
Hackers infect multiple game developers with advanced malware


    Researchers from Slovakian security company ESET have tied the attacks to Winnti, a group that has been active since at least 2009 and is believed to have carried out hundreds of mostly advanced attacks. Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organizations. Winnti has been tied to the 2010 hack that stole sensitive data from Google and 34 other companies. More recently, the group has been behind the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people. Winnti carried out a separate supply-chain attack that installed a backdoor on 500,000 ASUS PCs.


    The recent attack used a never-before-seen backdoor that ESET has dubbed PipeMon. To evade security defenses, PipeMon installers bore the imprimatur of a legitimate Windows signing certificate that was stolen from Nfinity Games during a 2018 hack of that gaming developer. The backdoor—which gets its name for the multiple pipes used for one module to communicate with another and the project name of the Microsoft Visual Studio used by the developers—used the location of Windows print processors so it could survive reboots. Nfinity representatives weren't immediately available to comment.


    Windows requires certificate signing before software drivers can access the kernel, which is the most security-critical part of any operating system. The certificates—which must be obtained from Windows-trusted authorities after purchasers prove they are providers of legitimate software—can also help to bypass antivirus and other end-point protections. As a result, certificates are frequent plunder in breaches.


    Despite the theft coming from a 2018 attack, the certificate owner didn’t revoke it until ESET notified it of the abuse. Tudor Dumitras, co-author of a 2018 paper that studied code certificate compromises, found that it wasn’t unusual to see long delays for revocations, particularly when compared with those of TLS certificates used for websites. With requirements that Web certificates be openly published, it’s much easier to track and identify thefts. Not so with code-signing certificates.
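    The article names two things a defender can actually check for: a DLL planted in the Windows print-processor location so it survives reboots, and a stolen code-signing certificate that stayed unrevoked for a long time. The script below is an added example, not code from the article, ESET or Nfinity; it lists the print-processor DLLs the spooler will load and verifies each one's Authenticode signature with an explicit online revocation check. It assumes a 64-bit Windows host (the `Windows x64` environment key and `prtprocs\x64` directory), rights to read HKLM and the spool directory, and network reach to the issuing CA for CRL/OCSP.

```powershell
# Added defensive check (not from the article or ESET): enumerate the print
# processor DLLs Windows will load into the spooler and verify each one's
# Authenticode signature, including an online revocation check of the
# signing certificate. Assumes 64-bit Windows and rights to read HKLM and
# the spool directory.

function Get-PrintProcessorDll {
    # Each subkey under "Print Processors" carries a 'Driver' value naming a
    # DLL that the spooler loads from %SystemRoot%\System32\spool\prtprocs\x64.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
    $dllDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
    foreach ($sub in Get-ChildItem -Path $envKey -ErrorAction Stop) {
        $driver = (Get-ItemProperty -Path $sub.PSPath).Driver
        if ($driver) {
            [PSCustomObject]@{
                Processor = $sub.PSChildName
                Path      = Join-Path $dllDir $driver
            }
        }
    }
}

function Test-SignedAndNotRevoked {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Status = 'Missing'; Signer = $null; Revoked = $null }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $revoked = $null
    if ($sig.SignerCertificate) {
        # Build the signer's chain with online revocation checking turned on
        # explicitly, so a certificate revoked after the fact is flagged even
        # though the signature itself still verifies.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $null    = $chain.Build($sig.SignerCertificate)
        $flag    = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status.HasFlag($flag) })
    }

    [PSCustomObject]@{
        Path    = $Path
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $sig.SignerCertificate.Subject
        Revoked = $revoked
    }
}

# A default install lists only the built-in winprint entry. Any extra
# processor, a Status other than Valid, or Revoked = True deserves a look.
Get-PrintProcessorDll | ForEach-Object { Test-SignedAndNotRevoked -Path $_.Path } | Format-Table -AutoSize
```

    Run it as an administrator on the hosts you want to baseline; the same two functions work on any other DLL path you feed to `Test-SignedAndNotRevoked`, so the revocation half is reusable for checking third-party installers signed with certificates you do not fully trust.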


    Is nothing sacred anymore? These kinds of attacks have been going on for a while. MSPs have been attacked by bad actors due to it being a similar method of getting into many, many systems. I guess this is a stretch of the imagination on this one. It really makes you just not trust anything at all. Will it be we have to worry about installing games from Steam in the future? One would hope not. The fact the bad actors took advantage of code signature and certificates isn't a new idea, but can be devastating in the long run if not detected.

    It is unfortunate things have come to this. However, it goes to show game devs now have to be even more conscious of security than ever before. Nothing is too sacred to be exploited.
