One of the most prolific hacking groups in the world recently infected several massively multiplayer online game makers, in one case positioning the attackers to push malware-laced apps to a target’s users and in another to steal in-game currency from a second victim’s players.
Researchers at ESET, the Slovak security company, have linked the attacks to Winnti, a group that has been active since at least 2009 and is believed to have carried out hundreds of highly advanced attacks. Its targets have included Chinese journalists, Uyghur and Tibetan activists, the Thai government and prominent technology organizations. Winnti is tied to the 2010 hack that stole confidential data from Google and 34 other companies. More recently, the group was behind the compromise of the CCleaner distribution platform, which was used to push malicious updates to millions of people. Winnti also carried out a separate supply chain attack that installed a backdoor on 500,000 ASUS PCs.
The latest attacks used a never-before-seen backdoor that ESET has dubbed PipeMon. To evade security defenses, the PipeMon installers were signed with a legitimate Windows code-signing certificate that had been stolen from Nfinity Games during a 2018 hack of that game developer. The backdoor, which takes its name from the multiple pipes its modules use to communicate with one another and from the project name its developers used in Microsoft Visual Studio, registers itself as a Windows print processor so that it survives reboots. Representatives from Nfinity were not immediately available to comment.
A strange game
In a post published early Thursday morning, ESET revealed little about the infected companies, other than that they include several MMO game developers based in South Korea and Taiwan whose games are available on popular gaming platforms and have thousands of simultaneous players.
“In at least one case, the malware operators compromised a victim’s build system, which could have led to an attack in the supply chain, allowing the attackers to trojanize the game’s executable files,” wrote ESET researchers. “In another case, the game servers were compromised, which could have allowed the attackers to manipulate game currencies, for example, to generate financial gains.” The researchers said that they had no evidence that either outcome had actually occurred.
The ability to gain such deep access to at least two of the latest targets is one testament to the skills of Winnti’s members. The theft of the certificate from Nfinity Games during a 2018 supply chain attack on another group of game makers is another. Based on Winnti’s targets and victims, researchers have tied the group to the Chinese government. The hackers often target Internet services and software and game developers with the goal of using the stolen data to better attack their ultimate targets.
Windows requires a certificate signature before software drivers can access the kernel, the most security-critical part of an operating system. The certificates, which must be obtained from trusted Windows authorities after buyers prove that they are legitimate software providers, can also help bypass antivirus and other endpoint protection measures. As a result, certificates are frequently looted in breaches.
Despite the theft in the 2018 attack, the certificate holder did not revoke the certificate until ESET reported the abuse. Tudor Dumitras, co-author of a 2018 paper that investigated code-signing certificate compromises, found that long revocation delays are not uncommon, especially when compared with the TLS certificates used for websites. Because web certificates must be published openly, thefts are much easier to track and identify. Not so with code-signing certificates. Dumitras said in an email:
This is mainly because the code signature PKI, unlike the web PKI, is opaque: Nobody has a glimpse of the certificates currently used because the code signature certificates are contained in executable files that are present on hosts around the world and cannot be captured by internet-wide scans. This makes it difficult to find compromised certificates, especially those that are used in targeted attacks. We have estimated that even a large AV provider like Symantec can only observe about 36.5% of potentially endangered certificates (our paper was published in 2018 before Symantec’s enterprise and consumer businesses were split).
There are many MMO game developers in South Korea and Taiwan, and it cannot be determined whether the attackers used their access to actually tamper with software builds or game servers. That means there is little end users can do to know whether they are affected. Given Winnti’s track record, the possibility cannot be ruled out.
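A defender’s check that follows from the two points above, the print-processor persistence attributed to PipeMon and the use of a stolen but otherwise valid signing certificate, as an added example that is not part of ESET’s report or this article: enumerate every registered Windows print processor and report the Authenticode signer of its DLL. The registry path and spool directory are Windows’ standard locations; the Microsoft signer pattern and the rule for what counts as suspicious are this example’s own assumptions.

```powershell
# Added example (not from ESET or the article): audit Windows print processor
# registrations, the persistence location the article says PipeMon used, and
# report the code-signing state of each DLL. A stolen but unrevoked certificate
# still yields Status 'Valid', so the signer's subject is inspected as well.
# Assumption: legitimate print processors on this host are signed by Microsoft.
$envRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$prtProcDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$findings = foreach ($arch in Get-ChildItem -Path $envRoot) {
    $ppKey = "Registry::$($arch.Name)\Print Processors"
    if (-not (Test-Path -Path $ppKey)) { continue }
    foreach ($pp in Get-ChildItem -Path $ppKey) {
        # Each print processor subkey names its DLL in the 'Driver' value.
        $dll = (Get-ItemProperty -Path $pp.PSPath).Driver
        if (-not $dll) { continue }
        # The DLL lives under spool\prtprocs\<arch>\; search instead of
        # hard-coding the per-architecture folder name.
        $file = Get-ChildItem -Path $prtProcDir -Recurse -Filter $dll `
                    -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($file) {
            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $status = [string]$sig.Status
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        } else {
            $status = 'FileMissing'
            $signer = '<n/a>'
        }
        [pscustomobject]@{
            Environment = $arch.PSChildName
            Processor   = $pp.PSChildName
            Dll         = $dll
            Path        = if ($file) { $file.FullName } else { '<not found>' }
            Status      = $status
            Signer      = $signer
            # Flag anything that is not validly signed by Microsoft (assumed
            # baseline); flagged rows need manual review, not automatic action.
            Suspicious  = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell session so the spooler directory and registry hive are fully readable; third-party printer drivers legitimately register their own processors, so a non-Microsoft signer is a lead to verify against the installed printers, not proof of compromise.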