Earlier today, Crunchyroll parent company Ellation published a blog post about yesterday’s Crunchyroll hack. In the post, Ellation reps explained that, at 6:30AM Eastern (3:30AM Pacific), individuals gained access to Crunchyroll’s Cloudflare configuration.
These users set Crunchyroll’s DNS configuration to point to a non-Crunchyroll-hosted server. As many saw yesterday, this was the site that asked users to download the malware “CrunchyViewer.exe”. According to Ellation, the application directly targeted Windows PC users.
Ellation pulled the main Crunchyroll page down at 9:00AM Eastern (6:00AM Pacific), and managed to secure access to the Cloudflare dashboard, where they restored the proper DNS configurations. As a result, Crunchyroll was back up by noon Eastern (9:00AM Pacific), with full service restored by 12:30PM Eastern (9:30AM Pacific).
The attack was strictly targeted at Cloudflare, leaving Crunchyroll’s main servers unharmed. No user data was accessed, meaning that logins, credit card numbers, and the like were not at risk.
For folks who downloaded and installed CrunchyViewer.exe, Ellation offered the following to remove it from your system:
- Delete “CrunchyViewer.exe” from your file system
- Remove the malicious “Java” Run key (You can find information on how to edit the Windows Registry in the Microsoft support database if you are unfamiliar with the steps)
  - Open Regedit, and browse to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Delete the Java key
- Remove the malicious binary, by navigating to: %appdata%\Roaming (for example: C:\Users\Yourusername\AppData\Roaming\)
  - Delete the ‘svchost.exe’ file
- Perform a scan with your installed antivirus product
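The registry and file checks in the steps above can be scripted. The following PowerShell is an added example, not Ellation's own tooling; the function name is hypothetical, and it assumes “Java” is a value name under the Run key and that svchost.exe sits directly in the Roaming folder shown in the example path. It does not look for the downloaded CrunchyViewer.exe, whose location depends on where it was saved.

```powershell
# Added example, not Ellation's tooling. Checks the current user's profile for the
# two artifacts named in the removal steps and, with -Remove, deletes them.
function Test-CrunchyViewerArtifacts {
    [CmdletBinding()]
    param([switch]$Remove)

    $runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $dropPath = Join-Path $env:APPDATA 'svchost.exe'   # assumption: file sits directly in Roaming
    $findings = @()

    # Assumption: "Java" is a value name under the Run key, as the steps imply.
    $run = Get-ItemProperty -Path $runKey -Name 'Java' -ErrorAction SilentlyContinue
    if ($run) {
        # Record what the autorun entry launches before touching it.
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\Java"; Detail = $run.Java }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Java' }
    }

    # The genuine svchost.exe lives under %SystemRoot%, not in a user profile.
    if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
        # Hash first so the sample can still be identified after deletion.
        $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Detail = "SHA256 $hash" }
        if ($Remove) {
            # Stop any copy running from this exact path so the file can be deleted.
            Get-Process -Name 'svchost' -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $dropPath } | Stop-Process -Force
            Remove-Item -LiteralPath $dropPath -Force
        }
    }

    if (-not $findings) { Write-Host 'No Run value named Java and no svchost.exe in Roaming.' }
    $findings
}

Test-CrunchyViewerArtifacts            # report only
# Test-CrunchyViewerArtifacts -Remove  # report, then delete what was found
```

Run it as the affected user, since both locations are per-user; the antivirus scan in the last step is still needed afterwards.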
Regardless of whether you actively ran the application, Ellation suggests a full virus scan with your chosen program. Further questions are being directed to Crunchyroll’s Customer Support line.
Ellation’s post comes on the heels of yesterday morning’s events, which saw the world’s biggest anime service slammed by a cyber attack. Specifically, the site was hit by a domain hijacking attack, which sees an attacker taking control of a domain, thus allowing them to redirect users to a potentially malicious website.
Crunchyroll’s German account was the first to raise the alarm for users. According to their account, the American social media managers “weren’t awake” at the time.
Our American Social Media colleagues aren't awake at the moment (it's 5 AM there)
— Crunchyroll.de (@Crunchyroll_de) November 4, 2017
This is the latest in a string of hacks targeting anime websites. In August, Anime News Network was taken down in a similar domain name hijacking attack. In September, we at Anime Herald were taken out by vandals.