Some further details from an article released after this video was uploaded (I also joined PirateSoftware's stream to discuss this, VOD available soon): techcrunch.com/2024/03/20/apex-legends-hacker-said-he-hacked-tournament-games-for-fun/ - Destroyer2009 claiming responsibility for the incident - Not sharing further details on "how" until everything is patched - Claimed they did it just for the lolz, but has nothing to do with the server and did not go outside the Apex process - Didn't do vulnerability disclosure process because there is no bug bounty/vulnerability disclosure program 🤪

Damn you know it’s real when John Hammond gets involved in this

I agree with John H. opinion and Thor's. I can't wait to see the security report for this incident.

Seeing you and Thor aka Pirate Software talk about this as an apex fan that was watching this tournament live is great to see

Something similar happened in Battlefield and Call of Duty (when it wasn't owned by Blizzard). Hackers were messing with OFFICIAL servers where players were joining from legal client. They could do literally everything for example "turn off gravity in entire lobby", "level up all players and weapons to max level", "unlock literally everything possible in the game for everyone in the lobby", "make ammo unlimited" etc and everyone who even accidently joined this lobby (you can't pick lobby yourself in CoD, game do it for you) was getting banned at later time (I was one of them, I still have VAC ban on steam because of this).

Really enjoy these kind of videos where gaming and cybersecurity collide. Would love to see more of these videos breaking down things like game hacks 🔥

Thank you for all your insigbt into the field. Yourr professional experience and field impressions are always greatly appreciated, Sir. I clicked immediately! Great and much needed to know info! I like the format and pacing 👍🏽 keep fighting the good fight

Well, Source based games that Respawn have developed in the past haven't been really well known for their security in the back end. Like it drove a few players to develop their own fully disconnected from Respawn multiplayer instance for Titanfall 2, where each induvidual could host their own servers because there was supposedly some vulnerability in the back end that dealt with the hosting of official servers. Sure they came along and fixed it but that took them over a year and probably the help of some graduate that asked to do it as a passion project on the side of other work. Hopefully the issue is discovered and the information can be dispersed out into the wider gaming community in the coming days or weeks.

Made some excellent points, Waiting to see how this all plays out. Kinda excited to hear more…from all vendors and analysts

Pirate Software actually went through some steps in a live stream yesterday showing exactly what you're taking about here, Mr. Hammond.

A while back Secret Club claimed that one of their members discovered an RCE affecting ALL Source Engine games triggered by invites which they disclosed to Valve a few years back, but have been prevented from releasing a write-up on it as it is still yet to be patched. There also exists a video demo of the exploit in action, but no detailed information besides.

I'll be damned, nice collab with Pirate Software IMMEDIATELY after this upload! 😂

1:50 how can you NOT link to this moment in descriptions... I never ever seen you this perplexed!!!

Nice video but I'm a little bit confused; you mention this could be directX hooking/hijacking and then say that's not code execution? To me, the fact that you're creating your own directX object from within the game process means you're running your own code. There's nothing preventing you from popping calc.exe instead of an in game window at this point. Am I missing something?

I would love to see a John Hammond and Thor colab video!

I really like you theory on a vulnerability in the game API. It seems very realistic that the hacker found a way to manipulate api requests and control the server; just by joining the game and modifying their client's requests.

What keyboard are you using looks amazing

Looks like I've been living under a rock

Half-expecting this to become a more common occurrence. Once something like this happens once, in this day and age, you can expect it to happen over and over again, especially on older games.

btw, Thor figured out that the IP is just from a scanner, but he is a bit concerned that it could actually reach their computer, since it shouldn't be able to do that by default, so maybe some messed up port forwarding, or maybe some remnants the hacker didn't clean up.

