URL: https://www.vice.com/en/article/y3p35w/hackers-are-using-anti-cheat-in-genshin-impact-to-ransom-victims
HACKERS ARE USING ANTI-CHEAT IN 'GENSHIN IMPACT' TO RANSOM VICTIMS


The game’s anti-cheat system has well-known vulnerabilities that hackers are now
abusing to get access to sensitive parts of victims’ operating systems and
deploy ransomware.
by Lorenzo Franceschi-Bicchierai
August 26, 2022, 1:00pm
Image: HoYoverse
A ransomware gang is allegedly hacking victims by abusing the anti-cheat system
of the massively popular free-to-play game Genshin Impact.

The cybersecurity firm Trend Micro published a report on Wednesday with details
about the attack, highlighting how anti-cheat systems, which are installed by
default as part of many online games, can be abused to hack players. The unnamed
hackers are taking advantage of three facts: Genshin Impact’s anti-cheat system
has known vulnerabilities; it is signed by a legitimate company, meaning Windows
will run it; and it runs with high privileges, meaning it has access to
sensitive parts of the operating system.

“I’ve been expecting to see ransomware abuse an anti-cheat driver for a while.
We’ve seen cheats abuse anti-cheat drivers for years,” an employee of a games
company, who asked to remain anonymous because they weren't allowed to speak to
the press, told Motherboard. “It was just a matter of time before a ransomware
group noticed and started co-opting exploits that are openly shared.”

The hackers’ goal is “mass-deploying ransomware,” according to Trend Micro.
Genshin Impact was released in 2020 by Chinese developer HoYoverse (miHoYo in
China) and has millions of players, who log into its game world via mobile
devices, consoles, or PC.

From Trend Micro’s report, it’s unclear how the hackers gain the initial
foothold into a targeted computer. But once they are in, the hackers are
exploiting Genshin Impact’s anti-cheat system to get access to the computer’s
kernel, a core part of the operating system that controls and has access to most
of the computer's functions. At that point the hackers have the ability to turn
off antivirus and install ransomware on the victims’ computers. 

In other words, they are abusing the anti-cheat system as a way to get access to
more sensitive parts of the operating system and avoid getting caught by an
antivirus before deploying the ransomware.

Trend Micro researchers note that the game “does not need to be installed on a
victim’s device for this to work,” meaning hackers can just install the
anti-cheat system as a preliminary step to then deploy the ransomware. 

Genshin Impact’s anti-cheat system is called mhyprot2. For years, security
researchers have warned about the anti-cheat’s flaws. In 2020, a researcher
showed that the system could be abused to read the computer’s memory and
processes. Then in July of last year, a researcher who goes by Kento Oki
published a proof-of-concept that turned the anti-cheat system into malicious
software that could access the kernel. 

These concerns have been publicly discussed outside security circles as well.
The website Pro Game Guides reported after the game’s launch that users were
concerned about the anti-cheat system because it had kernel-level privileges and
was running in the background even when the game was closed, going as far as
wondering if it was spyware. The company responded to these concerns by updating
the anti-cheat system so that it would turn off when users were not playing the
game. 

In other words, HoYoverse, the company that develops Genshin Impact, has known
for a couple of years that this version of the game’s anti-cheat system is
vulnerable and can be exploited.

“We're currently working on this case, and will find a solution as soon as
possible to safeguard players' safety and stop potential abuse of the anti-cheat
function,” a HoYoverse spokesperson told Motherboard in an email.

Despite the long-running concerns, the vulnerable anti-cheat system is still
getting installed on players’ computers, and has not been patched. And,
according to Trend Micro researchers, “there are no solutions at this time”
because the anti-cheat system is a legitimate program signed by a real company,
and thus it’s not flagged by antivirus or Windows.

There are other anti-cheat systems that run in the kernel, giving them access
to and visibility into what’s running on the operating system with the goal of
spotting cheat programs. The first one that gathered attention and led some to
ask whether it was going too far was Vanguard, the anti-cheat system for Riot
Games’ online first-person shooter Valorant. Activision followed suit with
RICOCHET, a kernel-level anti-cheat system for its hugely popular Call of Duty
games.

When making anti-cheat systems like these, developers have to be aware that the
system could be turned against users if there are vulnerabilities, according to
Paul Chamberlain, who was Riot’s anti-cheat lead when the company developed
Vanguard. 

“It was one of the primary worries we had when making Vanguard at Riot; we put a
lot of resources into security audits to try and ensure something like this
couldn't happen,” Chamberlain told Motherboard.

Abusing drivers and other programs to push ransomware is a tried and true tactic
for cybercriminals, according to Allan Liska, a researcher at cybersecurity firm
Recorded Future who focuses on ransomware.

“Signed drivers are usually going to slip past endpoint detection systems [such
as antivirus] unnoticed,” he said.

UPDATE, Friday Aug. 26, 10:31 a.m. ET: This story was updated to include the
comment from a HoYoverse spokesperson.
