Mama mia! Nintendo in need of a plumber after leak sprays N64, GameCube, Wii code

Roundup It has been a full week in infosec news. Here are a few things you should know about, beyond what we've already covered.

Nintendo console details leak

Fans of Nintendo were treated this week to a rare look at the most basic workings of some of the gaming giant's best-known consoles.

An anonymous hacker leaked some 2TB worth of source code related to the Nintendo Wii, GameCube, and Nintendo 64 designs. This cache includes Verilog code for the hardware – essentially the coded blueprints for the various chips.

While a neat peek into the inner workings of Nintendo and a rare look at the low-level design of the specialized chips that go into consoles, don't expect much to come out of this. While in theory the Verilog code could be used to turn FPGAs into clones of some Nintendo chips, the equipment and expertise needed to do that would be well upwards of $50k and not the sort of thing any hobbyist could do. Any commercial efforts would no doubt be torn to shreds by Nintendo lawyers.

The leak also, apparently, won't be of any use to the developers of emulators, who can only legally do what they do by reverse engineering. Here's how the developers of the Dolphin Emulator explain it:

We cannot use anything of any sort from a leak. In fact, we can't even look at it. Dolphin is only legal because we are clean room reverse engineering the GameCube and Wii. If we use anything from a leak, Dolphin is no longer legal and Nintendo *will* shut us down.

— Dolphin Emulator (@Dolphin_Emu) May 3, 2020

Elsewhere, while there was a claim that Microsoft source code had leaked, all indications suggest that was a hoax, with most of the code shown by the alleged hacker already being available on Microsoft's public GitHub pages.

Malware creeps hit German medical group

European hospital operator Fresenius has become the latest organization to fall victim to ransomware.

The German company, said to be one of the largest operators of private hospitals in the region, is reportedly dealing with an infection from the Snake ransomware, a relatively new malware group that exclusively targets large businesses.

For those wondering, Snake was not one of the malware crews that agreed to halt attacks against hospitals during the malware outbreak, so it would be unfair to claim the truce was broken.

Cognizant counts cost of malware attack

IT services company Cognizant has put an eye-watering price tag on the damage from its April ransomware ordeal.

CEO Brian Humphries told analysts tuned into the company's quarterly earnings call that the clean-up from the infection would be as high as $70m.

"As a result of this ransomware attack, our Q2 revenue and margins will both be negatively impacted," Humphries said.

"While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue and corresponding margin impact to be in the range of $50m to $70m for the quarter."

WebEx in the crosshairs for phishing

With so many people working from home, it should come as no surprise that WebEx accounts have become a target for phishing. A stolen account would let an attacker potentially spy on company meetings and social engineer further accounts and data thefts.

To that end, the team at Abnormal Security has a report of a phishing operation that aims to harvest WebEx credentials. The mark is sent a phony notification that their account has been locked and needs to be restored with the password. The user is then sent to a lookalike domain.

Pretty standard phishing operation, but for people not used to having their WebEx accounts targeted, it could prove effective.

Watch out for phishers in the Digital Ocean pool

Web hosting platform biz Digital Ocean sent out an email out to some of its customers last week to let them know a file containing some user data had been exposed to the internet via a public link and accessed 15 times.

The note said that the info included user email addresses "and/or" account names, as well as data such as "Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018..."

While the file did not include login credentials and none of Digital Ocean's services were compromised, the note does mean that if you're a user, you should be on the lookout for phishy emails, as one user pointed out: "We see you've spent $X on your two Digital Ocean droplets in 2018, click here to save" – disturbingly, the sort of info "you'd think only the provider should know".*

More Citrix bugs

Considering what a mess the last major Citrix bug turned out to be, admins should be paying very close attention to a recently posted security bulletin.

ShareFile and Storage Zones have each been issued updates to address a trio of remote takeover vulnerabilities.

"These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders," Citrix warned.

Fortunately, not all customers are affected. Because Storage Zones is also sold as a hosted service by Citrix, a number of those instances have already been protected and users will not be at risk.

Everyone else will want to get their software updated as soon as possible.

Phishing crooks having to hustle

It's getting harder to turn a quick buck in cybercrime, it seems.

Researchers with GroupIB have said that the crooks running phishing scams are having to work a lot harder these days to keep up with the security campaigns that remove their phony pages.

The security firm said that over the second half of last year, the number of phishing pages it took down more than tripled over the same period in 2018. This is not because there are more campaigns, but rather because the bad guys are replacing their pages rather than just giving up.

"This sharp upsurge in the number of blockages stems from the growing duration of phishing attacks: cybercriminals used to stop their fraudulent campaign as soon as their web pages were blocked, quickly mobilizing efforts for attacks on other brands," GroupIB explained.

"Today, they no longer dwell on it and continue replacing removed pages with new ones."

NBA star loses Twitter account to rude hackers

Without any games to play, pro athletes are just as bored as the rest of us, and as they spend more time on social media, they are also more prone to having their accounts hijacked.

Such was the case with NBA star Giannis Antetokounmpo, whose account was taken over and used to make a series of profane and insulting tweets about, among other people, the late Kobe Bryant and his daughter.

According to Ashlee Benge of security company ZeroFox, the "Greek Freak" isn't the only celeb to fall victim lately. "There has been a rash of lower-echelon hacking teams that target high-profile accounts," the researcher explained.

"With these kinds of attacks, it is often less of a typical compromise and more of a drive-by graffiti of these accounts."

FireEye examines MAZE malware's meatware network

Researchers with Mandiant's FireEye have popped the hood on the notorious Maze ransomware and how its operators conduct business.

Among the more interesting findings was that Maze doesn't have a core group that runs everything, but rather the crew subcontracts out much of their work.

"Direct affiliates of Maze ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment," FireEye explained.

"This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement – each of which who appear to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs commission) to perform specific tasks such as determining the victim organization and its annual revenues."

Santander leaves keys out, exposes customers

Banking giant Santander has reportedly exposed a set of critical keys that would have left customers wide open to fraud.

Researchers with CyberNews discovered that the company's website included a JSON file that had the unencrypted keys for Santander's AWS content delivery network. The researchers say that, in the wrong hands, these keys would have allowed someone to access the CDN and edit its contents (things like banking statements or web pages) to include whatever they wanted.

"For example, if a PDF or Word document was hosted on Cloudfront, and this document contained sensitive information – such as what accounts a customer should send money to – then the hacker would be able to switch that document out with their own version. In that way, they’d be able to change the real account number to his own, and thereby steal the customer’s money," the researchers explained.

"If a static HTML file was hosted, then the hacker would be able to switch that out with an entire webpage, allowing them to create a phishing page to steal the user's financial information, all while on Santander’s official Belgian domain."

MobiFriends loses customer data

Profiles of some 3.68 million people who use the dating app MobiFriends have been stolen and are being flogged around dark web forums.

While the passwords are MD5 hashed, the other exposed information is the sort of thing you wouldn't want a criminal to have: phone number, username, activity logs, birthdate, gender, and email address.

Anyone who uses MobiFriends would be well advised to change their password on any site where it was reused (and don't do that any more) and be on the lookout for spear phishing attacks.

Phisher pholk target EE and Hyperoptic customers

Cybercrooks are preying on Brits working from home during the coronavirus pandemic by sending them phishing emails masquerading as legit messages from their broadband ISPs.

EE and HyperOptic subscribers have been targeted in particular, judging by info shared with The Register and security researchers.

Everything Everywhere (EE) is said to be the target of a phishing operation intent on harvesting customer credentials.

Researchers with security company Cofense are reporting a crop of phony emails aimed at Office 365 users claiming to be from EE. The messages are part of a spear-phishing effort and have been reported by companies whose executives were on the receiving end of the card-slurping attempt.

The emails themselves claim to be from EE's billing department, using a moniquemoll.nl, and warn the target of a problem with their account. Upon following the link, the recipient is then sent first to a fake login page and then to a phony billing page that aims to collect their card details. To help sell the scam, the attackers obtained an SSL certificate for the phishing page.

The ruse does not end once the mark hands over their account and payment card details either, as the phishing page then throws up an error message and redirects back to the EE website.

"The peculiar aspect is the message in which the threat actor included: 'You will not be charged' to reassure recipients and trick them into providing their payment information," Cofense said.

"The user is then automatically redirected to the legitimate EE website to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped."

The attack appears to be trying to capitalize on the massive number of people now working from home rather than through their office. While home ISPs have always been a target for phishing, now that many more rely on those home connections for their jobs, the threat of losing your connection to a billing issue will be even more compelling.

In the case of Hyperoptic, a Reg reader pointed out that in recent days the carriers has been sending notification emails directly to customers warning of the ongoing phishing attack. The notifications warn users that pop-up ads have been spoofing notifications from the carrier in an attempt to harvest account information.

Hyperoptic confirmed the authenticity of the notifications and said that they were issued after it found ads for a phony contest claiming to be sponsored by the ISP.

"On Saturday Hyperoptic's customer service team was alerted to a pop-up competition for mobile phones, purportedly sponsored by Hyperoptic," the firm told The Register. "This is a phishing campaign and it has neither affected nor compromised any part of Hyperoptic ISP systems."

Needless to say, anyone who clicked on and gave info to a pop-up offering entry in a Hyperoptic contest should immediately change their password and report the incident to the company's support line.

What is not known at this time, including by Hyperoptic, is how the pop-ups are being served. While it's entirely possible these are just normal ads embedded in web pages, it has not yet been ruled out that a malware infection or other means of attack are being used to specifically target Hyperoptic customers.

Again, this attack looks to be a ploy to get as many credentials as possible at a time when many are online either for work or simply from boredom due to the lockdown. If ever there was a time to target home ISPs, this is it.

In both cases, users should follow best practices like never entering account credentials into unsolicited pop-ups or email messages and manually navigating to their ISP (or other account) billing and payment pages in a new tab rather than following links in emails.

More importantly (since most Reg readers already know these things) make sure family members who share accounts are also aware of these threats and what can be done to avoid them.

Google Authenticator 2SV codes transferable across Android devices

Lastly, in celebration of World Password Day (7 May), Google updated its Authenticator app to make it easier to transfer 2-Step Verification (2SV) codes from one Android device to another.

Touting it as "one of the most anticipated features", the Chocolate Factory said the ability to port "2SV secrets, the data used to generate 2SV codes across devices" would be particularly useful "when upgrading from an old phone to a new phone".

But only if your new phone is an Android too. The feature is available in v5.10 of Google Authenticator. ®

*Updated to add at 15:40 GMT on 11 May

Digital Ocean has been in touch to say: "We had a document that was discovered to be shared publicly and while we feel confident there was no malicious access to that document, we informed our customers regardless for transparency. Less than 1 per cent of our customer base was impacted, and the only PII included in the file was account name and email address. This was not related to a malicious act to access our systems."