Some further details from an article released after this video was uploaded (I also joined PirateSoftware's stream to discuss this, VOD available soon): techcrunch.com/2024/03/20/apex-legends-hacker-said-he-hacked-tournament-games-for-fun/ - Destroyer2009 claiming responsibility for the incident - Not sharing further details on "how" until everything is patched - Claimed they did it just for the lolz, but has nothing to do with the server and did not go outside the Apex process - Didn't do vulnerability disclosure process because there is no bug bounty/vulnerability disclosure program 🤪

Damn you know it’s real when John Hammond gets involved in this

I agree with John H. opinion and Thor's. I can't wait to see the security report for this incident.

Seeing you and Thor aka Pirate Software talk about this as an apex fan that was watching this tournament live is great to see

Really enjoy these kind of videos where gaming and cybersecurity collide. Would love to see more of these videos breaking down things like game hacks 🔥

Thank you for all your insigbt into the field. Yourr professional experience and field impressions are always greatly appreciated, Sir. I clicked immediately! Great and much needed to know info! I like the format and pacing 👍🏽 keep fighting the good fight

Something similar happened in Battlefield and Call of Duty (when it wasn't owned by Blizzard). Hackers were messing with OFFICIAL servers where players were joining from legal client. They could do literally everything for example "turn off gravity in entire lobby", "level up all players and weapons to max level", "unlock literally everything possible in the game for everyone in the lobby", "make ammo unlimited" etc and everyone who even accidently joined this lobby (you can't pick lobby yourself in CoD, game do it for you) was getting banned at later time (I was one of them, I still have VAC ban on steam because of this).

Made some excellent points, Waiting to see how this all plays out. Kinda excited to hear more…from all vendors and analysts

Pirate Software actually went through some steps in a live stream yesterday showing exactly what you're taking about here, Mr. Hammond.

I'll be damned, nice collab with Pirate Software IMMEDIATELY after this upload! 😂

A while back Secret Club claimed that one of their members discovered an RCE affecting ALL Source Engine games triggered by invites which they disclosed to Valve a few years back, but have been prevented from releasing a write-up on it as it is still yet to be patched. There also exists a video demo of the exploit in action, but no detailed information besides.

Well, Source based games that Respawn have developed in the past haven't been really well known for their security in the back end. Like it drove a few players to develop their own fully disconnected from Respawn multiplayer instance for Titanfall 2, where each induvidual could host their own servers because there was supposedly some vulnerability in the back end that dealt with the hosting of official servers. Sure they came along and fixed it but that took them over a year and probably the help of some graduate that asked to do it as a passion project on the side of other work. Hopefully the issue is discovered and the information can be dispersed out into the wider gaming community in the coming days or weeks.

1:50 how can you NOT link to this moment in descriptions... I never ever seen you this perplexed!!!

I really like you theory on a vulnerability in the game API. It seems very realistic that the hacker found a way to manipulate api requests and control the server; just by joining the game and modifying their client's requests.

I would love to see a John Hammond and Thor colab video!

Half-expecting this to become a more common occurrence. Once something like this happens once, in this day and age, you can expect it to happen over and over again, especially on older games.

Primeagen + Thor + John i sense a great crossover incoming

btw, Thor figured out that the IP is just from a scanner, but he is a bit concerned that it could actually reach their computer, since it shouldn't be able to do that by default, so maybe some messed up port forwarding, or maybe some remnants the hacker didn't clean up.

What keyboard are you using looks amazing

I hope to see a discussion between Piratesoftware and John on this subject among others that'd be amazing!!

It's rather surprising that there hasn't been a Thor/Hammond collab yet. Would definitely like to see that 😃

Nice video but I'm a little bit confused; you mention this could be directX hooking/hijacking and then say that's not code execution? To me, the fact that you're creating your own directX object from within the game process means you're running your own code. There's nothing preventing you from popping calc.exe instead of an in game window at this point. Am I missing something?

