Brief #19: GPUzip Data Leak, Russia's $20M Zero-Day Bug Bounty

Mandos Brief, Week 39 2023: BlackTech's stealthy Cisco router attacks, Google's rapid patch for a critical libvpx zero-day, the alarming GPUzip data leak.


Chinese APT BlackTech Targets Cisco Routers with Stealth and Persistence

  • Stealthy Firmware Modification: The Chinese APT group known as BlackTech is actively modifying the firmware on Cisco routers. This tactic allows them to stay under the radar while maintaining a persistent presence in the networks of U.S. and Japanese companies.
  • Branch Router Exploitation: The group specifically targets branch routers located at remote offices. By doing so, they can abuse the trusted relationship these routers have within the larger corporate network, enabling them to move laterally and compromise additional systems.
  • Customized Backdoors: BlackTech employs a unique method of enabling or disabling backdoors in the router firmware. They use specially crafted TCP or UDP packets for this purpose, making it extremely difficult for security solutions to detect their activities.
  • Defense Recommendations: Cisco advises system administrators to monitor for unauthorized downloads of bootloader and firmware images, and for unusual device reboots, either of which could be part of loading modified firmware onto routers.
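One way to operationalize Cisco's monitoring advice, as an added example that is not part of the original brief and not Cisco tooling: a small Python detector run over constructed syslog lines modeled on Cisco IOS message formats. The approved-operator set, the maintenance window and the 30-minute correlation window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modeled on Cisco IOS syslog formats (not captured from a real device).
SAMPLE_LOGS = [
    "Sep 28 02:13:07 branch-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:boot system flash:IMAGE-PLACEHOLDER.bin",
    "Sep 28 02:14:51 branch-rtr-01 %SYS-5-RELOAD: Reload requested by svc_backup on vty0 (203.0.113.7).",
    "Sep 28 02:16:02 branch-rtr-01 %SYS-5-RESTART: System restarted --",
    "Sep 28 09:30:12 branch-rtr-02 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (192.0.2.10)",
    "Sep 28 22:05:40 branch-rtr-03 %SYS-5-RELOAD: Reload requested by netops on vty0 (192.0.2.10).",
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>%.*)$")
APPROVED_OPERATORS = {"netops"}        # assumption: accounts allowed to change boot images or reload
MAINTENANCE_HOURS = range(22, 24)      # assumption: approved change window is 22:00-23:59
CORRELATION_WINDOW = timedelta(minutes=30)  # assumption: image change followed by reload within 30 min

def parse(line, year=2023):
    """Split a syslog line into timestamp, host and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}

def detect(lines):
    """Return (host, reason, user) alerts for boot-image changes and suspicious reloads."""
    alerts = []
    last_image_change = {}  # host -> (timestamp, user) of the most recent 'boot system' change
    for ev in filter(None, map(parse, lines)):
        msg, host, ts = ev["msg"], ev["host"], ev["ts"]
        user_m = re.search(r"(?:User:|by )(\w+)", msg)
        user = user_m.group(1) if user_m else "unknown"
        if "CFGLOG_LOGGEDCMD" in msg and "boot system" in msg:
            last_image_change[host] = (ts, user)
            if user not in APPROVED_OPERATORS:
                alerts.append((host, "boot image changed by unapproved account", user))
        elif "%SYS-5-RELOAD" in msg or "%SYS-5-RESTART" in msg:
            if ts.hour not in MAINTENANCE_HOURS:
                alerts.append((host, "reload outside maintenance window", user))
            change = last_image_change.get(host)
            if change and ts - change[0] <= CORRELATION_WINDOW:
                alerts.append((host, "reload shortly after boot image change", change[1]))
                last_image_change.pop(host)  # fire the correlation once per image change
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Pointing the detector at real exports requires `archive log config` (command logging) on the devices so that `boot system` changes are actually emitted to syslog.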

Google Scrambles to Patch Critical libvpx Zero-Day Exploited by Spyware Vendors

  • Heap Buffer Overflow in libvpx: The core issue is a heap buffer overflow in libvpx, identified as CVE-2023-5217. This library is crucial for VP8 video encoding in Chrome. The flaw could allow attackers to execute arbitrary code, posing a serious risk.
  • Rapid Response by Google's TAG: Google's Threat Analysis Group (TAG) discovered the flaw and released a patch within just two days. This quick action highlights the severity of the vulnerability.
  • Beyond Chrome: The libvpx library is not exclusive to Chrome; it's also used in other browsers like Firefox and Microsoft Edge. This extends the risk to a broader range of software, including secure messaging apps like Signal.
  • Commercial Spyware Exploitation: This zero-day was not just a theoretical risk; it was actively exploited by a commercial spyware vendor. This adds another layer of urgency, as it indicates targeted attacks on high-risk individuals.

GPUzip Attack Exposes Critical Data Across All Major GPU Vendors

  • Data Compression Exploit: Researchers have discovered a new side-channel attack called GPUzip. It exploits data compression in modern GPUs to leak sensitive visual data like usernames and passwords.
  • Vendor Apathy: Despite being informed as early as March 2023, major GPU vendors like AMD, Intel, and Nvidia have not released patches. This raises concerns about vendor responsibility in cybersecurity.
  • Browser-Specific Risk: The attack is most effective on Chrome and Edge browsers. Firefox and Safari are less susceptible, indicating that browser-level mitigation is possible.
  • Time-Consuming but Critical: Although the attack takes time (30 to 215 minutes to extract data), its potential for data leakage makes it a critical issue that developers and vendors should urgently address.

Russian Firm Offers Record $20M for Mobile Zero-Day Exploits

  • High Stakes for Mobile Exploits: Operation Zero, based in Russia, is offering $20 million for zero-day exploits targeting iPhones and Android devices. This is a significant increase from their previous offer of $200,000, signaling the high demand and scarcity of such exploits.
  • Exclusive Clientele: The company explicitly states that their clients are Russian private and government organizations only. They do not sell to NATO countries, adding a geopolitical layer to the zero-day market.
  • Market Dynamics: The CEO of Operation Zero, Sergey Zelenyuk, suggests that the high price is a reflection of the current market conditions and the difficulty in hacking iOS and Android systems. He hints that these prices may be temporary but are unlikely to drop soon.
  • Global Competition: Other companies like Zerodium and Crowdfense also offer high bounties for similar exploits, but Operation Zero's offer stands out for its exclusivity and high price. This creates a competitive and largely unregulated market for zero-days, influenced by politics and national interests.

Bing Chat Now a Hotbed for Malware Distribution

  • Malvertising Tactics: Microsoft's Bing Chat, powered by OpenAI's GPT-4, has been infiltrated by malicious ads. These ads redirect users to malware-distributing sites, exploiting the chatbot's interactive nature to gain user trust.
  • Targeted Software: The malware ads often impersonate legitimate software like Advanced IP Scanner. Hovering over the link in Bing Chat displays the malicious ad before the genuine download link, tricking users into clicking.
  • Technical Details: The malware often involves a Visual Basic script that communicates with an external server. The exact payload is unknown, but similar campaigns have deployed information-stealing malware or remote access trojans.
  • User Trust Exploited: The conversational nature of Bing Chat instills a false sense of security, making users more likely to click on malicious links. The problem is amplified because the ads are labeled as "promoted," which is insufficient to alert users to the risks.