Fixing your headline:
'North Korean Willy tried to get inside my box'
A zero-day hunter has told The Register of the “holy f**k” moment when he realised he'd been targeted by a North Korean campaign aimed at stealing Western researchers' vulns. Alejandro Caceres said he "thought it was insane" that he had been targeted by state-backed malicious people operating as part of a campaign revealed …
Hmm. The ad-blocked whitespace looks to me to be *inside* the user comment concerned. I do hope you are not inadvertently implying that the commenter(s) so affected are endorsing whatever the ad might be showing. That would not really be cricket, now, would it?
Just too odd that since yesterday, I see huge swaths of white space "in" the comments... I'm used to the extra clean look of the side columns.
Try turning off your ad and script blockers! Shocked! You will be, shocked!!
Ditto.
This has prompted me to look into the empty spaces - it's a <div class="adun" ... which has min-height: 250px (at current window size)
Which includes a noscript block. Which includes a linked image from/to doubleclick - which is blocked on so many levels here that I'd have to run it through a VPN to see.
I shall continue scrolling a bit more. Or add a CSS override: .adun { min-height: 0px !important; display: none !important; }
"because you're blocking an ad
After nearly every single comment? https://forums.theregister.com/forum/all/2021/01/26/apple_ios_zero_days/ has four comments. The first three have large gaps, seemingly within the comment.
(not reported to @ therg because I am using an ad blocker)
Ah, but today I'm seeing comment, then thick-ish horizontal black line, then an advertisement, then another black line, and more comments. I think that's a new change.
Comment to comment, no solid lines. Just the grey background and white background alternately.
Without adverts, how much would we be paying for The Register?
I admit I sneered about using Venomous Studio too. But if I'm honest, many people would look askance at my choice of tools.
That said, I anecdotally see more bad behavior by developers who use fancy IDEs like VS - such as running them with elevated privileges - than I do with folks who prefer the good ol' command line.
But then that said, anything that comes from someone I don't know personally gets a close look before I do anything with it. And if "security researcher" were my day job, I'd be doing everything in VM sandboxes. Even security issues aside, it would be a lot more convenient.
I think there's some kind of dice or spinner that they use that's marked "Russia, China, Iran, Cuba, North Korea" and so on that news services use to identify the 'nation state' responsible for the hack du jour.
I'm not ruling out nation states, just that there are a lot more criminals out there than there are nation states. There's also good money to be made from vulnerabilities, so I'd expect that less than ethical people would have moved in to what is a decent business opportunity.
No-one on the Internet knows you're a dog..
That and as a bughunter he opened other people's code on his normal machine rather than a dedicated machine for explicitly looking for bugs? Or was it because it was a VS project that he just assumed it'd be fine to run?
Maybe worthwhile seeing if VS has some way of preventing any code from running without permissions?
Computers are so expensive these days! He can't be expected to have a spare, especially when he's willing to pay someone 80K for blah, blah, blah.
Of course he could just do his research in a machine in the cloud that he destroys and recreates hourly. Nah, that would never work.
A vulnerability broker he had known for a while and trusted
It's probably not a great idea to trust someone who is effectively a black-market international arms dealer. Like so many internet transactions, Mr. Corfield was not paying for this zero-day so he was probably the product.
> Mr. Corfield was not paying for this zero-day so he was probably the product.
Not the product, just the author (of this article, not the exploit… I think. Then again what he gets up to after work is no business of mine).
On a more serious note, I did not catch how the North Koreans got the blame for this one. The gentleman in the comments who suggested a dice roll seems like the most plausible theory so far.
Don't trust and verify
There, I fixed your title for you.
This seems like a well set up phishing attack with a VS vector for malware injection. But like all phishing attacks it requires the victim to click on it which everyone at all times should avoid.
Plus, if you are investigating bugs (and especially potential zero days) you should be using a separate and heavily protected computer that would have noticed the vector.
Ars has a good article on it.
https://arstechnica.com/information-technology/2021/01/north-korea-hackers-use-social-media-to-target-security-researchers/
I quite liked my mortgage broker, he was very upfront with his costs, how much he would be getting in commission from the lender, and that I didn't have to use him even after he'd got the OIP. He was able to get a much better rate than me going direct to the same lender, easily saved me the upfront fee.
does anyone happen to know WHICH version of DevStudio caused this possibility?
I've been using 2010 for a long time, mostly because I *STILL* target Windows 7 [and earlier] and I *REFUSE* to use an IDE with a 2D FLATSO interface. I do _NOT_ write "UWP" crap, either.
But now it may seem that I have even MORE reasons to _NOT_ use a newer DevStudio, if project files that it opens can SPREAD MALWARE like opening a spreadsheet, or a Word document, or using Virus Outbreak (MS Outlook) for e-mail... [assuming more zero-days exist for it, as past performance would indicate]
Micros~1 you need to get your act together on security.
(captain obvious now goes back to working)
I'd be interested in how it was done as I knew about build events, but I had no idea about executing code on launching the .sln. It's actually something I'd like to do as I'd love my project to check that dependencies are all up and running.
Visual Studio's project file format includes events, and that includes an event on project open. It's used to do things like update dependencies or whatnot, stuff that you may want to be done before build so that e.g. IntelliSense can work properly. With web development being the unholy mess that it is, people do all kinds of things with it.
I don't know when it was introduced, but it was probably there since they introduced XML project files. Which would be in, I dunno, 2005 or something like that? Definitely before 2010.
Anyway, I get being angry that you can get pwned by a spreadsheet or a fancy text file - but a vsproj? I mean, anyone who opens such a file is by definition a techie. They (should) know it contains scripts.
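As an added example (not code from the article, from The Register, or from any commenter in this thread): a small Python scanner for the kind of project-file events the post above describes, so a techie opening someone else's project can see up front what it would run. The MSBuild element names it looks for (PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuild, Exec, UsingTask, Import) are real, but the choice of that set, and the rule that an Import is only worth flagging when its path is not a $(...) property reference, are assumptions on my part. The two project files embedded below are constructed samples, not anything from the campaign.

```python
"""Scan an MSBuild project (.vcxproj/.csproj) for elements that run code.

Added example for this thread, not the article's own code. Assumptions:
the flagged element set and the Import heuristic are mine; the sample
project XML below is constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Elements that make MSBuild / Visual Studio execute something. Which of
# these fire on open vs. on build is a property of the IDE, not of this code.
CODE_RUNNING = {
    "PreBuildEvent": "build event (runs before compile)",
    "PreLinkEvent": "build event (runs before link)",
    "PostBuildEvent": "build event (runs after build)",
    "CustomBuild": "custom build step",
    "Exec": "Exec task inside a Target",
    "UsingTask": "loads a task assembly (DLL) into MSBuild",
}

# Constructed sample: a driver-bug repro project that also carries a build
# event and an Exec task. Paths are placeholders, not real artefacts.
SAMPLE_VCXPROJ = r"""<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="bsod_repro.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -ep bypass -f $(ProjectDir)\tools\setup.ps1</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="$(ProjectDir)\tools\helper.exe --init" />
  </Target>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>
"""

# Constructed sample: a plain SDK-style project with nothing to flag.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""


def _local(tag):
    """Strip the XML namespace so old (xmlns) and SDK-style files look alike."""
    return tag.rsplit("}", 1)[-1]


def _command_of(elem):
    """Return the command text of a build event or Exec task, if any."""
    command = elem.get("Command")
    if command is not None:
        return command
    child = next((c for c in elem if _local(c.tag) == "Command"), None)
    if child is not None and child.text:
        return child.text.strip()
    return ""


def scan_project(xml_text):
    """Return (element, description, detail) for every code-running element.

    Raises xml.etree.ElementTree.ParseError on malformed input; a project
    file that will not parse deserves a look too, so the caller sees that.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        if tag == "UsingTask":
            detail = elem.get("AssemblyFile") or elem.get("AssemblyName") or ""
            findings.append((tag, CODE_RUNNING[tag], detail))
        elif tag in CODE_RUNNING:
            findings.append((tag, CODE_RUNNING[tag], _command_of(elem)))
        elif tag == "Import":
            project = elem.get("Project", "")
            # Heuristic (assumption): stock imports go through $(VCTargetsPath),
            # $(MSBuildToolsPath) etc.; a literal path pulls in logic shipped
            # with the project itself.
            if not project.startswith("$("):
                findings.append((tag, "imports project logic from a bundled path", project))
    return findings


if __name__ == "__main__":
    for name, text in (("sample.vcxproj", SAMPLE_VCXPROJ), ("clean.csproj", CLEAN_CSPROJ)):
        hits = scan_project(text)
        print(f"{name}: {len(hits)} code-running element(s)")
        for tag, why, detail in hits:
            print(f"  {tag:14} {why}: {detail}")
```

Run it over a project before opening it in the IDE; anything it lists is a command the project will run on your machine, and the honest use the post mentions (refreshing dependencies for IntelliSense) looks identical in this output to a hostile one, which is the point.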
"We hopped in a group chat, the three of us, and he sent me a Visual Studio project to take a look at a driver bug that caused a blue screen of death."
Replace "chat" with tussle and "VS project" with err squidgy goings on and imagine a situation that ends in a "driver bug" (fnarr.) Anyone see what went wrong? Sophisticated state actor or a lot of Willy - you decide.
"told me he got wind of the guy trying to backdoor someone else's machine with a Visual Studio phishing trick." Sure enough, Caceres found the smoking gun buried in the VS project sent to him by "James"
... YMCA ...
"Normally they're most interested in so-called zero-days: previously unknown vulnerabilities that have existed since "day zero" of a program’s lifespan, as Reg readers know."
I prefer the Kaspersky definition of Zero Day - A zero day exploit is a cyber attack that occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator. https://www.kaspersky.co.uk/resource-center/definitions/zero-day-exploit
There's more than one ( standard ) definition:
Wikipedia: Zero-day (computing)
I'm sure someone will be along to revise it.
Yes, I can see that the guy received malicious code in what was essentially a social-engineering attack. But what evidence is there that this had anything to do with a government? It seems that just about every virus and trojan, as well as selected social media posts these days are being attributed to some government or other. Have the 'normal' criminals disappeared? In addition, the people who discover the malware always seem to assume that the country of origin is exactly what it appears to be (either from the IP address, 'clues' in the code or just because the person sending the code says they are from that country).
I'm pretty sure that anyone capable of putting malicious payload into a VS project, and talking sensibly about the technical details of vulnerabilities would be capable of communicating via a foreign relay or otherwise disguising where they are located. Or is it assumed that all these cunning state actors who have devised sophisticated ways to attack our Western democracies are stupid enough to do so from an IP address allocated to their own government, or that the person who wrote the malware helpfully embedded their name and address in the code?
You couldn't get a virus from opening email? Or a text document? Or a software project in your IDE?
Code being run when a document is opened is an Earth-shattering kaboom just waiting to happen.
These wonderful "features" are nothing more and nothing less than back doors allowing anyone to do anything with surprisingly little effort.
The script fragment appears to run a few checks on the system before looking for the presence of a particular 'engine' in the SSL of the machine it's running on, returning the reference for use by another program. Either way, some kind of explanation of what's being exploited and how it's being used is owed us before people go shouting from the rooftops about NK or whatever. Regardless of what the script is actually able to do and why it exists, it shouldn't be executing anything outside the environment of the test machine or exporting any information from that machine. Bugs apart, I can't see how this script can own anything (unless SSL is really buggy.....).
Anyone got any ideas?