructed its own botnet comprising several hundred servers to amplify attack capabilities beyond individual volunteer contributions.

The operation’s success stemmed from extensive international coordination, with Europol facilitating over 30 meetings and two operational sprints while providing cryptocurrency tracing and forensic expertise. 

National authorities reached out to over 1,000 suspected supporters through messaging applications, informing them of potential criminal liability under national legislation.

Recent attacks linked to NoName057(16) included targeting Swedish authorities and banking websites in 2023-2024, over 250 German companies and institutions across 14 attack waves, and disruption attempts during the Ukrainian Peace Summit at Bürgenstock and the NATO summit in the Netherlands. 

Former U.S. Soldier Pleads Guilty for Hacking Telecommunications Companies (https://cybersecuritynews.com/u-s-soldier-pleads-guilty/, Wed, 16 Jul 2025 08:26:24 +0000)

A former Army soldier has admitted to orchestrating a sophisticated cyber attack scheme targeting telecommunications companies, using advanced hacking tools and darknet forums to steal sensitive data and extort victims for substantial ransoms. 

Cameron John Wagenius, 21, who operated under the alias “kiberphant0m,” pleaded guilty to multiple federal charges related to a conspiracy that attempted to extract at least $1 million from victim organizations between April 2023 and December 2024.

Key Takeaways
1. Former soldier Cameron Wagenius, 21, pleaded guilty to hacking telecommunications companies using "SSH Brute" tool and alias "kiberphant0m."
2. Targeted 10+ organizations from April 2023 to December 2024, coordinating attacks through encrypted Telegram chats.
3. Attempted $1 million extortion by threatening to release stolen data on darknet forums and conducting SIM-swapping attacks.
4. Faces up to 27 years in prison with sentencing scheduled for October 6, 2025.

SSH Brute Force Attacks

Wagenius and his co-conspirators employed sophisticated technical methods to breach telecommunications networks, primarily utilizing a custom hacking tool called SSH Brute to obtain unauthorized login credentials. 

The SSH (Secure Shell) brute force attack tool systematically attempted multiple password combinations to gain access to protected computer networks. 

The cybercriminals coordinated their operations through encrypted Telegram group chats, where they exchanged stolen credentials and discussed strategies for penetrating victim companies’ security systems.

The technical sophistication of the operation extended beyond basic credential theft. The conspirators demonstrated advanced persistent threat (APT) capabilities by maintaining long-term access to compromised networks while remaining undetected.

Their methodical approach involved reconnaissance phases to identify high-value targets within telecommunications infrastructure, followed by lateral movement through corporate networks to access sensitive customer databases and proprietary information.

Following successful data exfiltration, the conspirators launched a multi-pronged extortion campaign utilizing both private communications and public cybercrime forums. 

They threatened to release stolen telecommunications data on notorious darknet marketplaces, specifically BreachForums and XSS.is, unless substantial ransoms were paid. 

These platforms serve as primary venues for cybercriminals to monetize stolen data and coordinate illicit activities.

The financial impact extended beyond direct extortion attempts. The conspirators successfully sold portions of stolen data for thousands of dollars and leveraged the compromised information for SIM-swapping attacks. 

SIM-swapping involves fraudulently transferring a victim’s phone number to a criminal’s SIM card, enabling unauthorized access to two-factor authentication systems and financial accounts. 

This technique demonstrates the cascading effects of telecommunications breaches, where initial data theft enables subsequent financial crimes.

Wagenius faces severe federal penalties following his guilty plea to conspiracy to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft. 

The wire fraud conspiracy charge carries a maximum sentence of 20 years imprisonment, while the computer fraud extortion charge allows for up to five years. 

Additionally, the aggravated identity theft conviction mandates a consecutive two-year sentence, meaning this time cannot be served concurrently with other penalties.

The case represents a significant victory for federal cybercrime prosecution, involving coordination between multiple agencies, including the FBI’s Cyber Division, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and the U.S. Army’s Criminal Investigative Division. 

Wagenius’s sentencing is scheduled for October 6, 2025, with final penalties determined by federal district court guidelines.

Louis Vuitton Hacked – Attackers Stole Customers’ Personal Data (https://cybersecuritynews.com/louis-vuitton-hacked/, Mon, 14 Jul 2025 09:48:50 +0000)

Luxury fashion giant Louis Vuitton has confirmed a significant data breach affecting UK customers, marking the third cybersecurity incident to hit parent company LVMH in recent months. 

The attack, which occurred on July 2nd, represents a growing trend of sophisticated cyberattacks targeting high-end retail brands and their valuable customer databases.

Key Takeaways
1. Louis Vuitton confirmed a July 2 data breach affecting UK customers, the third LVMH attack in three months.
2. Customer names, contact details, and purchase histories were stolen, but no financial data was compromised.
3. The company notified authorities, isolated systems, and strengthened security protocols, including multi-factor authentication.
4. This follows similar attacks on M&S, Co-op, and Harrods, highlighting the need for enhanced cybersecurity in luxury retail.

Louis Vuitton’s Customer Data Exposed

According to Dior’s statement, the unauthorized third-party attackers successfully infiltrated Louis Vuitton’s UK operational systems through what security experts classify as a SQL injection or credential stuffing attack. 

The compromised data includes customer names, contact details, and complete purchase histories – information that could be leveraged for social engineering attacks and identity theft schemes. 

While the company has implemented encryption protocols for financial data, the breach demonstrates vulnerabilities in their perimeter security and network segmentation.

The attack vector likely exploited zero-day vulnerabilities in the company’s customer relationship management (CRM) systems, bypassing standard intrusion detection systems (IDS) and web application firewalls (WAF).

Cybersecurity analysts suggest the breach may have utilized advanced persistent threat (APT) techniques, allowing attackers to maintain lateral movement within the network for extended periods before detection.

This breach is part of a broader pattern targeting luxury retailers, with Marks & Spencer, Co-op, and Harrods experiencing similar attacks. 

The threat landscape has evolved to include ransomware-as-a-service (RaaS) operations and supply chain attacks targeting high-value customer data. 

Recent arrests of four individuals, including a 17-year-old from the West Midlands, highlight the involvement of organized cybercrime groups utilizing botnets and credential harvesting techniques.

Louis Vuitton’s Incident Response

Louis Vuitton’s incident response team has implemented network isolation protocols and engaged digital forensics specialists to conduct a comprehensive threat assessment. 

The company has notified the Information Commissioner’s Office (ICO) in compliance with GDPR Article 33 requirements, which mandate breach notification within 72 hours of discovery.

Penetration testing and vulnerability assessments are now being conducted across all LVMH subsidiaries to identify potential attack surfaces.

The organization has deployed additional endpoint detection and response (EDR) solutions and strengthened their multi-factor authentication (MFA) protocols. 

Security teams are implementing behavioral analytics and machine learning algorithms to detect anomalous access patterns and prevent future privilege escalation attempts.

Industry experts recommend implementing zero-trust architecture, regular security audits, and comprehensive employee training programs to combat these evolving threats. 

The luxury retail sector must prioritize data governance and privacy-by-design principles to protect customer information from increasingly sophisticated cyber adversaries.

Gamers Playing Call of Duty Hacked – RCE Exploited Let Players Hack Other Players’ PCs (https://cybersecuritynews.com/gamers-playing-call-of-duty-hacked-rce-exploited/, Mon, 07 Jul 2025 18:38:10 +0000)

Call of Duty: WWII has been pulled offline after reports of a serious remote code execution vulnerability that allowed malicious players to take complete control of other gamers’ computers during live multiplayer matches.

On Saturday, the Call of Duty development team announced that the PC version of Call of Duty: WWII had been taken offline following “reports of an issue.”

What initially appeared to be a routine technical problem has since been revealed as a critical security vulnerability that put thousands of PC gamers at risk.

The issue centers around a remote code execution (RCE) exploit that allowed attackers to run malicious code on victims’ machines without their consent or physical access.

This vulnerability became particularly problematic just days after the 2017 title arrived on Microsoft’s Game Pass subscription service, following Microsoft’s acquisition of Activision in 2023.

Hackers Wreaking Havoc During Live Games

Reports from affected players paint a disturbing picture of the exploit’s capabilities. During live multiplayer matches, malicious players were able to remotely access other participants’ computers and execute a range of invasive actions.

Victims reported that attackers were opening command prompts on their PCs, sending mocking messages through Notepad, forcing remote shutdowns of their computers, and even changing desktop wallpapers to display inappropriate content.

The vulnerability exclusively affects Windows PC gamers, as console systems generally don’t allow this level of code execution.

This technical limitation means that only players accessing the game through platforms like Game Pass and potentially Steam were at risk.

Peer-to-Peer Network Architecture Creates Security Gap

The root of the problem appears to lie in Call of Duty: WWII’s reliance on peer-to-peer (P2P) networking for its multiplayer matches.

In this system, one player’s machine acts as the server for the entire match, creating potential entry points for malicious actors to exploit vulnerabilities in other players’ systems.

This security flaw isn’t entirely surprising to the Call of Duty community, where the hacking of older titles has become something of an “open-air secret.”

Many experienced players have long avoided playing legacy Call of Duty games on Steam due to similar security concerns.

Activision’s Response and Future Updates

There is considerable speculation within the gaming community about Activision’s plans to update the game’s anti-cheat system, known as “Ricochet,” as the title has been increasingly plagued by various forms of abuse.

However, whether and how this update will address the specific RCE vulnerability remains unclear.

What Players Should Do

Security experts and gaming communities are urging players to take immediate precautions while waiting for an official patch.

The recommended steps include avoiding Call of Duty: WWII on PC entirely, particularly the Microsoft Store and Game Pass versions, until Activision releases a comprehensive security update.

Players should also ensure their systems are protected by installing security updates promptly, maintaining active anti-malware software, and monitoring official Activision channels for updates on the fix.

This incident serves as a stark reminder that even established gaming titles can pose significant security risks to players’ entire computer systems, extending far beyond mere gameplay disruption into the realm of serious cybersecurity threats.
