How do threat actors misuse cloud gaming services?


Cloud gaming is a computer gaming solution built on the cloud infrastructure to offload game execution and frame rendering from the player’s local machine.

One of the most appealing aspects of cloud gaming services is the ability to save players money on expensive gaming hardware. Cloud gaming services deliver enjoyable gaming experiences while providing top-tier computing hardware for a low monthly subscription fee.

However, if adversaries can exploit the vast resources of cloud gaming services for malicious purposes, these services become an appealing target.

In this article, we show how cloud gaming services are vulnerable to resource misappropriation by demonstrating four scenarios in which adversaries could profit financially by exploiting them.

Malicious code

Modding in computer games allows players to add to or modify games to their liking. Among the many add-ons available, a subset of mods aims to fundamentally alter the game's mechanics. Such mods introduce new code that is executed alongside the original game, which allows adversaries to inject and execute malicious code via game mods.

Because the malicious code is treated as part of the game, it can be executed during a game session. Furthermore, because the adversaries injected the code themselves, they know the precise steps needed to reach the malicious function.

Adversaries can also use the mod debug tool that game developers frequently build into their games as an extended feature so that the modding community can easily test code within a game session. With it, adversaries can quickly locate the malicious code in their mod and execute it directly from the debug tool.

URL injection

Injecting malicious URLs into cloud gaming services via game mods is simple. One method is to place the URLs in the description of a mod the adversary builds. A mod description is required so that players can distinguish the mods to which they subscribe, and some games even provide dedicated fields for mod developers to include URLs, such as the developer's page or an external web page containing a comprehensive summary of the mod. Adversaries can use these description fields to insert malicious URLs: they create an empty game mod containing only a description and the malicious URLs, subscribe to it, and the mod is automatically downloaded to the cloud gaming service when the game begins.

In games that do not have this feature, adversaries need other tools. One is the game chatroom: many chatrooms recognize URLs in messages and turn them into hyperlinks to the corresponding web page. Adversaries can use this URL detection feature to generate hyperlinks for the injected malicious URLs, visit the corresponding web pages from within the game session, and execute malicious code and scripts.

Another method of injecting malicious URLs is to use computer game Wiki pages, forums, and blogs. Many game developers create these pages so that players can learn about game mechanics, discuss potential issues, and share their gaming experiences.

Many developers embed links to these sites directly into their games as buttons or icons so that players can reach them easily; when a player clicks one, the game launches a web browser to display the corresponding website. While game developers work hard to improve and polish their games, the content hosted on wikis, forums, and blogs is frequently overlooked, which allows attackers to inject malicious URLs. By posting messages on these sites, adversaries inject their URLs and can create hyperlinks to their malicious websites manually. In a game session, they then click the site icon, search for their self-injected URLs, and visit the malicious websites.
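The URL-injection paths above (mod descriptions, chat linkification) all depend on a service rendering whatever URL a user supplies. The following is an added example, not code from the article or from any cloud gaming provider, of a host-allowlist check a service could run over mod descriptions and chat messages before a linkifier sees them; the allowlisted hosts, the sample texts and the `.test` domains are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Allowlisted hosts for in-game links (assumption: the service keeps its own list).
ALLOWED_HOSTS = {"wiki.example-game.test", "forum.example-game.test"}

# URL shapes a chat linkifier typically hyperlinks; the final class keeps trailing punctuation out.
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s<>"]*[^\s<>".,;:!?)]')

def extract_urls(text: str) -> list:
    """Return every URL-like token in a mod description or chat message."""
    return [m.group(0) for m in URL_RE.finditer(text)]

def host_of(url: str) -> str:
    """Add a scheme if the URL lacks one and return its lowercase host."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def scan_text(source: str, text: str) -> list:
    """Flag URLs whose host is not allowlisted, keeping the source for triage."""
    findings = []
    for url in extract_urls(text):
        host = host_of(url)
        if host not in ALLOWED_HOSTS:
            findings.append({"source": source, "url": url, "host": host})
    return findings

def neutralise(text: str) -> str:
    """Replace non-allowlisted URLs with a placeholder before the text reaches the
    linkifier, so they can never become clickable; allowlisted URLs stay intact."""
    def repl(m):
        url = m.group(0)
        return url if host_of(url) in ALLOWED_HOSTS else "[link removed]"
    return URL_RE.sub(repl, text)

# Constructed samples: an "empty" mod whose description is only a link, plus chat lines.
SAMPLES = [
    ("mod:12345/description", "Totally empty mod. See www.not-on-the-list.test/payload"),
    ("chat:lobby-7", "guide here https://wiki.example-game.test/mechanics"),
    ("chat:lobby-7", "try HTTP://drop.not-on-the-list.test:8080/x.js, trust me"),
]

if __name__ == "__main__":
    for source, text in SAMPLES:
        for f in scan_text(source, text):
            print(f"FLAG {f['source']}: {f['host']} <- {f['url']}")
        print(neutralise(text))
```

The same check applies to the wiki, forum and blog pages that games open from in-game icons, where the allowlist is the set of hosts the game itself links to.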

GPU exploitation

Many crypto-jacking incidents have occurred in recent years, in which adversaries use victims' computing resources to mine cryptocurrencies. Crypto-mining software ran successfully within all three of the cloud gaming services examined. Adversaries can therefore profit from cloud gaming services by leveraging their abundant computing power, particularly the top-tier GPUs provided, to mine cryptocurrencies.
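A provider sees the GPU from the other side of the stream: honest play saturates the GPU while frames flow to the client and input flows back, whereas mining saturates it with neither. The following is an added example, not the article's or any provider's code, of a per-session heuristic over constructed telemetry; the field names and thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """One minute of per-session telemetry (constructed schema; field names are assumptions)."""
    minute: int
    gpu_util: float      # percentage of the minute the GPU was busy
    fps_streamed: float  # frames encoded and sent to the player's client
    input_events: int    # keyboard/mouse/controller events received from the client

def is_compute_without_play(s, min_util=85.0, max_fps=5.0):
    """A saturated GPU that streams almost no frames and sees no input is doing
    work for something other than the game the session was sold for."""
    return s.gpu_util >= min_util and s.fps_streamed <= max_fps and s.input_events == 0

def suspicious_spans(samples, min_minutes=5, **thresholds):
    """Return (first_minute, last_minute) spans where is_compute_without_play held
    for at least min_minutes consecutive samples; shorter blips (a loading screen,
    a shader compile) are ignored."""
    spans, run = [], []
    for s in sorted(samples, key=lambda x: x.minute):
        if is_compute_without_play(s, **thresholds):
            run.append(s.minute)
            continue
        if len(run) >= min_minutes:
            spans.append((run[0], run[-1]))
        run = []
    if len(run) >= min_minutes:
        spans.append((run[0], run[-1]))
    return spans

def session_score(samples, **thresholds):
    """Fraction of the session spent in compute-without-play; useful for ranking
    sessions across a fleet before anyone looks at individual spans."""
    hits = sum(is_compute_without_play(s, **thresholds) for s in samples)
    return hits / len(samples) if samples else 0.0

# Constructed telemetry: four minutes of normal play, a one-minute blip, then the
# GPU pegged for eight minutes with nothing streamed and no player input.
TELEMETRY = (
    [Sample(m, 90.0, 60.0, 180) for m in range(0, 4)]
    + [Sample(4, 97.0, 1.0, 0), Sample(5, 40.0, 58.0, 150)]
    + [Sample(m, 99.0, 0.0, 0) for m in range(6, 14)]
)

if __name__ == "__main__":
    print("spans:", suspicious_spans(TELEMETRY))    # [(6, 13)]
    print("score: %.2f" % session_score(TELEMETRY))  # 0.64
```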

Bandwidth exploitation

In addition to powerful computing hardware, cloud gaming services provide players with high-bandwidth, low-latency network connections. The cost of the network connection is included in the monthly subscription; no other fees are collected from players. If adversaries use cloud gaming services to perform network-demanding tasks, they avoid paying a cloud computing provider a fortune for the same network usage.

Many computer games, particularly multiplayer games, rely on peer-to-peer (P2P) UDP connections to exchange critical game data between players. Security concerns notwithstanding, this requirement inevitably prevents cloud gaming services from blocking UDP communications in and out of game hosts. From the adversaries' perspective, this presents a practical opportunity to exploit cloud gaming services for malicious data communications. While crypto-mining takes advantage of the abundant computing resources of cloud gaming services, malicious command and control (C&C) takes advantage of their high Internet bandwidth. Adversaries can expose unoccupied UDP ports on the game host to the Internet by UDP hole-punching through an external relay server; any client that knows the game host's IP address and port number can then establish communications to send and receive data.
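A matchmade P2P peer is one the game host contacted first; a hole-punched port being used by third parties shows the opposite pattern, inbound traffic from endpoints the host never sent to. The following is an added example, not the article's or any provider's code, of that check over constructed UDP flow records from the host's vantage point; the record schema, thresholds and documentation-range addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One UDP flow record from the game host's vantage point (constructed schema)."""
    ts: float
    direction: str   # "out" = host -> remote, "in" = remote -> host
    host_port: int
    remote_ip: str
    remote_port: int
    nbytes: int

def unsolicited_udp(flows, min_peers=1, min_bytes=1_000_000):
    """Per host UDP port, tally inbound traffic from remote endpoints the host had
    not previously sent anything to. A hole-punched port that third parties are
    using shows up as unsolicited peers carrying real volume; a matchmade P2P
    game peer does not, because the host initiated contact with it first."""
    contacted = defaultdict(set)                    # port -> remotes the host sent to
    unsol = defaultdict(lambda: {"peers": set(), "bytes": 0})
    for f in sorted(flows, key=lambda x: x.ts):
        port, remote = f.host_port, (f.remote_ip, f.remote_port)
        if f.direction == "out":
            contacted[port].add(remote)
        elif remote in unsol[port]["peers"] or remote not in contacted[port]:
            # once a peer has shown up uninvited, keep attributing its bytes to it
            # even after the host starts answering it
            unsol[port]["peers"].add(remote)
            unsol[port]["bytes"] += f.nbytes
    return {port: v for port, v in unsol.items()
            if len(v["peers"]) >= min_peers and v["bytes"] >= min_bytes}

# Constructed flows using documentation address ranges. Port 27015 is an ordinary
# matchmade game peer; port 41000 is opened outward once, then receives traffic
# from endpoints the host never contacted.
FLOWS = [
    Flow(0.0, "out", 27015, "203.0.113.5", 27015, 1200),
    Flow(0.1, "in", 27015, "203.0.113.5", 27015, 900_000),
    Flow(1.0, "out", 41000, "198.51.100.9", 3478, 64),       # a single outbound probe
    Flow(1.5, "in", 41000, "198.51.100.20", 5000, 800_000),  # uninvited
    Flow(1.6, "out", 41000, "198.51.100.20", 5000, 2_000),   # host now answers it
    Flow(2.0, "in", 41000, "198.51.100.20", 5000, 700_000),
    Flow(2.5, "in", 41000, "198.51.100.21", 5001, 300_000),  # second uninvited peer
]

if __name__ == "__main__":
    for port, v in unsolicited_udp(FLOWS).items():
        print(f"port {port}: {len(v['peers'])} unsolicited peers, {v['bytes']} bytes")
```

Flagged ports are candidates for a per-session UDP policy that only admits peers the matchmaking service actually assigned, rather than a blanket UDP block the games themselves would not tolerate.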