I'm fascinated to find out how they pulled this off. There's been cases before where a malicious gameserver controlled by an attacker could RCE clients which connect to it, but in this case the server was controlled by a trusted party, and the attackers shouldn't even have been able to know which server they were playing on, nevermind connect to it since they weren't invited. There must be layers to this one.
Yeah, or a RCE that allowed them to directly hit each individual client, rather than coming from the server?
Seems there are mentions of Easy Anti-Cheat having a vulnerability, but I'm not sure how trustworthy that is. It's a widely used anti-cheat, if it has a vulnerability, it would be big news, bigger than the "Apex Legends final being postponed" story.
But who would blow such a 0day on ruining a competition, instead of doing something profitable and sneaky? Gotta admire that, seems it was just for "fun".
Unless something similar happens in another game with EAC I would assume it's exploit(s) in the game itself - the remote attack surface of the game is orders of magnitude larger than the anti-cheat after all.
> Yeah, or a RCE that allowed them to directly hit each individual client, rather than coming from the server?
Maybe, but Apex has dedicated servers so there isn't a great deal of client-to-client communication to potentially exploit.
"Why would game developers care about memory safety, performance > everything"
At least this remote-code-execution was essentially "harmless" as these things go. Who knows if the next one will be, or even if this has happened with malicious intent before - without attracting so much attention.
Something similar happened with Dark Souls a while ago, someone found a client-to-client RCE in the P2P netcode and wasn't able to get the developers attention, so they launched a benign "attack" on some streamers which just played messages through text-to-speech on their machines. That resulted in enough noise that the developers had to address it.
It's honestly a miracle that these sorts of exploits in games haven't been used maliciously on any large scale.
Interesting event! One of those ones that really suddenly brings back to cyberpunk decades ago and makes me feel like we're living some of it now. One comment in their comment section caught my eye though:
>"It really is incredible that they would run these finals on the live internet."
I think they were thinking in terms of doing in-person physical LAN versions, and as another reply said that's a not insignificant undertaking in terms of cost (if nothing else, just plain having potential competitors from all over make their way there), though given all the amateur traditional sports that manage it for everything from surfing to dogsledding I'm a little skeptical that it'd be that impossible for these companies. But yeah it's a jump.
However, I do wonder if there's ever been any consideration to using VPNs to that end, at least for the finals? Have players set up a WG tunnel to the mothership with all other networking disabled just for the match, that'd be about as good and if it was super easy seems like players could be onboard for it as well. It wouldn't be some big interfering kernel thing like so much anti-cheat, not anti-cheat at all in fact just security against external griefing, they could turn it right off after. Given this is clearly unusual maybe not something to worry about in general, but could be an approach if it proves a bigger problem.
Apex does hold IRL "LAN" tournaments, but allegedly they're not held through an actual local area network—instead they're held on a private local server. Or so I've heard!
> Please contact us for the relevant SDKs and to talk about the fine print. We're still working through details of how to distribute this code, and at this time we might not be able to make cross-platform support available to all partners and all games.
There's the potential that for, say, consoles this might not be sufficient at this point in time sadly.
It's probably on a case-by-case basis, but Apex is actually running on a fork of Valve's Source Engine, so they have a pre-existing relationship outside of Steam.
Saw it live. Hardly believable: those kids were able to, while the game was running, install and enable hacks (xrays,walling,aim bot,etc) remotely on the msft windows of those competing electronic athletes.
Watched this happen in real-time last night. The stream cut to a generic "We'll be back" interstitial between rounds, which is normal, but it lasted longer than usual and eventually cut to a "Thanks for watching!" card. Stream ended. Chaos ensued.
What's interesting is that the two confirmed targets (Hal and Gen—not sure if any others were impacted) are two top dogs on the scene right now. IIRC their respective teams have a somewhat friendly rivalry going on. In other words, these are guys with lots of wins under their belt who don't need aimbots to take home cash prizes.
So I'm rabidly curious to know how the person behind the hack pulled this off, but also really want to how they chose the specific players to target or what their motivations were in the first place. Maybe they have some kind of grudge and they want to "expose" (read as: frame) these guys or just get their hands dirty.
> Official comment on the incident ends there, but clips circulating online showed players suddenly being given cheats like aimbots and wall hacks while matches were ongoing.
Those exploits require a client to connect to a hacked server, but Apex Legends has dedicated servers. You can't just randomly hack a client on the network. So it is not likely an RCE unless EA themselves got hacked.
However, I'm still leaning more strongly towards the theory that gamers who don't care about security got social engineered into downloading a RAT and have compromised computers.
