back to article I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg

A zero-day hunter has told The Register of the “holy f**k” moment when he realised he'd been targeted by a North Korean campaign aimed at stealing Western researchers' vulns. Alejandro Caceres said he "thought it was insane" that he had been targeted by state-backed malicious people operating as part of a campaign revealed …

  1. Alexander J. Martin

    Fixing your headline:

    'North Korean Willy tried to get inside my box'

    1. chivo243 Silver badge

      Re: Fixing your headline:

      Nice change!

      Is El Reg is fixing things, anybody else see a lot of white space in the comments since yesterday?

      1. bombastic bob Silver badge
        Devil

        Re: Fixing your headline:

        you might have scripting turned off. Those are ads I think. They'd be more effective if script were not involved and someone with NoScript running could actually see them. [I do not mind ads, I only mind ads with SCRIPT in them]

      2. diodesign (Written by Reg staff) Silver badge

        White space on pages

        If you see the whitespace on the site, it's probably because you're blocking an ad. If you're not running an ad blocker, then it's a bug and so drop a note to webmaster @ therg with the URL, screenshot, and description of the browser and system you're using.

        C.

        1. chivo243 Silver badge

          Re: White space on pages

          I didn't want to shout fire in the crowed theater until someone else smelled the smoke too...

          Thanks, for the heads up!

        2. Anonymous Coward
          Anonymous Coward

          Re: If you see the whitespace on the site, it's probably because you're blocking an ad.

          Hmm. The ad-blocked whitespace looks to me to be *inside* the user comment concerned. I do hope you are not inadvertently implying that that the commenter(s) so affected are endorsing whatever the ad might be showing. That would not really be cricket, now, would it?

          1. chivo243 Silver badge
            Facepalm

            Re: If you see the whitespace on the site, it's probably because you're blocking an ad.

            Just too odd that since yesterday, I see huge swaths of white space "in" the comments... I'm used to the extra clean look of the side columns.

            try turning off your your ad and script blockers! Shocked! you will be, shocked!!

            1. Robert Carnegie Silver badge

              Re: If you see the whitespace on the site, it's probably because you're blocking an ad.

              There's an ad in -your- box, or, there was when I replied to it.

              1. Anonymous Coward Silver badge

                Re: If you see the whitespace on the site, it's probably because you're blocking an ad.

                Ditto.

                This has prompted me to look into the empty spaces - it's a <div class="adun" ... which has min-height: 250px (at current window size)

                Which includes a noscript block. Which includes a linked image from/to doubleclick - which is blocked on so many levels here that I'd have to run it through a VPN to see.

                I shall continue scrolling a bit more. Or add a CSS override: .adun { min-height: 0px !important; display: none !important; }

            2. big_D Silver badge

              Re: If you see the whitespace on the site, it's probably because you're blocking an ad.

              I get it sometimes in Firefox mobile, although I saw it in Brave yesterday on the desktop.

        3. heyrick Silver badge

          Re: White space on pages

          "because you're blocking an ad

          After every nearly single comment? https://forums.theregister.com/forum/all/2021/01/26/apple_ios_zero_days/ has four comments. The first three have large gaps, seemingly within the comment.

          (not reported to @ therg because I am using an ad blocker)

        4. Cynic_999 Silver badge

          Re: White space on pages

          The whitespace is in the comment block. Surely El Reg is not putting adverts under people's comments?

          1. Robert Carnegie Silver badge

            Re: White space on pages

            No, between people's comments. After you finish typing, but I'm a bit worried using multiple sentences that I may suffer a commercial break inserted in the gap. I might have to stop using double spaces. Or single spaces.

          2. Robert Carnegie Silver badge

            Re: White space on pages

            Ah, but today I'm seeing comment, then thick-ish horizontal black line, then an advertisement, then another black line, and more comments. I think that's a new change.

            Comment to comment, no solid lines. Just the grey background and white background alternately.

            Without adverts, how much would we be paying for The Register?

    2. Anonymous Coward
      Anonymous Coward

      Re: Fixing your headline:

      Pfft.. computer security "expert" gets a trojan via Twitter(!) and Visual Studio(!) and doesn't notice for days.