11:06 I am dying to see that collab

Something to note, the cheat gui looking like it’s part of the game actually makes it more likely there either an rce or someone put a backdoor on their system, often for internal cheats (cheats that involve force loading a DLL into the process which either contains the cheat code or communicates with a corresponding driver to run the cheats) often will use whatever drawing apis are already used by the target, making it very common for the gui to be ingrained in the game (and makes it easier for the gui to have similar visuals to the game)

You know the thing is getting real when Mr. Hammond speaks about it ❤ You, Thor, David Bombal and NetworkChuck should do a podcast about this one 😉 When this whole thing began to go viral most of the people started to abuse the word " RCE ", which kinda makes no sense since we have no official or correct info regarding to what kind of attack was it. Since the game engine is being an old one and being heavily patched; there might be a exploit with the client ( not offensively to EA..yk ). And when I saw the threat actor who claims to be " Destroyer2009 ", procceds to create a whole bot lobby using somewhat method ( I'm not a developer so I don't know about server or client side process that was behind this ) which began to follow a squad of 3 players ( ImperialHal and two more ) and in the end getting them eliminated, I thought " man, this guy got some real sh*t " 😅 So this seems this dude somehow has the ability to perform " Server-sided-actions " Assuming the server doesn't accept every command that the client sends, there'e been a server side error behind above action. And of course as Thor found out in Hal's PC, if there was access to the pc, this pc is most likely to be compromised using a server sided data strem ( like a reverse shell thing ) since this dude has no direct access to Hal's pc. There are lot of problems going around so as Thor and You said, we have to know more before concluding any statements. " The more you know, the better you become 😊 "

Looks like I've been living under a rock

As a crossover between gaming, coding and cyber security, I'd like to put a game called "BitBurner" on your radar. I'd be super interested in hearing your opinion on it as a way to learn the basics of coding and security.

Those are the built in cheats shipped with the game. The interface is enabled if you sign contact with EA.

Email security add . . . That's a new one 😂

I just want to know what shirt that is and where to get one

thinking: 1) it's an audition for employment? 2) they had at least some monual process to it and only had the manpower to do the two?

The more interesting question is how does EAC behave if the game itself is compromised

"This whole scene is just to big." You're an expert bro. The meaning is just less than people give it credit for. If you have expert experience in the industry, you're an expert in some way shape and form. My 2 cents: this wouldn't be the dumbest thing a 16 year old ever blew an RCE on. I do have to agree with your assessment in most other respects though. Also... why malwarebytes and no real IR? a pretty halfbaked velociraptor dump would be better. edit: Also games are just programs that are like a fungus with root systems touching tons of things on the internet with capability to send phishing or other malware loaded cheats or a ton of other tricks to get people to do things they shouldn't for threat actors of all kinds. Between tricking people into running stupid mods, to actual in game exploits, it's a massive attack surface and while those attacks aren't likely they can and will happen. Just my 2 cents after a bit more thinking.

Wasnt that destory guy a well known titan 2 hacker? I swear he was doing this same shit there as well...

keep us updated brother !

I think it just came out last night that Thor found a rented server that was connected to ImperialHals PC. The thread begins to unravel.

I remember that once i was playing cod bo2 on ps3 and a hacker just gave everyone at the lobby a cheat menu

"in this industry there are no experts, just specialists"

As someone who has been in IT and gaming for a lot of years i wont out of hand dismiss the possibility of an RCE, some of the anti cheat software that comes with these games hooks into the system deep enough to be a real concern.. but that said there are only a few big ones out there, and a 0-day RCE in one big enough to be used in a large game like apex would be worth a metric sh*t tonne. to burn it on trolling some streamer on a game even if it was at the professional level, i cant see that happening. The supporting redistributable that was mentioned by your co-worker is also part of a massive number of games, so i would consider that being the 0-day or attack vector unlikely for the same reasons as above. The streamers themselves being infected with a RAT is far more likely, when you take into account that a lot of the more modern RAT's are capable of silently installing and running anything you want, my money would be on this vector not anything to do with the game, it's engine, supporting redistributables or anti-cheat

I remember that name destroyer... i got hacked by one with that name in Diablo 2 back when I as riding the top of the ladder in 2008-2010. I wonder if they are the same destroyer

Thanks John for the information. It's possible to test the Apex video-game client in services like "Triage" and "App Any Run" ? Thanks!

Damn, as a security practitioner and forensic analyst i wish i had a chance to investigate the compromised clients :( My speculation is that they might have been compromised ahead of time via a different vector, and then the attacker used said compromise to showcase their tools capabilities. Yet i'm fairly sceptical that the game client could be abused to achieve RCE. unless that capability is coded in the client itself, but I mean.. come on? really? There's no way someone would code a game client in such a way that a backend service infrastructure could issue the execution of arbitrary code. And exploiting an RCE bug (memory corruption) in the game client by maintaining stability and preventing it from crashing? meh.. I know there are infinitely skilled hackers out there, but this would look REEEEALLY HARD.

