
Game Hackers And You: Knowledge Extraction From Toxic Places - Morgan Brazier

BSides London · 15:43 · published 2024-02

Thanks. Yeah. So, quick, who am I? My life story: student researcher, self-proclaimed hacker. I got my start hacking games, being a cheat developer about 7 years ago. I don't do that anymore, but it's how I got my experience in exploit development and reverse engineering. So, outline: what can I hope to achieve by the end of this talk? Introduce game hacking as a concept, see how this community overlaps with the infosec community, endure the toxicity that, well, you know, places like this are kind of known for, and potentially extract some vital knowledge. So, a quick jargon buster before we get started. The main thing I wanted to explain first was the difference, in my mind and within the cheating community, between a cheater and a hacker. Cheaters are usually unskilled people who use or pay for game cheats. A hacker, at least in these communities, is considered skilled. That can include the former, but importantly a hacker is capable of creating their own cheats. You know, they have those skills in exploit development, the skills in reverse engineering. P2C just means pay to cheat. The rest of these terms, EDR, APT, UEFI and those kinds of things, I'm pretty sure everyone in this room is aware of, but I just put them up there just in case.

So, why bother hacking a video game in the first place? Well, for a start, we have a gaming market worth, you know, over half a trillion US dollars. A lot of these games are often competitive, requiring large time commitments for often diminishing rewards. If we have any Escape from Tarkov players in the room, I think they'll know that struggle. So, players naturally look for ways to increase their performance in these games. And so, well, hackers come along and develop exploits to allow for that better performance. Think of it like doping in sports. And it turns out some, you know, less technically minded players are willing to pay for access to those exploits, and a new underground market, cheats as a service, is born. As of last year, that underground economy was worth, in China alone, about half a billion US dollars.

So, there's kind of two sides to this. You have the closed-source community, or as it's known within these circles, the P2C or pay to cheat community. Secretive, very secular. Their methods are sold, they're not shared. They operate entirely as a business. Back when I was doing this, you know, about 7 years ago, a little-known fact was that worldwide, to my estimate, there were only really about 100 genuine P2C developers, and mostly just resellers, people who would take code with the developer's permission and just repurpose it, just repackage it with a different GUI, and sell it to a different customer base. A lot of these larger P2Cs are backed by larger, more legitimate businesses, sometimes having ties to genuine cybercriminals, threat actors, and even APTs. But what we're going to be looking at today is the open-source community, which is comprised of three primary forums: UnknownCheats, MultiPlayer Game Hacking Forum, and Guided Hacking. The forum rules here kind of go completely against the ethos of paying for cheats in any way. They're there to share knowledge. As a security researcher, really, this is where you want to be. Now, before I continue, I have to give credit where it's due. If you want a better look at the P2C side of things, I have to recommend BushidoToken's 2022 blog post, Gamer, Cheater, Hacker, Spy. It treads a lot of similar ground to this talk, but takes a closer look at the threat actors tied to the gaming industry.

So, there's a term that I used a couple of slides back, anti-cheat. Think of it like EDR for video games, and I want to go over what exactly that is. As it says in big, red, bold letters back there, hacking is kind of the easy part when it comes to cheating in video games, but not getting banned is the hard part. All modern multiplayer competitive games will have anti-cheat at some point, either server-side or client-side, but the best in class will be both, usually with the client-side part being always on, on the person's computer, and running at kernel level. Running at kernel level all the time on the person's computer can, you know, cause security issues. In fact, a couple of years ago, ESEA, who I would consider the world leaders in the anti-cheat industry, not for market share or anything like that, that'd be BattlEye, but for the quality of their products, and who protect all the biggest leagues for things like CS:GO, actually got caught installing Bitcoin miners on all their clients' PCs, and overnight pretty much created a 500,000-member botnet. They were running for about 2 weeks, managed to keep all the money from it, and faced no legal repercussions. Yeah, how they got away with that, I'm not too sure.

