Hacking news

Nintendo Switch Hacked, Cannot Be Patched By Nintendo

Hackers have a particular liking when it comes to hacking Nintendo Switch. The console has been hacked following a complete dump of the Nintendo Switch’s boot ROM, with two very similar exploits of the console being released that take advantage of a security vulnerability in the Nvidia Tegra X1 processor, which cannot be patched by Nintendo, reports Eurogamer. In other words, the exploit takes advantage of bugs in the Switch’s bootROM and USB recovery mode, which can be abused to run arbitrary code.

The exploits was first uncovered by console hackers ‘fail0verflow’ with the group’s ShofEL2 release, as well as the Fusée Gelée hack from Kate Temik and the team at ReSwitched. Since the vulnerability extends to most Tegra devices, the nature of the exploit was fully disclosed to Google, Nintendo and Nvidia by both the hackers well in advance.

While fail0verflow was set to release its exploit on April 25th, it pre-poned the release once the Switch’s boot ROM dump leaked. The video below shows Linux running on an unmodified Switch due to the exploit.

How to hack Nintendo Switch?

“Choosing whether to release an exploit or not is a difficult choice,” fail0verflow wrote in a blog post accompanying the release of its exploit. “Given our experiences with past consoles, we’ve been wary of releasing vulnerability details or exploits for fear of them being used primarily for piracy rather than homebrew.

“That said, the Tegra bootrom bug is so obvious that multiple people have independently discovered it by now; at best, a release by other homebrew teams is inevitable, while at worst, a certain piracy modchip team might make the first move. 90 days ago, we begun the responsible disclosure process with Google, as Tegra chips are often used in Android devices. The disclosure deadline has now lapsed. The bug will be made public sooner or later, likely sooner, so we might as well release now along with our Linux boot chain and kernel tree, to make it very clear that we do this for fun and homebrew, and nothing else.”

The reason Nintendo cannot patch to stop the hack is because the flaws are reportedly hardware-based that allow homebrew code to run on the hybrid console. So, the only way for Nintendo to patch the hack and remove the ROM exploit would be to alter the Nividia Tegra X1’s architecture — the processor that powers the Switch. Homebrew code is mostly used to emulators of classic video game platforms like the SNES, but it can also be used to pirate or modify software. Basically, every Switch released till date and going forward is vulnerable to the exploit until the Tegra chip is modified.

“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever.” The group goes on to explain the exploit’s process, which basically requires a wire bridge (or a 3D printed tool). “As it turns out, what Tegra calls the Home button is actually connected to Pin 10 (the rearmost pin) on the right hand side Joy-Con connector. You can just use a simple piece of wire to bridge it to e.g. a screw on the rail (easiest), or pins 10 and 7 (or 1) together (10 and 9 won’t work),” writes fail0verflow.

Nintendo has yet to comment on how it plans to address the exploits. When reached for comment a spokesperson at the company said, “We have nothing to announce on this topic.”

Source: Eurogamer

iOS Trustjacking Attack Allows Hackers To Hack iPhone, iPad

Security experts at Symantec have discovered a flaw that if exploited would allow attackers to compromise iOS devices without the owner’s knowledge.

The latest iOS attack dubbed as “Trustjacking” exploits a vulnerability in iTunes Wi-Fi Sync, a feature that allows iOS devices to be synced with iTunes without having to physically connect the iOS device to the computer. This feature can be enabled by physically connecting an iPhone/iPad to a computer once with a cable, specify that the iOS device can trust the computer henceforth, and then enable iTunes Wi-Fi Sync from the PC. Once a trusted Wi-Fi Sync connection is established, the hacker who has access to the user’s computer can secretly spy on the iOS device or record and control any sort of activities remotely, as long as they are both under the same local network.

“This allows the computer to access the photos on the device, perform a backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. Furthermore, this allows activating the “iTunes Wi-Fi sync” feature, which makes it possible to continue this kind of communication with the device even after it has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network. It is interesting to note that enabling “iTunes Wi-Fi sync” does not require the victim’s approval and can be conducted purely from the computer side,” Roy Iarchy, Head of Research, Modern OS Security wrote in the report.

