For the week ended April 24, Threatpost editors discuss the hottest cybersecurity news stories, including:
- Apple zero days disclosed in the iPhone iOS that researchers say have been exploited for years. Meanwhile, Apple has pushed back and said there’s no evidence to support such activity.
- Nintendo confirming that over 160,000 accounts have been hacked, due to attackers abusing a legacy login system (NNID).
- With the NFL’s virtual draft kicking off this week, security researchers and teams have been sounding off on security issues leading to data theft or denial of service attacks.
Download direct here, or listen to the podcast below.
Below find a lightly edited transcript of the Threatpost news wrap.
Lindsey O’Donnell-Welch: Hello everyone, welcome back to the Threatpost news wrap. You’ve got the Threatpost team here today to discuss this week’s top cyber security news, including myself, Lindsey O’Donnell-Welch and Threatpost editors Tom Spring and Tara Seals. Tom and Tara, happy Friday.
Tom Spring: Hey!
Tara Seals: Hey, Lindsey. How are you?
Lindsey: Good. There’s been a lot of news from this week that we need to unpack. We’ve had leaked source code, Apple zero days, security issues around the NFL draft. So, Tom, I mean, starting with the Apple zero days, that was kind of a huge news item of the week, and there was some back and forth, and I think the most recent thing, was Apple having a statement come out today about the zero days. Can you kind of give us a sense of what that was all about?
Tom: Well, sure, sure. It’s an evolving story. And it started a couple days ago when a number of researchers and I’m probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names – But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. An attacker can send an email to an iOS device. And if Apple’s default mail program receives that message, there are two vulnerabilities – an out of bounds write vulnerability and a heap overflow bug – that kick in when this specially crafted message arrives. In very simple terms, the bugs impact the way that the mail program processes memory. And I won’t get into the technical aspects of it, we’ve written about it, it’s on Threatpost. But essentially, the hackers can use this to either extract data from the mailbox itself, and or combine the flaw to actually take over the device or take control of the device. This was something that was very shocking considering that any modern patched version of the iOS was vulnerable to this attack. The researchers said that this is an attack that’s been used in the wild in a number of targeted attacks by some APTs. And so that story goes. Apple did release a beta update to iOS. And it was reported a couple days ago. And it seemed to suggest Apple was kind of quiet at the time. But given that Apple had released a beta version of its iOS, it seemed that Apple was was not explicitly stating that there was a problem, but suggested it by sending out a patch. Now today, Apple is downplaying the impact of the bug and saying that it has found no evidence that that the bug, number one, has been used in the wild. And just to briefly, quote, Apple’s statement released I believe was yesterday: “We have concluded these issues do not pose an immediate risk to our users. The researchers identified three issues in mail, but alone, they are insufficient to bypass iPhone or iPad protections. And we have found no evidence they were used against customers.” So we have the classic he said, she said, and we’ll see how this plays out. But it’s high drama, once again with zero days, zero day claims and zero day denials.
Lindsey: Yeah, it definitely seems like it is turning into kind of a he said-she said type of report. And it’s interesting too, you know, just looking at ZecOp’s report, they did kind of go into deep detail about the flaws being exploited in the wild. And I think they had mentioned that there were a number of different targets, including individuals from a Fortune 500 org in North America, and executives from a Japanese based carrier. So it is just kind of interesting that Apple is pushing about back against those specific claims that the bugs have been exploited for years. And I’m curious to see kind of where this goes and whether the researchers respond back to Apple at all, and, you know, further kind of corroborate what they had written in the report.
Tom: Yeah, well, you know, Apple has gotten some support from the research community. I believe that Google’s Project Zero researchers have chimed in expressing some doubt on the ZecOps research. Meanwhile if anybody’s worried there is the beta version of the iOS that you can download right now and I’m sure we’re going to be hearing more from Apple about them pushing out an update, a final update, for the iOS as well. But you know, I mean, I mean here again, you have Apple which is tight lipped won’t comment and I mean, they have to put out a statement days after the the researchers come out with their their findings. From a reporter standpoint, it would be so nice if Apple would open up a bigger dialogue, not only with journalists, but especially with researchers in terms of maybe helping them better understand what they found, the original research really, casted no doubt on their own research. I mean, why would they, but at least, you know, they could have tempered some of their research with some feedback from Apple. I’m not too sure if they purposely left it out. But you know, historically speaking, it’s tough for researchers to get to vendors to give a full throated response to their research, but we shall be following this story. I’m sure we might even see some interesting things happen over the weekend and Monday morning. We’ll be watching carefully.
Tara: I have a question Tom. Have there been any third party researchers that have taken a look at this and weighed in at all with an opinion?