And if it happened to two, it's infinitely more likely that could be leveraged to social engineer others in that group.
yeah - social engineering seems a common/likely approach. I'd assume their machines are on different (private) networks for each tournament/location. So, it would much easier to have a pre-installed exploit phone out to the attacker then trying to get in past NAT to exactly the right players ?
Post some links in their Twitch chat to i.e. images on a server you control. Correlate your access logs with geoip information and you have a good chance of getting their IP.
I would have expected the tournament to be behind NAT, so the the client machines would have unroutable ips, and the server would just get the IP of the router - not the individual clients ?
Has it been confirmed that there were no existing cheat/hack tools installed on the PC already? I'm possibly missing the smoking gun where it's definitely a remote code exploit and not just the player having cheat tools installed on their PC and accidentally activating them, then pretending to be very alarmed at what's going on.
Two players on two different teams had cheats appear simultaneously, it's quite unlikely they would both accidentally reveal their cheats at the same time.
The overlay that appeared with the "cheats" on it was full off inside jokes too and didn't look at all serious. One of the check boxes was labelled "Vote Putin".
There hasn't been any confirmation about how exactly it happened. It seems to me that the most likely scenario was these players got phished prior to the tournament and were already infected with malware.
There's a little bit of history here with the hacker Destroyer2009. He's been terrorizing Apex public ranked lobbies since at least December 2023. He's done the usual cheats of aimbot, walling, rage hacking, flying around, speed hacking, etc. He's done all this without being successfully banned via the anticheat as well as circumventing manual bans from the dev team. He's also been able to gift thousands of dollars worth of Apex packs to streamers in addition to spawning in dozens of bots in-game that chase and try to kill their target[1].
It's also important to note that the 2 players targeted in yesterday's games are both multiple LAN champions from rival teams so the likelihood that they themselves were cheating is quite low. Per another streamer targeted via the Apex packs, Mande, claims to have had a conversation with the cheater and was able to glean that the cheater was motivated via "fun" or attention. It'd likely stand to reason that the 2 players were victims of a phishing attack rather than an RCE in Apex/EAC. If it's an RCE, why waste such a big bad powerful vulnerability on just 2 players and not target as many as you can if the motive really is "for the lulz"? There'd sure be a lot more lulz to be had if the hacker targeted as many people as he could. Using Occam's Razer without context, it's again likely phishing. Destroyer2009 does seem to have some sort of server-side access given the gifted Apex packs and ability to spawn in and control bots in-game. It'll be interesting to see what Respawn/EA have to say about this incident though we'll likely never get the full technical picture.
As an aside, if the first player targeted, Genburten, never had the in-game chat show up and the second attack on ImperialHal never happened, Genburten's gaming career would've been in the gutter. How would he prove an isolated one-off attack on his PC that remotely installed cheats and turned them on?
Interesting discussion from Thor at PirateSoftware[2]
Phishing was my immediate hunch as well, but what do you think the vector was to nail both Hal and Gen? I'm wondering if pros ever download third-party tools for gameplay analysis or something like that. (e.g., years ago I used to connect my Overwatch account to some ranking platform that let me see more granular data than what's visible in-game)
I think the hacker specifically targeted two players with largest audiences who were both live streaming for maximum lulz.
I also think that he specifically did it in a way that would minimize the risk of those players being accused of cheating cause he respects them and doesn't want to ruin their careers.
In my mind this type of cheating can only happen one way. The client code that was being used by the players in this competition is a hacked version of the apex legends source code. What these players did not realize is that the software contained an open connection for the attacker to remotely exploit at his will.
What seems more likely, RCE in Apex or Easy Anti Cheat, that only targeted two players... Or that the two players, ImperialHal and Genburten had the hacks installed, and this was exploited by Destroyer2009 to prove that two top players have been hacking?
After all, given Destroyers track record posted here by someone else, they clearly have a close association with the cheat creaters. Since they have been using them for so long.
37 comments
[ 3.0 ms ] story [ 88.7 ms ] threadSeems there are mentions of Easy Anti-Cheat having a vulnerability, but I'm not sure how trustworthy that is. It's a widely used anti-cheat, if it has a vulnerability, it would be big news, bigger than the "Apex Legends final being postponed" story.
But who would blow such a 0day on ruining a competition, instead of doing something profitable and sneaky? Gotta admire that, seems it was just for "fun".
https://twitter.com/TeddyEAC/status/1769725032047972566
Unless something similar happens in another game with EAC I would assume it's exploit(s) in the game itself - the remote attack surface of the game is orders of magnitude larger than the anti-cheat after all.