Trustjacking is “extremely impactful,” said Adi Sahabani, SVP of modern OS security at Symantec, who disclosed the findings at RSAC 2018 last Wednesday alongside his colleague Iarchy.

The report stated that once the malicious computer is authorized, there is no other means that prevents the continued access to the device. Further, the users do not receive any prompts or notifications that by authorizing the computer they allow access to their device even after disconnecting the USB cable. Many users assume that their device is no longer exposed once they disconnect the USB cable.

“Even if the device is only connected for a very short period of time, it is enough for an attacker to execute the necessary steps to maintain visibility of all actions performed on the device after it is disconnected,” Iarchy wrote.

Researchers disclosed the vulnerability to Apple, who have attempted to address the issue by adding an extra layer of protection in iOS 11. The new protection layer requires the user of iOS to enter his or her passcode when trusting a computer. However, the researchers believe that such measures are inadequate.

“The user is still being told that this authorization is only relevant while the device is connected to the computer, making him believe that disconnecting his device guarantees that no one can access his private data,” Iarchy writes in the blog post. “While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work,” Iarchy added.

Researchers also suggest users to enable encrypted backups in iTunes and select a strong password to protect their devices.

Users can also go to Settings > General > Reset > Reset Location & Privacy, and re-authorize all previously connected computers next time when connecting their iOS device to each device, said Symantec.

‘Despacito’ music video deleted from YouTube; Adele, Taylor Swift, Drake and Shakira’s accounts taken over

In what seems to be a hacker attack, the music video of the hit song ‘Despacito’, which had more than five billion views on YouTube has been removed.

The original clips had been posted by Vevo, a music video hosting service that is a collaboration between the “big three” record companies, Universal Music Group (UMG), Sony Music Entertainment (SME) and Warner Music Group (WMG). Other Vevo channels of artists like Shakira, Selena Gomez, Adele Chris Brown, Maroon 5, Drake and Taylor Swift, were also inaccessible.

For those unaware, the Spanish-language hit “Despacito” released in January 2017, and went on to break several records in music streaming, including one for the single with the most weeks at No.1 in the U.S., with 16 consecutive weeks. It also became the most-streamed song in the world after reaching 4.6bn plays.

Meanwhile, the Despacito video has been removed, but its cover image shows pictures of five animated and masked people pointing guns at the camera. The hackers, who call themselves Prosox and Kuroi’sh, used the online moniker of Kuroi’SH and had written “Free Palestine” below the videos.

The BBC reports that a Twitter account probably belonging to one of the hackers posted: “It’s just for fun, I just use [the] script ‘youtube-change-title-video’ and I write ‘hacked’.”

“Don’t judge me I love YouTube,” it added.

Both YouTube and Vevo have been contacted to comment on the issue.

Source: BBC

Adrian Lamo, who hacked Microsoft and Yahoo, passes away at the age of 37

Adrian Lamo, a Colombian-American threat analyst and former hacker, has died at the age of 37. He was best known for passing on information that led to the arrest of Chelsea Manning.

Lamo, who was also occasionally known as the “homeless hacker” for his nomadic life, died in Sedgwick County, Kansas on Friday. Although the exact reason behind Lamo’s death is unknown, the coroner for Sedgwick County, Kansas, confirmed his death without giving more details, according to ZDNet.

Lamo’s death was also confirmed by his father, Mario Lamo who in the Facebook group “2600 | The Hacker Quarterly,” posted a tribute to his son on Friday.

“With great sadness and a broken heart I have to let know all of Adrian’s friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son,” wrote Mario Lamo in a Facebook post.

Lamo first gained media attention in the early 2000s for breaking into several high-profile computer networks, including those of The New York Times, Yahoo, and Microsoft, culminating in his 2003 arrest when he eventually turned himself in. He was sentenced to six months of home detention, along with 2 years of probation and a $60,000 fine.