      1. Michael Wojcik Silver badge

        Re: Fixing your headline:

        I admit I sneered about using Venomous Studio too. But if I'm honest, many people would look askance at my choice of tools.

        That said, I anecdotally see more bad behavior by developers who use fancy IDEs like VS - such as running them with elevated privileges - than I do with folks who prefer the good ol' command line.

        But then that said, anything that comes from someone I don't know personally gets a close look before I do anything with it. And if "security researcher" were my day job, I'd be doing everything in VM sandboxes. Even security issues aside, it would be a lot more convenient.

    3. nematoad Silver badge
      Happy

      Re: Fixing your headline:

      "James Willy"

      A right dick.

      1. Fruit and Nutcase Silver badge
        Coat

        Re: Fixing your headline:

        He really should have known better than to willy-nilly go about investigating malware outside of a secure sandbox, especially from a source named.... James Willy.

        As for "a right dick" - could that equally apply to the security researcher?

  2. Yet Another Anonymous coward Silver badge

    Incredible

    The poorest, most sanctioned, most backwards country on the planet is a cyber security threat.

    Surely we must respond to this by increased defense spending - order another aircraft carrier immediately

    1. ClockworkOwl
      Mushroom

      Re: Incredible

      Nuke them from orbit! etc...

    2. martinusher Silver badge

      Re: Incredible

      I think there's some kind of dice or spinner that they use that's marked "Russia, China, Iran, Cuba, North Korea" and so on that news services use to identify the 'nation state' responsible for the hack du jour.

      I'm not ruling out nation states, just that there are a lot more criminals out there than there are nation states. There's also good money to be made from vulnerabilities so I'd expect that less than ethical peopel would have moved in to what is a decent business opportunity.

      1. trindflo

        Re: Incredible

        Just a little more sophisticated than Eurasia, Eastasia?

        1. sev.monster Bronze badge

          Re: Incredible

          aluminium, aluminum...

    3. Fruit and Nutcase Silver badge

      Re: Incredible

      order another aircraft carrier immediately

      More willy waving

  3. Sgt_Oddball Silver badge

    Remember kids...

    No-one on the Internet knows you're a dog..

    That and as a bughunter he opened other people's code on his normal machine rather than a dedicated machine for explicitly looking for bugs? Or was it because it was a VS project that he just assumed it'd be fine to run?

    Maybe worth while seeing if VS has someway of preventing any code from running without permissions?

    1. Anonymous Coward
      Anonymous Coward

      Re: Remember kids...

      You running your script == permission!

      You running their script == permission!

      You want VS to protect you from your own clicks?

    2. NetBlackOps Bronze badge

      Re: Remember kids...

      You have to restrict the build process to not incorporate DLL's that are part of the build process. As if that's going to happen.

    3. JohnSheeran

      Re: Remember kids...

      Computers are so expensive these days! He can't be expected have a spare, especially when he's willing to pay someone 80K for blah, blah, blah.

      Of course he could just do his research in a machine in the cloud that he destroys and recreates hourly. Nah, that would never work.

  4. fidodogbreath Silver badge

    Trust but verify

    A vulnerability broker he had known for a while and trusted

    It's probably not a great idea to trust someone who is effectively a black-market international arms dealer. Like so many internet transactions, Mr. Corfield was not paying for this zero-day so he was probably the product.

    1. Anonymous Coward
      Anonymous Coward

      Re: Trust but verify

      > Mr. Corfield was not paying for this zero-day so he was probably the product.

      Not the product, just the author (of this article, not the exploit… I think. Then again what he gets up to after work is no business of mine).

      On a more serious note, I did not catch how the North Koreans got the blame for this one. The gentleman in the comments who suggested a dice roll seems like the most plausible theory so far.

    2. HildyJ Silver badge
      WTF?

      Re: Trust but verify

      Don't trust and verify

      There, I fixed your title for you.

      This seems like a well set up phishing attack with a VS vector for malware injection. But like all phishing attacks it requires the victim to click on it which everyone at all times should avoid.

      Plus, if you are investigating bugs (and especially potential zero days) you should be using a separate and heavily protected computer that would have noticed the vector.