That brings me neatly onto bypassing anti-cheat. The lengths that the game hacking community will go to to get their hands on a new anti-cheat bypass should really never be underestimated. Multiple zero-day exploits have been discovered in the game hacking community first, and then later extrapolated into the wider world. A big example that comes to mind is Log4j, which I'm pretty sure everyone in this room has heard of, and doesn't need me to explain. In fact, only recently, a new UEFI bootkit was developed, inspired by BlackLotus, known as RedLotus, with the intention of being an anti-cheat bypass. Now, it doesn't really take a genius to figure out that, although their intentions were somewhat pure, just wanting to use it as an anti-cheat bypass, it could quite easily be repurposed and used for more devious means.

Although I do want to take a change of pace here and ask when you in the room first heard of BYOVD, or bring your own vulnerable driver, for those who have heard about it. So, what I'm going to do is I'm going to name a year, and I want you to put your hands up if that's the year that you heard about BYOVD. So, we'll start with 2023. Is that the year that anyone heard of it? Or have you heard of it earlier? Yeah, 2023, okay. 2022? Yeah, okay. Few people, few hands. I think apparently most people haven't heard of BYOVD, so this isn't working out for me. So, we'll just go on to the next slide.

The BYOVD timeline starts... I'm going to kind of ignore 2010. The only reason I left it in there was because it was the first example of a UEFI bootkit being used in a lab environment. 2015 rolls around, though, and BYOVD is first discussed in a public setting on UC, theorized as being usable as an anti-cheat bypass. 2 years later, 2017 rolls around, and we get the first public guide on how to use BYOVD as an anti-cheat bypass, an actual genuine guide, and it working and being used in public. At the same time, I see the first example of a UEFI bootkit being used as an anti-cheat bypass, a year before LoJax, actually, which is, according to ESET, the first publicly documented UEFI bootkit in the wild, as noted in the 2018 section behind me. 2019 rolls around, and we get something known as the vulnerable driver megathread, which was a kind of milestone release on UC, listing over 130 drivers from a lot of different manufacturers. That, combined with the previous guide, allowed many less technical users to use the method for anti-cheat bypass. Another 2 years later, we get a pretty important CVE, a vulnerable Dell driver, which was then later used by Lazarus. Now, I consider this not necessarily the first example of BYOVD being used by an APT group, but probably one of the most popularized, and this is kind of the point in time where BYOVD comes into the infosec zeitgeist. And then later, Q1 2022, ESET discovers the Lazarus attack and creates their write-up.

Some other notable releases that originated in the cheating community are Log4j, obviously; RedLotus, the aforementioned UEFI bootkit; PCILeech, an interesting one, and something I'm actually writing my dissertation on. It is a DMA attack framework, mostly used by, or created with the intention of being used as, a forensic toolkit, massively popularized by the cheating community, and then later used for things like implants. And Alcatraz, a binary obfuscator. I don't think I have to explain why that would be useful for people like malware developers. I've highlighted these two here in red because they've already been seen in the wild by cybercriminal groups. And this one here in yellow, although I haven't personally seen it in the wild yet, as it's quite new, I'm pretty confident we will, probably within the next year or two.

So, cool. I've just talked for the past couple of minutes about a bunch of cheating stuff, and probably a bunch of you coming to a security conference are wondering why that's actually relevant. So, some good places to start when you're actually looking for information on this kind of thing. UnknownCheats: personally, as a security researcher, this is probably where you want to start. It usually has the highest quality posts. Guided Hacking: the quality of the posts here is not as great, but importantly, it's where you're going to see that transition point between people developing something as a cheat, and then other people, because it's a mix of video game cheating forum and actual classical hacking forum. I've been told I have about 3 minutes, so I've got to speed up. I'm going to skip this one. So, some other important releases that were found within these forums fairly recently: other EFI bootkits, entire memory hacking libraries, huge amounts of vulnerable driver releases, scripts for finding vulnerable drivers in an automated fashion, methods to then load these drivers, and huge guides on how to do it. This was kind of the big one that I wanted to get to: exploits that haven't actually been reported, that were only really shared on UC. This was part of someone's DMA hacking framework and a cheat that they were using. They gave up on trying to maintain it, and then just released it into the wild about 3 years ago with pretty much no fanfare and no attention. They later realized it actually contained two zero-days that they were using for Logitech devices. They did the responsible thing and decided to try and report them. They got a CVE for one of the exploits, and decided the whole rigmarole of going through and reporting it was too much hassle, so they didn't bother with the second one. And there was just a Logitech zero-day sitting on this GitHub repo for about 3 years. It has been resolved now.

