
Hackers infect multiple game developers with advanced malware

Pickles von Brine
Quote

Researchers from Slovakian security company ESET have tied the attacks to Winnti, a group that has been active since at least 2009 and is believed to have carried out hundreds of mostly advanced attacks. Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organizations. Winnti has been tied to the 2010 hack that stole sensitive data from Google and 34 other companies. More recently, the group has been behind the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people. Winnti carried out a separate supply-chain attack that installed a backdoor on 500,000 ASUS PCs.

 

The recent attack used a never-before-seen backdoor that ESET has dubbed PipeMon. To evade security defenses, PipeMon installers bore the imprimatur of a legitimate Windows signing certificate that was stolen from Nfinity Games during a 2018 hack of that gaming developer. The backdoor—which gets its name for the multiple pipes used for one module to communicate with another and the project name of the Microsoft Visual Studio used by the developers—used the location of Windows print processors so it could survive reboots. Nfinity representatives weren't immediately available to comment.


pipemon-schematic.jpg


...

Windows requires certificate signing before software drivers can access the kernel, which is the most security-critical part of any operating system. The certificates—which must be obtained from Windows-trusted authorities after purchasers prove they are providers of legitimate software—can also help to bypass antivirus and other end-point protections. As a result, certificates are frequent plunder in breaches.
 

Despite the theft coming from a 2018 attack, the certificate owner didn’t revoke it until ESET notified it of the abuse. Tudor Dumitras, co-author of a 2018 paper that studied code certificate compromises, found that it wasn’t unusual to see long delays for revocations, particularly when compared with those of TLS certificates used for websites. With requirements that Web certificates be openly published, it’s much easier to track and identify thefts. Not so with code-signing certificates.

Source

Is nothing sacred anymore? These kinds of attacks have been going on for a while. MSPs have been attacked by bad actors because it is a similar method of getting into many, many systems. I guess this is a stretch of the imagination on this one. It really makes you just not trust anything at all. Will we have to worry about installing games from Steam in the future? One would hope not. The fact that the bad actors took advantage of code signatures and certificates isn't a new idea, but it can be devastating in the long run if not detected.

It is unfortunate things have come to this. However, it goes to show game devs now have to be even more conscious of security than ever before. Nothing is too sacred to be exploited.

Be sure to @Pickles von Brine if you want me to see your reply!

Stopping by to praise the all mighty jar Lord pickles... * drinks from a chalice of holy pickle juice and tossed dill over shoulder* ~ @WarDance
3600x | NH-D15 Chromax Black | 32GB 3200MHz | ASUS KO RTX 3070 UnderVolted and UnderClocked | Gigabyte Aorus Elite AX X570S | Seasonic X760w | Phanteks Evolv X | 500GB WD_Black SN750 x2 | Sandisk Skyhawk 3.84TB SSD 
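Added example, not code from the Ars article, from ESET, or from anyone in this thread: a PowerShell audit of the print-processor registrations the spooler loads at boot, which is the persistence location the article describes PipeMon using. It assumes Windows PowerShell 5.1 on a Windows 10 host with administrator rights, and that a stock install registers only winprint (the `$Known` allowlist is an assumption to extend for your own machines); the `Test-SignerChain` helper is mine, not part of Windows.

```powershell
# Added example (not from the article or any poster): audit print-processor registrations.
# Assumes Windows PowerShell 5.1, Windows 10, run as Administrator.
# Assumed allowlist: a stock machine registers only 'winprint' -> winprint.dll.

$EnvRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$Known   = @('winprint.dll')

# Build the signer's chain with online revocation checking. Get-AuthenticodeSignature alone
# does not say whether the leaf certificate has since been revoked, and the article's point is
# that revocation of stolen code-signing certificates can lag by years.
function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    # An offline host reports RevocationStatusUnknown/OfflineRevocation; treat that as unverified, not good.
    $status = if ($ok) { 'ChainOK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
    $chain.Reset()
    return $status
}

function Get-PrintProcessorAudit {
    foreach ($envKey in Get-ChildItem $EnvRoot) {
        $ppKey = Join-Path $envKey.PSPath 'Print Processors'
        if (-not (Test-Path $ppKey)) { continue }
        # Each environment key names the subdirectory (x64, W32X86, ...) its DLLs are loaded from
        $subdir = (Get-ItemProperty $envKey.PSPath).Directory
        foreach ($pp in Get-ChildItem $ppKey) {
            $driver = [string](Get-ItemProperty $pp.PSPath).Driver
            $path   = Join-Path "$env:SystemRoot\System32\spool\prtprocs\$subdir" $driver
            $exists = Test-Path $path
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $chain  = if ($sig -and $sig.SignerCertificate) { Test-SignerChain $sig.SignerCertificate } else { 'NoSigner' }
            [pscustomobject]@{
                Environment = $envKey.PSChildName
                Processor   = $pp.PSChildName
                Driver      = $driver
                Path        = $path
                Exists      = $exists
                SigStatus   = if ($sig) { $sig.Status } else { 'Missing' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Chain       = $chain
                # A stolen-but-valid certificate still yields SigStatus=Valid, which is exactly the
                # PipeMon trick, so anything off the allowlist is flagged regardless of signature state.
                Suspicious  = ($Known -notcontains $driver.ToLower()) -or (-not $sig) -or
                              ($sig.Status -ne 'Valid') -or ($chain -ne 'ChainOK')
            }
        }
    }
}

Get-PrintProcessorAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The allowlist is the part doing the real work: a signature check would have passed a PipeMon installer, since the certificate was genuine, so the audit treats "signed by someone" as necessary but not sufficient and flags any print processor it has not seen before, plus any whose signer chain no longer builds cleanly.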


8 minutes ago, Pickles - Lord of the Jar said:

It is unfortunate things have come to this. However, it goes to show game devs now have to be even more conscious of security than ever before. Nothing is too sacred to be exploited.

Good thing game devs don't write kernel level code or use DRM that makes use of such code. Just imagine if a developer infected this way is exploited to put code into the kernel. Oh, wait…

Remember to either quote or @mention others, so they are notified of your reply


It's sad that infosec isn't taken more seriously. I see it often with smaller clients; they won't do anything until it's too late. Many of our recent clients from the last 5 years are smaller companies that got compromised by a virus or cryptolocker and contracted us to do damage control.

 

Then a year or 2 later, they fall back into that sense of protection because "they did something", without really acknowledging they have to stay up to date on everything, including backup infrastructure. And when we propose something, it's often questioned as either "does it need to be that expensive?" or "are you guys trying to sell us unnecessary stuff?".

 

Thankfully it's not an issue we have with bigger clients.

If you need help with your forum account, please use the Forum Support form !


The problem is that the named pipe is an open connection. Yes, it is one of the many possible IPC (inter-process communication) protocols, but it's not a 1-to-1 connection like the more common TCP is. Anything can read from it once it's running. It's useful for sending harmless information such as notifications, but for actually sending sensitive data it is simply ridiculous. Whoever let that pass is completely insane. I doubt it's the developer's fault. He must have been forced to use that method, as it's not ethical.
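Named pipes on Windows are securable objects like files and registry keys, so who may open one is decided by the DACL the server creates it with. Added example, not code from any poster or from the article: it creates one pipe with whatever default descriptor the platform hands out and one with an explicit DACL, and prints both so you can compare them on your own machine. It assumes Windows PowerShell 5.1 (.NET Framework), where `NamedPipeServerStream` still has the constructor overload that takes a `PipeSecurity`; the pipe names are made up.

```powershell
# Added example (not from any poster): compare a default named-pipe DACL with an explicit one.
# Assumes Windows PowerShell 5.1 / .NET Framework. Pipe names are invented for the demo.

Add-Type -AssemblyName System.Core

function Get-PipeAcl([System.IO.Pipes.NamedPipeServerStream]$Server) {
    # Resolve SIDs to account names so the listing is readable
    $Server.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, PipeAccessRights, AccessControlType
}

# 1) No security descriptor supplied: the pipe inherits the creator's default DACL
$default = New-Object System.IO.Pipes.NamedPipeServerStream('demo-default-pipe', [System.IO.Pipes.PipeDirection]::InOut)
'Default DACL:'
Get-PipeAcl $default | Format-Table -AutoSize
$default.Dispose()

# 2) Explicit DACL: only the creating account may connect, and the default ACEs are dropped
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$sec = New-Object System.IO.Pipes.PipeSecurity
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
    $me,
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)))
$sec.SetAccessRuleProtection($true, $false)   # protected DACL, do not preserve inherited entries

$restricted = New-Object System.IO.Pipes.NamedPipeServerStream(
    'demo-restricted-pipe',
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                            # max server instances
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,                                   # in/out buffer sizes
    $sec)
'Restricted DACL:'
Get-PipeAcl $restricted | Format-Table -AutoSize
$restricted.Dispose()
```

The second listing is what a server that carries sensitive data should look like: one allow entry for the account that is meant to talk to it and nothing else. Whether the first listing grants broader access is something to read off your own output rather than assume, since the default descriptor comes from the creating token.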


3 minutes ago, wkdpaul said:

It's sad that infosec isn't taken more seriously.

It's not just infosec, sadly. It's often any kind of maintenance that has no immediately obvious benefit to a company's bottom line. We've had to fight tooth and nail to be allowed to update some aging dependencies. Of course, when those dependencies caused us to fail a pentest and risk losing an important client, suddenly it's maximum priority and we get the blame for not doing anything sooner 🤦‍♂️



6 minutes ago, Eigenvektor said:

Of course, when those dependencies caused us to fail a pentest and risk losing an important client, suddenly it's maximum priority and we get the blame for not doing anything sooner 🤦‍♂️

*sigh*

 

totally, that's the most frustrating part of the job!

 

Reminds me of that time a client got angry at us because part of their website wasn't properly secured (you needed to log into the website to view confidential information about orders and client info, but that login was useless since you could browse the pages behind the login regardless, and so apparently Google's crawler had mapped everything :O). We got blamed of course... thing is, we don't do website development, maintenance or hosting. It was quite a pleasure to see the boss's email basically telling the client "sorry, not our problem, please check with your website dev for that!"

 

lol

Edited by wkdpaul



3 minutes ago, Eigenvektor said:

has no immediately obvious benefit to a company's bottom line.

They will reject even those that have that, like ditching Windows and small-form-factor PCs for displays that run a freakin' web browser 24/7 in favor of RPi0s. I had a hard time keeping myself from laughing like a maniac. They basically rounded up all the lame excuses there are against Linux.... 🤣


57 minutes ago, Pickles - Lord of the Jar said:

Is nothing sacred anymore? These kinds of attacks have been going on for a while.

To nation-state-backed cyber operators, no, nothing is sacred:
 

57 minutes ago, Pickles - Lord of the Jar said:

Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organizations. Winnti has been tied to the 2010 hack that stole sensitive data from Google and 34 other companies. More recently, the group has been behind the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people. Winnti carried out a separate supply-chain attack that installed a backdoor on 500,000 ASUS PCs.

Some of these operations are only within the bounds of nation state actors. 

Notably, Winnti is widely believed to be, or at least to be backed by, the Chinese government, and this target/op list supports that view: the Chinese government is known to dislike journalists, games, Taiwan (officially called the Republic of China, which China believes it owns; they have also gone so far as to get organizations like the WHO to ban Taiwan from membership, and China does not recognize the sovereignty of Taiwan), and Tibetan activists, who speak very freely about the oppression of the Chinese government.

ENCRYPTION IS NOT A CRIME


What I don't get is why it is possible to gain external access to signing certificates anyway. Surely the safest option is to keep that certificate on an offline machine; you only need to use it once per build. Not exactly a laborious task to format a USB drive, copy the project over, do whatever needs doing, then copy it back.


Supply chain attacks. Easy way to abuse trust (oh, Windows Defender just doesn't like this game's DRM update, I'll just allow it anyway), and easily infect thousands.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


It's why I always recommend disabling Print Spooler service if you don't even use a printer...


3 minutes ago, RejZoR said:

It's why I always recommend disabling Print Spooler service if you don't even use a printer...

There's honestly a lot of Windows Services that don't need to be running 24/7. I'll eventually make a list of them all.



 


45 minutes ago, rcmaehl said:

There's honestly a lot of Windows Services that don't need to be running 24/7. I'll eventually make a list of them all.

Yeah, and to make matters worse they also get a random character sequence at the end of their names, so you can't just write a .reg file to kill them quickly...


2 hours ago, jagdtigger said:

Yeah, and to make matters worse they also get a random character sequence at the end of their names, so you can't just write a .reg file to kill them quickly...

Yep, per-user services. Thanks Microsoft

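Added example for the Print Spooler and per-user-services comments above; it is not code from any poster. The per-logon suffix on a per-user service instance (something like `CDPUserSvc_` followed by hex digits) is generated at logon, but each instance is spawned from a template key under `HKLM\SYSTEM\CurrentControlSet\Services` whose name is stable, so that template key is where a "don't start this" policy can be applied without chasing the suffix. It assumes Windows 10 version 1607 or later (where per-user services exist), Windows PowerShell 5.1 run as Administrator, and that the `0x40` Type flag marks a per-user service template; the function names and the `-WhatIf` dry-run calls at the bottom are mine.

```powershell
# Added example (not from any poster): map per-user service instances to their stable
# template keys, and disable unwanted services (Spooler, per-user templates) via a dry run.
# Assumes Windows 10 1607+, Windows PowerShell 5.1, Administrator.

$SvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_USER_SERVICE = 0x40           # assumed: Type flag on per-user service template keys
$InstanceRx = [regex]'^(.+)_[0-9a-f]{4,8}$'   # e.g. CDPUserSvc_3f2a1 -> template CDPUserSvc

function Get-PerUserServiceMap {
    foreach ($svc in Get-Service) {
        $m = $InstanceRx.Match($svc.Name)
        if (-not $m.Success) { continue }
        $template = $m.Groups[1].Value
        $tKey = Join-Path $SvcRoot $template
        if (-not (Test-Path $tKey)) { continue }          # suffix matched but no template: not per-user
        $props = Get-ItemProperty $tKey
        if (-not ($props.Type -band $SERVICE_USER_SERVICE)) { continue }
        [pscustomobject]@{
            Instance      = $svc.Name
            Status        = $svc.Status
            Template      = $template
            TemplateStart = $props.Start                   # 2 = Automatic, 3 = Manual, 4 = Disabled
            DisplayName   = $svc.DisplayName
        }
    }
}

# Disable a per-user template so new logons get no instance; stop any running instances too.
function Disable-PerUserServiceTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Template)
    $tKey = Join-Path $SvcRoot $Template
    if ($PSCmdlet.ShouldProcess($tKey, 'Set Start=4 (Disabled)')) {
        Set-ItemProperty -Path $tKey -Name Start -Value 4
        Get-Service | Where-Object { $_.Name -like "${Template}_*" } |
            Stop-Service -Force -ErrorAction SilentlyContinue
    }
}

# Same treatment for a classic service such as the Print Spooler on a machine with no printer.
function Disable-WindowsService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and set StartupType=Disabled')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $Name -StartupType Disabled
    }
}

# Report first, then dry-run the changes; drop -WhatIf only for services you have reviewed.
Get-PerUserServiceMap | Sort-Object Template | Format-Table -AutoSize
Disable-WindowsService -Name Spooler -WhatIf
Get-PerUserServiceMap | Select-Object -ExpandProperty Template -Unique |
    ForEach-Object { Disable-PerUserServiceTemplate -Template $_ -WhatIf }
```

The dry run is deliberate: several per-user templates back features people rely on (clipboard and device sync among them), so the report should be reviewed per template before any `-WhatIf` is removed. The Spooler change is the one RejZoR describes, expressed so it survives a reboot rather than just stopping the running service.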


 


Big oof. Depends on machine though I do have ESET with MBAM heh. 

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Based purely on the "groups targeted" list, one could draw the conclusion that this was a state-sponsored hacking group.

 

And whoever's behind it needs to **** off. Leave the game developers alone.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