However, Lamo gained worldwide notoriety in 2010 for disclosing to the FBI that the transgender U.S. soldier, Chelsea Manning – then Bradley Manning and an intelligence analyst for a U.S. Army unit in Iraq – had leaked confidential information to WikiLeaks. Manning had reached out to Lamo via a messaging app and told him that she had gained access to hundreds of thousands of classified documents and had leaked to Wikileaks a video of a U.S. military forces in a helicopter machine indiscriminately gunning down journalists and Iraqi civilians. But, Lamo chose to report him and informed the U.S. military of the breach.

Held responsible for the biggest breach of classified data in U.S. history, Manning was convicted by court martial of 20 offences including espionage after sharing over 700,000 confidential files with WikiLeaks. Manning was sentenced to 35 years in prison, but was granted clemency by former President Barack Obama, who said her jail term was “disproportionate.”

Looking back on his decision to give up Manning, Lamo told US News and World Report in 2017 that it was “not [his] most honorable moment”.

However, he added that he had learned a lot from the experience, including that “you can’t really know a person or their motives unless you’ve sat where they sat and seen the situation through their eyes, no matter how much you believe you do”.

“So many people think they know why I did what I did or what I was thinking or why I made my choice,” he added. “And almost without exception they’re wrong.”

Source: ZDNet

Cryptocurrency-mining hackers attack government websites including UK and US

Scott Helme, a UK-based security researcher, discovered that more than 4,200 websites, including several government ones, were infected on Sunday with a virus that helps criminals mine cryptocurrencies.

Apparently, hackers managed to inject Coinhive cryptocurrency-mining code in the U.S. and U.K. government websites that forces web browsers to secretly mine cryptocurrency. As a result, innocent visitors who visited these compromised websites would have their computers and phones commandeered in order to mine cyrptocurrencies for the criminals.

According to reports, websites that were infected with virus include those belonging to the Information Commissioner’s Office (ICO), Student Loans Company and Scottish NHS helpline among others. The list of 4,200-plus affected websites can be found here.

In fact, ICO, the website of UK’s data protection watchdog, was taken offline after they were warned that hackers were taking control of visitors’ computers to mine cryptocurrency. The ICO said: “We are aware of the issue and are working to resolve it.”

Helme said he was informed by a friend who had received a malware warning when he visited UK government site, ico.org.uk. He found that the website was using the Coinhive in-browser mining (cryptojacking) script that caused the visitors machines to use their CPU to mine the digital currency called Monero.

On investigating further, Helme found that several other government websites from various countries such as uscourts.gov, gmc-uk.gov, nhsinform.scot, manchester.gov.uk, and many more too had started injecting a Coinhive miner.

The affected code injected in the above websites was a malicious version of a widely used text-to-speech accessibility script known as Browsealoud, which is used to help blind and partially sighted people access the web, the report says.

British tech company Texthelp, the company which makes the plug-in, confirmed that the Browsealoud script was compromised but no other Texthelp services were affected.

In a statement, Martin McKay, Texthelp’s Chief Technology Officer (CTO), in a statement said the compromise was a criminal act and an investigation is underway.

“Users who visit the hacked sites will immediately have their computers’ processing power hijacked to mine cryptocurrency – potentially netting thousands for those responsible. Government websites continue to operate securely.

“The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency,” it said.

“The Browsealoud service has been temporarily taken offline and the security breach has already been addressed, however Browsealoud will remain offline until Tuesday 12.00 GMT.

“At this stage there is nothing to suggest that members of the public are at risk.”

Talking about the attack, Helme said, “This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

A spokesperson for the National Cyber Security Centre (NCSC) said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency.

“The affected services has been taken offline, largely mitigating the issue. Government websites will continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk.”

