Countering threats from North Korea(blog.google)
blog.google
Countering threats from North Korea
https://blog.google/threat-analysis-group/countering-threats-north-korea/
170 comments
We see some of this with just normal spear phishing against companies. The "single click" thing is reasonably common, it makes things a bit harder to catch as often the clickthrough will change to whatever is being spoofed in the first place. A homophone ycornbinator.com would serve the malware first time, then next time it would send a permanent redirect. Unique IDs you'll see in things like spam SMS, both to work around automated blacklisting, but also to work out who clicked through and who might be a potential mark the next time even if they didn't completely fall for the scam.
Most of what we got was recycled RAT malware with various packers though, it didn't trend towards being particularly interesting because you usually don't need to be to catch people, at least that's my impression. Maybe it's bad toupee fallacy.
Most of what we got was recycled RAT malware with various packers though, it didn't trend towards being particularly interesting because you usually don't need to be to catch people, at least that's my impression. Maybe it's bad toupee fallacy.
Thanks for the input. A nit, sorry, but maybe relevant to readers learning a little about anti-phishing: homophones sound the same ('-phone' refers to sound, like telephone) but differ in meaning, such as 'write' and 'right'. I don't know the term for ycombinator.com / ycornbinator.com, which is a real problem, of course.
It's a homoglyph
https://en.m.wikipedia.org/wiki/Homoglyph
Typically used via poorly named idn homograph attacks https://en.m.wikipedia.org/wiki/IDN_homograph_attack
Typically used via poorly named idn homograph attacks https://en.m.wikipedia.org/wiki/IDN_homograph_attack
Technically ycornbinator.com is just a lookalike.
Homographs look exactly the same.
(And of course "homograph" ["same writing" or "same picture"] is a better name than "homoglyph" ["same carving"].)
Homographs look exactly the same.
(And of course "homograph" ["same writing" or "same picture"] is a better name than "homoglyph" ["same carving"].)
That's fair I'm not really one for jargon and whatnot (I think it can actually become less useful if the goal is just to communicate something to a person), but the first line in wiki says:
> a homoglyph is one of two or more graphemes, characters, or glyphs with shapes that appear identical or very similar.
"Very similar" and "two or more" being the key words.
As for homograph I found homoglyph by reading the wiki and it saying homoglyph is more appropriate.
(Insert obligatory "wiki it's not always accurate etc etc"). Overall I'd take either one and personally don't care. Just trying to match what you're saying with what I'm reading and make sense of where the truth is.
> a homoglyph is one of two or more graphemes, characters, or glyphs with shapes that appear identical or very similar.
"Very similar" and "two or more" being the key words.
As for homograph I found homoglyph by reading the wiki and it saying homoglyph is more appropriate.
(Insert obligatory "wiki it's not always accurate etc etc"). Overall I'd take either one and personally don't care. Just trying to match what you're saying with what I'm reading and make sense of where the truth is.
> (Insert obligatory "wiki it's not always accurate etc etc"). Overall I'd take either one and personally don't care. Just trying to match what you're saying with what I'm reading and make sense of where the truth is.
Diving in (even if the parent doesn't care :) ):
The last sentence is the real challenge: Meanings depend 100% on writer and reader understandings. If two agree that 'homograph' means 'chicken poop', as long as they're the only ones communicating then 'chicken poop' it is; but if someone else reads it, our language subsystem fails.
Some dictionaries influence meaning by being prescriptive (e.g., American Heritage, IIRC); others report what has been understood by being descriptive (e.g., Oxford). The problem is, Wikipedia is neither: It represents the understandings of a few editors of unknown knowledge; it is neither descriptive nor prescriptive and we quickly get into chicken poop scenarios.
* Homograph, report Merriam-Webster and Oxford, means words with the same spelling but different meanings (or origin or pronunciation), e.g., the bow of a ship and a bow and arrow.
* Homoglyph doesn't appear in Oxford, Merriam-Webster, American Heritage, or any others (per Wordnik and OneLook), except Wiktionary. Wiktionary descriptively traces the word back to 1938 (though maybe with a different meaning in that case) and says it means a glyph with the same or similar appearance but different meaning. That still doesn't define a term for the entire string "ycornbinator.com", only the "rn", but close enough!
Diving in (even if the parent doesn't care :) ):
The last sentence is the real challenge: Meanings depend 100% on writer and reader understandings. If two agree that 'homograph' means 'chicken poop', as long as they're the only ones communicating then 'chicken poop' it is; but if someone else reads it, our language subsystem fails.
Some dictionaries influence meaning by being prescriptive (e.g., American Heritage, IIRC); others report what has been understood by being descriptive (e.g., Oxford). The problem is, Wikipedia is neither: It represents the understandings of a few editors of unknown knowledge; it is neither descriptive nor prescriptive and we quickly get into chicken poop scenarios.
* Homograph, report Merriam-Webster and Oxford, means words with the same spelling but different meanings (or origin or pronunciation), e.g., the bow of a ship and a bow and arrow.
* Homoglyph doesn't appear in Oxford, Merriam-Webster, American Heritage, or any others (per Wordnik and OneLook), except Wiktionary. Wiktionary descriptively traces the word back to 1938 (though maybe with a different meaning in that case) and says it means a glyph with the same or similar appearance but different meaning. That still doesn't define a term for the entire string "ycornbinator.com", only the "rn", but close enough!
There is also 'homeograph' - "A word similar — but not identical — in spelling to another." That seems a better fit for your needs.
> Some dictionaries influence meaning by being prescriptive (e.g., American Heritage, IIRC); others report what has been understood by being descriptive (e.g., Oxford). The problem is, Wikipedia is neither: It represents the understandings of a few editors of unknown knowledge; it is neither descriptive nor prescriptive and we quickly get into chicken poop scenarios.
To be clear: reporting what has been understood still influences meaning. Choice of inclusion moderates spread; definitions are inherently lossy and cannot capture the whole range of nuance; the compiler's understanding can be inaccurate. Lexicography is not a neutral art, no matter your choice of biases. And OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does. With different goals, and to different standards, to be sure, but Gell-Mann amnesia goes hard until you get into the weeds.
To be clear: reporting what has been understood still influences meaning. Choice of inclusion moderates spread; definitions are inherently lossy and cannot capture the whole range of nuance; the compiler's understanding can be inaccurate. Lexicography is not a neutral art, no matter your choice of biases. And OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does. With different goals, and to different standards, to be sure, but Gell-Mann amnesia goes hard until you get into the weeds.
> reporting what has been understood still influences meaning. Choice of inclusion moderates spread; definitions are inherently lossy and cannot capture the whole range of nuance; the compiler's understanding can be inaccurate.
I agree and actually had a sentence in the GP that said it, but removed it because it was getting too long. An important point. Also, the Oxford English Dictionary intends to be descriptive and says so, but many readers won't understand that and take it as prescriptive.
> OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does.
The knowledge of OED editors is not unknown but well known and exceptional - the world's leading lexicographers, with the best training and decades of experience. The resources are exceptional: top-notch professional lexicographers, domain experts, databases, teams of volunteers reading and contributing, etc. The definitions are not based on the contemporary understanding of a few people but on over a century of accumulated research, back to the beginning of English, and the understandings of those people, plus it depends on the input of domain experts, editors, etc.
I'm not knocking Wikipedia, which has its value, and the OED is, like every human institution, limited. But beyond that general statement, the quoted sentence doesn't describe the OED at all.
I agree and actually had a sentence in the GP that said it, but removed it because it was getting too long. An important point. Also, the Oxford English Dictionary intends to be descriptive and says so, but many readers won't understand that and take it as prescriptive.
> OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does.
The knowledge of OED editors is not unknown but well known and exceptional - the world's leading lexicographers, with the best training and decades of experience. The resources are exceptional: top-notch professional lexicographers, domain experts, databases, teams of volunteers reading and contributing, etc. The definitions are not based on the contemporary understanding of a few people but on over a century of accumulated research, back to the beginning of English, and the understandings of those people, plus it depends on the input of domain experts, editors, etc.
I'm not knocking Wikipedia, which has its value, and the OED is, like every human institution, limited. But beyond that general statement, the quoted sentence doesn't describe the OED at all.
Awesome response. Thanks for taking the time to write it.
I am receiving increased SMS spam past week. Is connected to this exploit? Msgs are all different domains with unique ID appended.
Hearing Americans regularly complain about SMS and robocall spam still blows my European mind. I haven't received a single spam call or SMS in my life, ever.
Back in the 90s and early 2000s the worst that could happen was, say, texting a commercial number to get a polyphone ringtone, and that actually being a subscription. But obviously that is something you have to initiate first, not something passive.
Back in the 90s and early 2000s the worst that could happen was, say, texting a commercial number to get a polyphone ringtone, and that actually being a subscription. But obviously that is something you have to initiate first, not something passive.
I live in Germany and I get a lot of spam calls and spam SMS. It's always in waves. Some days I stop answering calls if I don't recognise the number, because its one of these days where Interpol has informwd me already three times that my identity was stolen and I have to give them all my details to fix this ..... They're very patient at Interpol, I keep hanging up on them and they never give up.
When I have a spammer/scammer on the phone (and I actually picked up), I usually just put my phone on mute and stop talking to them. They waste a bit more time that way before they hang up (without more effort from me).
If you have your number up on the net somewhere, you will recieve calls. For example that domain registration you did 30 years ago that required a phone number... I got myself a smartphone for the reason I could easily block out of country phonecalls. I haven't had any recent spam calls though, was many years since the last one.
I, in Australia, had never received a spam call or SMS, until two years ago. I now receive several per day. All automatically blocked, but still.
My number was leaked in a particular data breach that actually had nothing to do with me, but a different family member who had all of their contacts vacuumed up before the breach. So from my perspective it was passive.
My number was leaked in a particular data breach that actually had nothing to do with me, but a different family member who had all of their contacts vacuumed up before the breach. So from my perspective it was passive.
in india its pretty common for businesses/ orgs to sell number data in bulk which is bought by advetisers.
you can be sure to be bombarded with calls and sms if a students applies for a notify thing or gives their number somewhere outside exam halls or on student help websites.
same for shops asking for mobile numbers.
then there are marketers who randomly call each number, send sms to see what sticks.
the situation is pretty bad i would say because for every careful person who sees through the ruse, there are hundreds who fall for million dollar prizes and kyc scams and all.
people call you and say "we are form bank. main branch. you need to verify your debit card or your account will close". no name of bank, no place of branch, just "from bank. main branch".
you can be sure to be bombarded with calls and sms if a students applies for a notify thing or gives their number somewhere outside exam halls or on student help websites.
same for shops asking for mobile numbers.
then there are marketers who randomly call each number, send sms to see what sticks.
the situation is pretty bad i would say because for every careful person who sees through the ruse, there are hundreds who fall for million dollar prizes and kyc scams and all.
people call you and say "we are form bank. main branch. you need to verify your debit card or your account will close". no name of bank, no place of branch, just "from bank. main branch".
Here in Singapore SMS and phone spam comes and goes.
At the moment it's pretty bad with lots of calls from overseas. (People with hilariously un-local accents trying to tell you they are calling from the Ministry of Health of Ministry of Manpower...)
Those overseas callers are faking caller id to look like local numbers.
At the moment it's pretty bad with lots of calls from overseas. (People with hilariously un-local accents trying to tell you they are calling from the Ministry of Health of Ministry of Manpower...)
Those overseas callers are faking caller id to look like local numbers.
Probably not. No signs that this is linked to any mass activity.
Tax time
Me too, receiving spam job offers with bit.ly links.
I too saw one of these. Very odd since I was expecting a note about a job.
Don’t reply to those SMS. Your geolocation can be derived from your reply, even a STOP or UNSUBSCRIBE reply.
Can you explain how this works if you don't click any links?
I read about it on HN some months ago. I don’t recall if it was in comments or an article. But I read the info and sources and was convinced enough at the time. I’m sorry I didn’t save the original info. I’ll try some googling “geolocation from SMS” and see what I can find.
Presumably if they have the number to text to, they already roughly know the geolocation for most people, through the area code.
Only in the US (or whole NANP?)
Mobile numbers are non-geographic everywhere else that I know of.
Mobile numbers are non-geographic everywhere else that I know of.
Well, depends. For example, Singapore's numbers are 'non-geographic' in that sense. But Singapore itself is small enough.
Greek here, mobile phones are non-geographic but used to be service provider specific, but even this practice isn't applicable due to number portability.
Landlines used to be geographic but this isn't relevant any more again new to number portability.
Landlines used to be geographic but this isn't relevant any more again new to number portability.
I mean non-geographic within the country. As far as I know, the US practice of assigning mobile numbers to 'area codes' is unique.
That’s not what I’m talking about. And since number portability and mobile devices became possible, area codes are mostly irrelevant. For example, I’ve lived 2000 miles from the area code of my phone number for probably 10 years now.
They're not mostly irrelevant. 72% of Americans live in or close to the city that they grew up in. Area code is remarkably accurate.
[deleted]
Here’s the best I could find:
https://stackoverflow.com/questions/18523417/can-i-retrieve-...
(Twilio is awesome by the way)
https://stackoverflow.com/questions/18523417/can-i-retrieve-...
(Twilio is awesome by the way)
That information is completely derived from the phone number.
Can you provide a pointer showing how this is supposed to work?
Yes, would like to learn more as well.
I read about it on HN some months ago. I don’t recall if it was in comments or an article. But I read the info and sources and was convinced enough at the time. I’m sorry I didn’t save the original info. I’ll try some googling “geolocation from SMS” and see what I can find.
Here’s the best I could find:
https://stackoverflow.com/questions/18523417/can-i-retrieve-...
(Twilio is awesome by the way)
https://stackoverflow.com/questions/18523417/can-i-retrieve-...
(Twilio is awesome by the way)
I think it’s currently unusual but makes sense as a pretty obvious SOP for an attacker with a specific target set who is sitting on top of a pretty valuable vulnerability (RCE on a fully up to date Chrome in this instance).
They are hard to come buy and building tooling is a long and expensive process on top of everything else.
They are hard to come buy and building tooling is a long and expensive process on top of everything else.
For CVEs? No. CVEs are awarded for things as (relatively) little as static keys being packaged with APKs.
What is unusual is that NK used a sophisticated attack chain to successfully pwn a hardened industry (notably, fintech).
At this point I think it’s safe to say that NK is a significant competitor to FVEY in terms of cyber warfare capabilities.
What is unusual is that NK used a sophisticated attack chain to successfully pwn a hardened industry (notably, fintech).
At this point I think it’s safe to say that NK is a significant competitor to FVEY in terms of cyber warfare capabilities.
I would say this isn’t necessarily unusual for NK. As far as I know, they’re the only nation state actor known to hack for profit and they’ve committed several of the largest cyber bank robberies ever. Nation state actors have an _incredible_ amount of time, resources, and motivation.
Indeed. The amount of skill they've demonstrated as Lazarus (Lazarus Leaks (Vault 7), the Bangladesh Bank Heist, and Dark Seoul) is certainly notable and this seems to fit well within their MO.
Much of it seems like normal ad-tech practice to identify individuals and discourage click-farming. Unique keys sent in an email campaign? Oh my scaaary stuff.
[deleted]
For targeted ones I think it is. The details that emerged around SolarWinds were quite sophisticated in terms of execution, timing, hiding, and cleanup.
it is interesting that most of the CVEs are "use after free". instead of being stuck in an endless cycle of detection and patching, maybe, it's time we consider better ways...
[deleted]
Ah, yes, I’m sure the Chrome team is entirely unfamiliar with ways to improve memory safety. Snark aside, every browser vendor is working on this, it’s just that migrating is nontrivial.
What approaches are being considered here out of interest? I’m only familiar with Firefox’s use of Rust, but haven’t heard anything about other browsers trying to use that particular approach.
The edge team have talked about it a bit in the following blog posts:
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...
https://microsoftedge.github.io/edgevr/posts/Introducing-Enh...
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...
https://microsoftedge.github.io/edgevr/posts/Introducing-Enh...
That's... wow. This is incredible.
What they've found is that JIT can be disabled in most sites with no user-visible impact.
This, combined with WebAssembly, is a game-changer in waiting for browser security.
What they've found is that JIT can be disabled in most sites with no user-visible impact.
This, combined with WebAssembly, is a game-changer in waiting for browser security.
The biggest coming change is raw_ptr wrapper to replace raw pointers stored in structs and classes. Presently in Chromium it is no-op, but soon will be replaced by a non-trivial implementation that will instantly crash on use-after-free.
The raw_ptr/BackupRefPtr/MiraclePtr [1] mitigation will change the security industry. It is quite a feat what Chromium is doing.
[1] https://chromium.googlesource.com/chromium/src/+/ddc017f9569...
[1] https://chromium.googlesource.com/chromium/src/+/ddc017f9569...
What evidence do they have that suggests these threats are coming from North Korea?
A statement from Google.
I'm actually surprised Google would say this is from the DPRK government without also saying it had has been verified by US federal government authorities. Usually they leave it for others to deal with statements at that level.
I think you’ll find TAG regularly gives assessment on attribution at least at the country level. Iran, China, Russia, Belarus and North Korea at least have been named in the last few years.
(Disclaimer: I am head of TAG)
(Disclaimer: I am head of TAG)
How do you know what country is actually behind any of this? I’d imagine that would be very difficult given nation states can host content anywhere in the world and will want to make it look like it’s coming from elsewhere.
Staring hard at a all the details and figuring it out?
The thing with trying to hide yourself is you have to do everything right to guarantee some false flag operation will work but if you make enough mistakes in this process there will be reasonably high-confidence links between some action and some person.
An example that I _have_ seen in some write up: some snippet of malware code showing up in a stack overflow question (with the shape and user variables being the same).
At one point it's like... probably that person. Of course maybe there are other indicators to the contrary but that's data for you. Gotta use your noggin a bit.
The thing with trying to hide yourself is you have to do everything right to guarantee some false flag operation will work but if you make enough mistakes in this process there will be reasonably high-confidence links between some action and some person.
An example that I _have_ seen in some write up: some snippet of malware code showing up in a stack overflow question (with the shape and user variables being the same).
At one point it's like... probably that person. Of course maybe there are other indicators to the contrary but that's data for you. Gotta use your noggin a bit.
I don’t work in this field, but my impression has been that groups tend to share techniques and code patterns that can help tie them back to where they came from.
But how do you know the origin?
By connecting multiple details such as ip addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.
Here’s a question I expect you’ll never answer: is it within the capabilities of any groups within the West (state-sponsored or otherwise) to fabricate the information you’re using to make those assessments? And if so, how have you decisively eliminated this possibility?
I ask because it’s broadly accepted that there are extremely powerful and wealthy entities in the West who benefit from an aggressive US foreign policy and heightened geopolitical tensions.
I ask because it’s broadly accepted that there are extremely powerful and wealthy entities in the West who benefit from an aggressive US foreign policy and heightened geopolitical tensions.
There are several sections of the Vault 7 leaks that showed the CIA had tools that could be used to fake the attribution of attacks. Some argue there's other uses for those tools besides faking the source of an exploit, but knowing they have the capability makes it impossible to eliminate as a possibility.
Probably, but even more simply they have the capabilities to just direct intelligence agencies, politicians, and news corporations, and big internet and social media companies to put the blame wherever they like. There is no need for a perfect technological solution.
Hack something shoddy together, go to war/regime change/etc, and worst case if it does come to light that the "intel" was wrong, a well-placed "whoopsie-daisy" is enough to wash hands of all responsibility or scrutiny.
Hack something shoddy together, go to war/regime change/etc, and worst case if it does come to light that the "intel" was wrong, a well-placed "whoopsie-daisy" is enough to wash hands of all responsibility or scrutiny.
Uh oh that’s starting to sound like Russian disinformation
Why do you have to prefix your question with, "Here’s a question I expect you’ll never answer"?
I don’t have to, it just makes me look good when he never answers.
[deleted]
> These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.
Following those links yield these two documents, which both have "Attribution" sections. Presumably some of these tell-tale signs were identified in the ongoing exploitation.
https://www.clearskysec.com/wp-content/uploads/2020/08/Dream...
https://securelist.com/operation-applejeus/87553/#attributio...
Following those links yield these two documents, which both have "Attribution" sections. Presumably some of these tell-tale signs were identified in the ongoing exploitation.
https://www.clearskysec.com/wp-content/uploads/2020/08/Dream...
https://securelist.com/operation-applejeus/87553/#attributio...
I'm very curious how we can attribute a threat to a particular nation state, given pretty much anything in code/IP/modus operandi/etc. can be faked by one party to look like another. I went through both links and all I found was a lot of hand-wavings like
> One of the top identifiers of Lazarus is their dual attack mission – money theft and espionage. This modus operandi is unique to North Korea, as other state actors usually focus on espionage only. North Korean money theft operations are carried out in service of the government, as a way of funding the nuclear program
Like, seriously? "You not only do espionage but also steal money, therefore you're NK"?
> One of the top identifiers of Lazarus is their dual attack mission – money theft and espionage. This modus operandi is unique to North Korea, as other state actors usually focus on espionage only. North Korean money theft operations are carried out in service of the government, as a way of funding the nuclear program
Like, seriously? "You not only do espionage but also steal money, therefore you're NK"?
I've posted this elsewhere, but https://www.justice.gov/opa/press-release/file/1092091/downl...
This is about WannaCry, but it shows how multi-source attribution is done.
This is about WannaCry, but it shows how multi-source attribution is done.
Thanks, this seems much more detailed. I'll give this a good read.
Its hilarious that neckbeards think that NK hackers are top class. Yeah maybe they can hack here and there but anything complex is developed by TAO/the Equation Group/ Israelis
Lol
Lol
> I'm very curious how we can attribute a threat to a particular nation state, given pretty much anything in code/IP/modus operandi/etc. can be faked by one party to look like another. I went through both links and all I found was a lot of hand-wavings like
In the real world you can't possibly fake every single code comment left in Russian as long as these comments make sense and there's enough of them. It takes a lot of effort to actually truly fake something, at certain point it becomes the same as completely doing the job itself in order to properly fake it.
In the real world you can't possibly fake every single code comment left in Russian as long as these comments make sense and there's enough of them. It takes a lot of effort to actually truly fake something, at certain point it becomes the same as completely doing the job itself in order to properly fake it.
Why does Google even need to mention North Korea in the title?
A vulnerability is a vulnerability. Why bring politics in, right in the title? It would feel much more OK if simply said in the text, that a NK hacker group is currently known for exploiting it.
Imagine it was a vulnerability being exploited by a TLA of the US of A. What would Google say? Or would they have received a gag order to not talk about it at all? But then what happens if some third-party researcher discovers the vulnerability independently and reports it? What would Google say?
A vulnerability is a vulnerability. Why bring politics in, right in the title? It would feel much more OK if simply said in the text, that a NK hacker group is currently known for exploiting it.
Imagine it was a vulnerability being exploited by a TLA of the US of A. What would Google say? Or would they have received a gag order to not talk about it at all? But then what happens if some third-party researcher discovers the vulnerability independently and reports it? What would Google say?
Because they believe it is a state sponsored attack. It isn't politics, it is called attribution which is a threat intelligence product. Identifying and tracking specific threat actors is esentially the entire point of the post which is a threat intel post, means little without the threat part (threat actors not tools).
Because more people will click on it and read it. Call it "Countering CVE-0284-b" and 50 people will read it. Go with a political catalyst title and you get thousands if hits, even if they then close the tab immediately.
It means more random user-agent/referrer data for them and I'm guessing more domain authority or whatever that crap is.
It's marketing. The article concludes with how the Google Chrome safe browsing list was updated bla bla bla.
It's all just marketing. That's how Google operates. Everything is a shop window. Everything you say, do and make. Google is the market research company.
Except they've repeatedly created products that no one wanted and killed them.
But that's a form of market research when you have a lot of money.
