Games are developed by children and it is amazing the number of entry point binaries a single game might have to run, how often even "offline only" games still want to run binaries they copy or bury in random places in %LocalAppData% or worse %Temp%.
This has been an amazing bundle of joy~ and has basically stopped me from playing Steam games. (I believe that file no longer exists in recent Steam clients, at least.) For that reason, I've turned on Windows Controlled Folder Access (aka Windows Ransomware Protection) on all of my Steam folders. There's evidence that password hashes used to be leaked from a file in the Steam client's folder. I've removed all credit card data that I can and haven't bought or paid for anything directly in the Steam client in years.
I've removed all devices except my primary gaming desktop and mobile device. I disabled all OAuth applications on my account, no longer sign in under any web browser, and have refused to allow new applications. I only ever sign in to Steam now inside the Steam client and Steam Mobile app.
(These leaks and that fall back would have me believe it's one of the Password Recovery or 2FA Recovery endpoints.) Though I've not attempted to run such gists/"utility libraries" myself to verify (I'm too lawful neutral/not a black hat whatsoever), at a surface level it seems like more than enough evidence to suggest botnets would use such things if enough people were posting "helpful password recovery tools" on GitHub that password spray accounts you tell it to. Simple GitHub searches seem to indicate that there are known password spray capable Steam endpoints that currently still leak password correctness/verification data regardless of 2FA enabled (and also leak whether or not 2FA is enabled on the account) and always falls back to email-based 2FA. Given that not-varying the password length had a noticeable impact on time, the warnings from my email providers, and other increasingly paranoid measures I've taken, I have no reason to suspect that this anything but a very distributed password spray attack. I believe that the password spray capabilities of today's botnets on any endpoint that returns results as fast as network messages travel should not be underestimated in a distributed enough attack. Many of the common ones you see today are based on the added assumption that they aren't spraying directly at a password endpoint but are instead predicated on breaking the hashes and the extra (increasingly minimal in the age of Bitcoin) cycles needed to hash/salt/pepper the passwords and/or building rainbow tables. Most of those old password-length "time to crack" estimates are based on a single machine.
0 kommentar(er)
