AppSec & Supply Chain Security | August 17, 2023

The Week in Security: Researchers hack 'unbreakable' card-shuffling hardware, Discord.io shut after breach

A Week of Breaches: The Intersection of Physical and Digital Security Failures

Kate Tenerowicz

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security. This week: Researchers kick it Ocean's Eleven style with an attack on card shuffling machines. Also: A software vulnerability could be behind a breach that shut down Discord's invite system.

This Week’s Top Story

Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating

History has shown us that there are few better ways of getting a piece of technology hacked than to declare it secure and "un-hackable." The latest case in point: the Deckmate 2, an automated card shuffling machine used in casinos around the world. After an alleged incident of cheating in a high-stakes poker tournament prompted an official investigation, which declared that the Deckmate shuffling machine "is secure and cannot be compromised," three IOActive researchers took up the implicit challenge. Spoiler alert: the Deckmate was, in fact, hackable.

In a talk at Black Hat, researchers Joseph Tartaro, Enrique Nissim and Ethan Shackelford of IOActive presented the results of a months-long investigation into the Deckmate. As reported by WIRED, the three found that attackers could employ a simple USB-enabled minicomputer to gain total control over the machine, potentially allowing a poker player to know exactly what cards the dealer and other players hold and, thus, become unstoppable at the table.

Tartaro and his fellow researchers were able to alter the shuffler's code to hijack the machine and tamper with the shuffling process. They were also able to access an internal camera on the Deckmate, giving them the ability to know exactly which cards were being dealt and to whom. However, the IOActive researchers have not yet been able to engineer a technique that allows them to choose the exact order of cards via this remote access. Light & Wonder, the maker of Deckmate, said in emails to the researchers that it is in the process of patching the issues they discovered. The company denies that the compromises have been used against machines deployed on a casino floor.

News Roundup

Here are the stories we’re paying attention to this week…

Discord.io Temporarily Shuts Down Amid Breach Investigation (Dark Reading)

Discord.io — a third-party service that allows people to send Discord invites — has gone offline for the foreseeable future after a security breach that saw the information of 760,000 users downloaded by malicious actors and posted for sale on the dark web. No one has claimed credit for the attack, but the company believes the breach was made possible by a vulnerability in its code. The stolen information includes both sensitive and nonsensitive data, including usernames, Discord IDs, email addresses, billing addresses, and passwords, as well as coin balances, API keys, and more.

Hacktivists attack Japanese government over Fukushima wastewater release (The Register)

Operation 'Tango Down' launched this month. Run by hacktivist group The Anonymous Italia Collective, the operation included "cyber protests" (aka "attacks") against 21 facilities and websites associated with the Fukushima Daini Nuclear Power Plant. The group and its operation are responding to the decision by the power plant, the Japanese government, and the International Atomic Energy Agency to allow the release of a million tons of treated — radioactive — wastewater into the environment.

Threat actors use beta apps to bypass mobile app store security (Bleeping Computer)

The Federal Bureau of Investigation (FBI) issued a warning about malicious 'beta' versions of cryptocurrency investment apps that cybercriminals promote on popular mobile app stores. The 'beta' versions are actually malware designed to steal cryptocurrencies and personally identifiable information (PII). These applications make it onto the app stores because the 'beta' label allows them to bypass the normal rigorous code review process.

QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord (The Hacker News)

A new remote access trojan (RAT) called QwixxRAT is being advertised for sale on Telegram and Discord platforms. The trojan is available in a limited free version, weekly access to the complete version for 150 rubles ($1.60 USD), and lifetime access for 500 rubles ($5.35 USD). Once installed onto Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers. The data it collects can be any combination of browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files matching certain extensions, and data from various applications.

Microsoft Cloud Security Woes Inspire DHS Security Review (Dark Reading)

The US Department of Homeland Security (DHS) last week kicked off an investigation into the threat of cyberattacks against cloud computing environments. The announcement followed criticism of Microsoft’s handling of a major Azure cloud infrastructure attack. On August 11th, U.S. Secretary of Homeland Security Alejandro N. Mayorkas announced that the Cyber Safety Review Board (CSRB) will conduct its next review on the malicious targeting of cloud computing environments. In particular, CSRB will "assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers," the statement said. CSRB will develop "actionable recommendations" to advance cybersecurity practices for both cloud computing customers and cloud service providers, Mayorkas said.
