
Hacker Gained Access to 2K Games Helpdesk System, Used Customer Service Tickets To Send Malware Links to Players

Some 2K Games customers may have received malware links from the company’s helpdesk system, after a hacker was able to breach the platform on September 19.

2K Games is best known for its sports titles affiliated with professional leagues such as the NBA, PGA and WWE, and for the popular online multiplayer game Borderlands. Players with 2K Accounts, which are used for the online component of these games, may have received unexpected messages from the helpdesk system in the past week claiming to be a response to a support request. The messages look authentic, but conclude with a link to the RedLine malware.

Hacker used 2K Games system to distribute credential-stealing malware

2K has yet to release much information about the breach, so it is unknown how many of its customers received the malicious messages. The hacker may have been targeting users that had open support tickets, but posts from 2K customers across Reddit and Twitter indicate that the hacker was likely sending messages out indiscriminately.

The malicious messages look similar to a standard automated reply from the helpdesk system at a glance, and they share some common features. All of the messages come from a 2K Support agent called “Prince K.”, and they conclude with a link to a fake “2K Launcher” file that appears to be hosted on a 2K Games Zendesk site. The “2ksupport.zendesk.com” site that it links to is a creation of the hacker, however, and users who download and run the supposed launcher will instead be infected with RedLine malware.

The malware file is a 107MB executable called “2K Launcher.exe” and is listed as “5K Player” in its Windows file description. RedLine Stealer is a widely used information stealer that rifles through stored authentication material such as browser cookies and saved passwords in search of credentials, and it also exfiltrates other sensitive items that may contain personal information, such as browser history.
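The two indicators the article describes (a support reply that links to a lookalike Zendesk host and offers an executable, and an executable whose file name does not match its embedded description) can be turned into simple triage checks for a helpdesk mail or ticket export. The following is an added example and is not code from the article, from 2K Games or from Malwarebytes. The allowlisted support domains and the sample tickets are constructed placeholders; the agent name and the `2ksupport.zendesk.com` host are the indicators the article reports.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed placeholders: hosts that legitimate support replies are expected
# to link to. A real deployment would use the organisation's own list.
ALLOWED_LINK_DOMAINS = {"support.vendor.example", "vendor.example"}

# Indicators reported in the article: the agent name used on the malicious
# tickets and the lookalike Zendesk host the download link pointed to.
KNOWN_BAD_AGENTS = {"prince k."}
KNOWN_BAD_HOSTS = {"2ksupport.zendesk.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Finding:
    ticket_id: str
    reasons: list


def link_hosts(body):
    """Return the lowercased hostnames of every URL found in a ticket body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def triage_ticket(ticket):
    """Return a Finding for a suspicious ticket, or None if nothing matched."""
    reasons = []
    if ticket["agent"].strip().lower() in KNOWN_BAD_AGENTS:
        reasons.append(f"agent name matches known-bad indicator: {ticket['agent']}")
    for host in link_hosts(ticket["body"]):
        if host in KNOWN_BAD_HOSTS:
            reasons.append(f"link to known-bad host: {host}")
        elif host not in ALLOWED_LINK_DOMAINS:
            reasons.append(f"link to host outside allowlist: {host}")
    # A support reply that hands out an executable is worth a look on its own.
    if re.search(r"\.exe\b", ticket["body"], re.IGNORECASE):
        reasons.append("reply offers an .exe download")
    return Finding(ticket["id"], reasons) if reasons else None


def triage(tickets):
    return [f for f in map(triage_ticket, tickets) if f is not None]


def file_metadata_mismatch(file_name, file_description):
    """True when the file name and the embedded description share no word,
    as with "2K Launcher.exe" described as "5K Player" in the article."""
    stem = re.sub(r"\.exe$", "", file_name, flags=re.IGNORECASE).lower()
    name_words = set(re.findall(r"[a-z0-9]+", stem))
    desc_words = set(re.findall(r"[a-z0-9]+", file_description.lower()))
    return not (name_words & desc_words)


# Constructed sample tickets; only the first mirrors the pattern from the article.
SAMPLE_TICKETS = [
    {"id": "T-1001", "agent": "Prince K.",
     "body": "Thanks for contacting support. Please install the launcher: "
             "https://2ksupport.zendesk.com/files/2K%20Launcher.exe"},
    {"id": "T-1002", "agent": "Support Team",
     "body": "Your ticket has been updated. See "
             "https://support.vendor.example/hc/articles/123 for details."},
    {"id": "T-1003", "agent": "Support Team",
     "body": "Please download the patch from https://cdn.other.example/patch.exe"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_TICKETS):
        print(finding.ticket_id)
        for reason in finding.reasons:
            print("  -", reason)
    print("name/description mismatch:",
          file_metadata_mismatch("2K Launcher.exe", "5K Player"))
```

The allowlist check is the durable part: the agent name and the lookalike host are indicators specific to this incident, while a support reply linking outside the organisation's own domains is a pattern that would have caught this campaign before those indicators were published.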

Helpdesk system temporarily offline; similarities noted with recent attacks on tech and entertainment companies

The 2K helpdesk system was taken offline for some time as the incident was investigated. A tweet from September 24 indicates that the system is once again working.

2K Games and Rockstar are both subsidiaries of Take-Two Interactive, but there is not yet any firm indication that the helpdesk system hack has a connection to the recent breach of Rockstar’s internal Slack channel. That hack caused a good deal of in-game development footage of the hotly anticipated Grand Theft Auto 6 to be leaked to the public, and the hacker claimed that they had stolen source code as well. There is still no official word on the breach perpetrator from Rockstar, but some security analysts are pointing the finger at Lapsus$, a team comprised largely of teenagers that has been on a hacking spree since 2021 and has breached quite a few major tech companies.

Malwarebytes, which provides a widely used anti-malware program, says that users of its “Premium” active scanning service were protected from the helpdesk system attack because the command-and-control server the malware contacted was already on its blocklist; it may have been known to other antivirus and anti-malware companies as well.

Video game platforms have been of increasing interest to hackers, for a variety of reasons, and the targets are not necessarily individual gamers. For example, North Korea’s state-backed Lazarus hacking group recently pulled off a record-setting heist involving the pioneering NFT game Axie Infinity. In that case the game provided a unique opening into the Ronin bridge network used to pass cryptocurrency, which is what the hackers were really after. Over the pandemic period hackers also showed an increased interest in the C-suite executives of gaming companies; this is due to a combination of a perception of lax security at these firms, remote work being common, and the possibility of leveraging gamer accounts as a means of initial access.

As the recent Rockstar attack also demonstrates, hackers are interested in the protected source code of games, which can be auctioned for potentially millions of dollars on the dark web. Buyers are interested in code even for games that have already been released, looking to use it to create “cracks” that bypass digital rights management protections and sell bootleg copies. This scenario happened to developer CD Projekt SA in early 2021 when the source code to their hit title “The Witcher 3” and the then-forthcoming Cyberpunk 2077 was stolen and reportedly sold at a dark web auction for $7 million to an unknown buyer. EA also saw the code for its FIFA 21 game stolen, and it was also reportedly put up for auction on the dark web.

Surja Chatterjea, Head of Product and Alliances at Skybox Security, elaborates on this increasing risk to video game companies: “Earlier this year, Skybox Research Lab found that cryptojacking and ransomware programs increased by 75% and 42%, respectively. Video gaming platforms have now become the target of threat actors, as the widely popular 2K Games and Rockstar Games have both suffered breaches this week. The 2K attack was a result of threat actors utilizing RedLine Stealer malware to gain access to a wide range of sensitive data, such as browser history and credentials.”

“To stay ahead of cybercriminals, companies must address vulnerability exposure risks before threat actors can exploit them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. Organizations should also ensure they have solutions capable of quantifying the business impact of cyber risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation,” noted Chatterjea.