RB6: Incident Transparency Report 29/05


Krul


This Monday we received several ban reports from our community, with no prior alerts from the safeguards we already have in place against detections. It turned out to be an unusual circumstance caused by extremely careless behaviour from BattlEye, dropping to yet another low, which I'll detail in this report.

Anyone who visited our website recently may have been affected by this banwave, regardless of whether or not they actually cheated, or for that matter whether or not it was our website at all. In our internal investigation we identified 193 affected users, which accounts for less than 15% of our user base. We can only speculate that the BattlEye team is A/B testing this update.

We identified and fixed this issue within 8 hours, and although further testing is required, it should now be safe to browse the web and visit prosmokestore(dot)com or liveanddare(dot)com freely as long as you have RiftGuard™️ running.

However, please keep in mind that banwaves, as implied by the name, happen in waves, and you should consider any and all accounts from before this announcement a tragic loss. Alternatively, you can badger Ubisoft support and mention that you just like vaping, whichever works for you.

We already knew how careless the BattlEye team was, which is why we have dumb mitigations such as the title bar clearing itself while the client is running. We should have acted on the information we had earlier, and regardless of how unprofessional they are, this was our error and we are truly sorry for any loss our customers have encountered.

What has happened

BattlEye recently updated one of their dynamically run anti-cheat challenges, which we internally identify as BF914188553446BD (attached below). This challenge is only delivered to Rainbow Six Siege users.

This routine includes a shocking number of lame detections, from window name checks to searching for 'H*ckM*chine' in memory. The interesting part, which was added recently, is the following snippet:

// 2 = AF_INET, 8 = TCP_TABLE_OWNER_MODULE_ALL (rows carry owner PID and creation timestamp)
if (GetExtendedTcpTable(connection_list, &size, 0, 2, 8, 0) == OK) {
  for (int row = 0; row < connection_list->length; row++) {
    // Flag a connection on port 7777 (stored in network byte order) owned by PID 4 (System),
    // or any connection whose address is on the hard-coded list.
    if ((connection_list->table[row].port == bswap(7777) && connection_list->table[row].pid == 4) ||
        (connection_list->table[row].ip == 0x72B42AC ||    // 172.66.43.7   (little-endian in_addr)
         connection_list->table[row].ip == 0xF92842AC))    // 172.66.40.249
    {
      pid = connection_list->table[row].pid;
      // 0x58 = SystemProcessIdInformation: resolves the PID to its image name
      NtQuerySystemInformation(0x58, &pid, 0x18, 0);
      // Creation time of the anti-cheat's own process, used to express the
      // connection's timestamp relative to startup
      GetProcessTimes(GetCurrentProcess(), &creation_time, &tmp, &tmp, &tmp);
      creation_time -= connection_list->table[row].time;

      // Appended to report, omitted for clarity's sake:
      // - Connection time relative to startup
      // - Process ID & name
      // - IP address & port
    }
  }
}

For those less familiar with the technical jargon: this code retrieves a list of all active TCP connections on the system and reports any entry that matches the blacklisted addresses, or any connection on port 7777 that is owned by the System process (PID 4).

Now, we already knew that BattlEye collects data in disregard of the GDPR rules enforced across Europe. But RiftGuard's connection does NOT go through the Windows kernel at all: we issue DMA commands directly to your Ethernet or Wi-Fi card, bypassing Windows precisely for this reason. So our initial assumption was that this change could not be of any consequence to our members.

Come Monday 29/05, our proprietary automated analysis tools indicated this change as the root cause. We have no user-mode code whatsoever, and definitely no connection visible to anyone, even from Windows kernel mode. So it turns out that BattlEye will ban people simply for connecting to a website in their favourite browser.

What's even more interesting is that these IP addresses are not owned by us. They are in fact owned by Cloudflare and used for their Load Balancer service, which we rely on to balance your connections coming from all over the world across the 12 servers we have. You can find all the sites you can get banned for visiting in your browser here, and here, to use when making a ticket for your ban appeal.
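To make the quoted check and the Cloudflare address point concrete, here is an added Python example (not BattlEye's or RiftGuard's code) that decodes the two little-endian address constants and evaluates the same condition over a constructed connection table. It assumes the compared field is the remote address and that the table is laid out like the Windows MIB_TCPROW structures (address as a little-endian dword, port in network byte order); the PIDs, ports and rows are made up for illustration.

```python
import socket
import struct

# Constants taken from the decompiled check quoted above.
BLOCKLIST_LE = {0x072B42AC, 0xF92842AC}          # in_addr values as little-endian dwords
PORT_7777_NBO = struct.unpack("<H", struct.pack(">H", 7777))[0]  # bswap(7777) on x86
SYSTEM_PID = 4                                   # PID of the Windows System process

def le_dword_to_ip(value):
    """Decode a little-endian in_addr dword (MIB_TCPROW layout) to dotted-quad text."""
    return socket.inet_ntoa(struct.pack("<I", value))

def ip_to_le_dword(ip):
    """Inverse of le_dword_to_ip, to build rows the way the table stores them."""
    return struct.unpack("<I", socket.inet_aton(ip))[0]

def matches_check(row):
    """Same condition as the snippet: System-owned port-7777 connection, or address on the list."""
    return ((row["port"] == PORT_7777_NBO and row["pid"] == SYSTEM_PID)
            or row["ip"] in BLOCKLIST_LE)

def make_row(pid, ip, port):
    """Constructed table row: address as little-endian dword, port in network byte order."""
    return {"pid": pid, "ip": ip_to_le_dword(ip),
            "port": struct.unpack("<H", struct.pack(">H", port))[0]}

# Constructed sample table: a browser talking to a Cloudflare edge address from the
# snippet, an unrelated browser connection, and two port-7777 connections.
SAMPLE_TABLE = [
    make_row(5120, "172.66.40.249", 443),   # browser -> Cloudflare load balancer
    make_row(5120, "1.1.1.1", 443),         # browser -> unrelated host
    make_row(4, "10.0.0.5", 7777),          # System process (PID 4) on port 7777
    make_row(9000, "10.0.0.5", 7777),       # ordinary process on port 7777, not matched
]

def flagged_rows(table=SAMPLE_TABLE):
    """Return (pid, dotted ip, host-order port) for every row the check would report."""
    out = []
    for r in table:
        if matches_check(r):
            port = struct.unpack(">H", struct.pack("<H", r["port"]))[0]
            out.append((r["pid"], le_dword_to_ip(r["ip"]), port))
    return out
```

The first flagged row is an ordinary HTTPS connection to a shared CDN address, which is exactly the false-positive class the report describes; address-only indicators on shared infrastructure cannot distinguish one tenant's traffic from another's.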

Conclusion

Naturally, since we're a new brand, some panic among our early adopters is to be expected, but hopefully this report and our fast reaction to this change demonstrate that:

  • We put your trust and your accounts before anything else and will continue to do so. We've learned from this experience and will only improve as time goes on.
  • We have a complete transparency policy as a company and will not go out selling detected software or gaslighting customers into believing they were manually banned, like many others in the scene.
  • We're here to stay.
  • BattlEye is very desperate.

We are very grateful to all of our users who reported their account suspensions through our support page; this enabled us to use our proprietary analytics tools to identify the root cause and address the issue in less than 8 hours. We thank you for your patience and look forward to your continued patronage.

Detailed Timeline

All times are UTC.

2023-05-28 23:30 - First two ban reports received.
2023-05-29 00:11 - Reports reached the threshold level triggering an alert.
2023-05-29 01:55 - Our security engineers started analysis of the incident.
2023-05-29 07:50 - An experimental build addressing the issue was deployed.

Attachment: BF914188553446BD.zip