Tom: Well, Google Project Zero did. And they cast some doubt on the research itself. I’m not aware of anybody else, I’ve heard a lot of researchers comment on the zero days, but they were commenting in reaction to the actual research being released, they weren’t commenting on, their own reverse engineering, the proof of concepts and dissecting the research itself. So, you know, there could be a lot more noise going out there. And again, this is a fast moving story, and it’s evolving quickly. And we will be keeping a close eye on the Twittersphere of reliable researchers and reaching out to a lot of people on the phone and hopefully, we’ll have a good solid update either over the weekend or ASAP to better assess the real threat here with these “zero days.”
Lindsey: Right. Well, that was definitely one of the bigger stories of this week. And actually another big story, I guess two similar stories kind of revolved around the gaming community. And one of those stories was Nintendo today, coming out and confirming that 160,000 accounts have been hacked.
Tom: Yeah Lindsey, which Nintendo’s accounts? Do we know? I mean, I’m just thinking about my my son’s different accounts with Nintendo. Do we know what platform or services may have been impacted?
Lindsey: Yeah, so, basically over the past few weeks, gamers who are using the Nintendo Switch were reporting suspicious activities on their accounts. And they were basically going on Twitter and there were different posts on Reddit saying that unauthorized actors had been logging into their accounts using their PayPal or their payment card methods that were connected to the accounts and buying digital currency for like, online in-game systems. So like Fortnite V-Bucks, etc, etc. This was reported over the past few weeks by various outlets, but Nintendo had stayed kind of silent about whether this was actually happening or what was behind this. And finally, in a statement today, it said that it first of all confirmed the attacks, it said that specifically 160,000 accounts were hacked, and it said the reason that this hack was occurring was because attackers were abusing the Nintendo Network ID legacy login system, which I don’t know if you guys remember but that was from the Nintendo 3DS and Wii U console. That was what was primarily used to login and to buy digital currency for those accounts. So anyways, Nintendo was saying that this login ID was being linked to various Nintendo accounts for the switch. And somehow attackers were able to access the accounts tied to this legacy login system and were then able to access the linked Nintendo accounts for the Switch. And from there, they’d have access to the different payment methods, and were able to make the in-game purchases. So Nintendo didn’t provide any further details about how these accounts were specifically being accessed. But they did say that they were being obtained by some means other than their own service. So I know there had been theories about like credential stuffing or otherwise but that doesn’t seem like it was the case here. So it’s now disabled the NNID login service so that you can’t use that anymore.
Tom: Well, I’ll hear from my son with if he’s had trouble connecting, and I’ll know what’s going on.
Lindsey: Yeah, yeah, I would check in and make sure.
Tom: I wrote a story about at Linksys, they had to reset their passwords. And I’m a Linksys customer. And they assured me that every single Linksys customer had been notified. And then I was like, “Well, hold on a minute. I’m a Linksys customer, I haven’t been notified.” And they backtracked and said, “well, we’re doing it in waves.” So I take it with a grain of salt, when a lot of these companies say they’ve implemented a fix – whether or not that fix is immediate or whether phases in over time. So I’ll be interested to hear whether my son’s actually having issues or not, or whether they’ve reset passwords or whatnot.
Lindsey: Yeah, well, it seems like a lot of companies can post the statement onto their Twitter accounts or on their website and think that’s enough. But you’d be surprised that the number of people who actually need the email notification to be notified of these hacks. So, but it did advise players to set up two factor authentication, of course, to add that extra layer of security to accounts. And it is also resetting the passwords for affected accounts. So hopefully, this problem will go away. I know it had been a widespread kind of issue for people who had been reporting about it online. So we’ll see.
That was one of the news related to kind of gaming. The other one was the discovery of leaked source code this week for two popular games that were published by Valve. Those were Counter Strike: Global Offensive and Team Fortress 2. And basically, that was a whole issue because the source code, if accessed, could lead to security issues or cheating, which probably isn’t as serious, but you know, it’s still a problem. And Valve, the developer and publisher of the two games, came out and basically said that the source code in question dates back to 2017, and was already part of an existing leak from 2018. But anyways, I think that goes to show that these security issues do continue to pop up in the gaming space. And there’s such like a massive install base for gamers that this is just a really lucrative area for cybercriminals to be looking at.
Tara: Yeah, I definitely think that’s the point I was going to make is that, I think, Nintendo has 20 million active users or something like that. And these massive multiplayer games have millions of users to in some cases, and so, you know, I’m surprised we don’t care more about gamer hacking stuff to be honest.
Lindsey: Yeah, definitely. I definitely agree, Tara. And so, and then Tara, you also had a very timely news story about the NFL Draft, which is virtual this year and kind of the security concerns that researchers and also teams were having with the event as it starts this week. What was kind of the top concerns there?
Tara: Yeah, so the NFL Draft, obviously is a massive, massive event for the league every single year. This is for the sliver of the population that doesn’t know about it, it’s basically where you have pro teams that are looking at the people that are coming out of college and, you know, the Canadian league and some other places that you know, have not been signed to the pros yet, and they evaluate their stats and everything and then this is their opportunity to find new people to the roster. And so in the past this has been done in sort of public space and everybody kind of gets together and teams will congregate at their stadiums and war rooms and things like that. That’s not possible. And so everybody is basically trying to do this with one to one links, you know, from their houses. So you have a head coach in his house or her house, and then you have, you know, the GM in their house and then obviously, all the players trying to tune in, the prospective players that is and so if you look at it, the communications footprint here, the distributed communications footprint is pretty massive. And so in order to bring everybody together to make this happen, there’s a couple of different platforms to do that, one was Microsoft Teams, and then there’s Zoom, you know, infamous Zoom, which clubs are using to communicate amongst themselves.
Lindsey: The security issues here are really something that’s good to be looking at right now, with something as big as this, and it’s something that we’ll also have to probably continue looking at for for the foreseeable future. But I also think kind of the technical logistics in the background are important too. And I saw on Twitter yesterday, there was like this picture of Belichick looking at the draft from his house in Nantucket and a bunch of people were, laughing about the fact that, questioning how he was able to get Wi-Fi on on Nantucket, and whether it was able to hold up and all these things. So I think, it’s just so new that there’s a lot of like questions and technical concerns there too.
Tara: Yeah, it’s kind of interesting because there are 100+ video feeds when you take into account you know, all the general managers, all the prospects which there are 58 different prospects and the coaches themselves and then plus that’s not even including, you know, the individual underlings that are involved in the process. But yeah, the Belichick thing was really funny. And then also the head coach of the Arizona Cardinals was all over Twitter, it went totally viral yesterday, he has this sort of Bond villain layer in the Phoenix mountains vibe. It was all like gleaming white and like he’s wearing, you know, Italian loafers. And he just looks at like an Armani ad or something. I mean, there’s a lot of cultural fun stuff that goes along with this. But there’s also a lot of, you know, legitimate cyber security concerns. And so, with the draft picks, you know, you wouldn’t think of that as being sort of critical information, but it really is. And you consider that if a team’s job strategy is leaked to another team, then that’s obviously competitive and that can destroy a team season in theory. You also have, if these things are able to be intercepted, then it can be very useful for people in the online gambling world, for example, there’s a lot of fraud that can be carried out with that. And so there are a few different things that can be done if job information falls into the wrong hands. And so that’s really what they were concerned about. I did reach out to the NFL to find out what their take was on cyber security, and they wouldn’t reveal what exactly they’ve done. But they did say that they they are aware of the potential dangers, and I mean, the draft is going to continue through tomorrow. So, you know, remains to be seen if they successfully warded off any attacks or not.
Lindsey: Right, I was about to ask if there have been any incidents so far, but I’m sure that remains to be seen at this point. But yeah, I think that you know, obviously the the data itself in terms of team strategy and personnel plans is a big issue. And also I feel like denial of service could be an issue here too. And you know, launching a denial of service attack or even kicking people off.
Tara: Yeah, I’m so glad that you said that actually. Because that is that is one thing that one of the security researchers that I talked to had mentioned was that the denial of service aspect of this, obviously. So anybody who plays Fantasy Football is familiar with this, but you get a very short window of time to make your job spec and it’s kind of a snooze, you lose if you don’t do it in that time period, then you get passed over and you don’t get to go back and redo it. So, you know, conceivably, an attacker could DDoS someone you know, a club and prevent them from making their draft pick and there would be no way for them to go back and remediate that really. So again, these are things that can make a pretty radical difference when it comes to the team’s future. And of course, this is assuming that we’re going to have an NFL season this year.
Lindsey: We’ll see. Fingers crossed. I really like that story. It’s a fun and applicable story. And you know, I put it on Facebook and someone posted, “you know [the NFL has] been hacked when the first person picked is Terry Bradshaw.” All right. Well, on that note, it’s been a very busy week in the infosec world, and there’s much more that needs to be covered. So let’s wrap up the podcast here, Tom and Tara, thanks for coming on today.
Tom: Yeah, thank you.
Tara: Thanks, Lindsey. You guys have a good weekend.
Lindsey: You too. And to all our listeners. Thank you for joining us today. If you like what you’ve heard here, be sure to share this episode on social media. And if you have any comments or thoughts regarding Apple zero days, or any of the new stories that we’ve talked about today, please reach out to us on Twitter at @Threatpost and let’s keep the conversation going. If not catch us next week on the Threatpost podcast.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.