Game Hacking Summary 2023

A Year in Review: Cyber Attacks on Game Companies in 2023

The gaming industry, a $184 billion behemoth, continues to captivate audiences globally. Yet, as its prominence grows, so does its vulnerability to cyber threats. As we reflect on 2023, a year marked by innovation and breakthroughs, it’s also evident that game companies faced an escalating barrage of cyberattacks. These incidents not only disrupted operations but also shook user trust. This blog post delves into the notable cyberattacks that targeted game companies in 2023, offering insights and analysis on the evolving threat landscape.

Each year the amount of players reaches new astounding heights. This year it is calculated that there were 3.38 billion players in the world, which is a 6.3% increase from last year. The hugh player base makes client-side attacks like malware or ransomware increasingly interesting for malicious players, attracted by the nature of the users that play games and because of the amount of money and information big companies manage.

Background

15 years ago the game industry was pretty straightforward, we had PC games (many of them without any online feature) and console games. As technology and communication capabilities evolved, possibilities of building greater and more complex games, for more accesible “consoles” like cellphones or the evolution of browsers reshaped the gaming reality, making it more accesible for people around the world in different locations and situations (even while commuting to their jobs) to get to games or even to build and deliver them, and earn enough money to make a living from game creation. We now even have professional game players or famous players and streamers.

From the cybersecurity perspective the industry have many new challenges that 15 years ago didn’t have:

• Many games have the possibility to add mods (e.g. Minecraft: https://therecord.media/minecraft-bug-allows-hackers-in) which add replayability at lower costs. The tradeoff here is that a malicious party has a perfect scenario to craft malware or ransomware with a genuine delivery mechanism.
• The increasing popularity of cellphones and casual games made easier and much more lucrative for attackers to create malicious modded applications that could be used as spyware or malware.
• In ancient times, gaming companies earned money with monthly subscriptions or by selling the game. Nowadays the popular way to earn money is with in-game purchases, which adds a whole new attack surface related to PII and Financial information being handled by the gaming company (therefore the increase on Data Breaches).
• Increasing communication between players (it could be directly or through servers), which makes it easier for attackers to reach another client through a vulnerability in the communication protocol or through a bug in the server (e.g.: https://www.eurogamer.net/genshin-impact-players-believe-hackers-are-bricking-progress-by-deleting-in-game-exploration-points)
• The previous points might be exclusive for the gaming industry, but gaming companies have still to face common threats like ransomeware, hackers targeting their employees through phishing and cloud environment vulnerabilities or misconfigurations.

Key Attacks of 2023

In order to analyze the types of attacks, and the impact of the hacks we did a review of the most important publicly known attacks on games or gaming companies during this year. We then worked on three different categories to group the attacks:

Attack Vector

An attack vector is a path or method used by attackers to gain unauthorized access to a system or network to deliver a malicious outcome. Attack vectors can be anything from software vulnerabilities, phishing emails, compromised USB drives, to unsecured network protocols.

The most used attack vector seen in cases where an attacker got access to a server typically was through a Social Engineering attack targeting companies’ employees with highly privileged access given the type of job or because of the lack of information segregation in the internal infrastructure.

In the case of attacks executed to other players the most common one was executed through malicious game mods that implied a sandbox escape of the modding framework. In this case we left asside the reports of individuals that downloaded malicios apps and got hacked, because there were countless of them and there was no specific game or company as a target.

Exploitation

Exploitation refers to the process by which an attacker takes advantage of a vulnerability or weakness in a system or network to achieve a specific malicious goal. This can involve using tools, techniques, or methods to manipulate or compromise a target.

In this case we have two different exploitations which were the most common ones:

a- RCE: mainly because the malicious mods leads to this type of exploitation scenarios

b- Data Leaks: In this case the specific exploitation is never too clear. In the cases of ransomware attacks the leak is probably executed through some information stored in buckets and dumped that way, or through a database exposition once the attacker got in the internal infrastructure. Most companies were resilient to explain in details how the attacker jumped from an external access through the exploitation of a CVE on a vulnerable component or by getting credentials of company employees.

Impact of Attack

The impact of an attack refers to the consequences or outcomes that occur as a result of a successful exploitation. This can range from data breaches, financial losses, system downtime, loss of user trust, regulatory fines, to more severe consequences like national security threats.

In this case we have three different consequences:

a- Client Compromise: In this case the RCEs dealt in most cases to client compromises at some extent, depending on the privileges of the corrupted component and the type of attack, or the skills of the attacker to elevate privileges.

b- Information leak: In this case the data leak was divided by the type of information being leaked, that goes from strategic information (like the case of Rockstar with the leak of information about GTA VI or the leak of Insomniac plans for future games and new revenues) to clients’ PII and sensitive information. An associated consequence to Information Leak related to clients PII is related to regulations where the company has operations.

Conclusion

The gaming industry, a dynamic and ever-evolving realm, stood at the forefront of innovation and entertainment in 2023. However, with great reach comes great responsibility, and the sector’s rapid expansion has inadvertently exposed it to a plethora of cyber threats. From the inception of game modifications introducing vulnerabilities, to the shift in revenue models focusing on in-game purchases, game companies are navigating uncharted waters fraught with cyber dangers.

Our deep dive into the year’s most prominent cyberattacks underscores the myriad challenges faced by the gaming ecosystem. Whether it’s the sophisticated social engineering tactics targeting privileged company insiders or the lurking threats of malicious mods and their exploitative aftermaths, the repercussions are profound. The ramifications stretch beyond immediate financial losses, tarnishing user trust and raising critical questions about data privacy and regulatory compliance.

As we move forward, the onus is on the industry stakeholders, from developers to publishers, to prioritize cybersecurity, foster awareness, and adopt robust defense mechanisms.

At VulturSec, we are committed to championing this cause and assisting game companies in safeguarding their digital realms. Don’t navigate these treacherous cyber seas alone; reach out to us today and fortify your defenses for tomorrow’s challenges.