These are not toys. Game vulnerabilities as a threat to the employer
Bugs and vulnerabilities in computer games are common, especially in games released years ago. That is understandable: developers find it more profitable to invest in new projects than to maintain old ones. As a result, well-loved games gradually turn into a beachhead for attackers. Everyone is in the crosshairs: developers, players and even the players' employers.
Yes, we may be laying it on thick. But news about dangerous defects in popular games appears regularly, and at the same time remote employees connect to corporate systems from the same PCs that run shooters with vulnerabilities dating back to 2015.
In this article we will try to find out:
How often vulnerabilities are found and fixed in popular games.
How much of a risk employees who like to play computer games pose.
What protective measures companies use to cover such threats.
What are we talking about?
By and large, a computer game is an ordinary program. It is written by people, and people write code with errors or miss bugs during testing.
Captain Obvious speaking, but it is a fact.
The CVE (Common Vulnerabilities and Exposures) lists are proof of this. Out of curiosity we looked at the aggregator Vulners and checked the data for one of Steam's most played games, Dota 2. We found 5 CVEs there, all fairly severe, with an average CVSS score of 7.8 out of 10.
Another example is Counter-Strike. For this all-time classic shooter we found 5 CVEs with an average CVSS of 7.76. The franchise also remains a convenient target for practising hacking skills: in December 2023 the Counter-Strike 2 community showed how an XSS attack could be carried out against players through the new feature for adding pictures to the chat.
Another bestseller, GTA Online, has had problems too. The bug recorded as CVE-2023-24059 was discovered and registered in January 2023. The defect allowed an attacker not only to delete players' accounts but also to install malicious software on their devices.
Of course, CVEs do not give a complete picture of the actual number of vulnerabilities in games. Such records cover defects that have been publicly disclosed, and usually ones the vendor has already fixed. How many problems the products of the gaming industry really contain, we can only guess.
At the same time, vendors often know about defects but are in no hurry to fix them. This happened with Call of Duty: Black Ops III, released back in 2015. The game has RCE vulnerabilities that were reported to the developer, Activision, but the company has ignored such reports for years.
The Black Ops III vulnerabilities, meanwhile, allow an attacker in the same network as the victims to take control of their computers. Tired of waiting for updates, users have ended up patching the game themselves; you can read how on GitHub.
The main threats
Most incidents involving gamers as victims are plain phishing. Such schemes usually work through chats, forums and other community platforms. The popularity of phishing is easy to explain: it is the easiest and cheapest way to reach a criminal goal. The most banal example is a money scam in the style of "you bought something from me but never paid".
Exploiting game vulnerabilities is much harder: the attacker needs technical skills and experience. Such attacks still happen, though incidents usually boil down to plain theft of user accounts. This is what happened to one of the best-known skin collectors in CS:GO: in 2022 someone obtained the credentials for his Steam account and began selling off his skins, whose total value was estimated at 2 million dollars.
Less often, attackers use vulnerabilities to get into the developer's own infrastructure. If they get lucky, they can harvest user credentials, encrypt company files and continue down the list of typical attacks on businesses.
We found no public accounts of companies outside game development being harmed through vulnerabilities in games; at least, none with official confirmation. (If you have examples, please share them in the comments.)
We can, however, imagine such attack scenarios. To do so, let us assume that the most talked-about vulnerabilities of 2022-2023 were never fixed by the developers and remained in attackers' arsenals.
December 2023: Counter-Strike 2
December 5, 11:00 a.m. An XSS vulnerability is found in the popular shooter that gives access to players' personal data. The community is asked to refrain from launching the game until it is updated.
December 6, 7:30 p.m. Oleg, a fan of "Counter", comes home from work and sits down in his gaming chair. Meanwhile the attacker Anton changes the nickname in his Steam profile to HTML code containing a link to an image with malicious code embedded in it. Anton then starts an in-game vote to kick one of the team members. When the voting window appears on Oleg's screen, the malicious code executes and steals his credentials.
December 17, 10:11 a.m. Anton puts the database of stolen credentials up for sale on the darknet. Igor, who is well practised in phishing attacks, buys it immediately.
December 18, 12:19 p.m. Igor quickly cross-references the data with his own databases and realises that he now has the contact details of the director of a well-known chain of beauty salons.
December 19, 3:30 p.m. Oleg, director and "Counter" lover, receives an email from Igor, who introduces himself as a system administrator. In the message the attacker writes that he is updating the credentials of the company's employees and asks Oleg to send his current logins and passwords for his workstation and domain resources. Then, to be more convincing, he calls Oleg and repeats all of this by phone.