As someone who has been in IT and gaming for a lot of years i wont out of hand dismiss the possibility of an RCE, some of the anti cheat software that comes with these games hooks into the system deep enough to be a real concern.. but that said there are only a few big ones out there, and a 0-day RCE in one big enough to be used in a large game like apex would be worth a metric sh*t tonne. to burn it on trolling some streamer on a game even if it was at the professional level, i cant see that happening. The supporting redistributable that was mentioned by your co-worker is also part of a massive number of games, so i would consider that being the 0-day or attack vector unlikely for the same reasons as above. The streamers themselves being infected with a RAT is far more likely, when you take into account that a lot of the more modern RAT's are capable of silently installing and running anything you want, my money would be on this vector not anything to do with the game, it's engine, supporting redistributables or anti-cheat

Primeagen + Thor + John i sense a great crossover incoming

I think it just came out last night that Thor found a rented server that was connected to ImperialHals PC. The thread begins to unravel.

Something to note, the cheat gui looking like it’s part of the game actually makes it more likely there either an rce or someone put a backdoor on their system, often for internal cheats (cheats that involve force loading a DLL into the process which either contains the cheat code or communicates with a corresponding driver to run the cheats) often will use whatever drawing apis are already used by the target, making it very common for the gui to be ingrained in the game (and makes it easier for the gui to have similar visuals to the game)

As a crossover between gaming, coding and cyber security, I'd like to put a game called "BitBurner" on your radar. I'd be super interested in hearing your opinion on it as a way to learn the basics of coding and security.

11:06 I am dying to see that collab

I hope to see a discussion between Piratesoftware and John on this subject among others that'd be amazing!!

You know the thing is getting real when Mr. Hammond speaks about it ❤ You, Thor, David Bombal and NetworkChuck should do a podcast about this one 😉 When this whole thing began to go viral most of the people started to abuse the word " RCE ", which kinda makes no sense since we have no official or correct info regarding to what kind of attack was it. Since the game engine is being an old one and being heavily patched; there might be a exploit with the client ( not offensively to EA..yk ). And when I saw the threat actor who claims to be " Destroyer2009 ", procceds to create a whole bot lobby using somewhat method ( I'm not a developer so I don't know about server or client side process that was behind this ) which began to follow a squad of 3 players ( ImperialHal and two more ) and in the end getting them eliminated, I thought " man, this guy got some real sh*t " 😅 So this seems this dude somehow has the ability to perform " Server-sided-actions " Assuming the server doesn't accept every command that the client sends, there'e been a server side error behind above action. And of course as Thor found out in Hal's PC, if there was access to the pc, this pc is most likely to be compromised using a server sided data strem ( like a reverse shell thing ) since this dude has no direct access to Hal's pc. There are lot of problems going around so as Thor and You said, we have to know more before concluding any statements. " The more you know, the better you become 😊 "

The more interesting question is how does EAC behave if the game itself is compromised

Wasnt that destory guy a well known titan 2 hacker? I swear he was doing this same shit there as well...

Those are the built in cheats shipped with the game. The interface is enabled if you sign contact with EA.

I wonder if their systems had something in particular. How come it didn't happen more?

Email security add . . . That's a new one 😂

keep us updated brother !

I just want to know what shirt that is and where to get one

Damn, as a security practitioner and forensic analyst i wish i had a chance to investigate the compromised clients :( My speculation is that they might have been compromised ahead of time via a different vector, and then the attacker used said compromise to showcase their tools capabilities. Yet i'm fairly sceptical that the game client could be abused to achieve RCE. unless that capability is coded in the client itself, but I mean.. come on? really? There's no way someone would code a game client in such a way that a backend service infrastructure could issue the execution of arbitrary code. And exploiting an RCE bug (memory corruption) in the game client by maintaining stability and preventing it from crashing? meh.. I know there are infinitely skilled hackers out there, but this would look REEEEALLY HARD.

maybe a tor collab that tor customises the browser with common stuff that you use

"in this industry there are no experts, just specialists"

I remember that once i was playing cod bo2 on ps3 and a hacker just gave everyone at the lobby a cheat menu

I remember that name destroyer... i got hacked by one with that name in Diablo 2 back when I as riding the top of the ladder in 2008-2010. I wonder if they are the same destroyer

Reminds me of the PS Network vulnerability that was discovered not long ago. No wonder those get the highest bounties (surprised they were actually paid) considering you figure that out, their entire network is toast. Remember when the PS servers went down for a week or so? Fun times.