I think a good take away from this is to remember that Video Games are the same as any other software. People should take the same precautions as they would for browsing the internet.

So if the guy hacked the server wouldn’t almost ever be effected?

maybe a tor collab that tor customises the browser with common stuff that you use

I wonder if their systems had something in particular. How come it didn't happen more?

these two players were definitely running a background program, maybe it was disguised as something else or maybe they straight up knew it was a cheat. That program allowed backdoor access, it's really that simple.

I am a player of Apex Legends and I personally think it isnt a RCE exactly as RCE vulnerability exploit will affect the server side! Not selected players. But on the same time I also think it can be a successful phishing attack on the employees of respawn or It can be a vendetta against respawn as they recently laid off bunch of employees who have been working on the game since Day 1. I am open for a security perspective discussion on this! If anyone has any other things to add or modify please reply!

I believe Imperial Hal has chat disabled. Destroyer2009 purportedly said they "just did it for fun" and wanted EA/Respawn to fix the exploit.

The fact that he can spawn bots in the servers at will is very concerning.....If he figured out how to do that to all the servers...he could make the game unplayable by constantly filling all the servers with bots so no human players can get in.

Same take as me, glad I'm not crazy!

John Hammond bro your the best for ever thanks for all videos & information security

I think some kids (from 2009 in name) put malware on the computers before the tournament started

I think a lot of it is Squirrel script execution. It's been around since Apex came out, and was present in past Respawn games. There was a huge vulnerability in TF2 where you could literally bind server commands to a key and execute them, and the server wouldn't do any checks and just do whatever you told it. Respawn tries to keep up and patch the methods, but people are usually able to find ways around it. But everything destroyer has annoyed streamers with has been around forever. It's documented and actually insane how badly the servers can be manipulated. But the only thing I've never seen is how destroyer was able to give them cheats if he claims to have never gone outside the Apex process. It's probably an internal cheat since the menu seemed to have been drawn in-game. But I would've thought you needed to have a RAT that could drop a DLL and inject it. So I'm very curious to see how that was done. Aimbot doesn't seem impossible, but silent aim is something else, and also the ESP that Gen had. Whatever the case, I wonder how it'll be handled and fixed. I've seen some people on forums suggest it's not a difficult fix, while others say Respawn should just rewrite all the server code. We'll see.

I got infected by another online multiplayer fps game that I used to play, it was open source, the dev basically gave the hackers a free for all, they did a lot of damage and were involved in cp/voyurism/identity fraud/stalking/harassment and more.... people are disgusting...

Reminds me of the PS Network vulnerability that was discovered not long ago. No wonder those get the highest bounties (surprised they were actually paid) considering you figure that out, their entire network is toast. Remember when the PS servers went down for a week or so? Fun times.

Hacks like this are generally injected into the game via dll and they come with menus like this.

There have been bugs in Titanfall 2 (the game the apex engine is based on) that allow anyone to inject scripts in the games scripting language (Squirrel) into other clients connected to the same server. This is a form of RCE but it might not allow Arbitrary Code Execution. Seems likely this is a similar situation given the Titanfall bug happened multiple times.

Could it be a schudled task as the time of tournament was known?!

Wow you have gotten 300,000 views in a few months, awesome :)

"i don't call myself a cyber security expert..." jesus look at you channel and skill list YOU ARE FUCKING EXPERT MAN. Thanks for you efforts.

Are you saying thats just a theory... a "GAME THEORY" :O

Ironically I think this is one occasion people are right to blow it out of proportion, sure it's likely something less intimidating that is being portrayed but good on the people who actually avoided Apex for safety reasons - or any negative reason, legitimately some players are potentially addicted.

CS:go to COD ,apex legends these Fps games so overrated from past couple of years. I really miss cod as a single player shooter game.

It’s funny the cheat menu said “vote Putin”. It could be that other players were effected but stayed quiet

Perhaps the two users already had software on their system that would allow said access?

Is there any published documentation on the alleged Source Engine vulnerability?

This was inevitable.