Hackers run Linux on Nintendo Switch, claim exploit cannot be patched

Hackers have a particular liking when it comes to hacking Nintendo consoles, be it the Wii, DS, or 3DS. Not making it easier for Nintendo, now a hacker group named ‘fail0verflow’ has successfully managed to run Debian Linux on Switch by exploiting its boot code. fail0verflow is the same hacking group who hacked the Nintendo Wii and Sony PlayStation 4.

fail0verflow announced their discovery in a post on Twitter with an image that displayed the Nintendo console running the Debian Linux distro and user login, along with a serial adapter that was connected to one of the Joy-Con terminal on the right side.

???? #switch pic.twitter.com/4iTjTk9D59

— fail0verflow (@fail0verflow) February 6, 2018

According to fail0verflow group, the exploit triggers a flaw in the boot ROM process of the Nvidia Tegra X1 chip that powers the console. The boot ROM is stored on the chip when Nvidia manufactures it and no changes can be made to it after that. Since, the console loads the boot ROM immediately after pressing the power button, the exploit cannot be patched via future software or firmware updates as it won’t affect the ROM, the hacker group claimed.

In case it wasn't obvious, our Switch coldboot exploit:
* Is a bootrom bug
* Can't be patched (in currently released Switches)
* Doesn't require a modchip to pull offhttps://t.co/LLadlEmm44

— fail0verflow (@fail0verflow) January 16, 2018

However, Nintendo could work with Nvidia and manufacture new Nvidia Tegra X1 chips so that new consoles don’t have this vulnerability.

While several sources are of the opinion that the Switch exploit is possibly a fake hack, most industry experts believe it to be true given fail0verflow’s hacking track records. Whatever be the case, Nintendo will definitely be looking to quickly fix the potential weaknesses in its code and hardware to avoid opening up any possibilities for installation of home brew apps and pirated games on the Nintendo Switch.

Source: TechCrunch

North Korea Possibly Behind Coincheck Hack, Says South Korea’s Intelligence Agency

Recently, Coincheck, one of Japan’s and Asia’s largest cryptocurrency exchange, was hit by the biggest hack in the history of cryptocurrency in which 58 billion Yen ($534 million) worth of the virtual currency “NEM (Nemu)” was stolen from its digital wallets.

While no one has taken responsibility for the hack, South Korea’s National Intelligence Service (NIS) claims that North Korea is likely behind the Coincheck cryptocurrency heist. Although the NIS didn’t have evidence to support this claim, the people who had knowledge of parliament’s intelligence committee proceedings told Reuters, “It’s a possibility that North Korea could be behind the theft.”

Kim Byung-kee, a member of South Korea’s Parliament’s intelligence committee, recalled similar past incidents in which North Korea attacked exchanges in the country.

Last year, tens of billions of won in cryptocurrency were stolen from South Korea cryptocurrency exchanges through North Korean cyberattacks, which partly involved the sending of hacking emails to members of the exchanges, according to parliamentary sources.

“North Korea sent emails that could hack into cryptocurrency exchanges and their customers’ private information and stole [cryptocurrency] worth billions of won,” Kim said.

Following the Coincheck hack on January 26, the Japanese exchange temporarily halted its operations. It later announced a compensation policy designed to return more than 260,000 users who were affected by the breach.

Meanwhile, the NIS has informed the National Assembly that it is investigating whether North Korea was behind the Coincheck hack that took place last month.

This is not the first time that North Korea is being held responsible for a huge cyberattack. The United States has publicly accused the world’s most isolated country for carrying out the WannaCry ransomware cyberattack that affected companies, banks, hospitals, and other services in 2017.

Tara O, an adjunct fellow at the Pacific Forum CSIS based in Washington, said North Korea’s attempts to hack digital currencies, including Bitcoin, are happening on a large scale.

“North Korea continuously seeks ways to bring in hard currency, and one way is to steal or demand payment in Bitcoin or other cryptocurrency, which can later be changed into dollars or yen or renminbi,” O told The Korea Times.

