2K Games Support compromised to spread malware.
Sep 22, 2022

Spoofed support communications that misrepresented themselves as coming from 2K Games' support desk were found to be spreading the RedLine Stealer.

A second Take-Two Interactive brand, 2K Games, has sustained a compromise. Family-friendly 2K's edgier corporate sister Rockstar Games had seen an intrusion (possibly by the Lapsus$ Group) that compromised some games under development. 2K's compromise was in some respects more serious in that it represents a threat to users and not simply a disclosure of intellectual property.

2K Support tweeted a warning yesterday that explains what it's determined about the incident. "Earlier today we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers. The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account." The communication goes on to recommend a range of best practices any affected users might follow to minimize the damage.

Attackers were distributing an infostealer.

The goal of the compromise was distribution of an infostealer. Techradar reports, "The attackers would first open up a fake support ticket, and soon after, reply to it. In the reply message, they’d share a file named “2K Launcher.zip”, inviting the players to run it on their endpoints. The file turned out to be RedLine Stealer, a known infostealer that’s capable of, among other things, grabbing passwords stored in the browser, stealing banking data, as well as cryptocurrency wallets. Furthermore, RedLine can grab VPN credentials, web browser history, and cookies."

There's no firm attribution of this second attack on a Take-Two brand, but BleepingComputer speculates on the basis of victimology and the method of approach that this attack, too, is the work of the Lapsus$ Group.

Industry reaction and advice. 

Surja Chatterjea, Head, Product and Alliances at Skybox Security.

“Earlier this year, Skybox Research lab found that cryptojacking and ransomware programs increased by 75% and 42%, respectively. Video gaming platforms have now become the target of threat actors, as the widely popular 2K Games and Rockstar Games have both suffered breaches this week. The 2K attack was a result of threat actors utilizing RedLine Stealer malware to gain access to a wide range of sensitive data, such as browser history and credentials.

"This highly sophisticated yet low-cost infostealer is notorious in the Malware as a Service economy for its widespread impact. Earlier in the year, there were reports of RedLine Stealer being installed on computers of unsuspecting victims via an Internet Explorer vulnerability on outdated browsers.

"To stay ahead of cybercriminals, companies must address vulnerability exposure risks before threat actors can exploit them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. 

"Organizations should also ensure they have solutions capable of quantifying the business impact of cyber risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation.”