“Operation Cookie Monster” ranks as one of the best code names in recent memory. And it’s apropo, given what exactly went down. Genesis Market was one of those marketplaces where criminals could buy and sell stolen credentials. This one was a bit extra special.

Websites and services are getting better about detecting logins from unexpected computers. Your Google account suddenly logs in from a new computer, and a two-factor authentication challenge launches. Why? Your browser is missing a cookie indicating you’ve logged in before. But there’s more. Providers have started rolling out smart analytics that check for IP address changes and browser fingerprints. Your mix of time zone, user string, installed fonts, and selected language make a pretty unique identifier. So sites like Genesis offer Impersonation-as-a-Service (IMPaaS), which is session hijacking for the modern age.

A victim computer gets owned, and credentials are collected. But so are cookies and a browser fingerprint. Then a criminal buyer logs in, and runs a virtual browser with all that collected data. Run through a proxy to get a IP that is geolocated close enough to the victim, and Mr. Bad Guy has a cloned machine with all accounts intact.

And now back to Operation Cookie Monster, a multi-organization takedown of Genesis. It’s apparently a partial takedown, as the latest word is that the site is still online on the Tor network. But the conventional domains are down, and something like eight million credentials have been captured and added to the Have I Been Pwned database.

Another researcher team, Sector 7, has been working the case with Dutch authorities, and has some interesting details. The vector they cover was a fake activation crack for an antivirus product. Ironic. There are several extensions that get installed on the victim computer, and one of the most pernicious is disguised as Google Drive. This extension looks for a Command and Control server, using Bitcoin as DNS. A hardcoded Bitcoin address is polled for its latest transaction, and the receiving address is actually an encoded domain name, you-rabbit[.]com as of the latest check.

This extension will look for and rewrite emails that might be warning the victim about compromise. Get an email warning about a cryptocurrency withdrawal? It modifies it in the browser to be a sign-in warning. It also allows Genesis customers to proxy connections through the victim’s browser, bypassing IP address security measures.

Ghost in the VPN

There are a few reasons you might want to use a VPN. Like accessing things inside your network from afar, without opening ports to the wider internet. Or because you’re using public WiFi, and you’re concerned someone may be trying for an ARP poisoning attack. Or maybe even to get an IP that geo-locates to another country. It’s legally dubious, but a VPN with a British endpoint gets you BBC shows, and Netflix is delighted to stream way more anime content with a Japanese IP address.

All that to say, there are some reasons why even Linux users might use a VPN service like CyberGhost. It even has Wireguard support. And unfortunately had some really severe security issues in the Linux client. The connection flow contains several HTTPS requests to a CyberGhost API, and one of those connections is done without proper certificate checking. This is fairly common during development, to test the code before the domains and certificates are in place. But that’s no bueno for deployed code, as it gives that hypothetical ARP-poisoning attacker a foothold.

The vulnerable API call just happens to be the one that fetches the Wireguard server details, including address, port, and public key. And it gets way worse, as the wireguard configuration file is populated by a bash command, built by concatenating those details on a template. Without proper sanitization. So that VPN you might use to stay safe on public wifi, had a vulnerability that allowed an attacker on the same untrusted network to execute bash code on your machine during the connection process. Yikes!

The good news is that [mmmd] privately reported the flaws, and CyberGhost took the report seriously, releasing a fixed client in just a handful of weeks. The very bad news is that the client does not have an auto-update feature. So Linux users of CyberGhost desperately need to go check that their client is at least version 1.4.1, and update it if it’s an earlier version.

Pseudo Corporate Email

[Evan Connelly] had some fun and profit at Tesla’s expense/benefit. Tesla runs two separate Single Sign On providers, sso.tesla.com for insiders, and auth.tesla.com for the rest of us. That pair of providers is interesting, and just maybe there’s some weirdness to be found where they overlap. Like registering an old @tesla.com email address with the public SSO provider. Since it didn’t actually require email verification, it was possible to claim the account of a former Tesla employee. With that once-again valid account in hand, all that was left was to discover whether it would actually enable anything interesting. And turns out, the Tesla Retail Tool doesn’t check which SSO provider is being used, and has some hard-coded account names with privileges. Score!

Dead Angles

We’ve covered Acropalypse a couple times, but Trail of Bits has an interesting take on the problem and tool to find similar issues. Acropolypse is what happens when an image gets cropped, but the file itself isn’t truncated. What ToB observes is that this problem could be generalized, as input bytes that are ignored by a parser, and included in the output. The Polytracker tool successfully tracks the data that ends up in the output file, but outside the PNG image.

The term used for this is “blind spot”, loosely translated from the French “angles morts”, but I much prefer the more literal translation, “dead angles”. It’s a bit of a novel way to look at things, as those dead angles imply some sort of parsing flaw, as well as a way to sneak data through processing. And, in retrospect, the PolyTracker tool does indeed catch the Acropalypse flaw. So it could be interesting to go look for other processing dead angles in other programs.

NEXX

If you happen to be one of the backers of the NEXX alarm system, or a user of the NEXX smart garage controller, you may have a problem. It turns out, there’s a single universe password shared among all the devices — not to mention that all MQTT messages were being sent to every device and customer. So yes, every NEXX device can be controlled from anywhere in the world, by anyone. So, if you do happen to a NEXX device, it might be time to unplug it for a while.

Though, it looks like SimpalTEK NEXX has pulled the plug on the cloud server that runs the devices. The backstory here is that SimpalTEK is a very small company, and is showing signs of being dormant. [Sam Sabetan] discovered and attempted to report the problems back in January, and received nothing but silence in response. 90 days have passed, so here we are, talking about the issue publicly without any fixes. Additionally, CISA has issued an advisory, due to the severity of the problem, and the non-response from the manufacturer. And now that the story has gone public, the NEXX site has removed pages about the vulnerable devices, and hosted the above notice. Time will tell if a fix ever lands, or if NEXX is yet another startup that fizzled.

3CX Surprise

The 3CX supply chain attack has some surprising wrinkles, and one of the weirdest is the fact that one of the malicious sideload DLLs is legitimately signed by Microsoft.

Two malicious DLL files (ffmpeg.dll and d3dcompiler_47.dll) in the compromised desktop app.

One is ffmpeg.dll, which isn't signed

However, d3dcompiler_47.dll is signed by Microsoft when looking at in Windows, which is pretty concerning, even though its been modified. pic.twitter.com/toKKhyu18y

— Lawrence Abrams (@LawrenceAbrams) March 30, 2023

Turns out, this exploits CVE-2013-3900, a decade old Windows vulnerability in signature validation. Arbitrary data can be added to the Authenticode signature, without invalidating that signature. Microsoft issued a fix in late 2013, but made it optional, since several vendors actually use this as a feature, to embed information into a binary after signature time. It’s also worth noting that this data doesn’t modify execution unless the application is explicitly programmed to look to this section of the file for data. But in this case, it was a convenient place to stuff data for the attack, protected by the valid signature.

And finally, the April Android update has a trio of important fixes, two of which are arbitrary code execution by System upon opening a file. These two seem to have been found by researchers and fixed before being used maliciously. On the other hand, CVE-2022-38181 is a vulnerability in the Mali GPU kernel driver being actively exploited in real-world attacks. There haven’t been many details released about these bugs yet, but it looks like this month’s update is an important one.