One good example, she said, is “Lazarus Group’s WannaCry malware, a malicious ransomware,” that targeted businesses and governments in 150 countries, with over 200,000 victims, in May 2017.

“Lazarus Group, also known as Hidden Cobra and Guardians of Peace, used WannaCry to exploit a flaw in Windows operating systems to lock files on computers and demand a ransom, payable in Bitcoin,” she said.

Crackas With Attitude’ Hacker Gained Access To CIA Chief’s Accounts

A British teenager who gained access to intel-operations in Afghanistan and Iran by posing as the CIA chief has pleaded guilty in a London court on Friday.

The accused, Kane Gamble, now 18, who was then aged 15 and 16 at the time of the offences targeted figures such as the then CIA chief John Brennan, Director of National Intelligence James Clapper and Secretary of Homeland Security Jeh Johnson, as well as senior FBI figures such as Mark Giuliano between June 2015 and February 2016, when he was arrested.

Gamble carried out his hacking operations from his bedroom in Coalville, central England, by mimicking his targets to gain access to highly classified documents concerning US operations in Afghanistan and Iraq Afghanistan including personal information, contacts lists, security details, and passwords.

“Kane Gamble gained access to the communications accounts of some very high-ranking US intelligence officials and government employees. He also gained access to US law enforcement and intelligence agency network. He accessed some extremely sensitive accounts referring to, among other things, military operations and intelligence operations in Afghanistan and Iran,” prosecutor Lloyd-Jones QC prosecutor John Lloyd-Jones told England’s Old Bailey central criminal court on Friday.

He then used the personal information to abuse his victims’ online, release personal information, and bombard them with calls and messages, and even download pornography onto their computers while taking control of their iPads and TV screens.

Gamble is the founder of the Crackas With Attitude (CWA) group, who had reportedly claimed responsibility for the attacks. The CWA group always expressed its support to Palestine and the hacks were carried out as part of a campaign of harassment against top US officials due to its support to the Israeli politics.

Gamble was arrested in February 2016, and in October 2017, he pleaded guilty to ten charges related to the attempted intrusions that took place between late 2015 and early 2016.

Other two members of the CWA group, Andrew Otto Boggs and Justin Gray Liverman were arrested by FBI in September 2016 and have already been sentenced to five years in federal prison.

Gamble, of Linford Crescent, Coalville pleaded guilty at Leicester Crown Court to eight charges of “performing a function with intent to secure unauthorised access” to computers and two charges of “unauthorised modification of computer material”.

“It all started by me getting more and more annoyed at how corrupt and cold-blooded the US Government is so I decided to do something about it.” Gamble told a journalist.

“The court heard Gamble “felt particularly strongly” about US-backed Israeli violence against Palestinians, the shooting of black people by US police, racist violence by the KKK and the bombing of civilians in Iraq and Syria.” reported The Sun.

Gamble’s defense, William Harbage QC, argued that he was “on the autistic spectrum” and had committed the offences when aged 15 and 16.

“Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old,” reported The Telegraph.

“He has no friends to speak off and is closest to his mother Ann, a cleaner who reportedly won a £1.6million lottery jackpot in 1997 but “lost all the money on doomed property deals.”

After his arrest, William Harbage QC told doctors “it was kind of easy” and that he had little consequences of his actions “in his bedroom on the internet thousands of miles away.”

The teenager, who is on conditional bail, will be sentenced by Mr Justice Haddon-Cave at the Old Bailey. The date of the sentence is yet to be fixed.

OnePlus confirms investigation of credit card fraud reports

Chinese smartphone manufacturer OnePlus’s official online store is assumed to be reportedly hacked after a number of customers are reporting of credit card misuse after their purchase on the OnePlus website recently.

The incident came to light when on the OnePlus support forum on January 11 from a customer who said two of his credit cards used on the phone maker’s official website showed signs of fraud. “The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website,” he wrote. Once this claim was made, several complaints were later posted to Twitter and Reddit that reported the same misuse of credit card.

