One of the world’s most prolific hacking groups recently compromised several makers of massively multiplayer online (MMO) games, a feat that allowed the attackers to push malware-infected apps to one target’s users and to steal in-game currencies from a second victim’s players.
Researchers from Slovak security firm ESET have linked the attacks to Winnti, a group that has been active since 2009 and has reportedly carried out hundreds of attacks, many of them sophisticated. Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and leading technology organizations. Winnti has been linked to the 2010 hack that stole sensitive data from Google and 34 other companies. More recently, the group was behind the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people, and it carried out a separate supply chain attack that installed a backdoor on 500,000 ASUS PCs.
The recent attack used a never-before-seen backdoor that ESET has named PipeMon. To evade security measures, PipeMon installers were signed with a legitimate code-signing certificate stolen from Nfinity Games during a 2018 hack of that game developer. The backdoor, which takes its name from the multiple named pipes its modules use to communicate with one another and from the name of the Microsoft Visual Studio project its developers used, installed itself as a Windows print processor, a DLL the print spooler service loads at startup, so that it could survive a reboot. Representatives from Nfinity were not immediately available for comment.
A strange game
In a post published early Thursday morning, ESET revealed little about the infected companies other than that they include several South Korea- and Taiwan-based developers of MMO games that are available on popular gaming platforms and have thousands of concurrent players.
“In at least one case, the malware operators compromised a victim’s build system, which could have led to a supply chain attack, which allowed the attackers to trojanize game executables,” ESET researchers wrote. “In another case, the game servers were compromised, allowing the attackers to manipulate in-game currencies for financial gain, for example.” The researchers said they had no evidence that either outcome actually occurred.
The ability to gain such deep access to at least two of the newest targets is a testament to the skills of Winnti’s members. The theft of Nfinity Games’ certificate during a 2018 supply chain attack on another group of game makers is another. Based on the people and organizations it targets, researchers have linked the group to the Chinese government. The hackers often target internet services, software makers, and game developers with the aim of using the stolen data to mount better attacks on their ultimate targets.
Windows requires drivers to be signed with a trusted certificate before they can be loaded into the kernel, the most security-critical component of any operating system. The certificates, which must be obtained from certificate authorities trusted by Windows after buyers prove they are legitimate software vendors, can also help malware bypass antivirus and other endpoint protections. As a result, code-signing certificates are frequently stolen.
Despite the theft in the 2018 attack, the certificate’s owner did not revoke it until ESET notified them of the abuse. Tudor Dumitras, co-author of a 2018 paper examining code-signing certificate compromises, found that long delays before revocation are not uncommon, especially compared with the TLS certificates used for websites. Because the Web PKI requires certificates to be publicly logged, thefts there are much easier to track down and identify. That is not the case with code-signing certificates. Dumitras explained in an email:
This is largely because, unlike the Web PKI, the code signing PKI is opaque: no one can see which certificates are currently in use, as the code signing certificates can be found in executable files present on hosts around the world and cannot be collected through internet-wide scans. This makes it difficult to discover compromised certificates, especially those used in targeted attacks. We estimate that even a major AV vendor like Symantec can only see about 36.5% of potentially compromised certificates (our paper was published in 2018, before the split of Symantec’s enterprise and customer operations).
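The two mechanisms described above, print-processor persistence and a stolen code-signing certificate that its owner was slow to revoke, can be checked together on a Windows host. The script below is an added example written for this page; it is not code from ESET, from the article, or from the PipeMon malware. It assumes a 64-bit Windows install, an elevated PowerShell 5.1 or later session, and network access for the online revocation check; the list of expected signers and the "Suspicious" rule are the author's own assumptions, not something the article states.

```powershell
# Added example (not from the ESET report or the article): enumerate every registered
# print processor, locate its DLL, verify its Authenticode signature, and rebuild the
# signer's chain with online revocation checking.
# Assumptions: 64-bit Windows, elevated PowerShell 5.1+, network access for CRL/OCSP.

$envKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$spoolRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

# Assumed baseline: on a stock install the only print processor is winprint.dll,
# signed by Microsoft. Any other signer (or no signature) is reported for review.
$expectedSigners = @('Microsoft Windows', 'Microsoft Corporation')

function Test-CodeSigningChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Get-AuthenticodeSignature alone does not say whether the signing certificate
    # has since been revoked, so build the chain ourselves with revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $ok = $chain.Build($Cert)
    # NotTimeValid on an old, timestamped binary is expected; Revoked is not.
    [pscustomobject]@{
        ChainValid = $ok
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$findings = foreach ($envItem in Get-ChildItem $envKey) {
    $envProps = Get-ItemProperty $envItem.PSPath
    $ppKey = Join-Path $envItem.PSPath 'Print Processors'
    if (-not (Test-Path $ppKey)) { continue }
    # Each environment key carries a Directory value naming its prtprocs subfolder.
    $dir = if ($envProps.Directory) { $envProps.Directory } else { 'x64' }
    foreach ($pp in Get-ChildItem $ppKey) {
        $driver  = (Get-ItemProperty $pp.PSPath).Driver
        $dllPath = Join-Path (Join-Path $spoolRoot $dir) $driver
        $sig = Get-AuthenticodeSignature -FilePath $dllPath -ErrorAction SilentlyContinue
        $subject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo('SimpleName', $false) } else { '' }
        $chainInfo = if ($sig.SignerCertificate) { Test-CodeSigningChain $sig.SignerCertificate } else { $null }
        [pscustomobject]@{
            Environment = $envItem.PSChildName
            Processor   = $pp.PSChildName
            Dll         = $dllPath
            Exists      = Test-Path -LiteralPath $dllPath
            SigStatus   = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer      = $subject
            ChainValid  = if ($chainInfo) { $chainInfo.ChainValid } else { $false }
            ChainIssues = if ($chainInfo) { $chainInfo.Problems } else { '' }
            # Assumed rule: anything unsigned, invalid, or not signed by the baseline
            # signers deserves a manual look.
            Suspicious  = (-not ($expectedSigners -contains $subject)) -or ($sig.Status -ne 'Valid')
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Unexpected print processor: $($_.Processor) -> $($_.Dll) [$($_.SigStatus), signer '$($_.Signer)', chain: $($_.ChainIssues)]"
}
```

A validly signed DLL can still be malicious when the certificate was stolen, which is the PipeMon case before revocation; that is why the script separates the Authenticode status from the chain and revocation result, and why an unexpected signer is flagged even when the signature verifies. Run it on a baseline machine first to confirm the expected-signer list matches your environment.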
With the large number of MMO game developers in South Korea and Taiwan, there is no way to know which companies were affected, much less whether the attackers used their access to actually abuse software builds or game servers. That means end users can do little or nothing to determine whether they have been affected. Given Winnti’s past successes, the possibility cannot be ruled out.