Maybe those backdoors weren’t such a great idea. Several US Telecom networks have been compromised by a foreign actor, likely China’s Salt Typhoon, and it looks like one of the vectors of compromise is the Communications Assistance for Law Enforcement Act (CALEA) systems that allow for automatic wiretapping at government request.

[Jeff Greene], a government official with the Cybersecurity and Infrastructure Security Agency (CISA), has advised that end user encryption is the way to maintain safe communications. This moment should forever be the touchstone we call upon when discussing ideas like mandated encryption backdoors, and even the entire idea of automated wiretapping systems like CALEA. He went on to make a rather startling statement:

I think it would be impossible for us to predict a time frame on when we’ll have full eviction

There are obviously lots of unanswered questions, but with statements like this from CISA, this seems to be an extremely serious compromise. CALEA has been extended to Internet data, and earlier reports suggest that attackers have access to Internet traffic as a result. This leaves the US telecom infrastructure in a precarious position where any given telephone call, text message, or data packet may be intercepted by an overseas attacker. And the FCC isn’t exactly inspiring us with confidence as to its “decisive steps” to fix things.

We are taking decisive steps to address vulnerabilities in telecommunications networks following the Salt Typhoon cyberattack. pic.twitter.com/FLGCe9pS1I

— The FCC (@FCC) December 5, 2024

In a sense, nothing has really changed: We’re each ultimately responsible for our own security, and if anything is truly sensitive, it needs auditable encryption that doesn’t have any backdoors. The Salt Typhoon national breach has just serves as a painful reminder of the fact.

AI Fuzzing

There’s yet another researcher thinking about LLM guided fuzzing. This time, it’s looking for HTTP/S endpoints on a public site. The idea here is that you can crawl a domain, and collect every link to build a URL map of the site — but that list is likely incomplete. There may be an administrative page, or undocumented API endpoints, or even unintended .git files. Finding those endpoints is a useful step to finding vulnerabilities. Brainstorm is a new tool Open Source tool to use AI to find those non-obvious URLs.

There are a couple of interesting metrics to measure how well endpoint discovery is done. The most straightforward is how many endpoints are found for a given site. The other is the ratio of requests to discovered. And while this is just a sample size of one on a test site, brainstorm found 10 hidden endpoints with only 328 requests. Impressive!

Fuzzing Android

And while we’re talking about fuzzing, let’s cover a part of Android that is sometimes forgotten about. Lots of apps are written for Java, but Android has a Native Development Kit, the NDK, that’s very useful for using existing C/C++ code in Android apps. And as the NDK is powerful, complicated, and not as widely used, it’s a prime target for finding issues.

This first article by Conviso doesn’t actually cover any vulnerabilities, though it’s fairly strongly hinted that there were bugs found. Instead, this is a great start on how to set up a fuzzing solution with the afl++ fuzzer, looking for issues in the NDK and native code. We’re looking forward to more posts in this series.

Breaking out of the VRChat Matrix

VRChat is an interesting experience. It’s nominally a game intended for VR interactions in virtual worlds. There’s a large element of the game that’s just wondering around the virtual worlds, many of them being homages to other games or movies. That fact was not lost on the creators behind VRChat, who created the Udon scripting engine to expose lots of functionality, including access to some APIs of Unity, the underlying game engine. And that’s interesting, because little quirks in Unity APIs may not be vulnerabilities in themselves, but exposing those APIs to potentially untrusted code might become a problem.

The problem here is the Unity functions for applying textures to objects. Texture sizes are 64-bit unsigned integers, but internally those values get mapped onto a 32-bit integer for an intermediary step. The value overflows, writing to the texture writes past the end of a buffer, and suddenly we have a read/write primitive. Then a slight detour through the Steam overlay library gets us arbitrary shellcode execution, and we’ve escaped the VR Matrix.

youtube.com/embed/zQepvGpZFJc?…

Nearest WiFi Neighbor

Modern WiFi security is split roughly between PSK and Enterprise, where PSK is a Pre-Shared Key, and Enterprise is a scheme using individual usernames and individual authentication. One form that authentication can take is a simple username/password pair. An advanced threat actor, believed to be APT28 out of Russia, developed and deployed an impressive attack campaign that took advantage of the username/password authentication of WiFi networks in a very unique and creative way.

This was the Nearest Neighbor attack, and to understand it we first have to talk about credential stuffing. It’s reasonably easy to generate a list of email addresses of users at a target business. That list can be combined with a list of potential passwords from breaches, and all the most promising combinations used to attempt to log in to public services. This is the basis of credential stuffing, and it’s been used in multiple breaches of the last few years. One of the sure-fire safeguards against stiffing is multi-factor authentication. Even if a password is correct, it still doesn’t get you into the service, because 2FA.

The kicker is that Enterprise WiFi doesn’t do 2FA. If a single user account is used for both accounts, then verifying the user account gets you a valid WiFi sign-on. Then part two of Nearest Neighbor is how hackers in Russia actually used those credentials against an unnamed US organization.

This is where the name comes from. The approach was to first hack the nearest neighbor, move laterally until you find an Ethernet connected machine that also has a WiFi card, and use the purloined credentials to hop the gap into the target’s network. Check the link for more details. The actual target has not been revealed, and it may be quite some time before we learn who exactly was breached by this new, creative technique.

$150,000+ Gone

Solana runs a blockchain platform, primarily doing web3 and smart contracts. To make those products work, Solana publishes solana-web3.js on npm. This week, that library was compromised, and a pair of malicious versions were uploaded. The exact timing was December 2, from 1520 and 2025 UTC.

The malicious package was a simple key stealer, obviously aimed at compromising wallets of any developers or other use cases where the code has access to those keys. The value of the stolen cryptocurrency currently sits between $150,000 and $200,000.

Bits and Bytes

Don’t trust the Webcam LED. Many webcams have a light to indicate when they are capturing images. This is your periodic reminder: that LED is just connected to a GPIO, and isn’t necessarily trustworthy. The Lights Out attack re-flashes the webcam’s firmware, giving arbitrary control over that LED.

Scareware has long been a problem, and it’s been around on mobile for quite a while now, but this was a new trick to me: a full screen image that mimics a broken screen. Now this one is really leaning into the scare element, and the prompt drawn over the “broken” screen quickly gives the trick away.

VPN appliances are built to keep unauthorized users out, but what happens when a user tries to connect to a malicious VPN? For many clients, the results aren’t pretty. And now, to better explore those potential issies, AmberWolf has released NachVPN. (Love the pun.) The tool is open source, and available on Github.

And finally, if you want to brush up on your OAuth2 understanding, there’s a new project that may be for you: OAuth Labs. This is a series of simulated challenges, where you can exploit vulnerable OAuth implementations. The challenges are self hosted as Docker runners. Let us know if you decide to take on the challenge!

hackaday.com/2024/12/06/this-w…