WithSecure, on the recent Riot Games security breach

Development environments are extremely high-value targets for attackers; where secure development lifecycle practices are not employed, attackers have the opportunity to hide a needle in an enormous stack of needles. As a very basic example, a reverse shell or vulnerability can be introduced in one or two lines of code, whereas a game may include millions of lines of code. The severity of this type of attack is compounded by the fact that it is almost certainly able to bypass security, as poisoned software packages form the new ‘legitimate’ baseline. The software will be signed, users will execute it, and AV/EPP will likely be told to trust the programme.

It is likely Riot Games are taking the time to ensure the integrity of the codebase is maintained, and/or restoring from a previous backup to ensure no malicious functions have been added.

Such a supply chain attack can impact vast numbers of hosts from a single point, as we saw with SolarWinds: an attack that was only tempered in scale by the motivations of the perpetrator, but that still managed to compromise, in a really damaging way, an industry-leading, capable cyber security vendor.

The best defence against a poisoned ‘legitimate’ software package is behavioural modelling of a system – understanding where and how software communicates internally and externally, and identifying where behaviour differs from this baseline. Of course, this is difficult to do at scale in enterprise environments (albeit this is not where one might expect to find a computer game, although it is more common for users to install games than one might think). It is highly unlikely this will happen at all on consumer PCs.
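The baseline comparison described above, as an added example that is not from WithSecure or the original page: it learns which internal and external endpoints each process talks to, then flags anything outside that set without letting signature status suppress a finding. The process names, endpoints and event tuple format are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (process, signed_and_trusted, direction, remote endpoint)
BASELINE_EVENTS = [
    ("game_client.exe", True, "external", "patch.example-game.test:443"),
    ("game_client.exe", True, "external", "login.example-game.test:443"),
    ("game_client.exe", True, "internal", "127.0.0.1:2999"),
    ("updater.exe", True, "external", "patch.example-game.test:443"),
]
OBSERVED_EVENTS = [
    ("game_client.exe", True, "external", "login.example-game.test:443"),
    ("game_client.exe", True, "external", "203.0.113.50:8443"),      # new external peer
    ("updater.exe", True, "internal", "10.0.0.12:445"),              # new internal peer
    ("notes.exe", True, "external", "sync.example-notes.test:443"),  # never baselined
]

def build_baseline(events):
    """Map each process to the (direction, endpoint) pairs seen while learning."""
    baseline = defaultdict(set)
    for process, _signed, direction, endpoint in events:
        baseline[process].add((direction, endpoint))
    return dict(baseline)

def find_deviations(baseline, events):
    """Return events whose communication differs from the learned baseline.

    Signature status is reported but never used to skip a finding: a poisoned
    build is signed and trusted like any other release.
    """
    findings = []
    for process, signed, direction, endpoint in events:
        known = baseline.get(process)
        if known is None:
            reason = "process has no baseline"
        elif (direction, endpoint) not in known:
            reason = f"new {direction} destination"
        else:
            continue  # matches learned behaviour
        findings.append({"process": process, "signed": signed,
                         "endpoint": endpoint, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_deviations(build_baseline(BASELINE_EVENTS), OBSERVED_EVENTS):
        print(f"{f['process']} (signed={f['signed']}) -> {f['endpoint']}: {f['reason']}")
```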

There have been a few games companies targeted recently. Outside of the examples listed below, Rockstar was also hit and code was leaked by a social engineering actor, Lapsus$. At first glance this looks like a similar MO (please don’t confuse this statement with attribution). Gaming companies do seem to be a popular target, as in-game commodities are bought and sold for fiat, and anti-anti-cheat is good business for gamers (and often a pathway into black and white hat hacking). We’ll have to wait and see for attribution and motivation behind this one.