      Ars has a good article on it.

      https://arstechnica.com/information-technology/2021/01/north-korea-hackers-use-social-media-to-target-security-researchers/

    3. TeeCee Gold badge

      Re: Trust but verify

      Hmm, vuln broker, ad broker, marriage broker, arms broker, financial broker....

      Can anyone think of a job title that has "broker" in it that doesn't require the person doing it to be an amoral, chiselling piece of shit?

      1. Tom 38 Silver badge

        Re: Trust but verify

        I quite liked my mortgage broker, he was very upfront with this costs, how much he would be getting in commission from the lender, and that I didn't have to use him even after he'd got the OIP. He was able to get a much better rate than me going direct to the same lender, easily saved me the upfront fee.

        1. sev.monster Bronze badge

          Re: Trust but verify

          And then, your woife, 'ey broke 'er too?

          1. AndrueC Silver badge
            Joke

            Re: Trust but verify

            ..no, just a bit bruised.

  5. Doctor Syntax Silver badge

    WTF

    "Opening some Visual Studio projects can cause code to execute"

    1. Craig 2

      Re: WTF

      This was my first thought too. Also: Security researcher gets pwned clicking link from untrusted source. Satisfying to know even the best can fall for the same ruse as Doris from HR.

    2. AndrueC Silver badge
      Flame

      Re: WTF

      Opening a Visual Studio project can have many adverse effects. I've found it usually leads to profanity and exasperation. I like to alternate between swearing at Microsoft and swearing at JetBrains that way I'm covering all my bases.

  6. bombastic bob Silver badge
    Unhappy

    Opening some Visual Studio projects can cause code to execute

    does anyone happen to know WHICH version of DevStudio caused this possibility?

    I've been using 2010 for a long time, mostly because I *STILL* target Windows 7 [and earlier] and I *REFUSE* to use an IDE with a 2D FLATSO interface. I do _NOT_ write "UWP" crap, either.

    But now it may seem that I have even MORE reasons to _NOT_ use a newer DevStudio, if project files that it opens can SPREAD MALWARE like opening a spreadsheet, or a Word document, or using Virus Outbreak (MS Outlook) for e-mail... [assuming more zero-days exist for it, as past performance would indicate]

    Micros~1 you need to get your act together on security.

    (captain obvious now goes back to working)

    1. Michael B.

      Re: Opening some Visual Studio projects can cause code to execute

      I'd be interested in how it was done as I knew about build events, but I had no idea about executing code on launching the .sln. It's actually something I'd like to do as I'd love my project to check that depedencies are all up and running.

    2. Filippo Silver badge

      Re: Opening some Visual Studio projects can cause code to execute

      Visual Studio's project file format includes events, and that includes an event on project open. It's used to do things like update dependencies or whatnot, stuff that you may want to be done before build so that e.g. IntelliSense can work properly. With web development being the unholy mess that it is, people do all kinds of things with it.

      I don't know when it was introduced, but it was probably there since they introduced XML project files. Which would be in, I dunno, 2005 or something like that?, definitely before 2010.

      Anyway, I get being angry that you can get pwned by a spreadsheet or a fancy text file - but a vsproj? I mean, anyone who opens such a file is by definition a techie. They (should) know it contains scripts.

  7. Tessier-Ashpool

    Nuget

    Christ only knows how many nuget packages are sprinkled with malware. Most of the Visual Studio projects I see tend to have dozens and dozens of nuget packages installed.

  8. Robert Carnegie Silver badge

    How confident are we that "The Register" comments can't be used to hack us on these subjects? People who think they know about risks... and really we don't know James Willy.

  9. gerdesj Silver badge
    Gimp

    Threesome

    "We hopped in a group chat, the three of us, and he sent me a Visual Studio project to take a look at a driver bug that caused a blue screen of death."

    Replace "chat" with tussle and "VS project" with err squidgy goings on and imagine a situation that ends in a "driver bug" (fnarr.) Anyone see what went wrong? Sophisticated state actor or a lot of Willy - you decide.

    "told me he got wind of the guy trying to backdoor someone else's machine with a Visual Studio phishing trick." Sure enough, Caceres found the smoking gun buried in the VS project sent to him by "James"

    ... YMCA ...

    1. sev.monster Bronze badge

      Re: Threesome

      I once had my driver bugged. Then we got into an accident.

  10. Chairman of the Bored Silver badge

    NK Missed a trick

    Personally I'd prefer my cover name to be Hugh G. Willy.

    But to each their own, I guess.

    1. Fruit and Nutcase Silver badge

      Re: NK Missed a trick

      James Willy...

      Dick

      Dick Turpin

      (Information Super) Highway Robber

      1. EnviableOne Silver badge

        Re: NK Missed a trick

        Richard Head works best

  11. trist

    I thought that it was more of a...

    More of a motherfucker than a holy fuck moment. But that's just me.

  12. Quotes

    Zero Day

    "Normally they're most interested in so-called zero-days: previously unknown vulnerabilities that have existed since "day zero" of a program’s lifespan, as Reg readers know."

    I prefer the Kaspersky definition of Zero Day - A zero day exploit is a cyber attack that occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator. https://www.kaspersky.co.uk/resource-center/definitions/zero-day-exploit

    1. Anonymous Coward Silver badge
      Thumb Up

      Re: Zero Day

      That's how I've always understood 0day too. Zero days between discovery (or announcement) and exploitation. Equally, zero days for the author to resolve the issue.

    2. Norman Nescio

      Re: Zero Day

      There's more than one ( standard ) definition:

      Wikipedia: Zero-day (computing)

      I'm sure someone will be along to revise it.

      https://xkcd.com/927/

  13. _LC_ Silver badge
    Stop

    I was wondering when North Korea was gonna show up again

    After Trump opened his mouth and said things he was not supposed to say, this spring had run a little dry with miracle water coming from Russia and maybe China mostly.

  14. Cynic_999 Silver badge

    State backed?

    Yes, I can see that the guy received malicious code in what was essentially a social-engineering attack. But what evidence is there that this had anything to do with a government? It seems that just about every virus and trojan, as well as selected social media posts these days are being attributed to some government or other. Have the 'normal' criminals disappeared? In addition, the people who discover the malware always seem to assume that the country of origin is exactly what it appears to be (either from the IP address, 'clues' in the code or just because the person sending the code says they are from that country).

    I'm pretty sure that anyone capable of putting malicious payload into a VS project, and talking sensibly about the technical details of vulnerabilities would be capable of communicating via a foreign relay or otherwise disguising where they are located. Or is it assumed that all these cunning state actors who have devised sophisticated ways to attack our Western democracies are stupid enough to do so from an IP address allocated to their own government, or that the person who wrote the malware helpfully embedded their name and address in the code?

  15. xyz Silver badge

    Shocked!

    North Korea bought a copy of visual studio! They have a computer!! The world's gone mad!!! :)

    BTW why is there are big white space at the top of the comments page? :))

  16. Claptrap314 Silver badge

    Remember when

    You couldn't get a virus from opening email? Or a text document? Or a software project in your IDE?

    Code being run when a document is opened is an Earth-shattering kaboom just waiting to happen.

    These wonderful "features" are nothing more and nothing less than back doors allowing anyone to do anything will surprisingly little effort.

    1. _LC_ Silver badge

      Re: Remember when

      An IDE running Makefilez. What could possibly go wrong...

    2. martinusher Silver badge

      Re: Remember when

      The script fragment appears to run a few checks on the system before looking for the presence of a particular 'engine' in the SSL of the machine its running on, returning the reference for use by another program. Either way, some kind of explanation of what's being exploited and how its being used is owed us before people go shouting from the rooftops about NK or whatever. Regardless of what the script is actually able to do and why it exists it shouldn't be executing anything outside the environment of the test machine or exporting any information from that machine. Bugs apart I can't see how this script can own anything (unless SSL is really buggy.....).

      Anyone got any ideas?

  17. TheGriz
    Mushroom

    He Got What He Deserved

    Sorry, but if you are professional bug hunter, then you KNOW you should not RUN code on your PC that comes from "a guy that knows a guy". Geeze really?

    Why didn't they pose as his own MOTHER needing help with her PC, he probably would have fallen for that to. LOL

    1. EnviableOne Silver badge

      Re: He Got What He Deserved

      I got a mate whos got millions stashed in an unknown african country willing to give him a cut if he helps him get it out

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021