Apex Legends streamers surprised to find aimbot and other hacks added to their PCs in the middle of major competition via anti-cheat software ( www.pcgamer.com )

Wow it finally happened. So glad I switched to steam running on linux mint last week. I refused to install helldivers because it wanted to install some no holds barred god level permissions anti-cheat software. Windows 11 was the last straw for me. Good times..

The volunteers at the Anti-Cheat Police Department have since issued a PSA announcing, "There is currently an RCE exploit being abused in [Apex Legends]" and that it could be delivered via from the game itself, or its anti-cheat protection. "I would advise against playing any games protected by EAC or any EA titles", they went on to say.

As for players of the tournament, they strongly recommended taking protective measures. "It is advisable that you change your Discord passwords and ensure that your emails are secure. also enable MFA for all your accounts if you have not done it yet", they said, "perform a clean OS reinstall as soon as possible. Do not take any chances with your personal information, your PC may have been exposed to a rootkit or other malicious software that could cause further damage."

unreasonabro , (edited )

Apparently the "easy" in EAC means easy like when you call a woman easy...

ShepherdPie ,

It ain't easy being sleazy.

Mango ,

Hahahaha fuck them enabling customers.

merthyr1831 ,

The missing context here (not your fault, i think people reporting this are being misleading) is that they were using their personal systems in this tournament. That means whatever dodgy software they've installed can't be monitored in a controlled environment, and claims of it being EAC's fault is unfounded.

A proper tournament would have controlled hardware and software, even if playing remotely at a professional level. You can't guarantee these systems haven't been tampered with, even if the players insist on proper security measures.

veniasilente ,

So, lemme get this straight: allowing remote parties to install malware (DRM) on your system results in allowing remote parties to install malware on your system? Wow, who could have known! Certainly not the distributors of the step-one malware, am I right?

I'm certain there's a couple of lessons to be learned here (install and run games as normal, non-elevated users, people! It's easy to do on Linux) but I'm also somehow certain Big Corpos are going to stick their heads into the sand regarding such lessons.

Oh well, the pirate way it is.

tapo ,
  • This isn't DRM, but an anti-cheat
  • The game is free, there's nothing to oirste
  • The developer has announced that it's not the anticheat's fault after all, but a remote execution vulnerability in the game itself
TheDarksteel94 ,

There's a super interesting video by PirateSoftware on YouTube about this too.

Blackmist ,

Sounds fanciful.

EAC doesn't open up ports into your network as far as I'm aware.

Pretty much the only way to do RCE in games with no direct P2P connection is to send malformed data to the server, and then it sends that to the other clients, relying on things not being checked in two places. We've seen this a few times, in Dark Souls series and GTA Online.

I can't see for the life of me how EAC would cause that.

RememberTheApollo_ ,

So what's going on? These players all had cheats loaded and this is the excuse they came up with when it was detected on their systems? Cheats are pretty rampant, but they've mostly shifted to people using external hardware like XIM or Chronos to bypass cheat detection and abuse the Aim Assist function. It's blatantly obvious in competitive games, especially first-person shooters. Ah well, get gud kid. Learn how to aim.

Blackmist ,

Considering it's two high profile players, I'd say the most likely is that they were tricked into downloading something, or some other software they were using had an exploit (I've had one from a browser plugin before now). There's a video elsewhere in this thread of one of them downloading Malwarebytes for something, so maybe they didn't manage to get rid of whatever it was.

Other option is an exploit on the server. Maybe there's some way of sending malformed data to a player you're not currently in a game with to exploit an RCE. It's not completely impossible, but I figure we'd see it a lot more if that was the case.

I'd put money on option 1 though.

Buddahriffic ,

In another thread for this, someone posted links to streams of the players when it happens. They immediately notice and adjust their playstyle to avoid the cheat (one guy with wall hack leaves the game, another guy with aim bot stops shooting anything). It wasn't a case of "game detects cheating and player tries to explain after the fact", but "cheat suddenly and obviously enabled, player announces it immediately in voice chat and team advises to leave".

BURN ,

It’s very likely not EAC that’s the problem. Best guess is the hacker has some kind of server side access, be it allowing unsigned/unauthorized operations to be executed from a client or having access to the servers themselves via rce

520 , (edited )

EAC doesn’t open up ports into your network as far as I’m aware.

