The gaming community of Dota 2 was attacked by four malicious custom game modes that were uploaded on Steam by the same author, all exploiting an old V8 vulnerability.
Unfortunately, Dota 2 was using an outdated version of V8 for which proof-of-concept exploits were publicly available on the internet. The author of the malicious mods knew this and took advantage of the situation to perform zero-day attacks.
“We discovered that one of these vulnerabilities, CVE-2021-38003, was exploited in the wild in four custom game modes published within the game. Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players.”
Avast informed Valve, the publisher of Dota 2, and the company released an update that upgraded V8 to a secure version on January 12, 2023.
Valve also removed the offending game mods from Steam and notified all players affected by the attacks.
Avast reports that the first of the four mods for Dota 2 was a test of the exploit uploaded to Steam to verify that the attack was possible without using a payload. The custom game mode also contained a file named “evil.lua” where the attacker tested various server-side Lua execution capabilities, including logging, dynamic compilation, executing system commands, and