I feel like Google collects so much information it probably doesn't get much sense out of it. Who knows
It means more random user-agent/referrer data for them and I'm guessing more domain authority or whatever that crap is.
It's marketing. The article concludes with how the Google Chrome safe browsing list was updated bla bla bla.
It's all just marketing. That's how Google operates. Everything is a shop window. Everything you say, do and make. Google is the market research company.
Except they've repeatedly created products that no one wanted and killed them.
But that's a form of market research when you have a lot of money.
I feel like Google collects so much information it probably doesn't get much sense out of it. Who knows
Because of the close ties of US tech giants and the US "intelligence" community.
On the financial attacks URL list, what is teenbeanjs trying to emulate? It doesn't seem to fit with the rest that all sound vaguely technical or financial, except that it contains "js."
Been looking in that article to find how they concluded it's from North Korea, but I can't find it. Can anyone point it out for me?
They're unlikely to tell you, at least not the level of satisfaction a nerd message board demands, for some of the same reasons we don't know about all the anti-abuse mechanisms on HN; because attribution and obfuscation (like abuse/anti-abuse on HN) is an arms race/cat-and-mouse game.
crickets
> Analysis of the files shows, that they cannot run on computers that have the
Korean, Japanese, or Chinese language preferences
Interesting seeing Japanese here but might just be a language thing.
> LinkedIn profile Protection – we believe that LinkedIn has yet to develop sufficient security mechanisms and protect its users against impostor accounts. We find it alarming that a fictitious profile, copycat an existing account, can be open and use without alerting to source profile from which the information was stolen, as well as profiles contacted by the new imposter profile.
Sounds like some low hanging fruit
Interesting seeing Japanese here but might just be a language thing.
> LinkedIn profile Protection – we believe that LinkedIn has yet to develop sufficient security mechanisms and protect its users against impostor accounts. We find it alarming that a fictitious profile, copycat an existing account, can be open and use without alerting to source profile from which the information was stolen, as well as profiles contacted by the new imposter profile.
Sounds like some low hanging fruit
That's a report from 2020, how would it show this exploit found in 2022 was from North Korea?
Couldn't they just hardware mitm the CPU and Ram, not to be prisoner of AES. This way they can dump stages as well.
[deleted]
Sure, but that requires having a fully instrumented host get attacked. If all you have is a few reports of compromised machines, it's much harder to work backwards to the exploit. The attacker will switch things around before phishing again, etc...
Honeypots are harder than they look, basically.
Honeypots are harder than they look, basically.
Does firejail or any of those similar tools offer protection from this sort of thing?
Most of the attacks target Windows and Mac, so one is already protected by using Linux.
As regarding effectiveness of firejail, then it relies on Linux container protection which is quite good given that many providers use that to run untrusted code.
However, the problem with firejail or similar tools is that that try to integrate with GUI and that makes the attack surface vastly bigger. To protect against highly sophisticated attacks something like Qubes OS should be used with explicit whitelisting of domains to connect.
As regarding effectiveness of firejail, then it relies on Linux container protection which is quite good given that many providers use that to run untrusted code.
However, the problem with firejail or similar tools is that that try to integrate with GUI and that makes the attack surface vastly bigger. To protect against highly sophisticated attacks something like Qubes OS should be used with explicit whitelisting of domains to connect.
I am so fucking done with the internet turning into a trash pile of scams and exploits.
Countries have been doing terrible things to people since long before the internet
> Countries have been doing terrible things to people since long before the internet
What do you conclude? We shouldn't care or do anything? The Internet, the medium, seems to greatly increase the volume of scams and from everyone, not just countries.
What do you conclude? We shouldn't care or do anything? The Internet, the medium, seems to greatly increase the volume of scams and from everyone, not just countries.
True but before the internet it was limited to the locality. The internet feels like a public park that gets trashed by folks all across the world and not just by the neighbors. (Just to be clear, I sympathize with your point as well)
[deleted]
[deleted]
Who is even routing with North Korea? Seeing how the normal populace there literally doesn't have access to the internet, what on earth is there to be gained?
Hong Kong and Russia:
https://bgpview.io/asn/131279#peers-v4
http://cooks.org.kp/en/ is hosted on that network.
https://bgpview.io/asn/131279#peers-v4
http://cooks.org.kp/en/ is hosted on that network.
yeah well its to be expected. since they can't compete against the West conventionally, they focus on asymmetric warfare, which means giving zero crap about anything we value here in the West.
they are truly on survival mode, and given Russia's recent performance in Ukraine, its really eye opening to see just how much of a paper tiger their military is, relying again on asymmetric weapons of indiscriminate destruction of all things human.
they are truly on survival mode, and given Russia's recent performance in Ukraine, its really eye opening to see just how much of a paper tiger their military is, relying again on asymmetric weapons of indiscriminate destruction of all things human.
You know who.