December 19, 4:05 p.m. Igor receives the coveted credentials, enters the corporate network and downloads the database with the personal data of the company's clients.
Of course, actually carrying out such an attack is much harder. It is no longer the early 2000s; users have become more vigilant. Most likely the criminal would have to use a look-alike domain, match the page design to the company's corporate style as closely as possible, build a fake form for collecting data, and so on. But by and large the scenario itself would stay the same.
January 2022: Dark Souls
January 11, 7:00 p.m. Over several years, Bandai Namco has received many reports from users about RCE vulnerabilities that can be used to take control of a player's device. Oleg ignores all such news, so he sits down in his favourite gaming chair, disables the antivirus (we will come back to this point later) and starts Dark Souls.
January 11, 7:22 p.m. The attacker Anton exploits the vulnerability and silently installs a keylogger on the victim's PC.
January 12, 10:30 a.m. The malware intercepts Oleg's credentials for remote access to the corporate document management system and passes them to Anton.
January 12, 11:23 a.m. Anton works for a ransomware group. The attackers gain access to all of the company's documents, encrypt the files and demand a ransom of 10 million rubles from Oleg.
This case also leaves out many details and possible variations of the individual stages, but the essence is the same: it is better not to use vulnerable software.
What other risks are there?
We love computer games. But we also understand that gamers are a very diverse community, and among them there are both cautious users and characters who make particularly attractive targets for attackers.
Torrent lovers certainly belong to the latter. As "Data" writes, citing an expert from XYZ School, in 2023 73% of Russian gamers played at least one pirated copy, and the share of such users is growing: in 2022 it was 69%.
Illegally obtained installation files often contain malware. Most pirated software, especially what is downloaded from torrents and similar resources, usually comes with backdoors, notes a Positive Technologies expert in an interview with Habr.
Another caste of gamers are those who disable antivirus and firewall while playing (like the victim Oleg in the example above). Some abandon protection altogether because it reduces performance and gets in the way of gameplay, although how much performance actually changes is debatable.
The programs gamers actively use alongside games carry many threats too; they also have critical security flaws.
Steam and other game distribution platforms
A particularly dangerous vulnerability in Steam was discovered in 2020. Using it, an attacker could take over hundreds of thousands of computers without gamers having to click on a malicious email or link. Unlike other vulnerabilities, the victims were affected without knowing it: all they had to do was launch the game.
In 2023, intruders compromised the accounts of hundreds of developers on the Steam platform and added malware to their games. The vendor quickly discovered the problem and informed users about it.
Discord and other tools for communicating with the team
There are many reports of problems with the product. For example, last year the developer acknowledged a leak of the data of 760 thousand users, caused by an employee's error.
GeForce Experience, OBS Studio and other programs for video recording, FPS estimation, etc.
In 2020, the developer of GeForce Experience patched two serious holes at once. One of them (CVE-2020-5977) received a CVSS score of 8.2 and could lead to a variety of attacks on affected systems, including code execution, denial of service, elevation of privilege and information disclosure.
AutoHotKey and analogs for configuring keyboard and mouse buttons
In 2021, Morphisec Labs experts reported malicious campaigns that used AutoHotkey. With it, criminals distributed remote access Trojans, including Revenge RAT, LimeRAT, AsyncRAT, Houdini and Vjw0rm, to victims' devices.
Spotify and other services for listening to music while playing
In 2020, following a data leak, Spotify reset the passwords of 350 thousand users, although in its official statement the company said the problem affected only a small share of accounts.
And finally, game mods can be dangerous too. Examples are rare, but they exist. In 2022 Steam banned the modder Chaos (Holy Water), who had built an auto-updater into his mods for Cities: Skylines. With its help he remotely installed Trojans and other malware on the devices of 35,000 players.
How to protect your company
Computer games are software that is usually installed on end-user devices, so the main thing here is to ensure security at the endpoint level.
The tips are obvious, but it is better to repeat them than to stay silent:
check that the antivirus is enabled on the devices and when it was last updated,
monitor the versions of the operating systems in use,
monitor the devices connecting to the network,
implement Zero Trust, a security model with continuous checks of devices, identities and services,
use data encryption and a password policy,
control which programs are installed.
Fortunately, many of these tasks and threats are covered by the standard functionality of NGFW and VPN solutions, multi-factor user authentication and other common security measures.
And of course, it makes sense to consider VDI. A virtual desktop is isolated from the user's device, so even if the PC has an old version of the operating system or no antivirus, it is far less of a risk to the company's security. One caveat: a keylogger on the endpoint, as in the Dark Souls scenario above, can still capture the credentials used to log in to the virtual desktop, so VDI should be combined with multi-factor authentication and device posture checks rather than relied on alone.