No but the game code does. And that game code also interacts with EAC. You can argue it's a bug in Apex Legends, and it would be that too, but the fact is that EAC shouldn't be executing arbitrary commands based on what the game code has given it, so if that possibility exists in EAC, it is still an RCE in Apex Legends and a kernel privilege escalation flaw in EAC.

anarchy79 ,
@anarchy79@lemmy.world avatar

[Thread, post or comment was deleted by the moderator]

    •
    jinwk00 ,

    Iirc Apex Legends and Denuvo are never correlated (unless they added Denuvo AC at some point)

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    jinwk00 ,

    I didn't downvote that

    sp6 ,

    The clips of the hacks being installed/activated are pretty crazy:

    Note that the title has been edited: we do NOT know if this was EAC yet. The article says it "may have been." EAC has claimed it wasn't them (but of course they're going to claim that). Instead, it could have been Apex's source engine. Or, it could have been two individually compromised machines from software completely unrelated to Apex; remember, these are two high-profile targets, after all. We just have to wait and see what the real cause was. Regardless, I wouldn't play Apex for at least the next day or two, just to be safe.

    isles ,

    I'm not in the community at all, but I have to respect how these players reacted to getting hacked. I'm sure it was devastating to have their tournament run ruined in that way.

    BmeBenji ,

    I imagine their surprise came across kind of like this

    “what is this? I bought a xbox card! what is this? i don’t even know what that is!”

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    Wooof I can feel his body temperature rising by about 150 degrees in two seconds right there when he realizes he forgot he ordered that when he was very very blazed.

    tal ,
    @tal@lemmy.today avatar

    So glad I switched to steam running on linux mint last week.

    Doesn't EAC work on Linux?

    googles

    It sounds like it has for two years:

    https://www.forbes.com/sites/jasonevangelho/2022/03/01/apex-legends-now-works-on-linux-with-official-eac-support/

    ‘Apex Legends’ Now WORKS On Linux With Official EAC Support

    I mean, I use Linux myself. But I don't know if Linux is a fix for "game I use may have vulnerabilities".

    In theory, maybe Linux/Steam could isolate individual games (might be further along with Wayland than Windows is), but that's not how things work today. If you install software from Steam, it's got access to act as you, and if it has vulnerabilities that permit for remote compromise, then you'd be vulnerable as well.

    loutr ,
    @loutr@sh.itjust.works avatar

    Under linux EAC runs as your normal user, so it can't install system-wide malware but it can read/write your personal data. If you create a dedicated user for gaming you should be safe from this kind of stuff.

    merthyr1831 ,

    What about on Windows? I assumed it would work similarly on there too, even if Windows has a different privilege escalation system to Linux.

    xthexder ,
    @xthexder@l.sw0.com avatar

    On Windows, EAC runs at the kernel level and basically has full access to everything about your system. It only works on linux because newer linux kernels support emulating system calls in user-space (this might not be 100% accurate, but it's the general idea).

    Wes_Dev ,

    “I would advise against playing any games protected by EAC or any EA titles”, they went on to say.

    Easy. I specifically blocked all titles with the tags "EA" and "EA Play" on Steam. Never have to worry about it.

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    PraiseTheSoup ,

    Whhaaat they made good games at least until 1998. It was right around the time they switched from using the full Electronic Arts moniker to just "EA" that the quality really tanked.

    Silentiea ,
    @Silentiea@lemm.ee avatar

    They must pay the long price, I guess.

    noevidenz ,

    There is currently no evidence of an RCE exploit in EAC, and EAC themselves as well as their owner, Epic, have both denied the existence of an RCE in their software.

    There's a video from about a month ago in which ImperialHal and Genburten (on separate occasions) are in a match against the person named in the messages sent by the exploit on Genburten's machine.

    It's possible that they were in contact with the hacker after that point and that he tricked them into downloading something they shouldn't have.

    Otherwise, it's also possible that there is an exploit in Apex/Source that the hacker used. He may have been able to get their IP during the public match a month ago and then use it to target them during the competition.

    Beyond what was seen during the competition, the hacker was also able to gift thousands of Apex packs to several players (seemingly without paying for them) and was able to get 40+ "bot" players into a single match and to all target an individual player. He also claimed to be able to open crates on another player's account. These other exploits seem to indicate that he has elevated access to both the server and to multiple APIs, but none of them indicate elevated access to user machines in general.

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    In other news, Boeing swears their planes are perfectly safe, and any evidence to the contrary lies at the bottom of the ocean.

    merthyr1831 ,

    Cancel my comment about this being a possible 0day or whatever. They were playing this tournament on their personal systems, which makes it way easier for someone to accidentally download malicious software without players' consent.

    cybersandwich ,

    Is there any actual evidence that this was done via an EAC exploit?