> Yeah, or a RCE that allowed them to directly hit each individual client, rather than coming from the server?
Maybe, but Apex has dedicated servers so there isn't a great deal of client-to-client communication to potentially exploit.
The article points out:
> In the Genburten clip, the streamer’s chat can be seen to read “Apex hacking global series by Destroyer2009 & R4ndom.”
So maybe some other folks had their own CTF competition concurrently. Pretty cyberpunk. Who knows what the prize was.
At least this remote-code-execution was essentially "harmless" as these things go. Who knows if the next one will be, or even if this has happened with malicious intent before - without attracting so much attention.
It's honestly a miracle that these sorts of exploits in games haven't been used maliciously on any large scale.
>"It really is incredible that they would run these finals on the live internet."
I think they were thinking in terms of doing in-person physical LAN versions, and as another reply said that's a not insignificant undertaking in terms of cost (if nothing else, just plain having potential competitors from all over make their way there), though given all the amateur traditional sports that manage it for everything from surfing to dogsledding I'm a little skeptical that it'd be that impossible for these companies. But yeah it's a jump.
However, I do wonder if there's ever been any consideration to using VPNs to that end, at least for the finals? Have players set up a WG tunnel to the mothership with all other networking disabled just for the match, that'd be about as good and if it was super easy seems like players could be onboard for it as well. It wouldn't be some big interfering kernel thing like so much anti-cheat, not anti-cheat at all in fact just security against external griefing, they could turn it right off after. Given this is clearly unusual maybe not something to worry about in general, but could be an approach if it proves a bigger problem.
[1] https://www.oneesports.gg/league-of-legends/lck-spring-2024-...
There's the potential that for, say, consoles this might not be sufficient at this point in time sadly.
https://twitter.com/ZPostFacto/status/1395765704155033603
It's probably on a case-by-case basis, but Apex is actually running on a fork of Valve's Source Engine, so they have a pre-existing relationship outside of Steam.
What's interesting is that the two confirmed targets (Hal and Gen—not sure if any others were impacted) are two top dogs on the scene right now. IIRC their respective teams have a somewhat friendly rivalry going on. In other words, these are guys with lots of wins under their belt who don't need aimbots to take home cash prizes.
So I'm rabidly curious to know how the person behind the hack pulled this off, but also really want to how they chose the specific players to target or what their motivations were in the first place. Maybe they have some kind of grudge and they want to "expose" (read as: frame) these guys or just get their hands dirty.
Now that's what I call elite.
- stream sniped ImperialHal and Gen
- had some way of getting uuids from the client
- used those uuids in combination with an RCE
However, I'm still leaning more strongly towards the theory that gamers who don't care about security got social engineered into downloading a RAT and have compromised computers.
And if it happened to two, it's infinitely more likely that could be leveraged to social engineer others in that group.
It's also important to note that the 2 players targeted in yesterday's games are both multiple LAN champions from rival teams so the likelihood that they themselves were cheating is quite low. Per another streamer targeted via the Apex packs, Mande, claims to have had a conversation with the cheater and was able to glean that the cheater was motivated via "fun" or attention. It'd likely stand to reason that the 2 players were victims of a phishing attack rather than an RCE in Apex/EAC. If it's an RCE, why waste such a big bad powerful vulnerability on just 2 players and not target as many as you can if the motive really is "for the lulz"? There'd sure be a lot more lulz to be had if the hacker targeted as many people as he could. Using Occam's Razer without context, it's again likely phishing. Destroyer2009 does seem to have some sort of server-side access given the gifted Apex packs and ability to spawn in and control bots in-game. It'll be interesting to see what Respawn/EA have to say about this incident though we'll likely never get the full technical picture.
As an aside, if the first player targeted, Genburten, never had the in-game chat show up and the second attack on ImperialHal never happened, Genburten's gaming career would've been in the gutter. How would he prove an isolated one-off attack on his PC that remotely installed cheats and turned them on?
Interesting discussion from Thor at PirateSoftware[2]
[1]: https://youtu.be/7e3mia4b-_Q?t=192 [2]: https://www.twitch.tv/videos/2094227670?t=8h41m6s
I also think that he specifically did it in a way that would minimize the risk of those players being accused of cheating cause he respects them and doesn't want to ruin their careers.
After all, given Destroyers track record posted here by someone else, they clearly have a close association with the cheat creaters. Since they have been using them for so long.
All they did was enable it on their live streams.
Thanks for reading