If you have been looking at the news recently, or watching certain Twitch streamers, you’ve heard about a massive security concern regarding Apex Legends. Two streamers, Genburten and ImperialHal, were playing the global series live when suddenly a text message stating “Apex hacking global series by Destroyer2009 & R4ndom” appeared in the bottom left of their screens, software they hadn’t installed popped up, and suddenly they had aimbot and wall hacks enabled.
While one of them immediately disconnected when this happened, the second decided simply not to shoot or abuse any of the hacks and, to my knowledge, has not been punished so far. This, however, sparked massive fear in the community, since the player didn’t have any suspicious programs installed and, suddenly, in the middle of the match, without clicking any suspicious links, this happened. What is worse: they ran scans afterwards and their antivirus detected a couple of viruses on their machines.
Here are the clips of those two moments:
Remote code execution
Remote code execution, or RCE, is a type of vulnerability of the highest level of severity. It allows an attacker to run code, remotely, on the victim’s computer or server, which basically means they can do anything they wish. A similar occurrence happened a while back to several companies that used Log4j in their projects: people could eventually get it to run code and take over basically any server with it installed and running.
Apex’s developers have known about the issue since day one but haven’t commented on the matter other than postponing the finals. On the other hand, Easy Anti-Cheat (EAC) developers mentioned the issue on Twitter, commenting that they had heard about the reports and investigated but “are confident the issue isn’t caused by their anticheat”.
Easy Anti-cheat
Easy Anti-Cheat, or EAC as it is mostly known, is a piece of software used by the majority of multiplayer games nowadays to protect themselves against cheaters and bad actors in general. To do so, it asks for kernel-level permission on the installed system in order to check all processes running at the time the game is launched, to see whether they are suspicious in name, injecting code into some other process, or behaving in a weird manner.
The kernel-level access, however, has been the target of great criticism for multiple reasons. The kernel access requirement can stop games from working on Linux or under virtual machines and, in some cases, even permit threats to piggyback on the anti-cheat to gain full control over a victim’s computer. This last point has been speculated to be the reason this exploit happened: some people believe EAC has a security issue that is allowing third parties to run code remotely.
If this is the case, which isn’t confirmed as of yet, it means any and all games that use EAC are vulnerable. That includes Apex, VRChat, Pavlov, Rust, Halo, War Thunder and a long list of other games. The likelihood of this being the case, however, is low, as no players of any of these other games have reported similar problems. Titanfall 2, however, had similar reports in the past, but Respawn, developer of both that game and Apex, refused to acknowledge them.
Despite the low likelihood, the Twitter profile “Anti-Cheat Police Department” issued a PSA recommending not to play any games with EAC protection.
They’ve also seemingly been able to get hold of messages between Destroyer2009 and possibly the developer of R5Reloaded about the situation, confirming that it is indeed an RCE but not one caused by R5. Considering the source of this information, though, it’s good to take all of it with a grain of salt:
What to do
Until Respawn acknowledges the issue and implements a fix (or EAC does, in case their software is the one responsible for the problem), there isn’t anything that can prevent further exploitation while still playing. The best thing players can do, for now, is to avoid opening the game, run a full system antivirus scan (or re-install the system if you know how) and, above all else, change ALL passwords.
This vulnerability could allow any and all sorts of malware to be injected into your computer, and there’s no good way to know if your machine was affected, so not playing ensures your machine isn’t at further risk, a virus scan should detect any malware inserted into your computer through the game, and changing passwords further guarantees that none of your accounts on other services get taken over. There isn’t, however, any need to uninstall Apex, as no code can be executed if it isn’t open.
Update
March 23rd: Although there are no new updates from official sources, the professional hacker and game developer behind “Pirate Software” made two long videos alongside ImperialHal and ThePrimeagen analyzing the situation and bringing some new insight on the matter: