> Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:
* Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
* In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
* The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
* Additional stages were not served if the previous stage failed.
Is this a normal level of sophistication for a CVE?
We see some of this with just normal spear phishing against companies. The "single click" thing is reasonably common, it makes things a bit harder to catch as often the clickthrough will change to whatever is being spoofed in the first place. A homophone ycornbinator.com would serve the malware first time, then next time it would send a permanent redirect. Unique IDs you'll see in things like spam SMS, both to work around automated blacklisting, but also to work out who clicked through and who might be a potential mark the next time even if they didn't completely fall for the scam.
Most of what we got was recycled RAT malware with various packers though, it didn't trend towards being particularly interesting because you usually don't need to be to catch people, at least that's my impression. Maybe it's bad toupee fallacy.
Hearing Americans regularly complain about SMS and robocall spam still blows my European mind. I haven't received a single spam call or SMS in my life, ever.
Back in the 90s and early 2000s the worst that could happen was, say, texting a commercial number to get a polyphone ringtone, and that actually being a subscription. But obviously that is something you have to initiate first, not something passive.
I live in Germany and I get a lot of spam calls and spam SMS. It's always in waves. Some days I stop answering calls if I don't recognise the number, because it's one of these days where Interpol has informed me already three times that my identity was stolen and I have to give them all my details to fix this... They're very patient at Interpol, I keep hanging up on them and they never give up.
When I have a spammer/scammer on the phone (and I actually picked up), I usually just put my phone on mute and stop talking to them. They waste a bit more time that way before they hang up (without more effort from me).
I, in Australia, had never received a spam call or SMS, until two years ago. I now receive several per day. All automatically blocked, but still.
My number was leaked in a particular data breach that actually had nothing to do with me, but a different family member who had all of their contacts vacuumed up before the breach. So from my perspective it was passive.
In India it's pretty common for businesses/orgs to sell number data in bulk, which is bought by advertisers.
You can be sure to be bombarded with calls and SMS if a student applies for a notify thing or gives their number somewhere outside exam halls or on student help websites.
Same for shops asking for mobile numbers.
Then there are marketers who randomly call each number and send SMS to see what sticks.
The situation is pretty bad, I would say, because for every careful person who sees through the ruse, there are hundreds who fall for million dollar prizes and KYC scams and all.
People call you and say "we are from bank. main branch. you need to verify your debit card or your account will close". No name of bank, no place of branch, just "from bank. main branch".
If you have your number up on the net somewhere, you will receive calls. For example that domain registration you did 30 years ago that required a phone number... I got myself a smartphone for the reason I could easily block out-of-country phone calls. I haven't had any recent spam calls though, it was many years since the last one.
Here in Singapore SMS and phone spam comes and goes.
At the moment it's pretty bad with lots of calls from overseas. (People with hilariously un-local accents trying to tell you they are calling from the Ministry of Health or Ministry of Manpower...)
Those overseas callers are faking caller id to look like local numbers.
I read about it on HN some months ago. I don’t recall if it was in comments or an article. But I read the info and sources and was convinced enough at the time. I’m sorry I didn’t save the original info. I’ll try some googling “geolocation from SMS” and see what I can find.
That’s not what I’m talking about. And since number portability and mobile devices became possible, area codes are mostly irrelevant. For example, I’ve lived 2000 miles from the area code of my phone number for probably 10 years now.
Greek here, mobile phones are non-geographic but used to be service provider specific, but even this practice isn't applicable due to number portability.
Landlines used to be geographic but this isn't relevant any more either, again due to number portability.
Thanks for the input. A nit, sorry, but maybe relevant to readers learning a little about anti-phishing: homophones sound the same ('-phone' refers to sound, like telephone) but differ in meaning, such as 'write' and 'right'. I don't know the term for ycombinator.com / ycornbinator.com, which is a real problem, of course.
That's fair I'm not really one for jargon and whatnot (I think it can actually become less useful if the goal is just to communicate something to a person), but the first line in wiki says:
> a homoglyph is one of two or more graphemes, characters, or glyphs with shapes that appear identical or very similar.
"Very similar" and "two or more" being the key words.
As for homograph I found homoglyph by reading the wiki and it saying homoglyph is more appropriate.
(Insert obligatory "wiki it's not always accurate etc etc"). Overall I'd take either one and personally don't care. Just trying to match what you're saying with what I'm reading and make sense of where the truth is.
> (Insert obligatory "wiki it's not always accurate etc etc"). Overall I'd take either one and personally don't care. Just trying to match what you're saying with what I'm reading and make sense of where the truth is.
Diving in (even if the parent doesn't care :) ):
The last sentence is the real challenge: Meanings depend 100% on writer and reader understandings. If two agree that 'homograph' means 'chicken poop', as long as they're the only ones communicating then 'chicken poop' it is; but if someone else reads it, our language subsystem fails.
Some dictionaries influence meaning by being prescriptive (e.g., American Heritage, IIRC); others report what has been understood by being descriptive (e.g., Oxford). The problem is, Wikipedia is neither: It represents the understandings of a few editors of unknown knowledge; it is neither descriptive nor prescriptive and we quickly get into chicken poop scenarios.
* Homograph, report Merriam-Webster and Oxford, means words with the same spelling but different meanings (or origin or pronunciation), e.g., the bow of a ship and a bow and arrow.
* Homoglyph doesn't appear in Oxford, Merriam-Webster, American Heritage, or any others (per Wordnik and OneLook), except Wiktionary. Wiktionary descriptively traces the word back to 1938 (though maybe with a different meaning in that case) and says it means a glyph with the same or similar appearance but different meaning. That still doesn't define a term for the entire string "ycornbinator.com", only the "rn", but close enough!
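Whatever the right word is, the practical problem in the ycornbinator.com example above is that "rn" renders like "m". The following is an added example, not code from any commenter or from Google's report: a small C++ "skeleton" check that collapses visually confusable ASCII sequences and flags a hostname that is not identical to a trusted one but collapses to the same skeleton. The confusables table is a hand-picked illustration, not an exhaustive list.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Visually confusable ASCII sequences mapped to one canonical "skeleton"
// character. Multi-character entries come first so that "rn" collapses to "m"
// before the individual "r" and "n" are considered. Illustrative table only.
static const std::vector<std::pair<std::string, std::string>> kConfusables = {
    {"rn", "m"}, {"vv", "w"}, {"cl", "d"},
    {"0", "o"}, {"1", "l"}, {"i", "l"}, {"|", "l"}, {"5", "s"}, {"3", "e"},
};

// Collapse a hostname to its skeleton: lowercase, with confusable sequences
// replaced by their canonical form.
std::string skeleton(const std::string& host) {
    std::string lower;
    for (char c : host)
        lower += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));

    std::string out;
    size_t i = 0;
    while (i < lower.size()) {
        bool matched = false;
        for (const auto& rule : kConfusables) {
            const std::string& from = rule.first;
            if (lower.compare(i, from.size(), from) == 0) {
                out += rule.second;
                i += from.size();
                matched = true;
                break;
            }
        }
        if (!matched) {
            out += lower[i];
            ++i;
        }
    }
    return out;
}

// A candidate hostname "looks like" a trusted one when it is not identical
// but both collapse to the same skeleton.
bool looks_like(const std::string& candidate, const std::string& trusted) {
    return candidate != trusted && skeleton(candidate) == skeleton(trusted);
}

// Returns the trusted hostname the candidate impersonates, or "" if none.
std::string find_impersonated(const std::string& candidate,
                              const std::vector<std::string>& trusted_hosts) {
    for (const auto& t : trusted_hosts)
        if (looks_like(candidate, t)) return t;
    return "";
}
```

Run against a list of domains you actually care about (your own, your bank's, your SSO provider's); a hit on a link in inbound mail is worth a block or a warning, while an exact match to the trusted name is deliberately not flagged.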
> Some dictionaries influence meaning by being prescriptive (e.g., American Heritage, IIRC); others report what has been understood by being descriptive (e.g., Oxford). The problem is, Wikipedia is neither: It represents the understandings of a few editors of unknown knowledge; it is neither descriptive nor prescriptive and we quickly get into chicken poop scenarios.
To be clear: reporting what has been understood still influences meaning. Choice of inclusion moderates spread; definitions are inherently lossy and cannot capture the whole range of nuance; the compiler's understanding can be inaccurate. Lexicography is not a neutral art, no matter your choice of biases. And OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does. With different goals, and to different standards, to be sure, but Gell-Mann amnesia goes hard until you get into the weeds.
> reporting what has been understood still influences meaning. Choice of inclusion moderates spread; definitions are inherently lossy and cannot capture the whole range of nuance; the compiler's understanding can be inaccurate.
I agree and actually had a sentence in the GP that said it, but removed it because it was getting too long. An important point. Also, the Oxford English Dictionary intends to be descriptive and says so, but many readers won't understand that and take it as prescriptive.
> OED no less "represents the understandings of a few editors of unknown knowledge" than Wikipedia does.
The knowledge of OED editors is not unknown but well known and exceptional - the world's leading lexicographers, with the best training and decades of experience. The resources are exceptional: top-notch professional lexicographers, domain experts, databases, teams of volunteers reading and contributing, etc. The definitions are not based on the contemporary understanding of a few people but on over a century of accumulated research, back to the beginning of English, and the understandings of those people, plus it depends on the input of domain experts, editors, etc.
I'm not knocking Wikipedia, which has its value, and the OED is, like every human institution, limited. But beyond that general statement, the quoted sentence doesn't describe the OED at all.
I think it’s currently unusual but makes sense as a pretty obvious SOP for an attacker with a specific target set who is sitting on top of a pretty valuable vulnerability (RCE on a fully up to date Chrome in this instance).
They are hard to come by and building tooling is a long and expensive process on top of everything else.
I would say this isn’t necessarily unusual for NK. As far as I know, they’re the only nation state actor known to hack for profit and they’ve committed several of the largest cyber bank robberies ever. Nation state actors have an _incredible_ amount of time, resources, and motivation.
Indeed. The amount of skill they've demonstrated as Lazarus (Lazarus Leaks (Vault 7), the Bangladesh Bank Heist, and Dark Seoul) is certainly notable and this seems to fit well within their MO.
Much of it seems like normal ad-tech practice to identify individuals and discourage click-farming. Unique keys sent in an email campaign? Oh my scaaary stuff.
For targeted ones I think it is. The details that emerged around SolarWinds were quite sophisticated in terms of execution, timing, hiding, and cleanup.
It is interesting that most of the CVEs are "use after free". Instead of being stuck in an endless cycle of detection and patching, maybe it's time we consider better ways...
Ah, yes, I’m sure the Chrome team is entirely unfamiliar with ways to improve memory safety. Snark aside, every browser vendor is working on this, it’s just that migrating is nontrivial.
What approaches are being considered here out of interest? I’m only familiar with Firefox’s use of Rust, but haven’t heard anything about other browsers trying to use that particular approach.
The biggest coming change is raw_ptr wrapper to replace raw pointers stored in structs and classes. Presently in Chromium it is no-op, but soon will be replaced by a non-trivial implementation that will instantly crash on use-after-free.
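To make the idea in the comment above concrete, here is an added toy model in C++ (illustration only, not Chromium's raw_ptr or BackupRefPtr code): each allocation carries a header that counts how many `raw_ptr<T>` instances point at it and whether it has been freed. Freeing a slot that still has references quarantines it instead of returning it to the allocator, so a `raw_ptr` can tell that it is dangling and refuse the dereference. The names `SlotHeader`, `brp_alloc`, `brp_free` and `Widget` are made up for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>

// Per-allocation header: reference count of raw_ptr<T> instances plus a freed
// flag. alignas(16) keeps the user object after the header suitably aligned.
struct alignas(16) SlotHeader {
    uint32_t refs;
    bool freed;
};

static SlotHeader* header_of(const void* p) {
    return const_cast<SlotHeader*>(static_cast<const SlotHeader*>(p) - 1);
}

void* brp_alloc(size_t n) {
    auto* h = static_cast<SlotHeader*>(std::malloc(sizeof(SlotHeader) + n));
    if (!h) std::abort();
    h->refs = 0;
    h->freed = false;
    return h + 1;
}

void brp_free(void* p) {
    SlotHeader* h = header_of(p);
    h->freed = true;                 // mark dangling; keep memory while referenced
    if (h->refs == 0) std::free(h);  // nobody points here any more: really release
}

template <typename T>
class raw_ptr {
public:
    raw_ptr() = default;
    raw_ptr(T* p) : p_(p) { acquire(); }
    raw_ptr(const raw_ptr& o) : p_(o.p_) { acquire(); }
    raw_ptr& operator=(const raw_ptr& o) {
        if (this != &o) { release(); p_ = o.p_; acquire(); }
        return *this;
    }
    ~raw_ptr() { release(); }

    // True when the object this pointer refers to has already been freed.
    bool is_dangling() const { return p_ != nullptr && header_of(p_)->freed; }

    // Dereferencing a dangling pointer is a use-after-free: stop immediately
    // rather than let the access proceed (and be exploited).
    T* operator->() const {
        if (is_dangling()) {
            std::fputs("use-after-free detected, aborting\n", stderr);
            std::abort();
        }
        return p_;
    }
    T& operator*() const { return *operator->(); }

private:
    void acquire() { if (p_) header_of(p_)->refs++; }
    void release() {
        if (!p_) return;
        SlotHeader* h = header_of(p_);
        if (--h->refs == 0 && h->freed) std::free(h);  // last ref to a quarantined slot
    }
    T* p_ = nullptr;
};

struct Widget { int value; };

// Lifecycle walk-through: a live object, then freed while a raw_ptr still
// holds it. Returns true if the wrapper flags the pointer as dangling.
bool demo_detects_dangling() {
    Widget* w = new (brp_alloc(sizeof(Widget))) Widget{42};
    raw_ptr<Widget> p(w);
    bool live_ok = (p->value == 42) && !p.is_dangling();
    w->~Widget();
    brp_free(w);                     // quarantined: p still references the slot
    bool flagged = p.is_dangling();  // p->value here would abort the process
    return live_ok && flagged;
}

int main() {
    std::printf("dangling detected: %s\n", demo_detects_dangling() ? "yes" : "no");
    return 0;
}
```

The point of the quarantine is that the freed memory cannot be reused for an attacker-controlled object while any wrapped pointer still refers to it, which is exactly what a use-after-free exploit needs; the explicit dangling check on dereference is the "crash instead of proceed" behaviour the comment describes, in simplified form.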
> These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.
Following those links yields these two documents, which both have "Attribution" sections. Presumably some of these tell-tale signs were identified in the ongoing exploitation.
I'm very curious how we can attribute a threat to a particular nation state, given pretty much anything in code/IP/modus operandi/etc. can be faked by one party to look like another. I went through both links and all I found was a lot of hand-wavings like
> One of the top identifiers of Lazarus is their dual attack mission – money theft and espionage. This modus operandi is unique to North Korea, as other state actors usually focus on espionage only. North Korean money theft operations are carried out in service of the government, as a way of funding the nuclear program
Like, seriously? "You not only do espionage but also steal money, therefore you're NK"?
It's hilarious that neckbeards think that NK hackers are top class. Yeah, maybe they can hack here and there, but anything complex is developed by TAO/the Equation Group/Israelis.
> I'm very curious how we can attribute a threat to a particular nation state, given pretty much anything in code/IP/modus operandi/etc. can be faked by one party to look like another. I went through both links and all I found was a lot of hand-wavings like
In the real world you can't possibly fake every single code comment left in Russian as long as these comments make sense and there's enough of them. It takes a lot of effort to actually truly fake something, at certain point it becomes the same as completely doing the job itself in order to properly fake it.
I'm actually surprised Google would say this is from the DPRK government without also saying it has been verified by US federal government authorities. Usually they leave it for others to deal with statements at that level.
I think you’ll find TAG regularly gives assessment on attribution at least at the country level. Iran, China, Russia, Belarus and North Korea at least have been named in the last few years.
How do you know what country is actually behind any of this? I’d imagine that would be very difficult given nation states can host content anywhere in the world and will want to make it look like it’s coming from elsewhere.
Staring hard at all the details and figuring it out?
The thing with trying to hide yourself is you have to do everything right to guarantee some false flag operation will work but if you make enough mistakes in this process there will be reasonably high-confidence links between some action and some person.
An example that I _have_ seen in some write up: some snippet of malware code showing up in a stack overflow question (with the shape and user variables being the same).
At one point it's like... probably that person. Of course maybe there are other indicators to the contrary but that's data for you. Gotta use your noggin a bit.
I don’t work in this field, but my impression has been that groups tend to share techniques and code patterns that can help tie them back to where they came from.
By connecting multiple details such as ip addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.
Here’s a question I expect you’ll never answer: is it within the capabilities of any groups within the West (state-sponsored or otherwise) to fabricate the information you’re using to make those assessments? And if so, how have you decisively eliminated this possibility?
I ask because it’s broadly accepted that there are extremely powerful and wealthy entities in the West who benefit from an aggressive US foreign policy and heightened geopolitical tensions.
There are several sections of the Vault 7 leaks that showed the CIA had tools that could be used to fake the attribution of attacks. Some argue there's other uses for those tools besides faking the source of an exploit, but knowing they have the capability makes it impossible to eliminate as a possibility.
Probably, but even more simply they have the capabilities to just direct intelligence agencies, politicians, and news corporations, and big internet and social media companies to put the blame wherever they like. There is no need for a perfect technological solution.
Hack something shoddy together, go to war/regime change/etc, and worst case if it does come to light that the "intel" was wrong, a well-placed "whoopsie-daisy" is enough to wash hands of all responsibility or scrutiny.
Rather than attacking him, you are free to discuss on how it would be hard to attribute or reach to a source.
Just because you might not know what techniques the researchers here used to reach to that conclusion, doesn't mean they would have used dubious methods.
The United States reserves the right to react to cyber attacks with force [0]. Instead of asking people to be nice on the internet you should hold those accountable that are in a position to manufacture a narrative. The linked report in the sibling comment here has no valid proof of North Korean involvement but the headline is chosen in a way to paint a picture of an impoverished nation as an aggressor. If you just accept that Google can make up facts to pave the way for physical warfare you are complicit in the eventual deaths of thousands of innocent people.
To be precise: after the CIA made up reports of WMDs in Iraq, people should ask for receipts earlier.
> Instead of asking people to be nice on the internet you should hold those accountable that are in a position to manufacture a narrative.
Nope, Hacker News is the place where you be nice to each other on the internet rather than assuming they’re trying to manufacture consent. This is quite literally spelled out in the site guidelines.
I'd note that things like shared encryption keys and shared TLS passive tables are very indicative of shared resources.
The use of North Korean IP addresses is indicative, but never enough on its own. However, the use of domains controlled by North Korean IP addresses is interesting as well.
Combine that with passwords largely shared with another North Korean attack, devices signed into from NK IP addresses under multiple accounts setup from N Korean IP addresses you start seeing a pattern of behaviour.
And then you find that the person who controlled accounts used by these attacks was a North Korean national (pg 134) who worked for a well known North Korean front company (paragraph 269, pg 136) and the evidence becomes pretty good.
APT38/Lazarus has been around for years and has been investigated by many professional groups across the world (Kaspersky, McAfee, Mandiant, etc), many not connected to the US government. Are you alleging that they're all wrong and this is all some vast conspiracy to frame an innocent North Korea and protect... who, exactly?
Think of all the big, serious and sensible news organisations that independently reported WMD in Iraq while not being connected to the US government. Are you alleging they're all wrong and this is some vast conspiracy to frame an innocent Iraq and protect.. who, exactly?
Evidence is evidence. After WMD (which totally took me in, btw, you too?), claims that evidence is "just over there" and "here are multiple different people reporting they've spoken to someone who saw it" count for zero. Maybe they always should have, but there's no doubt this stuff happens any more. We watched it, (hopefully) in horror, as it unfolded without us objecting.
I thought the WMD "evidence" was BS, and actually there was only one piece that was presented publicly (the UN presentation by Colin Powell), and that was based on CIA secret intelligence. And the UN Weapon Inspectors were saying the opposite.
OTOH, the evidence linking APT38 to North Korea is pretty compelling. For example, there is a bunch of evidence collected independently identifying individuals associated with APT38, and these people worked for the North Korean company Chosun Expo.
There's a huge difference between news organizations reporting on US govt claims, and investigators on the ground actually digging into the evidence on their own. Your assertion is basically the same as claiming that Iraq did have WMDs, but UNMOVIC etc were covering up and hiding the evidence.
For what it's worth, quite a few people were skeptical about the WMD "evidence" at the time, and even more cynics like myself figured that true or false, it was mostly an excuse for George W to Do Something(tm) after 9/11 and at the same time finish off the war his dad started.
And even when knowing how a country or particular state-backing is identified, there is nothing preventing other hackers from adding the same markers to their own software
Why does Google even need to mention North Korea in the title?
A vulnerability is a vulnerability. Why bring politics in, right in the title? It would feel much more OK if simply said in the text, that a NK hacker group is currently known for exploiting it.
Imagine it was a vulnerability being exploited by a TLA of the US of A. What would Google say? Or would they have received a gag order to not talk about it at all? But then what happens if some third-party researcher discovers the vulnerability independently and reports it? What would Google say?
Because they believe it is a state sponsored attack. It isn't politics, it is called attribution, which is a threat intelligence product. Identifying and tracking specific threat actors is essentially the entire point of the post, which is a threat intel post; it means little without the threat part (threat actors, not tools).
Because more people will click on it and read it. Call it "Countering CVE-0284-b" and 50 people will read it. Go with a political catalyst title and you get thousands of hits, even if they then close the tab immediately.
It means more random user-agent/referrer data for them and I'm guessing more domain authority or whatever that crap is.
It's marketing. The article concludes with how the Google Chrome safe browsing list was updated bla bla bla.
It's all just marketing. That's how Google operates. Everything is a shop window. Everything you say, do and make. Google is the market research company.
Except they've repeatedly created products that no one wanted and killed them.
But that's a form of market research when you have a lot of money.
I feel like Google collects so much information it probably doesn't get much sense out of it. Who knows
On the financial attacks URL list, what is teenbeanjs trying to emulate? It doesn't seem to fit with the rest that all sound vaguely technical or financial, except that it contains "js."
They're unlikely to tell you, at least not the level of satisfaction a nerd message board demands, for some of the same reasons we don't know about all the anti-abuse mechanisms on HN; because attribution and obfuscation (like abuse/anti-abuse on HN) is an arms race/cat-and-mouse game.
> Analysis of the files shows, that they cannot run on computers that have the Korean, Japanese, or Chinese language preferences
Interesting seeing Japanese here but might just be a language thing.
> LinkedIn profile Protection – we believe that LinkedIn has yet to develop sufficient security mechanisms and protect its users against impostor accounts. We find it alarming that a fictitious profile, copycat an existing account, can be open and use without alerting to source profile from which the information was stolen, as well as profiles contacted by the new imposter profile.
Sure, but that requires having a fully instrumented host get attacked. If all you have is a few reports of compromised machines, it's much harder to work backwards to the exploit. The attacker will switch things around before phishing again, etc...
Most of the attacks target Windows and Mac, so one is already protected by using Linux.
As regarding the effectiveness of firejail, it relies on Linux container protection, which is quite good given that many providers use that to run untrusted code.
However, the problem with firejail or similar tools is that they try to integrate with the GUI and that makes the attack surface vastly bigger. To protect against highly sophisticated attacks something like Qubes OS should be used, with explicit whitelisting of domains to connect to.
True but before the internet it was limited to the locality. The internet feels like a public park that gets trashed by folks all across the world and not just by the neighbors. (Just to be clear, I sympathize with your point as well)
> Countries have been doing terrible things to people since long before the internet
What do you conclude? We shouldn't care or do anything? The Internet, the medium, seems to greatly increase the volume of scams and from everyone, not just countries.
Who is even routing with North Korea? Seeing how the normal populace there literally doesn't have access to the internet, what on earth is there to be gained?
Yeah, well, it's to be expected. Since they can't compete against the West conventionally, they focus on asymmetric warfare, which means giving zero crap about anything we value here in the West.
They are truly in survival mode, and given Russia's recent performance in Ukraine, it's really eye-opening to see just how much of a paper tiger their military is, relying again on asymmetric weapons of indiscriminate destruction of all things human.
But why ask? Why not ask why we can't use forests or jquery to prevent these attacks? What is the logic here, how do you think it might work, even just vaguely if you don't have a worked-out solution?
Edit: from another comment in a sibling thread, you indicate thinking that WASM has a "security model / sandbox". That would have been (part of) the answer to the grandparent comment I suppose.
My logic here was that WASM was created/designed by companies that do maintain browsers (Mozilla, Microsoft, Google, Apple) and it is marketed as
"WebAssembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines. When embedded in the web, WebAssembly will enforce the same-origin and permissions security policies of the browser."
Basically I felt like it was designed with security in mind and I do wonder whether it'd prevent attacks like this
If it helps, think of the sandbox as being at the border between "outside" and "inside", and the choice between JS and WASM being on the "inside". Changing the language/runtime within the sandbox doesn't change much if your sandbox is compromised. On the contrary, that extra code to parse WASM etc is just additional risk.
I'm not sure WASM buys you anything you couldn't already get by just running your whole entire app in a VM. And if walling an app off in a VM makes it not useful (i.e. it's not useful if all it has access to is network & sandboxed storage) then using WASM in a browser would have similar issues. Or if a VM adds too much performance penalty then WASM probably does too.
Of course JS ain't gonna go anywhere now, but if popular JS frameworks started emitting WebAssembly behind the scenes, so devs could still write their JS (and C++/C#/etc) code but it'd use WASM under the hood, then that'd start the process of the deprecation of JS.
Which would mean that after all popular JS frameworks managed to migrate and popular sites adapted to this, then in an ideal world you'd be able to turn off JavaScript and still use those sites/apps via WASM. Not by default for everyone, but at least users that care would have an option to do so while still being able to use the web.
You gotta start somewhere.
Am I wrong somewhere? Or out of touch with reality?
If we're talking about 20 years from now, nobody cares about popular frameworks. Huge majority of websites use old code and they must not break. Backwards compatibility of web is a huge deal. So deprecation of JS just will not happen in that period of time.
What could happen is that browsers will support wasm natively and they'll translate JS into wasm. I'm not qualified enough to judge whether it would be possible to achieve current levels of JS performance with that approach, but theoretically it could be possible. In this case only wasm security will matter.
But I did not hear about any kinds of those plans, those are just my wild speculations. So deprecating of JS is not going to happen anytime soon. Wasm will accompany JS and that's about it for the foreseeable future.
WASM _IS_ JS. Some browsers do things to make it run faster. JS runs in its own security sandbox and is already supposed to be safe. Browsers get exploited in all kinds of ways, and IIRC, there have been WASM-specific exploits as well in the past.
Your question is nonsensical as is. I think you need to expand it to have people be less confused as to what you're asking.
Probably doing similar things to what's been done with Russia, more sanctions, more sanctions against supporting nations etc.
They're soon to test a nuclear weapon and already play fun games testing missiles and having them land just off the coast of Japan. Not going to be fun once those things are nuclear missiles and en route to Tokyo.
Their economy is already almost completely dependent on China. It's hard to sanction them more.
Sanctions against Russia aren't uniquely effective in a way that sanctions against NK aren't. It's just that the threat of having your economy look like North Korea's is pretty dire.
I don't think that you can reasonably treat Yeonmi Park as a reliable witness.
North Korea's train network is 4700km long, though it is not perfect... If you want to travel from Pyongyang to Chongjin for example, you're better off flying there
Google itself is gathering people's personal data and uses fingerprinting methods to track them. This is done on billions of people, and not even limited to their actual logged in users!
It would be nice if governments put an end to Google's invasion of people's privacy. It is much more important than some failed attacks.
> Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
> In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
> The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
> Additional stages were not served if the previous stage failed.
It was hard to collect the exploits. They only managed to collect the Chrome one.
Compare this to Pegasus, malware that attacks both iOS and Android. So far researchers have only been able to collect iOS versions.
I think it's a little funny that you're complaining that a Google security group (TAG in this case) is publicly reporting vulnerabilities in a Google product, but not others. With Project Zero (a different Google security group), people usually complain in the opposite way, and say that it's bad for Google to publicly report a lot of vulnerabilities in competitor products, because it makes competitors look bad and is just done for publicity reasons.
Disclosure, I work at Google, but not on anything related to this.
There's nothing to coordinate with on this cve. There's almost assuredly coordination happening between the various security orgs, but this cve is about a chrome bug, and the Google teams weren't able to isolate ff or safari zero days to report.
"We expect this group has zero days that they're exploiting in your software but we don't know what specifically they are" isn't a cve.