Valve Adds Extra Security After Shadow PC Gets Pwned

Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware:

As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing. The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.

This action was timely, as Shadow PC got pwned because one employee downloaded a Steam game booby-trapped with malware. Ken Westin, Field CISO at Panther Labs, had this comment:

“This reflects a trend Panther has been seeing over the past few years as adversaries shift the focus of their attacks to developers who often have access to the crown jewels of tech companies — their source code. When attackers gain access to code repositories, DevOps tools, and cloud infrastructure it can be quite lucrative as they can not only steal code and deploy malware, but also inject malicious code to infect customers downstream. This trend is increasingly being utilized by not only criminal groups, but also nation-state actors as we have seen with the Lazarus Group out of North Korea. Organizations need to take additional measures to not only secure developers themselves, but also the environments they interact with on a daily basis — those with privileged access are particularly vulnerable.”

Perhaps other game platforms, or other platforms that distribute software, should look at their security measures so as not to be the next vehicle for an attack. I say that because this is a great move by Steam to ensure the security of its platform.