Wow you have gotten 300,000 views in a few months, awesome :)

It’s funny the cheat menu said “vote Putin”. It could be that other players were effected but stayed quiet

I am a player of Apex Legends and I personally think it isnt a RCE exactly as RCE vulnerability exploit will affect the server side! Not selected players. But on the same time I also think it can be a successful phishing attack on the employees of respawn or It can be a vendetta against respawn as they recently laid off bunch of employees who have been working on the game since Day 1. I am open for a security perspective discussion on this! If anyone has any other things to add or modify please reply!

Thanks John for the information. It's possible to test the Apex video-game client in services like "Triage" and "App Any Run" ? Thanks!

I think some kids (from 2009 in name) put malware on the computers before the tournament started

I think it's insane to hold an event of that size with such a large cash prize online.

The fact that he can spawn bots in the servers at will is very concerning.....If he figured out how to do that to all the servers...he could make the game unplayable by constantly filling all the servers with bots so no human players can get in.

It's rather surprising that there hasn't been a Thor/Hammond collab yet. Would definitely like to see that 😃

Perhaps the two users already had software on their system that would allow said access?

thinking: 1) it's an audition for employment? 2) they had at least some monual process to it and only had the manpower to do the two?

How embarrassing for Respawn.

Is there any published documentation on the alleged Source Engine vulnerability?

There have been bugs in Titanfall 2 (the game the apex engine is based on) that allow anyone to inject scripts in the games scripting language (Squirrel) into other clients connected to the same server. This is a form of RCE but it might not allow Arbitrary Code Execution. Seems likely this is a similar situation given the Titanfall bug happened multiple times.

I believe Imperial Hal has chat disabled. Destroyer2009 purportedly said they "just did it for fun" and wanted EA/Respawn to fix the exploit.

Could it be a schudled task as the time of tournament was known?!

I got infected by another online multiplayer fps game that I used to play, it was open source, the dev basically gave the hackers a free for all, they did a lot of damage and were involved in cp/voyurism/identity fraud/stalking/harassment and more.... people are disgusting...

This was inevitable.

"This whole scene is just to big." You're an expert bro. The meaning is just less than people give it credit for. If you have expert experience in the industry, you're an expert in some way shape and form. My 2 cents: this wouldn't be the dumbest thing a 16 year old ever blew an RCE on. I do have to agree with your assessment in most other respects though. Also... why malwarebytes and no real IR? a pretty halfbaked velociraptor dump would be better. edit: Also games are just programs that are like a fungus with root systems touching tons of things on the internet with capability to send phishing or other malware loaded cheats or a ton of other tricks to get people to do things they shouldn't for threat actors of all kinds. Between tricking people into running stupid mods, to actual in game exploits, it's a massive attack surface and while those attacks aren't likely they can and will happen. Just my 2 cents after a bit more thinking.

As a cyber security student myself, , I'm just curious: if one TA took advantage of this zero-day vulnerability only for publicuty/awareness, what stops other TAs from taking advantage of and going after regular public users? Who knows what else this zero-day potential might be.

want a colab with Pirate Software!

John Hammond bro your the best for ever thanks for all videos & information security

I think a lot of it is Squirrel script execution. It's been around since Apex came out, and was present in past Respawn games. There was a huge vulnerability in TF2 where you could literally bind server commands to a key and execute them, and the server wouldn't do any checks and just do whatever you told it. Respawn tries to keep up and patch the methods, but people are usually able to find ways around it. But everything destroyer has annoyed streamers with has been around forever. It's documented and actually insane how badly the servers can be manipulated. But the only thing I've never seen is how destroyer was able to give them cheats if he claims to have never gone outside the Apex process. It's probably an internal cheat since the menu seemed to have been drawn in-game. But I would've thought you needed to have a RAT that could drop a DLL and inject it. So I'm very curious to see how that was done. Aimbot doesn't seem impossible, but silent aim is something else, and also the ESP that Gen had. Whatever the case, I wonder how it'll be handled and fixed. I've seen some people on forums suggest it's not a difficult fix, while others say Respawn should just rewrite all the server code. We'll see.

