Last month the world was reminded once again of the danger of supply chain attacks, as it was revealed that hackers had compromised the network of Taiwanese technology giant ASUS to push out a malicious software update to as many as one million laptops. The attack, dubbed "Operation ShadowHammer" by security researchers, saw hackers successfully sign their malware with two of ASUS's own digital certificates, increasing the chances that customers would not suspect anything awry.
Now the same security experts have uncovered evidence that the same attackers also targeted Asian video game software houses by poisoning developer tools, which left game players with trojanised code running on their computers.
The way in which the three video game developers came to have their systems compromised by the hackers is rather bizarre, and underlines the difficulties that businesses can face in ensuring that they have an entirely secure supply chain.
Back in 2012, a company called Hammerpoint Interactive developed an open world zombie-shooting game called "The War Z", published by OP Productions on Steam. The game's debut was marred by controversy, with disappointed players ultimately offered refunds as the game failed to live up to its marketing claims. Things were so bad that the game has even made it onto Wikipedia's list of the worst games of all time.
Eventually, perhaps attempting to hide away from the bad publicity, the game was renamed "Infestation: Survivor Stories", but not before it was announced on April 4, 2013, that hackers had compromised the game's servers after exploiting security vulnerabilities. At the time it was reported that whoever hacked the video game's servers had stolen the email addresses, character names, IP addresses and hashed passwords of forum members and players. But in addition, it appears that the game's source code was also stolen, and published online.
Bad news for the makers of "The War Z", but great news for any software game houses who discovered they wouldn't have to do quite as much work to create their own video game interpretation of a zombie-killing dystopian nightmare. Companies which appear to have used the code include Thailand's Innovative Extremist Co. LTD, which provides web and IT infrastructure services, and its Thai gaming partner Electronics Extreme, who researchers claim are distributing a trojanised version of the ironically named "Infestation." In addition, Kaspersky researchers have claimed that Asian gaming house Zepetto has released malware-infected versions of its PointBlank first-person shooter video game.
According to analysts investigating the attack, there is evidence that the source of the infections was a trojanised version of the Microsoft Visual Studio development tool, as Kaspersky explains in its blog post:
The attack is comprised of an infected Microsoft Incremental Linker, a malicious DLL module that gets loaded through the compromised linker. The malicious DLL then hooks the file open operation and redirects attempts to open a commonly used C++ runtime library during the process of static linking. The redirect destination is a malicious .lib file, which gets linked with the target software instead of the legitimate library. The code also carefully checks which executable is being linked and applies file redirection only if the name matches the hardcoded target file name.
In short, a poisoned version of Microsoft Visual Studio churns out malicious code, which the software developer then unwittingly ships to its customers. The code is digitally signed because the software house believes it to be trustworthy.
What isn't yet clear is whether the problem stemmed from a video game developer installing a trojanised version of Microsoft Visual Studio, or if hackers targeted video game developers with a view to ultimately hitting a potentially large number of game players' computers. Regardless, clearly there is a need for all software producers to take greater steps to verify that their development software has not been tampered with, and to verify the integrity of the code that they ship.
Security researchers at Kaspersky say that they have recorded 92,000 computers running malware-infected versions of the games - although the total number is likely to be much larger. Malware analysts at ESET meanwhile say that they "wouldn't be surprised" if the number of victims is in the hundreds of thousands, with the vast majority of victims located in Asia.
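One concrete form of the toolchain verification called for above, added here as an example and not code from the article, Kaspersky or ESET: a build host records SHA-256 hashes of its linker, runtime libraries and DLLs from a known-clean install, and every build first checks the current files against that manifest, flagging a modified linker, a dropped DLL or a substitute .lib of the kind described in the quoted analysis. The bin/ and lib/ layout, the file names and the file contents in the demo are constructed assumptions, not paths from the attack.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large toolchain binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns=("*.exe", "*.dll", "*.lib")) -> dict:
    """Hash every linker, library and DLL under root. Run once on an install
    verified against the vendor's signed media, and keep the result somewhere
    the build host cannot write, or a compromised host could re-baseline itself."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for pat in patterns for p in sorted(root.rglob(pat))}


def verify_toolchain(root: Path, manifest: dict) -> list:
    """Compare disk with the manifest. Returns (kind, relative_path) findings:
    'modified' (hash changed, e.g. a trojanised linker), 'missing', and
    'unexpected' (file present but never baselined, e.g. a hooking DLL or a
    substitute .lib placed beside the legitimate runtime)."""
    current = build_manifest(root)
    findings = [("missing", rel) for rel in manifest if rel not in current]
    findings += [("modified", rel) for rel, h in manifest.items()
                 if rel in current and current[rel] != h]
    findings += [("unexpected", rel) for rel in current if rel not in manifest]
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: baseline a fake toolchain, then simulate the three
    changes a poisoned-linker attack would leave on disk."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "lib").mkdir()
    (root / "bin" / "link.exe").write_bytes(b"clean linker")       # constructed
    (root / "lib" / "libcmt.lib").write_bytes(b"clean runtime")    # constructed
    manifest = build_manifest(root)
    assert verify_toolchain(root, manifest) == []                  # clean baseline
    (root / "bin" / "link.exe").write_bytes(b"replaced linker")    # simulated tampering
    (root / "bin" / "hook.dll").write_bytes(b"dropped dll")        # simulated tampering
    (root / "lib" / "substitute.lib").write_bytes(b"dropped lib")  # simulated tampering
    return verify_toolchain(root, manifest)
```

A hash manifest only proves the files match the baseline; it says nothing about whether that baseline itself was clean, so the baseline must come from installation media whose vendor signature was checked.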
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.