What are your thoughts regarding League of Legends and Riot Vanguard being another Kernel-level anti cheat software? From the little research I've done so far, it seems like there's quite a bit of room for security problems. Some other games like Fortnite and Halo: MCC have kernel-level anti cheats, what makes Vanguard different? I'll continue looking into this but what's your take, and what are some resources I could help inform myself and friends. Thanks!

want a colab with Pirate Software!

I think it's insane to hold an event of that size with such a large cash prize online.

Coming from the counterstrike 1.5/6 days where you could push scripts and compromise users who connect to a game server. Nothing is really impossible these days. Some European servers created their own banning system that wiped the users system 32. 😂

This guy says he's not a gamer as if he isn't a retired Meta Knight legend

from what I’ve seen, you can play Apex on private and custom servers with a custom client ,so if they can have access to those files, they know the ins and outs of the game

Wouldn’t Hal need port forwarding enabled on his router to allow connections inbound on port 135? I don’t for one second think RPC was exploited. I would understand an outbound connection (reverse shell) but not some inbound connection in a well known port (hoping port forwarding was enabled). Inbound RPC hack sounds so unlikely. Why would an attacker burn a million dollar exploit on RPC to hack a pro gamer? Not likely.

The hacker involved has been hacking pro's for a bit from what I understand, the pro's computer's were hacked not the game, I'd lay money.

How embarrassing for Respawn.

Thor sends goblins

Unless this was a test run for a larger attack.

The guy that was like "I'm getting hacked, I'm getting hacked"... Then carried on playing. He should get a temp ban for that imo. Knew he was cheating, but kept playing.

They probably had it installed already!!! Some one just used a backdoor to get it activated in my opinion!!

It would be hella cool to see you collab with Pirate Software!

I wish the bot hackers for Team Fortress 2 got this much coverage... Then maybe something would be done about them after the 3+ years they been plaguing casual servers.

Congrats John your live with Thor rn!!!

The fact that a colleague of yours is working on a bug like this tells me, there exists a likely RCE in the `Source` engine. It might not have been used here.

you should stream live ctfs like before. Used to enjoy them a lot.

What if these guys had cheats installed and got into some sort of disagreement with the cheat providers? Wouldn't that be the most obvious option?

I know how its done, but not gonna give it away for free to EA. That's smartest response a hacker can give. They dont even do bounty rewards

Hey John! Yes, this is an RCE exploit, it was a test, more for fun than anything else. The UI you can see is drawn with Nuklear library. It was a small PoC (hence the VERY limited scope, it's only added to a private build not their public version)

How is your hair is so awesome like that and me in my twenties starting to get shiny bald ? How tf is that fair ???? You also have mad skills and me none , how tf is that fair huh. Im so damn angry 😡

As a cyber security student myself, , I'm just curious: if one TA took advantage of this zero-day vulnerability only for publicuty/awareness, what stops other TAs from taking advantage of and going after regular public users? Who knows what else this zero-day potential might be.

Talk about Ivanti VPN hack. 😊

I wonder if any of these streamers downloaded cheats in the past that the programmers left a back door to. Like if they are able to be remotely toggled and the cheat devs just waited until the main stage to expose them. I could see a group of pro players that use the same cheats from word of mouth and then they got Trojan horsed or something? @John Hammond is that possible?

It better to wait but those just idea but good to be creative.

More likely to drum up biz, and second if they bet a large amount of money on the game and they wanted to disqualify these people. It's almost always about money.

Tbh in this case even if the pros will get unbanned they would have been unbanned very soon. Nothing really bad happened. So chapeau to the hackers, something like that isn't easy and depending on what it was could have been used much more malicious.

Naah i think he has access to the servers somehow... could be via an employee's computer inside, maybe a friend that works at respawn installed some software a friend told him too ?... Could be that he had access long before the tournament seeing as he was spawning bots in... and it wont be the first time someone has access to their servers... looking back at titanfall, remember the great jeanu ? yeah i think the vulnerability definitely is employees... feel like this isn't the first time respawn gets hacked

it was me , ze hackerman

Your last name the one your most commonly known by is literally on the map in the game Apex legends...

I think its wrong to say only the messages and UI popped up, there was also the nameplates of all the other players and locations displayed as well. Also fully believe that the second person "Hal" wasn't hacked at all because there was such a different MO and nothing really happened to show he was hacked besides him just claiming wildly that he was. He landed a shot that looked more like a lag spike than a hack.