So, some bad places to start. As I said, don't bother going into the replies. I'm not going to read all of these out, but they're not a big fan of security researchers, and you'll probably go absolutely insane trying to read what these people say day in, day out. Let's skip. Ah, yeah. The cheater to threat pipeline, right. So, I wouldn't consider this a rule of thumb or anything like that. It's just a pattern of observed behavior, if you like. As we covered earlier, gamers want an advantage in their chosen game and decide to utilize or purchase cheats. That eventually can lead to an interest in game hacking. They maybe start pasting, or learn to code their first local video game cheat of some kind. Eventually, their interest can diversify into other areas of hacking. The skills they've learned reverse engineering games and programming exploits can come into play, which can sometimes lead to exposure to more underground forums, and then often into actual cyber crime taking place.

So, yeah, right. How does this actually affect me? Hopefully, I've somewhat illustrated, in a really horrible and roundabout way, that the techniques used by game hackers are actually being used by much more sophisticated threat actors. Things like BYOVD, UEFI bootkits. BYOVD particularly, I think, presents more of a unique threat, actually being able to unhook EDR. Some things you could probably do against that: driver blocklisting, virtualization-based security. SnapAttack, a platform that I was told about more recently, seems pretty useful. And as we've gone over earlier, you know, monitoring vulnerable driver releases and submitting their file hashes. So, takeaways, guys. I'm pretty much out of time. Good releases and important knowledge can be extracted from these places. There's a clear overlap between the infosec, hacking and cheating communities. And from a CTI perspective, monitoring the game hacking activities on these forums can be beneficial, because releases made here can sometimes evolve into genuine and serious threats, like we've seen with Log4j and potentially RedLotus. Yeah, that's pretty much it. I apologize for the awful delivery. It's my very first talk. Thanks very much.

Host: Thank you. We have a couple of minutes spare for questions. Anybody got any questions? You can fire another one at them if you want. Oh yes.

Q: Sorry, how did you get into this particular area?

A: Into, like, CTI stuff, or...?

Q: Yeah, like identifying stuff like that.

A: Oh, right. So, I went over it in my first slide. I got into infosec and hacking and this kind of side of things because originally, when I was younger, I developed cheats. That's what I used to do. Hacking games was kind of my hobby back when I was younger.

Q: So, I'll just back you up there. I've run incident response, threat intelligence, and malware reverse engineering teams for the past decade or so, and quite a number of those malware authors are cheat authors, or aimbot authors, basically, in the old days. So, it's not uncommon. In fact, I'm going to raise a question myself: why do you think it could be described as a fertile ground for that kind of approach? Is it because it's low risk?

A: Yeah, it's not illegal. Well, in Western cultures, it's not illegal, really. It's a place where, you know, hackers and very smart people can hack stuff and do exploit development with no repercussions. You know, it's perfectly legal for them to hack video games. There's no... I mean, apart from China, it's illegal there, which is odd, actually, because in China there's a huge population of, you know, game hackers. But yeah, there's no repercussion for it. It's perfectly legal to do. It's unethical, sure. Now, it's considered that way. But it's perfectly okay for them to do.

Host: And we've got probably one more at the back after this.

Q: Hello. Do you have any experience with game hacking and bug bounty? You talked about the cheater to threat actor pipeline. Do you think bug bounty will have much of an impact on that?

A: So, me personally, no real experience with bug bounties. I've reported vulnerabilities, just not for any reward or anything, just things I found out of my own curiosity. So, I can't really comment on that personally. Yeah, sorry.

Host: I think we had one more over here, didn't we? I see the hand there.

Q: Unrelated, but how do you feel about the GTA 6 trailer?

A: The trailer looks nice. It's not releasing for another year, and then Rockstar probably won't release it on PC for another two, so I'm not going to be playing it for a long time either way.

Host: Okay, one more.

Q: Why did you stop?

A: Well, I kind of briefly went over it in the pipeline there, you know, interest diversifies. My interest diversified, to put it succinctly.

Host: Thank you very much again.

A: Thank you. Thanks.