What are your thoughts regarding League of Legends and Riot Vanguard being another Kernel-level anti cheat software? From the little research I've done so far, it seems like there's quite a bit of room for security problems. Some other games like Fortnite and Halo: MCC have kernel-level anti cheats, what makes Vanguard different? I'll continue looking into this but what's your take, and what are some resources I could help inform myself and friends. Thanks!

Are you saying thats just a theory... a "GAME THEORY" :O

Wouldn’t Hal need port forwarding enabled on his router to allow connections inbound on port 135? I don’t for one second think RPC was exploited. I would understand an outbound connection (reverse shell) but not some inbound connection in a well known port (hoping port forwarding was enabled). Inbound RPC hack sounds so unlikely. Why would an attacker burn a million dollar exploit on RPC to hack a pro gamer? Not likely.

Same take as me, glad I'm not crazy!

The hacker involved has been hacking pro's for a bit from what I understand, the pro's computer's were hacked not the game, I'd lay money.

Unless this was a test run for a larger attack.

Thor sends goblins

This guy says he's not a gamer as if he isn't a retired Meta Knight legend

Ironically I think this is one occasion people are right to blow it out of proportion, sure it's likely something less intimidating that is being portrayed but good on the people who actually avoided Apex for safety reasons - or any negative reason, legitimately some players are potentially addicted.

Coming from the counterstrike 1.5/6 days where you could push scripts and compromise users who connect to a game server. Nothing is really impossible these days. Some European servers created their own banning system that wiped the users system 32. 😂

They probably had it installed already!!! Some one just used a backdoor to get it activated in my opinion!!

I know how its done, but not gonna give it away for free to EA. That's smartest response a hacker can give. They dont even do bounty rewards

I beleave that they accidently turned on hacks UI and started shouting that they have been hacked :D

Congrats John your live with Thor rn!!!

Thor and Hammond next video? 😬

He spared no expense

Talk about Ivanti VPN hack. 😊

Great video

He should have a job at Hammond robotics

I wish the bot hackers for Team Fortress 2 got this much coverage... Then maybe something would be done about them after the 3+ years they been plaguing casual servers.

The guy that was like "I'm getting hacked, I'm getting hacked"... Then carried on playing. He should get a temp ban for that imo. Knew he was cheating, but kept playing.

I reckon this is my dad up to his mischievous adventures

the only way that's possible is if those streamers have a common enemy that is open to pay a lot of money for a 0day RCE to achieve this and hurt the reputation of the streamers. that's really unlikely but this is what's comming to my mind.

Just started playing this game on pc

you should stream live ctfs like before. Used to enjoy them a lot.

More likely to drum up biz, and second if they bet a large amount of money on the game and they wanted to disqualify these people. It's almost always about money.

They could have bet money on the matches and hacked to insure that they won thier bets

lmao, using a remote execution to inject an aimbot. That has to be the biggest troll someone did.

It better to wait but those just idea but good to be creative.

How to make TeddyEAC tweet after more than a year 😂

I wouldn’t say his machine got hack…

I stopped playing Apex because a bullet hit registration so knowing that they was hacked confirms there is no point to play this game anymore.

An apex hacker just responded

I want that shirt.. Where??

Tbh in this case even if the pros will get unbanned they would have been unbanned very soon. Nothing really bad happened. So chapeau to the hackers, something like that isn't easy and depending on what it was could have been used much more malicious.

Your last name the one your most commonly known by is literally on the map in the game Apex legends...

The fact that a colleague of yours is working on a bug like this tells me, there exists a likely RCE in the `Source` engine. It might not have been used here.