New security prompts are intended to prevent malicious updates.
Valve implements additional security measures for Steam.
Valve will require additional security measures for game developers on Steam in an attempt to prevent compromised developer accounts from being used to push malicious updates, BleepingComputer reports. On October 24th, Valve will begin enforcing SMS-based security prompts for new updates to games’ default release branches. BleepingComputer notes that the move follows a spike in the use of compromised Steamworks accounts to distribute malware over the past few months.
New security measures might be insufficient to protect developer accounts.
Thomas Uhlemann, ESET security specialist, thinks any increase in security is to be welcomed, but also doubts that these new measures will be sufficient:
“While we welcome any increase in security measures, we doubt that this move will improve the security of developers and users alike considerably. To mitigate the issue of developer accounts being taken over or even worse - their equipment - other, proven tactics have to be applied.
“Firstly, for developers, we recommend applying non-SMS-based MFA to protect all of their accounts as with authenticator apps as a bare minimum, in addition to strong passphrases. Then, of course, the equipment used for development needs to be protected by strong security software as well to avoid information-stealing malware taking over the whole identity of a developer.
“For Steam/Valve, we would suggest introducing a certificate-based, strong MFA solution (as they could employ their own Steam Guard app) to maximize the security posture of their ecosystem as a whole. We must not forget that users trust the platform, believing they take care of the security of the individual developers.”
(Added, 1:45 PM ET, October 18th, 2023.) Ken Westin, Field CISO at Panther Labs, has seen a tendency for attackers to look for victims' source code. "This reflects a trend Panther has been seeing over the past few years as adversaries shift the focus of their attacks to developers who often have access to the crown jewels of tech companies — their source code," Westin wrote in emailed comments. "When attackers gain access to code repositories, DevOps tools, and cloud infrastructure it can be quite lucrative as they can not only steal code and deploy malware, but also inject malicious code to infect customers downstream. This trend is increasingly being utilized by not only criminal groups, but also nation-state actors as we have seen with the Lazarus Group out of North Korea. Organizations need to take additional measures to not only secure developers themselves, but also the environments they interact with on a daily basis -- those with privileged access are particularly vulnerable."