A threat actor recently uploaded four “mods” containing malicious code to the catalog of the official Steam store that players of the popular Dota 2 online game use to download community-developed game additions and other custom items.
Mods, short for “modifications,” offer in-game content that players create rather than the developers.
Users who installed the mods ended up with a backdoor on their systems, which the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the version of the open source V8 JavaScript engine present in Panorama, a framework that players use to develop custom items in Dota 2.
Avast researchers found the issue and reported it directly to Valve, Dota 2’s developer. Valve immediately updated the game’s code to a new (patched) version of V8 and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who had downloaded the backdoor and implemented unspecified “other measures” to reduce Dota 2’s attack surface, Avast said.
Valve did not respond immediately to Dark Reading requests for comment.
Dota 2’s Customization Features: How They Were Abused
The attack Avast uncovered is similar to other instances in which threat actors have uploaded malicious applications to Google Play or Apple’s App Store.
In this case the code was uploaded to Valve’s Steam Store, taking advantage of the flexibility Dota 2 gives players to personalize the game in many different ways. Dota’s game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content and then publishes them for other players to download and use.
The researchers cautioned that because Steam’s vetting process focuses more on moderation than on security, bad actors may be able to sneak malicious code into the store. “We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published,” according to Avast’s blog post. “There are many ways of hiding a backdoor in a game mode. It would be extremely time-consuming to try and detect them all during verification.”
Boris Larin, lead security researcher at Kaspersky’s global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company’s reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.
Larin states that “in this particular case, timely updating third-party components would help to protect the players. JavaScript engines, built-in Web browsers and other vulnerabilities can often be exploited to execute remote code. This is why special attention must be paid.”
Gaming Industry Remains a Huge Target
The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distancing mandates drove a surge in online gaming. Riot Games’ systems were hacked by attackers who stole the source code to its League of Legends (and Teamfight Tactics) games. In exchange for not leaking the source code publicly, the attackers demanded that Riot Games pay $10 million. An attacker also broke into Rockstar Games’ systems last year and obtained early footage from the next version of Grand Theft Auto.
Akamai’s report last year showed a 167% rise in Web application attacks against gaming companies and player accounts. A plurality of these Web application attacks — 38% — involved local file inclusion; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai’s survey also found that 37% of all distributed denial-of-service (DDoS) attacks were directed at the gaming industry, twice the share of the second-most targeted sector.
Like others, Akamai attributed the heavy attacker interest in gaming to both the lucrative nature of the industry as a whole and the billions of dollars users spend on in-game microtransactions while playing. PwC estimated the gaming industry’s revenues at $235.7 billion in 2022. According to the consultancy firm, industry revenues are expected to grow by at least 8.4% through 2026.
Gaming companies have been under increasing pressure to increase their security measures in response to the attacks. Industry experts have noted that major security incidents can lead to lost player trust and decreased engagement.
Larin states that gaming companies need to regularly scan and update their systems. They also need to use a comprehensive defense concept that guides, equips and informs their team against the most sophisticated and targeted cyberattacks.
“All repositories – whether an app store or an open source package repository – should be automatically checked to ensure that there is no malicious content,” he states. He notes that this should include static checks for dangerous or obfuscated functionality, and scanning with an anti-virus engine SDK.
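The automated static checks Larin describes can be illustrated with a small pre-publication scanner. The following is an added example written for this page, not code from Avast, Valve or Kaspersky: it walks a Panorama-style JavaScript mod script line by line, flags dynamic code execution (`eval`, the `Function` constructor, string-argument timers), decoding of opaque data (`atob`), and long high-entropy string literals, and holds a submission for human review when execution primitives and opaque data appear together. The two sample scripts and the entropy threshold are constructed for the example; the pattern list is illustrative rather than an exhaustive rule set.

```python
import base64
import hashlib
import math
import re
from dataclasses import dataclass

# Indicators a static pre-publication check can flag in Panorama (JavaScript)
# mod scripts. Illustrative list, constructed for this example.
DANGEROUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bnew\s+Function\s*\("),
    "base64-decode": re.compile(r"\batob\s*\("),
    "string-timer": re.compile(r"""\bset(?:Timeout|Interval)\s*\(\s*["']"""),
}
# String literals of 40+ characters are candidates for encoded payloads.
STRING_LITERAL = re.compile(r"""["']([^"'\\\n]{40,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, prose sits well below it


@dataclass
class Finding:
    kind: str
    line: int
    snippet: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_script(source: str) -> list[Finding]:
    """Return every indicator found in the script, with its line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in DANGEROUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(kind, lineno, line.strip()))
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high-entropy-literal", lineno, literal[:32] + "..."))
    return findings


def should_block(source: str) -> bool:
    """Hold a submission for review when it combines dynamic execution with
    opaque data, a pairing that benign cosmetic mods rarely need."""
    kinds = {f.kind for f in scan_script(source)}
    executes = bool(kinds & {"eval", "function-constructor", "string-timer"})
    carries_blob = bool(kinds & {"base64-decode", "high-entropy-literal"})
    return executes and carries_blob


# Constructed samples (not code from the incident): a benign loading-screen
# script, and one that decodes an opaque blob and hands it to eval.
BENIGN_JS = """\
function onLoad() {
  $.Msg("custom loading screen ready");
  $("#Title").text = "Welcome";
}
"""

# Deterministic pseudo-random bytes stand in for an encoded payload.
_BLOB = base64.b64encode(hashlib.sha256(b"constructed sample").digest() * 3).decode()

SUSPICIOUS_JS = f"""\
var p = "{_BLOB}";
var f = new Function(atob(p));
eval(atob(p));
"""

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(f"{name}: block={should_block(script)}")
        for f in scan_script(script):
            print(f"  line {f.line}: {f.kind}: {f.snippet}")
```

A check like this is a triage signal rather than a verdict: hashes, URLs and minified libraries also produce high-entropy literals, so flagged submissions go to a reviewer (or to the anti-virus engine scan Larin mentions) instead of being rejected outright, and the pattern list needs the same care for Lua and other script types a mod can carry.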
Larin says that open source code repository poisoning is becoming more common in recent years. Early detection can help prevent bigger incidents.