Current and Future Attacks Threatening Esports
Cybercriminals will increasingly target the esports industry over the next three years. Many underground forums already have sections dedicated to gaming or esports sales, and the goods and services offered in these forums generate a lot of interest.
Esports has evolved from niche entertainment into a highly lucrative industry. Growing ad revenue and sponsorships allow the tournaments to grow; and as the tournaments grow, the prize pool grows as well. Of course, growing popularity and increased funds open up the entities involved to cybercriminals looking for any opportunity to make a profit.
Cheats and hacks are widely available in underground markets, catering to players looking for an unfair advantage in tournaments. Criminal groups have also been known to leverage distributed denial of service (DDoS) and ransomware attacks, zero-day exploits, data breaches, and targeted malware for a profit.
We predict that more threats will target the growing esports industry over the next few years. Here are four threats that we expect to increase in the near future:
Professional tournaments often allow players to bring in their own hardware, such as a mouse and keyboard. Other specialized methods have also been crafted to get around cheat-detection mechanisms. For example, in 2018, “Ra1f” was caught using an advanced hardware cheat for Counter-Strike: Global Offensive, which was able to bypass ESEA anti-cheat technology.
This is how it worked:
- The main computer has both CS:GO and the needed ESEA client (anti-cheat software) installed, like any other ordinary CS:GO installation
- The second computer (let’s call it the “attack PC”) has a special software installed ready to receive data
- The main computer has a physical DMA (Direct Memory Access) device plugged into a PCI Express (PCIe) slot
- A USB cable connects the DMA device to the attack PC
- The DMA device sends data via the USB cable to the attacker PC, and the main computer captures and parses it
- After parsing the data, the attack PC sends it to a Raspberry Pi
- A mobile phone connected to the Raspberry Pi via Wi-Fi downloads the data, which includes all player locations and puts it on the screen, providing the cheater with the positions of his enemies
Figure 1. Page offering custom hardware hacks, with prices starting at US$500
Upon investigating available hardware hacks for sale in the underground, we saw hacks that require an Arduino or a Rubber Ducky USB. Both these devices have legitimate uses and are readily available on aboveground markets, but underground sellers offer the hardware with other cheats for an additional fee. These legitimate tools are reconfigured to carry cheating software and customized to evade detection — one website offered custom hardware starting at $500.
DDoS attacks can cause serious lag issues, which is a critical issue in competitions where matches milliseconds can determine wins and losses. A DDoS attack can cause reputational damage to a tournament, or used as a match-fixing tactic. It can also be used for extortion, wherein the criminals demand money from tournaments to stop the disruption.
A variety of DDoS-related items are already available in the underground, such as DDoS tools, paid services, and even DDoS protection.
Figure 2. Underground forum post offering an anti-DDoS application for players
Figure 3. Forum post advertising a DDoS service
Because these games are mostly consumed live, esports organizers might feel pressured to pay cybercriminal demands to prevent or stop any disruptions. And given the availability of DDoS services, it seems as if these and other extortion attempts might continue.
Vulnerable game servers
Servers will be a popular target for hackers — they are an avenue for game disruption and information theft. We scanned esports game-related servers using Shodan, including those run by private organizations and players and found 219,981 accessible assets as of July 25, 2019.
Servers are online by nature, and this exposes them to some level of risk. Shodan is an easy way for cybercriminals to conduct open-source intelligence (OSINT) gathering for different geographic locations, organizations, devices, services, etc. The software and firmware information collected by Shodan can potentially help identify unpatched vulnerabilities in accessible cyber assets. A deeper probe into these accessible servers revealed a number of critical vulnerabilities:
|CVE-2012-4558||Could allow remote attackers to inject arbitrary web script or HTML via a crafted string|
|CVE-2013-1896||Could allow remote attackers to cause a denial of service (segmentation fault) via a MERGE request|
|CVE-2012-3499||Could allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs|
|CVE-2014-0231||Could allow remote attackers to cause a denial of service (process hang) via a request to a CGI script|
|CVE-2017-7679||Could let actor read one byte past the end of a buffer when sending a malicious Content-Type response header.|
|CVE-2018-1312||In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.|
|CVE-2010-5107||Makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.|
|CVE-2016-0778||Could allow remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.|
|CVE-2012-2531||"Password Disclosure Vulnerability" could allow local users to discover credentials by reading Operational log|
|CVE-2018-10549||Servers with this vulnerability have an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.|
|CVE-2018-10548||Could allow remote LDAP servers to cause a denial of service|
|CVE-2018-10545||Could allow one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications.|
|CVE-2014-1692||Could allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.|
|CVE-2017-15906||Could allow attackers to create zero-length files.|
|CVE-2019-11039||Could lead to information disclosure or crash.|
|CVE-2019-11040||Could lead to information disclosure or crash.|
There have been previous incidents of gamers specifically being targeted by ransomware. In 2018, criminals targeted gamers with ransomware that demanded people play PlayerUnknown’s Battlegrounds (PUBG) in order to unlock their files. We think this type of activity can escalate, given that the tournaments and players are increasingly in the spotlight, which makes them attractive targets. Elite accounts have already been compromised and are being sold in underground forums.
Figure 4. CS:GO accounts with The Global Elite rank sells for $99
Figure 5. Counter-Strike accounts for sale based on rank
Aside from selling elite accounts, attackers also compromise accounts to gain access to credit lines that allow them to buy in-game goods to resell. We also expect cybercriminals to compromise famous Twitch and YouTubers gamers’ social media accounts, either to hold for ransom or to use as a platform for spreading a message. Cybercriminals will look for accounts that have several million followers and will use targeted phishing attacks and malware to take over these accounts.
The esports industry will be facing the same level and type of cyberattacks that the gaming community is already facing — but on a larger scale. These are threats that all entities involved with esports face. Such exposure may lead to identity theft, financial loss, and even reputational damage.
All parties must be more cognizant of online security and ensure that profiles and accounts are kept secure. Organizers must be fully aware of the esports threat landscape and deploy proper security solutions for sophisticated cyberattacks such as DDoS, ransomware, known exploits, targeted malware, and more.
However, the esports industry is not unprepared. Gaming companies and organizers are always on the lookout for new cheating techniques and tools, and multiple anti-cheat services that are specifically geared towards protecting esports and gaming competitions are already available. This research effort was done to raise awareness about the biggest threats we predict evolving in the near future. For more on the threats facing esports, read our report “Cheats, Hacks, and Cyberattacks: Threats to the Esports Industry in 2019 and Beyond.”