    These could be two spear phished players with hacked PCs. (2 of the best and biggest audiences making them ideal targets). People have also mentioned r5 potentially being a culprit.

    If this was eac related or even a bigger client side hack (RCE), you'd think it'd be more wide spread.

    I wish the reporting on this was better all around. At this point I've seen no actual evidence of anything supporting RCE or that it was EAC to blame.

    FalseMyrmidon ,

    An EAC RCE 0-day would be worth a lot of money to nation states or organized crime.

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    cybersandwich ,

    [Thread, post or comment was deleted by the moderator]

    •
    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    catnip ,

    Shut up

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    noodlejetski , (edited )

    sadly it's been posted to Xitter, but I enjoy this 5 second clip of ImperialHal (one of the affected players):

    https://twitter.com/babyducksss/status/1769541847829913925

    yeah, totally not a compromised PC

    Thorny_Insight ,

    There's something deeply worrying about the fact that especially here on Lemmy people are so acutely aware of the audience they're speaking to that we need to preface our messages with "I'm really on your side on this issue BUT.." because we know how easy it is to say the wrong thing and then be mobbed for it.

    One shouldn't have to worry about any of that. Especially on anonymous internet forum. If someone comes at you for posting a twitter link then that's their issue, not yours.

    noodlejetski ,

    I mean, I despise Twitter myself and wish I didn't drive traffic to their website, but this clip is just too good not to share.

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    I get name resolution issue for twitter domain. I'd look into it, but I actually think this is an improvment.

    Syn_Attck ,

    By number of users, Lemmy is the worst forum for mobbing I've ever come across. You'd get similar mobbing on Reddit but there were 500x the number of users.

    I assume it's because a mass of people came here for a staunchly idealistic reason simply because it was the alternative to reddit.

    T156 ,

    Also that the people who don't care about that kind of thing wouldn't have bothered moving from Reddit in the first place, or be bothered enough to interact with the post.

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    Oh shit. Are we the Australia of the Internet?

    Or is this Plymouth Rock...

    anarchy79 , (edited )
    @anarchy79@lemmy.world avatar

    These words must be prefixed by long winded legal conditions to ever be used in any conversation on any topic ever:

    Woman.

    Trans.

    Gay.

    These words are HARAM, and can not be used unless you are one or more of them.

    Fucking social calvinism.

    Edit: like clockwork, here they come

    sp6 ,

    This clip is him installing Malwarebytes, after the hacking/cheating incident happened

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    anarchy79 ,
    @anarchy79@lemmy.world avatar

    [Thread, post or comment was deleted by the moderator]

    •
    merthyr1831 ,

    lmfao I thought these matches were being played in person with controlled hardware???? yeah they deffo just installed malware

    edit: yeah even if this is him installing malwarebytes, im sorry but you cannot guarantee these guys dont have compromised PCs just because they're streamers.

    NiPfi ,

    Is Helldiver's anti cheat that bad too? am I at least a little better off running the game through Proton on Linux or am I just providing a compatibility layer to a rootkit?

    fannymcslap ,

    Wait who TF is cheating in HD? It's pve?

    bjoern_tantau ,

    Some people might still want to be seen as the bestest Helldiver evar.

    n3m37h ,

    You would be surprised who will cheat.
    Watch Karl Jobst and some of the cheaters he has made vids on

    anarchy79 ,
    @anarchy79@lemmy.world avatar

    That guy's obsession with that King of Kong dude is pathological. Yeah, he is an asshole, but to keep whining about it for years just for clicks and ad revenue is grimy af.

    n3m37h ,

    And is fully deserving. Silly Bitchell is a pathological liar himself. Also his slapp suit was keeping this entire saga alive.

    Billy Schnitzel is the only one to blame

    wahming ,

    The latter

    InfiniWheel ,

    Doesn't the compatibility layer mean its restricted to its own wine prefix? Or am I misunderstanding?

    wahming ,

    In theory. However, wine was not designed as a security sandbox, and it might be possible (or even trivial) for something to intentionally break out of it. This gets more likely when considering the growing market share of linux.

    sp6 ,

    There isn't much sandboxing in Wine, but at least on linux, the AC is forced to run in userspace (instead of having root privileges). So it's not quite as invasive, but it still has access to everything your non-root account has access to. Which is still a lot. Probably not much better from a privacy perspective, but at least a little better from a security perspective.

    JDubbleu ,

    You could theoretically get around this issue by installing Steam via Flatpak so that everything is sandboxed though.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • technology@lemmy.world
  • test
  • worldmews
  • mews
  • All magazines
    •