Meanwhile, security experts over at a company called Fidus Information Security have published their own blog post explaining the alleged issues with the OnePlus website’s payment system.

According to the firm, OnePlus is currently using the Magento e-Commerce platform, which is a common platform for credit card hacking and is known to contain cybersecurity flaws for at least two years.

“The payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus says.

Adding further, Fidus said, “Card payments are handled by CyberSource, the processing form is still hosted on the OnePlus infrastructure. If an attacker had write access to this page, JavaScript could have been inserted to compromise data entered into CyberSource’s payment form on the client-side.”

While it is not clear whether the company is to blame, OnePlus published a forum post on Monday explaining how its payment system works and confirming an investigation into the matter. It revealed that each of the reports included customers who made card payments at oneplus.net.

OnePlus, further stressed that the credit card processing doesn’t take place on its website. “Your card info is never processed or saved on our website – it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers. Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a spokesperson wrote on OnePlus’s official forums.

“If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss,” the statement continued.

Lizard Squad’s founding member pleads guilty for running hacking-for-hire service

A Maryland man has pleaded guilty in a federal court in Chicago for operating a hacker-for-hire service that shut down company websites and targeted victims for as little as $20 for online harassment.

Zachary Buchta, a 20-year-old admitted in his plea agreement with prosecutors confessed to launching cyberattacks and harassment campaigns as a founding member of the hacker-for-hire groups Lizard Squad and PoodleCorp, according to the Chicago Tribune.

Butcha pleaded guilty to one count of conspiracy to commit damage to protected computers — a charge that can carry a sentence of up to 10 years in prison. However, Butcha has agreed to a plea agreement that will see him co-operate in the investigation, thereby reducing his jail term to two and a half years.

Lizard Squad rose to international prominence over Christmas 2014 when it launched massive DDoS attacks on Sony’s PlayStation Network (PSN) and Microsoft’s Xbox Live crippling their platforms, as well as “initiating so-called phone-bombing schemes that inundated victims with harassing phone calls” as well as general threats made to the FBI. In January 2015, they claimed to have taken over the social media accounts of pop singer, Taylor Swift.

On the other hand, PoodleCorp also hit gaming giants’ servers including Blizzard, EA, Rockstar Games and Niantic among others.

Buchta, who went by several screen names and handles “pein”, “@fbiarelosers”, “lizard” and “xotehpoodle” has also agreed to pay $350,000 in restitution to two online gaming companies that he helped to target.

Buchta and another defendant and fellow Lizard Squad and PoodleCorp core member Bradley Jan Willem Van Rooy, of the Netherlands, were both 19 when they were arrested in October of 2016 in connection with paid attacks on all kinds of victims, ranging from individuals to online-gaming companies. Van Roy is awaiting trial on similar charges in the Europe, following an investigation that began in 2015 and resulted in inter-agency cooperation between U.S. and Netherlands cyber-authorities. These charges are among the first brought in the U.S. against the alleged members of Lizard Squad.

The 61-page complaint alleged Buchta and the Dutch co-defendant operated websites that enabled paying customers to select victims to receive repeated harassing phone calls from spoofed numbers via the site phonebomber.net.

The DOJ released an example of his calls in 2016 which were heavily censored: “Better look over your [expletive] back because I don’t flying [expletive] if we have to burn your [expletive] house down, if we have to [expletive] track your [expletive] family down, we will [expletive] your [expletive] up [expletive]”.

In October 2015, a resident of Northern Illinois, described in court documents as Victim A,” was the “first victim” of the group’s personal harassment attacks. The victim started receiving non-stop phone calls every hour for 30 days with the same recorded message, which went as follows:

“When you walk the f**king streets, motherf**ker, you better look over your f**king back because I don’t flying [expletive] if we have to burn your f**king house down, if we have to f**king track your [expletive] family down, we will [expletive] your [expletive] up [expletive].”

In 2015, a 17-year-old affiliate of the group was convicted and sentenced to two years in prison for a slew of computer crimes in Finland.