July 24th, 2024

Hackers Exploited a PC Driving SIM to Pull Off Disney Data Breach

Hackers exploited a mod for BeamNG.drive to breach Disney's data, downloading over one terabyte of sensitive information. The incident underscores risks of third-party mods in gaming as malware vectors.


Hackers exploited the popular driving simulator BeamNG.drive to execute a significant data breach at Disney. The group, known as Nullbulge, created a mod for the game that contained a Trojan, allowing them to gain remote access to computers where the mod was installed. A Disney software development manager, who was a fan of the game, inadvertently installed the mod on a computer that also had access to the company's Slack channels. This breach enabled the hackers to download over one terabyte of sensitive data, including personal information of employees and assets related to unreleased video games, before the manager noticed and halted the data transfer.

The hackers claimed their actions were motivated by a desire for revenge against Disney for the 2017 shutdown of the children's game Club Penguin and for the company's attempts to secure perpetual rights to performers' likenesses. However, the stated motivations do not fully add up given how the mod was likely delivered: convincing a tech-savvy individual to install an unknown piece of software seems like a hard sell. The incident highlights the risks associated with third-party mods in gaming, as they can serve as vectors for malware, regardless of the game's inherent security.

Related

Snowflake breach snowballs as more victims, perps, come forward

The Snowflake data breach expands to include Ticketek, Ticketmaster, and Advance Auto Parts. ShinyHunters claim involvement, Snowflake enforces security measures. CDK faces ransomware attack, Juniper and Apple vulnerabilities identified. Jetflicks operators convicted.

Microsoft tells yet more customers their emails have been stolen

Microsoft notifies customers of email theft by Russian criminals, expanding breach scope. Compromised accounts' correspondents informed. US auto dealers face disruptions from cyber incident linked to CDK software. Rabbit R1 AI devices' security flaw disclosed. EU sanctions Russians for cyber attacks.

Disney's Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data

A hacktivist group, NullBulge, breached Disney's Slack system, leaking 1.1 TiB of data to protect artists' rights. The group's origins are unknown, possibly linked to the LockBit ransomware gang. Disney faces criticism for not compensating artists fairly. Recent breaches at AT&T and Ticketmaster highlight cybersecurity challenges.

Disney Hackers dox their inside man

Hackers target Disney, expose alleged "inside man" with threats to leak personal data. 1 Tebibyte of stolen data includes unreleased games. Disney yet to comment on incident. Ongoing cybersecurity threat emphasized.

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub

Cybersecurity researchers discovered a network of 3,000 fake GitHub accounts, "Stargazer Goblin," spreading malware like ransomware. The operation manipulates GitHub tools, targeting Windows users seeking free software.

14 comments
By @lionkor - 4 months
I work on and co-own BeamMP[1], an open-source multiplayer mod for BeamNG.drive (the driving simulation game at the core of this breach) with about 1M registered users/ >20k daily active users. I missed the original thread[2].

I can add some context on how this (likely) happened.

BeamNG.drive runs a Lua scripting engine, in which they also run a large amount of their own game / simulation code. This Lua scripting engine uses LuaJIT[3], which includes C FFI functionality. This whole scripting environment is sandboxed, but the C FFI is obviously needed to allow optimizations between the game's Lua logic and the game engine (C++).

People I know personally have found various ways around this sandbox, which effectively allows any mod (which can contain Lua scripts), to bypass the sandbox. These were always disclosed immediately to BeamNG GmbH itself, sometimes against payment, sometimes entirely for free. These people continue to find and report ways to break the sandbox, and BeamNG GmbH is very quick to fix these issues before they ever get found and exploited.

The following is my opinion, and not that of BeamMP Ltd. or BeamNG or anyone but me: I think the BeamNG developers would do well with hiring or otherwise working towards fixing their sandbox. These issues have been in the sandbox for such a long time that it's almost embarrassing that they still exist -- I won't go into detail, but some of the exploits found (and fixed) are incredibly trivial. Add to that the possibility that a lot of players run the game as Administrator when it errors in any way, and you have admin permissions on random foreign Lua code that is barely sandboxed.

Of course the blame is on the hackers, but I can't help but feel like at least the more common hacks could be prevented. By hiring a security engineer or two, or not (occasionally) ghosting people who do this work for free, for example.

We (BeamMP, not affiliated with BeamNG.drive or BeamNG GmbH in any way, as they ignore any attempt we make at talking to them), are working actively to make sure players know that they cannot trust mods, especially mods from servers they join. But, sadly, we can't help them fix their game or their sandbox.

[1]: https://beammp.com and https://github.com/BeamMP

[2]: https://news.ycombinator.com/item?id=40955693

[3]: https://luajit.org/
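An added illustration, not BeamNG's, BeamMP's or the commenter's code, of the allowlist approach a host can take when it loads a mod's Lua: the mod's chunk is bound to an environment table that omits require (and with it the ffi module), os, io, debug and the dynamic loaders, and binary chunks are refused. The helper names and the probe mod are constructed for this example; it runs on LuaJIT and on stock Lua 5.1 through 5.4.

```lua
-- Shallow copy so the mod cannot mutate a library table shared with the host.
local function copy(t) local c = {} for k, v in pairs(t) do c[k] = v end return c end

-- Build the allowlisted environment handed to a mod. Anything not listed here
-- (require and so ffi, os, io, debug, package, load/loadstring/dofile, _G) is
-- simply not reachable by name from mod code.
local function make_env()
  local s = copy(string); s.dump = nil   -- no bytecode generation from the mod
  return {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs, next = next,
    select = select, tonumber = tonumber, tostring = tostring, type = type,
    pcall = pcall, unpack = unpack or table.unpack,
    math = copy(math), string = s, table = copy(table),
    print = print,   -- a real host would route this to its own log
  }
end

-- Compile a mod's source as a text-only chunk bound to the allowlisted env.
-- Bytecode chunks start with ESC (0x1B); neither LuaJIT nor Lua 5.2+ verifies
-- bytecode, so a crafted binary chunk is refused outright.
local function load_mod(source, name)
  if source:byte(1) == 27 then return nil, "bytecode chunks are rejected" end
  local env, chunk, err = make_env()
  if setfenv then                       -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(source, name)
    if chunk then setfenv(chunk, env) end
  else                                  -- Lua 5.2+
    chunk, err = load(source, name, "t", env)
  end
  if not chunk then return nil, err end
  return function() return pcall(chunk) end
end

-- Constructed mod that probes for the host access a trojanised mod would need.
-- Every probe must come back false inside the sandbox.
local PROBE = [[
  return {
    loader  = require ~= nil or package ~= nil,            -- route to ffi
    system  = os ~= nil or io ~= nil,                      -- shell, files
    dynload = load ~= nil or loadstring ~= nil or dofile ~= nil,
    escape  = _G ~= nil or getfenv ~= nil or debug ~= nil,
  }
]]

local run = assert(load_mod(PROBE, "=probe"))
local ok, reach = run()
assert(ok, reach)
for name, reachable in pairs(reach) do
  assert(not reachable, name .. " is reachable from mod code")
end
print("sandbox probe: no host access reachable by name")
```

The environment table only closes the by-name route; a host that also exposes its own API tables to mods still has to audit what those reach.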

By @tamimio - 4 months
> One of the people to unwittingly install it was a Disney software development manager, who also had the company’s Slack channels active on the same computer.

The issue here is the IT department allowing employees to install personal software or games on work computers, or access work-related materials on personal machines directly, without a VPN or similar security measures.

By @Full_Clark - 4 months
I feel like a step is missing. How does one go from having access to Slack channels to exfiltrating scads of sensitive data?

Did they impersonate the software development manager in order to steal credentials? Did Disney integrate their sensitive data storage with Slack?

By @excalibur - 4 months
> Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

IT here. My developers like to think that knowing how to code gives them some kind of zenlike understanding of all things computer. But they still make the same boneheaded mistakes that all my other users do. And they're actually a bigger pain to deal with due to their overconfidence.

By @ChrisArchitect - 4 months
By @WarOnPrivacy - 4 months
The article asserts this.

    The group’s motivations, however, don’t really add up, especially given how the mod was likely delivered.

    Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

This excludes the possibility that a few sufficiently skilled furries were hanging together. The furries I know are intelligent to a fault and highly skilled in their crafts.

What seems very likely to me: A group of coders - some being familiar with remote access code and deploying payloads - found each other through the furry community and formed a working group.

By @joeisaveggie - 4 months
Even if the original headline is still not correctly capitalized ("Hackers Exploited a PC Driving Sim to Pull Off Massive Disney Data Breach"), we're not talking about a Subscriber Identity Module here.
By @pjmlp - 4 months
And then people ask why game developers should care about security.
By @zavaz - 4 months
The cookie agreement on that website is pathetic. Choose a better source that doesn't force cookies on you.
By @lawlessone - 4 months
>Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

No.. that's actually very believable actually.

By @mass_and_energy - 4 months
"you wouldn't order a turbo off Temu, would you? Actually wait, don't answer that"

You wouldn't download a car...

By @dboreham - 4 months
Um, so "installing compromised executable on desktop PC" isn't in the threat model for these folks??

For sure I wouldn't install a downloaded game mod (or...a game) on a PC with access to anything, but come on -- the probability that some user is going to install some compromised application, or view some video that has an exploit for the video codec, is 1.0. So you can't design a system that depends on that probability being 0.0

By @unwind - 4 months
Meta: the abbreviated form of "simulator" in the title should not be all caps, that makes it look like it is about cell phone tech.