Leading out the news this week is a report of “BlackTech”, an Advanced Persistent Threat (APT) group that appears to be based out of China, that has been installing malicious firmware on routers around the world. This firmware has been found primarily on Cisco devices, and Cisco has released a statement clarifying their complete innocence and lack of liability in the matter.

It seems that this attack only works on older Cisco routers, and the pattern is to log in with stolen or guessed credentials, revert the firmware to a yet older version, and then replace it with a malicious boot image. But the real fun here is the “magic packets”, a TCP or UDP packet filled with random data that triggers an action, like enabling that SSH backdoor service. That idea sounds remarkable similar to Fwknop, a project I worked on many years ago. It would be sort of surreal to find some of my code show up in an APT.

Don’t Look Now, But Is Your GPU Leaking Pixels

There’s a bit debate on who’s fault this one is, as well as how practical of an attack it is, but the idea is certainly interesting. Compression has some interesting system side effects, and it’s possible for a program with access to some system analytics to work out the state of that compression. The first quirk being leveraged here is that GPU accelerated applications like a web browser use compression to stream the screen view from the CPU to the GPU. But normally, that’s way too many pixels and colors to try to sort out just by watching the CPU and ram power usage.

And that brings us to the second quirk, that in Chrome, one web page can load a second in an iframe, and then render CSS filters on top of the iframe. This filter ability is then used to convert the page to black and white tiles, and then transform the white tiles into a hard-to-compress pattern, while leaving the black ones alone. With that in place, it’s possible for the outer web page to slowly recreate the graphical view of the iframe, leaking information that is displayed on the page.

And this explains why this isn’t the most practical of attacks, as it not only requires opening a malicious page to host the attack, it also makes some very obvious graphical changes to the screen. Not to mention taking at least 30 minutes of data leaking to recreate a username displayed on the Wikipedia page. What it lacks in practicality, this approach makes up for in cleverness and creativity, though. The attack goes by the GPU.zip moniker, and the full PDF is available.

libwebp is Everywhere

We warned you last week that the WebP vulnerability was going to have a long tail. Google has caught up to that reality, it seems, issuing CVE-2023-5129 as a CVSS 10.0 vulnerability in libwebp, which is hiding in nearly everything. Interestingly, that CVE has been pulled, and it’s all being tracked in CVE-2023-4863. Stay tuned!

Enter Sandman

There’s something brewing in the Middle East and Europe: a group being tracked as Sandman that really likes compromising telecommunication companies. The malware framework being used is known as LuaDream, and is running in LuaJIT of all things.

The tradecraft of this malware group is also notable. The targets seem to be carefully selected, the post-compromise actions are minimal, and the goal seems to be getting a foothold on the right systems. And while the malware has been discovered, it’s still pretty much unknown who exactly is behind the campaign. Definitely spooky.

Beware the Fake CVE

This isn’t the first time that malware has been disguised as legitimate malware research. This one seems even less targeted, being a fake Proof of Concept (PoC) just uploaded to a Github repository. It claims to be a WinRAR PoC, but it’s just a relatively boring malware dropper script. The idea is that a researcher, cybercriminal, or anyone else would grab the script hoping to re-use the vulnerability, and run it without properly vetting the code.

The timestamps on the files seems to indicate that the malware and infrastructure was set up in advance, and the author just waited for a sufficiently tempting PoC to come along. When the WinRAR problem caught some attention, the malware was prepped to look appropriate, and the released to the world. Clever.

RCEs and CIs

Researchers at Sonar have found a vulnerability in JetBrains’ TeamCity Continuous Integration (CI) Server. For those that haven’t had the pleasure/pain of working with CI, that’s a system where every change made to a software project results in a new compilation of the project, ideally with tests automatically getting run, and merging blocked if the tests fail too spectacularly. The scary thing is that some of those CI services are publicly available. Having vulnerabilities in those is definitely not good.

The vulnerability in TeamCity is the on-premises version only, but it boils down to a wildcard matching too much of a URL. Any API request ending with /RPC2 is effectively unauthenticated. Ouch.

And then there’s Jira Confluence and Bitbucket. Confluence, the Java-based corporate wiki has a high severity Denial of Service. Bitbucket has an unauthenticated RCE, also considered high severity. Both flaws were privately disclosed, and seemingly haven’t been exploited anywhere yet. Updates are available for all the above problems.

Chrome, JIT, and RCE.

If you’ve ever wondered how Javascript Type confusion leads to an RCE vulnerability, this Github blog post has you covered. In this case, it’s all about how JS code gets turned into a dependency graph for optimization. This compilation process can actually change JS objects in very subtle ways. Because Javascript execution and compilation is done multi-threaded in modern interpreters, this results in a potential case where the compilation change hapens without properly updating the mapping of the target object. That de-sync means out-of-bounds access, and just enough of a lever to get to arbitrary code execution. The details are too involved to fully delve here, so follow the link if you’re inclined.

Bits and Bytes

Drupal Core has a cache poisoning issue, where the JSON:API module can be manipulated into spitting out an error backtrace. The problem is that those backtraces aren’t properly sanitized, can be cached, and in some cases unauthenticated users can access those caches. Updates are available, and mitigation is as easy as uninstalling the JSON:API.

Yet another 0-day chain has been yanked by CitizenLab. This exploit chain is part of Cytrox Predator spyware, and it was discovered on the device of a Egyption presidential hopeful, [Ahmed Eltantawy]. It seems like the initial infection was via network injection, performed by the official ISP. Visit just one HTTP web page, and the mobile device is redirected to the exploit. This particular set of vulnerabilities have been squashed.