Malicious Game Mods Target Dota 2 Game Users

A threat actor recently uploaded four “mods” containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for “modifications,” offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game’s code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company, whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat, also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified “other measures” to reduce Dota 2’s attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

Taking Advantage of Dota 2’s Customization Features

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple’s App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve’s Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota’s game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use.

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. “We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published,” according to Avast’s blog post. “There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification.”

Boris Larin, lead security researcher at Kaspersky’s global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company’s reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

“In this particular case, the timely updating of third-party components would have helped to protect the players,” Larin says. “JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution.”

Gaming Industry Continues to Be a Massive Target

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years, and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games’ systems and stole source code for the company’s League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company’s popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks, 38%, involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai’s survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

“Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks,” Larin says.

“All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content,” he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.
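As an added illustration of the kind of automated static check Larin recommends, the Python scanner below flags dynamic code execution and obfuscated string payloads in a mod’s JavaScript before it is published. It is not code from Kaspersky, Avast or Valve: the rule set, the entropy threshold and both sample scripts are hypothetical and constructed for this example, and the benign snippet does not use any real Panorama API.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Added example, not from Avast, Kaspersky or Valve. The rules below are
# hypothetical heuristics for a pre-publication static check of mod scripts:
# flag dynamic code execution and obfuscated string payloads so a reviewer
# looks at the file before it reaches other players.


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    excerpt: str


# Dynamic code execution that a cosmetic mod rarely needs legitimately.
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\b(?:setTimeout|setInterval)\s*\(\s*['\"]"
)
# A string literal of 40+ characters drawn only from the base64 alphabet.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
# Six or more consecutive \xNN or \uNNNN escapes, typical of hidden identifiers or URLs.
ESCAPED_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){6,}")
# Any string literal long enough for an entropy measurement to mean something.
STRING_LITERAL = re.compile(r"['\"]([^'\"\n]{20,})['\"]")


def shannon_entropy(text: str) -> float:
    """Bits per character; English text and ordinary code sit well under 4.5."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_script(source: str, entropy_threshold: float = 4.5) -> List[Finding]:
    """Return one Finding per (rule, line) that trips a heuristic."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if DYNAMIC_EXEC.search(line):
            findings.append(Finding("dynamic-code-execution", lineno, line.strip()))
        if ESCAPED_RUN.search(line):
            findings.append(Finding("escaped-string-run", lineno, line.strip()))
        b64_spans = []
        for m in BASE64_LITERAL.finditer(line):
            b64_spans.append(m.span(1))
            findings.append(Finding("base64-literal", lineno, m.group(1)[:40]))
        for m in STRING_LITERAL.finditer(line):
            # A base64 blob already reported above is not reported twice.
            if m.span(1) in b64_spans:
                continue
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append(Finding("high-entropy-string", lineno, m.group(1)[:40]))
    return findings


def rule_names(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated rule names, handy for a publish/hold decision."""
    return sorted({f.rule for f in findings})


# Constructed sample: an ordinary HUD tweak with plain string literals.
BENIGN_SCRIPT = """\
// constructed benign mod script (hypothetical API, not real Panorama calls)
function onLoad(panel) {
  panel.text = "Welcome to the custom HUD";
  panel.visible = true;
}
"""

# Constructed sample: base64 blob, hex-escaped identifier, then eval of the decoded blob.
SUSPICIOUS_SCRIPT = """\
// constructed suspicious mod script
var p = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZC5qcw==";
var d = "\\x66\\x65\\x74\\x63\\x68\\x55\\x72\\x6c";
eval(atob(p));
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        hits = scan_script(src)
        print(f"{name}: {rule_names(hits) or 'no findings'}")
        for h in hits:
            print(f"  line {h.line} [{h.rule}] {h.excerpt}")
```

The heuristics are deliberately cheap so they can run on every submission; a hit does not prove a mod is malicious, it routes the file to a human reviewer or to the antivirus SDK scan Larin also mentions. The entropy rule is kept separate from the base64 rule so that short, low-entropy base64 (like the constructed URL above) is still caught by the alphabet check, while random-looking keys or packed code in ordinary quotes are caught by the entropy check.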

Larin adds: “Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents.”
