The Rockstar breach last month resulting in the leak of Grand Theft Auto 6 is another example of how privilege escalation can happen even among a team of smart, well-intentioned developers making world-class software. It’s all too easy for attackers to find and use poorly stored credentials, resulting in severe data leaks.
Everything We Know About the GTA6 Leak So Far
On September 18th at 3:26am Pacific, a user by the name “teapotuberhacker” created a forum post on GTAForums. This post contained 90 screenshots and videos of the game, which is still in early development. In the post, the hacker also claimed that they might leak more data including GTA5 and 6 source code and assets as well as a GTA6 test build. The hacker also claimed to be the same hacker who recently breached Uber just a few days earlier.
Teapotuberhacker indicated that he retrieved this data from Rockstar’s Slack and Confluence systems. Just a few hours after the initial post, Bloomberg reporter Jason Schreier tweeted confirmation the leak was real, although there was no official word given from Rockstar at this point.
On Monday, Rockstar posted a confirmation on Twitter that their systems had indeed been breached. In the tweet, Rockstar indicated “an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.” By this time, legal teams were involved in getting content removed from the Internet, and the original post on GTAForums was also locked.
Finally, Uber provided an update on their own breach, which took place last week. Uber’s Monday update says the hacker may be affiliated with a hacking group called Lapsus$. Additionally, Uber called out the Rockstar incident as a related attack and said they are working with the FBI and DoJ on the investigation.
At this time, neither Rockstar nor their parent company Take Two has released any specific details of the hack, nor what data has been compromised. However, there are now reports that GTA5’s source code is indeed being leaked on the Internet.
How did it happen?
Rockstar and Take Two have not released any details about the hack at this point. What we know for sure is that the hacker indicated they had access to Rockstar's Slack environment, and potentially Confluence as well. However, given that the hacker also claimed to have source code for two games and additional content, it is likely the hacker had additional access not yet revealed.
While many details still remain to be revealed and we do not yet have a complete picture of how this hack happened, there is enough information to draw some conclusions. The hacker used a social engineering attack to gain initial access to systems. Typically during these kinds of attacks, additional methods are used to get around MFA, such as a further social engineering attack to convince an individual to approve the MFA request.
Once the hacker was on Rockstar’s network, they would have initiated a scan of the network looking for additional credentials that could be used to gain more access. This is a standard practice among attackers to quickly scan for information and credentials. It is likely the hacker would have found a method such as credentials in a script on the network which allowed them to gain more access to the network. This in turn would allow access to the source code for the two games.
This attack method would match up with what we saw in the Uber breach. Uber has confirmed in their statement the hacker gained access through a combination of malware and social engineering. Once the attacker had access to the system, the attacker scanned the network and found a PowerShell script containing admin credentials for the company's PAM tool. With access to their PAM solution, the hacker essentially had the keys to the kingdom.
Storing credentials in scripts in this manner is a known bad security practice. And yet it has been found to be the cause of countless data breaches including these recent ones. So what can be done to prevent a similar type of event in other organizations?
How can you prevent a similar breach?
Two main factors contributed to the breach:
- Social Engineering used to compromise user credentials.
- Privilege escalation using passwords stored in scripts on the network.
To address the first concern, there are two solutions:
The first is implementing a security training program: one that informs users of the dangers of Social Engineering, of not sharing passwords, and of when not to approve MFA requests. Most critically, it is important to make users aware never to share passwords, even with IT staff. It is not typical for IT staff to need user passwords, and too many users still are not aware of this fact and share passwords too easily.
Second, implement a good Multi-Factor Authentication (MFA) solution. MFA is a method of implementing more authentication factors than just a user password. Commonly an app on a phone is used to push a notification for approval. Other factors exist as well such as facial recognition, and token access using a third-party device or smart card. However, as we have seen in these and several other recent breaches, MFA cannot solve an issue when a user falls for a Social Engineering attack.
In those cases where an attacker has already breached the network, containment is important. Not allowing the attacker to find additional mechanisms to gain further access to the network is critical. As discussed above, the first thing any attacker is likely to do after gaining access to the network is to scan for additional credentials.
This is where Soteri’s Enhanced Secret Scanning can help. Soteri offers secret scanning which would have detected and flagged the password stored in a script. Soteri offers products for several use cases which can help organizations avoid security issues which can lead to a breach like this one.
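To make concrete what “a password stored in a script” looks like to a scanner, here is an added example (not Soteri’s product code and not taken from the breach) covering both the PowerShell-script scenario described above and the secret-scanning remedy: a small rule-based scanner run over a constructed deployment script, with a vault-backed rewrite of the same script that produces no findings. The script contents, variable names and vault name are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Regexes for the most common ways credentials get hard-coded in PowerShell.
# (Constructed for this example; a real scanner carries many more rules.)
RULES = {
    "literal-in-secret-variable":
        re.compile(r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    "plaintext-securestring":
        re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I),
    "literal-in-secret-parameter":
        re.compile(r'-(?:Password|Pass|Pwd|Secret|Token|ApiKey)\s+["\'][^"\']+["\']', re.I),
}

def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, offending_line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):          # comment-only lines are not code
            continue
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, name, stripped))
    return findings

# Constructed sample resembling the kind of helper script the post describes:
# an automation script that embeds the admin password for a PAM system.
LEAKY_SCRIPT = """\
# deploy.ps1 (constructed sample, not a real script)
$pamUser = "svc-pam-admin"
$pamPass = "Winter2022!"
$secure  = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred    = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
"""

# Same script with the secret fetched from a vault at run time instead
# (Get-Secret is from the Microsoft.PowerShell.SecretManagement module).
FIXED_SCRIPT = """\
# deploy.ps1 (constructed sample, not a real script)
$pamUser = "svc-pam-admin"
$secure  = Get-Secret -Name PamAdminPassword -Vault CorpVault
$cred    = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
"""

if __name__ == "__main__":
    for lineno, rule, line in scan_script(LEAKY_SCRIPT):
        print(f"line {lineno}: {rule}: {line}")
    print("fixed script findings:", scan_script(FIXED_SCRIPT))
```

Running it flags lines 3 and 4 of the leaky script and nothing in the vault-backed version; wiring a check like this into commit hooks or a repository scan is what keeps such a script from ever sitting on a file share for an intruder to find.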
While these two breaches are unfortunate events, they are a reminder that security is critical to every organization, and with a little up front work they can be prevented. With Soteri’s scanning service, secret scanning is fast, robust, unobtrusive and easily automated. Try Soteri for free today!