Operation AppleJeus
Ok thats clever, and a nod to Zeus exploit kit, I love hacker group names lol
Ok thats clever, and a nod to Zeus exploit kit, I love hacker group names lol
Will WebAssembly save us from this kind of CVEs?
assuming it has capabilities to support "modern" web
assuming it has capabilities to support "modern" web
So far WebAssembly implementations look fairly secure, thanks to a small attack surface. AFAICT WebAssembly CVEs are mostly DoS.
And WebAssembly has been used by Mozilla for sandboxing: https://hacks.mozilla.org/2021/12/webassembly-and-back-again...
So it may help. But wasm is never going to be eg a substitute for JS, so it's not going to "save us" the way you imply.
And WebAssembly has been used by Mozilla for sandboxing: https://hacks.mozilla.org/2021/12/webassembly-and-back-again...
So it may help. But wasm is never going to be eg a substitute for JS, so it's not going to "save us" the way you imply.
How will WebAssembly save us?
I'm asking
But why ask? Why not ask why we can't use forests or jquery to prevent these attacks? What is the logic here, how do you think it might work, even just vaguely if you don't have a worked-out solution?
Edit: from another comment in a sibling thread, you indicate thinking that WASM has a "security model / sandbox". That would have been (part of) the answer to the grandparent comment I suppose.
Edit: from another comment in a sibling thread, you indicate thinking that WASM has a "security model / sandbox". That would have been (part of) the answer to the grandparent comment I suppose.
My logic was here that WASM was created/designed by companies that do maintain browsers - Mozilla Microsoft Google Apple and it is marketed as
"WebAssembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines. When embedded in the web, WebAssembly will enforce the same-origin and permissions security policies of the browser."
Basically I felt like it was designed with security in mind and I do wonder whether it'd prevent attacks like this
"WebAssembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines. When embedded in the web, WebAssembly will enforce the same-origin and permissions security policies of the browser."
Basically I felt like it was designed with security in mind and I do wonder whether it'd prevent attacks like this
If it helps, think of the sandbox as being at the border between "outside" and "inside", and the choice between JS and WASM being on the "inside". Changing the language/runtime within the sandbox doesn't change much if your sandbox is compromised. On the contrary, that extra code to parse WASM etc is just additional risk.
I'm not sure WASM buys you anything you couldn't already get by just running your whole entire app in a VM. And if walling an app off in a VM makes it not useful (i.e. it's not useful if all it has access to is network & sandboxed storage) then using WASM in a browser would have similar issues. Or if a VM adds too much performance penalty then WASM probably does too.
No, on the contrary, it makes the attack surface larger.
How?
Web assembly is extra code and complexity in a web browser compared to one without, so there are more potential vulnerabilities
I don't buy it because you can apply same reasoning to every new / changed line of code, yet it ain't always true
The question is,
is WASM's security model / sandbox "safer" / "easier to actually execute" than JS'?
The question is,
is WASM's security model / sandbox "safer" / "easier to actually execute" than JS'?
It does not matter because JS is not going anywhere. Whether it’s more secure or not, it’s still additional attack surface.
I believe it does
Of course JS ain't gonna go anywhere now, but if popular JS frameworks started emitting WebAssembly behind the scenes, so devs could still write their JS(and C++/C#/etc) code, but it'd use WASM under the hood then that'd start process of the deprecation of JS.
Which would mean that after all popular JS frameworks managed to migrate and popular sites adopted to this, then in ideal world you'd be able to turn off javascript and still use those sites/apps via WASM, not by default for everyone, but at least users that care would have an option to do so while still being able to use the web.
You gotta start somewhere
I'm wrong somewhere? or out of the touch with reality?
Of course JS ain't gonna go anywhere now, but if popular JS frameworks started emitting WebAssembly behind the scenes, so devs could still write their JS(and C++/C#/etc) code, but it'd use WASM under the hood then that'd start process of the deprecation of JS.
Which would mean that after all popular JS frameworks managed to migrate and popular sites adopted to this, then in ideal world you'd be able to turn off javascript and still use those sites/apps via WASM, not by default for everyone, but at least users that care would have an option to do so while still being able to use the web.
You gotta start somewhere
I'm wrong somewhere? or out of the touch with reality?
If we're talking about 20 years from now, nobody cares about popular frameworks. Huge majority of websites use old code and they must not break. Backwards compatibility of web is a huge deal. So deprecation of JS just will not happen in that period of time.
What could happen is that browsers will support wasm natively and they'll translate JS into wasm. I'm not qualified enough to judge whether it would be possible to achieve current levels of JS performance with that approach, but theoretically it could be possible. In this case only wasm security will matter.
But I did not hear about any kinds of those plans, those are just my wild speculations. So deprecating of JS is not going to happen anytime soon. Wasm will accompany JS and that's about it for the foreseeable future.
What could happen is that browsers will support wasm natively and they'll translate JS into wasm. I'm not qualified enough to judge whether it would be possible to achieve current levels of JS performance with that approach, but theoretically it could be possible. In this case only wasm security will matter.
