I notice that the getsymbol tool on Github has 214 stars, and no banner to indicate that the tool is malicious. There is a recently filed issue with a link to the Google blog post, but that's it.
If anyone from Github is reading this -- I strongly suggest adding a banner or modal dialogue to warn users about the backdoor in this tool, and any other software with a known backdoor (e.g. forks of the project)
This also serves as a reminder that code hosted on GitHub might be malicious and we shouldn't blindly trust it just because the author seems to have similar interests. I've done that multiple times :(
That's true, but in this case the code might be fine and the executables they provide on GitHub bogus. It's tricky to keep in mind that GitHub is not a trusted build source.
And the GitHub Actions… oh man… Insert some tool in your build that comes from another random repository, that uploads an artifact to S3 or similar… GitHub’s architecture entirely is the iMessage of source code.
The normal thing is to have integration test PRs and other CI actions (which may require access tokens to APIs, inherently or due to naive design) be defined by the incoming branch, creating a vector for an attacker to get access to privileged resources.
For certain parts of integration and testing jobs that are operating on untrusted code, it'd therefore be desired to not allow incoming PRs to change certain parts of the CI configuration (not only including .github/workflows, which can be protected using branch protection rules, but the testing framework).
It's possible to achieve this by splitting up your workflows and using workflow_run but it's non-obvious and finicky enough that I very rarely see it done.
GitHub could make this easier and propose better patterns than they do in their attempt to address the problem[0], which I think could use a 2023 follow-up.
I don’t know if I 100% follow or agree with the comparison of iMessage and GitHub actions. But iMessage has had a number of interesting security vulnerabilities over the years in image parsing and deserialization. One example:
So perhaps the similarity between iMessage and GitHub Actions is there are a lot of things that could go wrong. In iMessage it’s a pile of memory-unsafe code that was not originally designed to withstand attack. In GitHub Actions there is a lot of trust in third parties that could potentially be exploited.
Where do CVEs tend to show up app-wise in Android? Is it also messaging or some other system service? With iOS it's almost always either iMessage, WebKit, or iCloud Calendar.
A lot of useful features are missing from actions/checkout@v3, so people have to either program actions manually, or use ones made by other GitHub users. Actions are build steps, such as opening a firewall before building, preparing a directory, or caching Maven artifacts.
It would be very easy to add a backdoor to one of those build steps.
The comparison with iMessage is that it’s unsafe by design, at the architecture level, because you’re relying on live code made by anonymous people. One day, attack vectors will be found every second day.
It strikes me as the classic NPM disease. Do we really need a reusable action for disabling a firewall, uploading files, etc.? I mean if it comes from GitHub that's fine, but for anything else I would rather verify the solution and copy the code. It works like a low-tech lock file, except changes are always visible inline in Git history, so less chance of lazy programmers missing changes.
I almost laughed when GitHub suggested an Action to me for Makefile-based projects. The entire build process in my case consists of "make package"...
It's become normalized but it isn't fine. Whoever thought it was a good idea to download massive amounts of unaudited code at build time to then run it behind your defensive lines should have thought about that a bit longer. CI/CD is great. GitHub/GitLab are great. But combining the two has substantial risks. More so for languages that have broken package management and namespace issues.
You are of course right. I was thinking more in terms of "how do we save clueless developers (and their users) from themselves". They will probably find more ways to shoot themselves in the foot, but any percentage of prevented vulnerabilities is a positive result. Kind of like people trust Google/Apple with their phones.
I think it's safe to say that you can just about give up on that. The IT landscape is a horrific mess and it doesn't look like there is any change in direction on the horizon that will help to rectify that.
If you trust Google or Apple with your phone then I'm fine with that, it's your phone, your life. But I've found that trusting companies to have their incentives aligned with your own or with what's good for the world in general is a structural mistake that will find you disappointed each and every time given a long enough engagement. You can't trust that which you don't own and can't verify.
As a startup delivering executables to customers, I decently trust most programs running in the company: Gimp, Libreoffice, Docker, IntelliJ… There are only 4 major things that download unchecked stuff and run them:
- IntelliJ plugins,
- Maven,
- NPM,
- GitHub Actions.
Jetbrains says it carefully reviews the source code of all versions of all plugins, and Maven has a somewhat decent dependency tree that you can restrict to major actors (Spring-Apache-Google).
Maybe the key to trust would be to have larger pieces of code (such as Spring) with quite a lot of process to check-in code, rather than a thousand NPM packages. The parcellization of OSS didn’t do good for trust.
Yes. Remember that not only security researchers but also developers in general are extra juicy targets because of e.g. their AWS credentials that sometimes aren't kept as secure as they need to be. Heck, even if you're doing proper SSO with 2FA the tokens can be stolen and data proxied/exfiltrated.
At best they can be used for coin mining (running up a huge bill), at worst for stealing private customer data (and then selling/ransomwaring it).
We have pretty high bars for what we allow in terms of outside dependencies, but that doesn’t mean they do. It’s basically a crap shoot if you choose to do open source at all.
The source code itself looks relatively clean; there's autoupdate functionality but it looks like it's gated behind a confirmatory dialog box.
It's much more likely that the binary releases and/or autoupdate binaries are backdoored. If someone compiles their own version, and then clicks to accept the autoupdate, they could be infected. The binary is 15+MB in size, which is far more than enough to hide a small backdoor.
Found these two forks which are still accessible (and are supposedly up to date with the upstream repo (linked in the comment above) which is not accessible anymore):
Github just erasing a repo and forks from existence is scarier than any potential malware that could have been included there. Not the first time they have done this - usually based on copyright accusations, but the reason does not matter - if you must use ShitHub, at least mirror your projects elsewhere folks.
There were also some binary DLLs in the repo (in the x64 directory) which get loaded/executed on first launch and then deleted. I didn’t reverse-engineer to see if there was anything malicious inside of them, but it seemed pretty fishy to me.
Yeah that’s what I’m referring to. IIRC it requires clicking/confirming a dialog to actually run the “update”, although I didn’t look that carefully before it got taken down.
>I notice that the getsymbol tool on Github has 214 stars ...
Analysis of which accounts starred it prior to publicity is probably a worthwhile endeavor. If there's any commonality with other obscure projects, that may be an indicator those accounts could be puppets.
Unfortunately that opens up a whole new can of worms. There are already sites that guess how fake amazon reviews are, maybe we need something similar for github.
I hope an analysis like you proposed could yield some insights to patterns or maybe even enough data to do some machine learning on.
> Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response.
then doesn’t that mean it only runs that code if the user clicks “OK” on the update dialog?
(Edit: I think I understand now. It’s not the code, it’s the update URL that’s the problem, because it’s controlled by NK. So if you run this and blindly click “OK”, then it will download an executable that will infect your PC.)
(Edit 2: Or the issue is not in the source at all, but is in the prebuilt binary.)
The 0-day is in a popular software package. The GitHub repo apparently contains a backdoor ability to execute code from the attacker. If I had to guess, this would be the software update functionality here: https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...
"In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool that has the stated goal of 'download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.'
The attackers used a 0-day but getsymbol is not one.
"But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain."
Sounds like most software nowadays to be honest. The blog author does not really point out why this code would be more malicious than "normal" or how the code author is known to be Korean.
> If anyone from Github is reading this -- I strongly suggest adding a banner or modal dialogue to warn users about the backdoor in this tool, and any other software with a known backdoor (e.g. forks of the project)
I'd also strongly suggest they add a way to flag projects in a way that is appropriate.
I wonder how legit are some of the most popular download sites: e.g ffmpeg windows binaries [1] are hosted from some random person’s site. Sure you can check the checksum etc but that still doesn’t guarantee any relationship with a specific git commit.
I would just assume that non-gh or official hosted downloads (where reproducible/attested builds are available) are just state actors by default. Am I paranoid? How do Linux/Mac package managers solve this?
You don't trust Github to not host any malware, and you don't trust Github to not have malicious users.
You trust Github to have reasonably good security, and to not maliciously meddle with user content, so that if you see a repository under github.com/neovim, and you additionally trust the user called neovim, then you can reasonably trust that any repositories under github.com/neovim don't contain malware.
Even when you trust the repo owner, you can't trust their projects. A bad actor could still submit a PR with malicious code and it could be merged just by negligence.
Wait until you find out that useful programs like MPV are not developed by giant corporations but by individuals or small teams. Trust something hosted on mpv.io made by the MPV maintainer but freak out when that maintainer delegates release builds for some platforms to someone else he is comfortable linking to. MPV probably also uses many libraries developed by other individuals. A society built on trust is a GOOD thing.
Wouldn't help if the source code already has the backdoor in there though. Most people would just download and build a tool off GitHub if it has 200 stars and does what they need.
I did, and on the rare occasion that I need to use a downloaded binary today, still open it in a text editor and scroll through it for a cursory look. Packed -> reject. Bigger than expected -> reject. URLs or other strings, especially obfuscated, not related to expected functionality -> reject. Online AV multiscanners offer a reasonable alternative for those who aren't familiar with this sort of quick-glance RE, although they do have false positives too.
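The quick-glance checks the comment above describes (packed, bigger than expected, URLs or obfuscated strings unrelated to the expected functionality), written up as an added Python example that is not the commenter's code; the sample "binaries", the expected host list and the thresholds are all constructed for this demonstration.

```python
import math
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Heuristic thresholds: assumptions for this example, tune them per tool.
PACKED_ENTROPY_THRESHOLD = 7.2   # bits per byte; plain code plus strings sits well below this
OBFUSCATED_RUN_MIN = 40          # a base64-looking run this long deserves a second look

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % OBFUSCATED_RUN_MIN)


@dataclass
class TriageResult:
    verdict: str        # "accept" or "reject"
    entropy: float      # overall Shannon entropy of the file
    reasons: list       # human-readable reasons for rejection (empty on accept)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole file; 8.0 is uniform, typical of packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_urls(data: bytes) -> list:
    """Pull plain-text http(s) URLs out of the file, the way 'strings | grep http' would."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def triage_binary(data: bytes, expected_max_size: int, expected_hosts: set) -> TriageResult:
    """Apply the reject rules: too big, looks packed, talks to unexpected hosts, carries obfuscated blobs."""
    reasons = []
    if len(data) > expected_max_size:
        reasons.append(f"size {len(data)} B exceeds expected {expected_max_size} B")
    entropy = shannon_entropy(data)
    if entropy > PACKED_ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} suggests a packed or encrypted image")
    for url in extract_urls(data):
        host = urlparse(url).hostname or ""
        if host not in expected_hosts:
            reasons.append(f"URL to unexpected host: {url}")
    for run in B64_RUN_RE.findall(data):
        reasons.append(f"long base64-like string ({len(run)} chars), possible obfuscated payload")
    return TriageResult("reject" if reasons else "accept", entropy, reasons)


# Constructed stand-ins for real executables (not real binaries).
# A symbol-fetching tool is expected to talk to symbol servers only; the host is a placeholder.
EXPECTED_HOSTS = {"symbols.example.org"}
CLEAN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"getsymbol: fetching PDBs from https://symbols.example.org/download/symbols \n"
    + b"Usage: getsymbol <module> [--out DIR]\n"
) * 4
SUSPICIOUS_SAMPLE = (
    CLEAN_SAMPLE
    + b"https://updates.example.net/update.exe \n"   # a download URL that is not a symbol server
    + b"Zm9vYmFy" * 8                                 # constructed base64-looking run
    + bytes(range(256)) * 64                          # uniform bytes stand in for a packed section
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = triage_binary(blob, expected_max_size=4096, expected_hosts=EXPECTED_HOSTS)
        print(f"{name}: {result.verdict} (entropy {result.entropy:.2f})")
        for reason in result.reasons:
            print("  -", reason)
```

Whole-file entropy is a coarse signal; a real triage would compute it per section, but the reject rules are the same ones the comment lists.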
> Online AV multiscanners offer a reasonable alternative
You're right, (not just) online AV multiscanners are also FUD machines that will happily accept malicious programs but reject anything well crafted and optimized because it doesn't look exactly like the shit MSVC craps out with default settings.
>> By building their binaries from source and hosting them on their servers
> Wouldn't help if the source code already has the backdoor in there though
I'm not sure if you're aware but random tools don't just spawn in official package repositories overnight.
There's a vetting process, for both new packages and new maintainers. Also in established distros, packages don't get accepted to official repositories unless it's a critical and highly demanded one.
So yeah, any software can have vulnerabilities, regardless of OS.
But stray tools and dubious actors are pretty much a solved problem in Linux distros. The situation on Windows is laughable in comparison. No need to spread FUD.
This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is the review process done, what are the requirements for maintainers/packages/releases?
You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.
This is BTW the main reason I wouldn't use derivative distros for anything serious.
Debian's generally trusted in the community - their slow pace comes from risk-aversiveness.
> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?
Pretty much, packaging is not a brainless process. One of the efforts that specifically targets this is the Reproducible Builds project [0], along with many other security measures set by each distro.
There are also usually multiple testing and updates rolling stages.
The best evidence of how effective these measures are is their actual reputation and record on the ground.
If I don't see a github action I'll usually pass on downloading. But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?
> But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?
The concern is that FFmpeg does not provide Windows binaries for themselves, they link to someone else who does.
You could argue that those providers are fine since they're implicitly being endorsed by FFmpeg, but it's not super clear whether they're trustworthy people involved in FFmpeg or randos that opened a GitHub issue saying "Hey I'm providing Windows binaries for people if they want them!"
Not really shocking or new but kind of interesting. Why would they use 0days on security researchers. My guess is it's a test with upside. On the one hand if it works on a security researcher, you can go "live" because you got a good one and on the other hand you estimate that in the long run you'll get 1+x 0days out of the deal from said researcher.
As a security researcher it also presents an interesting situation. If you're careful enough and can pretend to be dumb enough, you might be able to harvest fresh attack vectors/0day etc. "for free" but the downside is if you overestimate yourself you'll get pwned.
Also being a security researcher doesn't necessarily mean you're any good at securing your own systems. If you can breakout of the quarantine area of the things the researchers know not to trust, you'll commonly find their own systems are insecure as hell.
But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain.
Also known as "automatic updates". Thank you, Big Tech, for indoctrinating the mainstream population into accepting this subservience (or forcing this non-choice on them) --- and now that that subservient and trusting attitude includes security researchers too, it's ironic to see it coming back to bite you.
Some of us knew all along what that attitude was going to lead to, and probably not all of us are security researchers either --- we've just seen all the other negative effects of letting you push stuff to our machines and run it, and put two and two together.
Complete conjecture, but new macOS security update just went up, which includes this tidbit:
> Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
What I wonder is this: these North Koreans clearly have unrestricted internet access (sort of have to to find 0-days) and they also clearly at least understand English.
How have they not accidentally stumbled across media that shows them all the things their state media doesn't?
"All of our secret agents are loyal patriots, while all of theirs are brainwashed hostages!"
The reality is that like every other country's intelligence services, they would obviously recruit for patriotism. This question is like asking why US intelligence agents who have access to information about the DPRK beyond the propaganda don't defect to the DPRK's superior healthcare coverage, zero school shootings, and better litter management. They don't value those aspects of DPRK society which seem better, and probably don't necessarily trust that they actually are better in X specific circumstance (pretty valid!). I don't see why it would be any different for DPRK intelligence.
It's not that it's a great place, it's that an individual who is deep into the indoctrination (from a lifetime of exposure) might not be as aware of the realities of their world vs the outside world, even with Internet access.
You think the North Korean intelligence community is not aware of the content of Western media?
They probably are aware. There are other means of keeping them in line, both carrot (privileges within DPRK) and stick (consequences for them and their loved ones if they step out of line.)
I think it's mostly the control from the first 2 points you mention. They are often working from China, where the authorities will not help them. "Well compensated" in North Korea terms means not starving and your family has not yet been sent to a forced labor camp. Escaping means your family suffers terribly.
They probably see the crazy shit the western propaganda machine pumps out about them and are reassured. That is not to say NK is absolved of wrongdoing, however.
Honestly true. They are probably patriotic, far from the larger problems, have cognitive dissonance (“I’m not living in a dystopian shithole because that would be hopeless”, etc.). All it takes is one glaring mischaracterization by Western media and their beliefs that they are misunderstood by the West are confirmed. They probably even know of many of the bad things that happen but are able to rationalize it.
Maybe we went a tad too far with Ukraine propaganda. Five Eyes, if you hear me, maybe turn that down a notch for a while, you’re getting as credible as Colin Powell’s words at the UN Security Council, and kids will remember.
North Americans and Western Europeans are incredibly naive about how authoritarian states work.
All authoritarian states will end up having a caste system hierarchy. The upper caste have it just as good as people in the West and in modern times they will have unfiltered access to the Internet. They have zero reason to revolt because they have everything they need.
Yep, even a lot of Western political demagoguery is telling people they have it good compared to some unfortunate others, so that the politicians can avoid having to actually make things better.
They do. But what would they do with that information?
People in the late USSR were in a similar situation. Even without necessarily knowing all the details, the average person, and certainly the intelligentsia and people working in the intelligence services, had a growing awareness of the absurdity of it all, how different the rest of the non-Communist world was, and so on. Something similar is true in China, today. A person in China who wishes to inform themselves about China's history or recent offences against human rights, can at this point, do so, and fairly easily.
But... then what? Can't talk about it. With whom would it be safe? Can't tell others what you've learned. Can't discuss your perspective.
In my view it was not the truth that destroyed e.g. the USSR. It was allowing people to organize independently of state control. That, plus truth, was fatal. Both the Chinese and North Korean ruling parties have learned that lesson. It doesn't actually matter if a significant proportion of the public knows the truth. They can know the truth, alone, in isolation, unable to act on it.
You have people living in the free world believing everything around them is a lie. Finding yourself an interpretational perspective as an observer that would spare you from reconsidering core values comes relatively easy.
The state tightly controls who gets internet access. The agents would be thoroughly vetted, and/or given a life they could not otherwise have and an implicit threat to their family's well being if they were to misbehave. They probably do have some idea of what life is like outside their country, but are either conditioned to look down on it or terrified of trying to escape.
I wonder what the chances are that a security researcher would execute a Windows binary they receive over chat from a rando. This isn't even security 101, just common sense at this point.
If anything, I'm sure it gave researchers a chance to play around with the binary in a secure environment. They wouldn't even need to reverse engineer it, since the source code was made public by the attackers. Good guy black hats!
Speaking of, can someone find the exploit in the linked repository? I'm curious what it does, but can't bother with going through all files. TFA could've linked to it, as well as mention how they determined this project is linked to NK hackers...
Young infosec practitioners are encouraged to get certifications, OSCP, eJPT, etc. A lot of these cert mills require that you pwn known boxes. This gives rise to discord servers where you can "help eachother". Some of this help is in the form of binaries or obfuscated source code.
They run it on their pentest job laptop, you know, the one with the SSH keys to their report writing box. They get pwnd, and now DPRK has access to a bunch of US civilian corporate data and weaknesses.
> how they determined this project is linked to NK hackers
If they have enough confidence to attribute and not disclose how/why, one can fairly guess they don't want to burn sources or indicators which might still be useful moving forward but likely won't be if disclosed...
Security 101 is that everyone will fuck up at some point. _Everyone_.
If the security researcher's environment isn't well designed (which absolutely happens, whether it's via budget or inattentiveness,) then the attacker can get to a delicious creamy filling very fast.
I’m not a security researcher but I would definitely do it if they seemed like a decent person who I had been talking to for a while and were running an open source project.
I worry about how nonchalantly researchers attribute these campaigns. They never tell you their methodology for their attribution, but it's always the attribution that non-technical people pay the most attention to.
Look at this article for example. The first two words are the attributed actor. Yet there is absolutely no way to prove it. Attribution on the Internet is really, really, really difficult. We don't know how difficult it is because we have no independent method to determine when we're right or wrong. And we would be foolish to think that attribution is never politically motivated.
Citizen Lab partners with various private data brokers to obtain commercial security intelligence; you'll see them referenced within their reports at times.
Based on this, I generally assume that their attribution is accurate. However, if you take a step back and view it objectively, it appears quite hypocritical, given the privacy-invasive origins of this intelligence.
I’m surprised that NK can have such weak computing education at the population level and still find enough high level hackers and cybersecurity people to do these things.
From what I've read from NK experts: they intentionally and intensively create hackers. If you are a child in NK who shows skills in mathematics then you will be monitored and if you are good enough you will be sent to a special mathematics school, where you learn pretty much nothing else. After that you are sent to the one technical university to study computer programming intensively for years. If you pass muster then you will be shipped to China, from where you'll use the better internet access to do anything from steal MMORPG gold, phishing attacks or find zero days. It sounds like a bleak life of 12 hours, constant pressure to deliver and living in cramped dorms. So, a bit like Silicon Valley ;)
Wealthy/connected North Koreans are educated at many top Western and Chinese schools. Heck, the dictator at the top went to middle/high school in Switzerland.
Got it. Missed that part. Thank you. Looks like a pure assumption. According to CyberProof [1] and CloudFlare [2], the majority of attacks originate from China and the United States. North Korea is not even making it to Top 10. That's why I asked.
> People shouldn’t underestimate their technical capacities or ability to recruit smart hard working people.
People hear about third-world living conditions and deprivation and say "aww, cute" as though it's sticks and rocks they're launching into the Sea of Japan. They have money... it's all poured into the military.
I don't understand why the media downplays them so heavily.
I know that the phrase has gained an orthogonal meaning since the cold war, but if we use the original one it's funny to call what's arguably the only remaining second-world country "third-world".
I mean if we're going by the original definitions, I think Laos, Vietnam, and Cuba are also still second-world though none of them are bizarrely neo-Stalinist the way North Korea is.
North Korea was generally more aligned with the USSR than the PRC. Kim Il Sung and Mao were on the way up at the same time, and were both students of Lenin and Stalin.
>I don't understand why the media downplays them so heavily.
Because in the same way as morale can be a force multiplier, an extreme lack of it can be a force divider. Combine that with their (very likely) inability to sustain even a regional war for more than a few weeks, their antiquated equipment, and their largely unsuccessful domestic military developments, and it's not hard to write them off as largely a non-threat, whether or not this is truly the case.
The major downside is that even if they only manage to sustain for a few weeks, that's plenty of time to level Seoul and inflict damage on cities further south should they decide to make a push against the ROK, and this is what shouldn't be downplayed.
I’d bet they’re prepared to do a ton of damage to South Korea via cyberarms more than traditional weaponry too. Eg cut power to the country for days on end. They’ve clearly got 0days and aren’t afraid to use them.
Since 2014, nations with a strong vested interest in Ukraine not falling threw a lot of resources at strengthening the country's infosec.
Also, during a kinetic conflict where you're invading, it's often more strategically valuable to lie dormant in their networks than it is to scorch them, a la America sitting inside of Iraq's phone networks and just listening.
There's a lot of work being done now to change it [1], but I've heard from multiple cybersecurity grunts in critical infrastructure that they just assume foreign APTs are in their networks. Strategically, why in the world wouldn't they be? There's basically no downside other than burning TTPs. We should damn well expect the NSA to have their fingers in every foreign pot they can reach.
[1] To be fair, there was a lot of work before too. But now people are more scared.
That's a strange assumption when many countries were able to independently verify nuclear tests between 2009 and 2017, the largest of which had a blast yield 4 to 12 times the nuke dropped on Nagasaki.
These tests happened. Most experts suspect that their success rates were far below claimed outcomes. But the important question is can you put the bomb on a weapon, launch it, and detonate it at the target. I think probably not very successfully. I also suspect they’re not stockpiling these things as claimed.
I also don’t think it matters because they would be pretty dumb to use them. I’m of the mindset that they will most likely simply collapse at some point and the nukes will become unmaintained and useless.
> I don't understand why the media downplays them so heavily.
There are a few reasons that interlock.
- The DPRK government is a mob family with sovereign status and nukes. Most folks in western countries don't have a strong sense of what that means - looking through the lens of mostly free nations, it is hard to imagine the realities on the ground, and they fill in the blanks with what they know about bureaucratic states.
- Lots of western folks, but USians in particular, are extremely ignorant and incurious about Asia and asian cultures. This amplifies the above problems and tends to lead to ridiculous ideas being believable.
- DPRK's propaganda encourages some of this. Their interests are served when people in the west are thinking about their nukes and ignoring the hacking that pays for them. A side order of "we're so mean and crazy we starve our people" helps stoke the mad-man authoritarian archetype.
Perhaps you meant the media for some specific country, but news media in Japan do seem to take North Korea quite seriously, and missile launches frequently end up being the first headline on NHK World news.
And much more of it after crypto gained popularity. Darknet Diaries went through investigating some of their hacks. Amounts from one can be more than entire GDP of a small country. Some crypto is washed through Macanese etc banks but most is just used to pay for weapons and stuff directly.
Not weird when you consider what is, and what is not a proportionate mitigation of a threat.
When someone gets mugged on your street, you can consider taking precautions. If your response is to roll out half a mile of barbed wire, electric fencing, and landmines all through the perimeter of your property, I would say that is absolutely 'upplaying' the actual level of threat.
Most Americans' understanding of the actual threat posed to the US by NK is ludicrously upplayed. NK is a credible offensive threat to SK, but that's a very limited problem for anyone living in Nashville, Tennessee.
I mean, the response here was a blog post, which doesn't feel particularly upplayed. I also virtually never hear about NK from anyone or fear of NK from anyone day to day, nor do I hear about it particularly often from policy makers. No one is campaigning on fear of NK that I have seen.
Perhaps TN is just a radically different world, I'd frankly believe it, but I haven't seen anything too significant at all. The last time people were really concerned about NK for like... 3 days, I think it was ~2012 or so.
> I mean, the response here was a blog post, which doesn't feel particularly upplayed.
I wasn't criticizing the blog post, I was responding to a comment in this thread that claimed that for some strange reason the danger of NK is systemically underplayed by the media.
I argue that no, the media more typically overplays it, much like it overplays the threat from other non-peer nations. I'm assuming you don't feel like the news is telling you that Iran is a threat either... Which would put you in an informed minority.
Of course. There are a lot more capable fish in the pond than the ones with the connections to a Western company, plus the capable fish in a Western pond but nobody talking to them because the onus is on the fish. You probably know people who are better programmers than people you work with who don't earn as much as people more socially savvy or placed, and who might want to also pay off a mortgage after 30 years.
Put a gun to someone's head, and they suddenly become less capable. A small amount of stress is good for productivity, but excessive stress destroys cognitive abilities.
Probably more carrot than stick. NK hackers who can bring in millions to the state from crypto hacking, ransom etc likely live more comfortably than manual laborers.
> technical capacities or ability to recruit smart hard working people
Of course, there are different senses of "recruitment". The best recruits don't know they even have been.
The take-away here is that it's 99% social engineering and 1% a script-kiddy payload drop. Their SE play is based on our innate ability to be recruited, because we want to be. Because we spend our school and college days being conditioned to want to be valued, to feel needed, to look for validation and reward, to make beneficial connections and sell ourselves. Self-commodification/reification is the beating heart of capitalism.
They're smart to use that against us, by reaching out to security researchers, who (from personal experience) often feel isolated and/or undervalued.
After all it's just "international collaboration", right?
Without due diligence in checking out new contacts (especially if they contact you to discuss things that they know interest you and then stroke the ego of your specialism) recruitment is easy.
In the end you can't easily know whether that charismatic voice on the phone is really from your government, from Google, from a fellow researcher who wants to "share and collaborate"... and you probably wouldn't know what would constitute a credible proof of identity.
Intelligence agencies could do well to spend a little money on benevolently watching out for commercial, civic, academic or hobbyist researchers who are valuable targets and sending a polite heads-up when the packets start arriving from N Korea.
I can't speak for the general public but my own impression of the country is that its nuclear weapons and isolation make it incredibly dangerous, and the problem is only getting worse as their arsenal increases.
Plus they have pulled off a number of hacks that became mainstream news so I would expect plenty of people to think that North Korea has competent software developers.
What really makes me nervous about the DPRK is just how successful they have been at getting the rest of the world to prop them up. Successful models get imitated.
Intuitively, we'd expect Kim to envy Putin, but at some point it occurred to me that the opposite notion seems to be better at explaining the behavior we've seen lately from Russia. If Putin's agenda were to turn Russia into a nuclear-armed failed state that the rest of the world has no choice but to prop up with aid in perpetuity, it's hard to see what he would be doing differently.
So what IS the threat from North Korea to Americans or anyone not sharing a border with them exactly? They won't launch nukes at anything outside their own borders unless Kim wants his country turned into a smoldering crater. The only real threat anyone should worry about is cyber attacks, which could be an issue if targeted at infrastructure, but not something i stay awake at night worrying about.
I find it interesting that 2 years ago people like you would be moaning about how COVID-19 is being used to "scare" people, and we should ignore US "propaganda" about death rates in the US and worldwide. But now apparently North Korea IS a threat and we should all be scared of Kim starting a nuclear war.
The last couple of years drove a lot of people to conspiracy theory channels, and its effects are starting to show.
Those things aren't mutually exclusive. North Korea is a malnourished country, evidenced by the pretty stark fact that South Koreans are now so much taller that South Korean women are approaching the height of North Korean men.
It's just that if you pump a quarter of your entire GDP into nukes and hackers you can still be decent at it even if your people are starving.
"Ending the war" requires handing South Korea over to DPRK based on their conditions and they still claim their government has rightful jurisdiction over it.
I mean the war is effectively over. It's been a cold war since the "cease fire" has been adhered to. It's not like they're going to stop trying if we agreed to take down the DMZ. Their entire culture is based around reunification and defeating the evil Americans.
You could equally say ending the war means handing NK over to SK because that's what South Korea's constitution says.
Less flippantly, "ending the war" means reaching a mutual agreement that preserves the two Koreas' current territories: nobody sane is using the term to mean anything else.
(BTW, South Korea did push for officially ending the war multiple times, IIRC. It's just that North Korea remains uninterested. Same for the US - probably because they don't see the deal happening realistically.)
Right, which is why I said it's effectively what we have now (a situation that preserves their current territories). AFAIK, the situation barely affects SK life. It's just that neither side believes the other side won't take advantage the minute they stop pointing weapons at each other's borders, and as far as I know, prior attempts to sit down and end the war officially required the other side to basically give a full surrender. There's also a Chinese interest in keeping DPRK (it was Chinese MiGs that American fighter pilots engaged in the actual war, and I assume China currently supplies DPRK with arms in a similar role to the US and SK) as a buffer zone, a source of cheap labor, and a source for human trafficking in some cases. So both countries have a larger country/acting ally disrupting the politics.
Video evidence snuck out of the country frequently shows obviously malnourished people; even military soldiers, who are supposed to get special privileges and access to food, look pale and show obvious signs of malnourishment. That said, they're a model for carbon footprint reduction.
A few years ago during the 2016 Democratic primaries, Bernie Sanders was roundly mocked by mainstream media for saying NK was a top threat due to their disengagement from the international processes.
You won’t really find anything interesting in this repo aside from the update functionality that was likely used for downloading the payload. The topic of interest is the payload that TAG obviously can’t disclose because vendors are fixing whatever bug was behind this 0day.
A lot of this is talking about attempts during 2022, which were known about a year ago in the security community when it first came out. It's just more of the same as best I can tell; just because they were caught doesn't mean they stopped trying.
As shown in the Snowden leaks, the United States was in development of exactly this capacity, and it's essentially impossible to attribute attacks to nations like this. Anyone who claims to be able to is either ignorant or lying.
This is clearly comment bait. If you've done any type of opsec before you know the legal hurdles.
This is coming from someone (me) who personally saw North Korean IP blocks visit malware research articles via combing the server IP logs and verifying the block.
Attributing cybercrime is never a slam dunk unless you have physical evidence: devices, people, etc. /var/log/*/access.conf is not that.
Virtually everything on the wire can be spoofed. Someone in Kansas could own an elaborate network that includes DPRK IPs. And that would be a desirable red herring for any independent criminal.
WikiLeaks taught us that the CIA has tools for spoofing their payloads as Russian, Chinese, Iranian, etc.
It very well could be a DPRK actor, but let's please not kill perfectly valid discussion around attribution.
> It very well could be a DPRK actor, but let's please not kill perfectly valid discussion around attribution.
I'm starting to believe that "killing perfectly valid discussion around attribution" is part of the game itself, after all we have at least two persons in this HN comments thread (the OP, and some other guy above who explicitly said that he worked for intelligence) who have worked directly for or adjacent to (I guess that's how the OP got to see those NK-related IP blocks) Western government agencies that handle this sort of stuff.
> somebody asking for valid attribution could be a way attackers try to: 1) Derail the conversation 2) Find out ways to further cloak their footprint
Really? What does it take to sprinkle North Korea over my code? Is having the North Korean equivalent of JIS in strings enough? I mean, how could there possibly be any footprint of anything? Does gcc leak info into the binary that my Debian system does not have in the first place? You need to get these guys when they are bragging to their friends. You can't look at the trails they leave behind...
A lot of cyber security smells like bullet forensics.
If it matters I didn't mean to direct my comment at you personally (obviously, as I don't know you), but instead it was meant to target the generic security person who says that he/she has gotten in the "vicinity" of such state-sponsored attacks.
Back to the subject at hand, and taking a more general view, trusting a big Pentagon-contractor [1] (and not only) such as Alphabet on the subject of other countries' cyber-attacks against the US (and its Western allies) is just futile.
Are you really that naive? Google doesn't even reveal how its search engine scores the web pages it indexes, and you want them to tell you the evidence of NK being behind this or how they figured that out? You are free not to trust them if you choose.
It's particularly ironic because in this case social media was used to gain access to the researcher's computer:
In one case, they carried on a months-long conversation [on X], attempting to collaborate with a security researcher on topics of mutual interest
HN is another perfect place for that to happen. How do we know that pphysch (or me jryle70) isn't a NK's agent trying to get more information about the technique employed in this case?
help me think like a blackhat. what is the end game for this? attempting to see what knowledge researchers have to be able to detect, circumvent, etc what the "bad guys" are up to? attempting to dox, smear the research(er)?
1. Spy on researchers, harvest 0-days before they're published, monetize them (selling 0-days, spreading ransomware, etc),
2. Sell info/research to publish academic research before the victim does,
3. geopolitical leverage,
4. blackmail researchers to get more of the above,
5. use 0-days found by others for global dragnet surveillance, which translates to money and political power,
6. plant (dormant) code in critical infrastructure internationally for geopolitical leverage / future war.
7. inject any code into any repo that the researchers have access to or that the researchers are known to make use of (tools),
8. economic espionage / access to high-tech international IP
Just kind of what the NSA does really with the exception of monetizing on ransomware?
Given the crazy shit the CIA has been documented to get up to, and the fact that the NSA has similar lack of oversight of agents in the field, why do you think that there isn't any monetizing on ransomware going on?
I'm thinking they are hoping to find exploits that the security researcher(s) are working on, and may not be known to others (use a 0-day to steal other 0-days).
I'd presume that a decent security researcher's laptop would have much more valuable things on it, compared to Bob the Waiter's laptop.
I don't know - I think primary research on these things might be easier than sifting through all the "exhaust" on someone else's laptop to figure out what they've discovered.
> North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.
In the past, actors would release something, watch it spread, and see what reports back. Sometimes detonation would be limited to certain IP ranges or institution types, but broad deployment would quickly put itself on the radar of security researchers and someone would sound the alarm.
I'm thinking this targeted approach works like doctor-shopping: you find the most paranoid people you can and see if you're able to exploit them. If you pull one over on them, then the unsuspecting won't stand a chance. If they do catch on, you run away, iterate on your approach, and try it against another researcher who doesn't know you're making the rounds doing this.
Super common spear phishing in modern times. Back a few decades-ish, Chinese plants would attend military conferences, or would monitor those from the US who went to said conferences, then would "follow up" with an email talking about how they met and talked about "some program or weapon that person was in the know of" on a superficial level and stroke their ego a bit... then phish them with malware based on that supposed meeting and ego stroking...
I’m pretty sure that ransomware and other tactics that largely end with a significant crypto transfer is their end game. Evidently, they are really good at it - $1.7 billion in 2022.
So anything to slow down the researchers are my guess. Keep the drain open, so to say. Just my two cents.
It states clearly in the article that the goal was to acquire debug symbols for MS, Citrix, and others with the goal of reverse engineering. If you have been following Citrix, their NetScaler product has been the subject of multiple high severity vulnerabilities, and they sit in mission critical networks. From here the most likely move is their most common one, ransomware, the proceeds from which they use to fund parts of their military.
That was the stated legitimate purpose of the GetSymbol software by its creators. As far as I understand, this data is freely available and the GetSymbol software makes it easier to download rather than having to go to multiple different websites.
The ultimate purpose of the malware embedded within the GetSymbol software is what is not known.
I don't know about that. I work in security, as a service to customers, but we have a running gag about "the real security people" who give you a phone call if you accidentally step off the path on your work machine.
I don't work in security anymore, but when I did, access tended to be... loose. Outside of security, there hasn't been a single job (of quite a few) where I didn't have root access.
At one of the hosting companies I worked at -- for example -- I was able to download the root password of every Linux host and the domain password for every Windows host as a proof of concept for a project. Nobody told me to stop, but as a courtesy I did end up telling the manager of the internal SOC that it was possible. He was pretty floored. Apparently they set up monitoring for single queries of passwords, but since my queries returned more than one result, it wasn't "caught".
Because we assume our fellow users here are not morons and aren't going to download a file from virustotal.com that says "2 security vendors flagged this file as malicious" and run it and get infected.
You'll note that the github.com link was also published upthread, and is even more malicious.
In linking to the binary, I can download it and run it through radare2/ghidra/idapro and do some static analysis on it for myself.
This is doubly concerning: Not only for researchers, but also for the public.
I always imagined the North Koreans to be at a technical level where they would be the ones consuming published exploits more so than imagining their own. This article means that they are advanced enough to focus on suppressing knowledge rather than consuming what is publicly available.
In the world of (cyber)espionage I can't ever tell what's true and what's exaggeration, but I'm under the impression North Korean hackers have been deemed a serious threat for many years now. In other words, this is not news...
Gave a lot of insight and background into North Korean hackers, how they operate, how they live and so on. I was familiar with their operations from before, like the SWIFT hack from being in the infosec field. But I still learned a lot.
DPRK’s top 1% live what amounts to an upper middle class life, and tend to educate their children abroad.
My understanding is that they even have access to an unfiltered Internet supplied by China. The threat of extermination of their families if they step out of line politically seems to keep those people in check.
I would think they are kept in check the same way the upper middle class is kept in check pretty much everywhere in the world. They live a very comfortable life style and have no interest in doing anything that would jeopardize that.
That's a latent function present to varying degrees in every society (who wants to rock the boat if you're having a good ride?), whereas the threat to one's family is more of a manifest function, sociologically speaking.