But I did not hear about any kinds of those plans, those are just my wild speculations. So deprecating of JS is not going to happen anytime soon. Wasm will accompany JS and that's about it for the foreseeable future.
Perhaps, you can start by learning what WASM is:
https://developer.mozilla.org/en-US/docs/WebAssembly
As for vulnerabilities, here are nccgroup's slides about WASM explots:
https://i.blackhat.com/us-18/Thu-August-9/us-18-Lukasiewicz-...
Here's an example vulnerability in WASM parsing leading to RCE:
https://labs.f-secure.com/assets/BlogFiles/apple-safari-wasm...
https://developer.mozilla.org/en-US/docs/WebAssembly
As for vulnerabilities, here are nccgroup's slides about WASM explots:
https://i.blackhat.com/us-18/Thu-August-9/us-18-Lukasiewicz-...
Here's an example vulnerability in WASM parsing leading to RCE:
https://labs.f-secure.com/assets/BlogFiles/apple-safari-wasm...
WASM _IS_ JS. Some browsers do things to make it run faster. JS runs in its own security sandbox and is already suppose to be safe. Browsers get exploited in all kinds of ways, and IIRC, there have been WASM-specific exploits as well in the past.
Your question is non-sensical as is. I think you need to expand it to have people be less confused as to what you’re asking.
Your question is non-sensical as is. I think you need to expand it to have people be less confused as to what you’re asking.
Before you had JS. Now you have JS + Web Assembly.
The second one is bigger.
The second one is bigger.
North Korea is a problem that would be easier to care of now, rather than later it seems.
This was the government line in the 1950s. There's no draft now, so we'll need folks like you to enlist.
Conflict with NK almost certainly means conflict with China.
Take care of how?
Probably doing similar things to what's been done with Russia, more sanctions, more sanctions against supporting nations etc.
They're soon to test a nuclear weapon and already play fun games testing missiles and having them land just off the coast of Japan. Not going to be fun once those things are nuclear missiles and en route to Tokyo.
They're soon to test a nuclear weapon and already play fun games testing missiles and having them land just off the coast of Japan. Not going to be fun once those things are nuclear missiles and en route to Tokyo.
Their economy is already almost completely dependent on China. It's hard to sanction them more.
Sanctions against Russia aren't uniquely effective in a way that sanctions against NK aren't. It's just that the threat of having your economy look like North Korea's is pretty dire.
Sanctions against Russia aren't uniquely effective in a way that sanctions against NK aren't. It's just that the threat of having your economy look like North Korea's is pretty dire.
Don't we have these exact types of sanctions already in place i. NK for exactly the reasons you mention?
Sure, they're not working well enough by the look of it...
The people are severely repressed, it's hard to imagine how much North Koreans suffer, look up Yeonmi Park's story.
What we seem to do is ignore these maniacs, until it's too late or it's absolutely critical, then they hold us hostage, like Putin.
The people are severely repressed, it's hard to imagine how much North Koreans suffer, look up Yeonmi Park's story.
What we seem to do is ignore these maniacs, until it's too late or it's absolutely critical, then they hold us hostage, like Putin.
Yeonmi Park claimed that it takes months to go from one place to another, and that they'd have to push trains (!!)
https://youtu.be/KK6psAnynUA
(edit: another old article that points out inconsistencies in Yeonmi Park statements: https://thediplomat.com/2014/12/the-strange-tale-of-yeonmi-p... ... The JRE interview wasn't a fluke)
I don't think that you can reasonably treat Yeonmi Park as a reliable witness.
North Korea's train network is 4700km long, though it is not perfect... If you want to travel from Pyongyang to Chongjin for example, you're better off flying there
https://youtu.be/GpxOsJYobeA
https://youtu.be/KK6psAnynUA
(edit: another old article that points out inconsistencies in Yeonmi Park statements: https://thediplomat.com/2014/12/the-strange-tale-of-yeonmi-p... ... The JRE interview wasn't a fluke)
I don't think that you can reasonably treat Yeonmi Park as a reliable witness.
North Korea's train network is 4700km long, though it is not perfect... If you want to travel from Pyongyang to Chongjin for example, you're better off flying there
https://youtu.be/GpxOsJYobeA
How well are those aeroplanes maintained though? Not sure I'd risk it.
This argument makes no sense. You want to do more of something that isn't working, and your solution to suffering is to make the people poorer.
Gotta say, TAG/Project zero make their work look very cool!
Google itself is gathering people's personal data and uses fingerprinting methods to track them. This is done on billions of people, and not even limited to their actual logged in users!
It would be nice if governments put an end to Google's invasion of people's privacy. It is much more important than some failed attacks.
Snowden has shown us that governments encourage and benefit from this surveillance thus are unlikely to put an end to it
olivierduval(4)
Is this a normal level of sophistication for a CVE?