[HN Gopher] Countering threats from North Korea
       ___________________________________________________________________
        
       Countering threats from North Korea
        
       Author : arkadiyt
       Score  : 195 points
       Date   : 2022-03-27 17:56 UTC (5 hours ago)
        
 (HTM) web link (blog.google)
 (TXT) w3m dump (blog.google)
        
       | tester756 wrote:
       | Will WebAssembly save us from this kind of CVEs?
       | 
       | assuming it has capabilities to support "modern" web
        
         | wolverine876 wrote:
         | How will WebAssembly save us?
        
           | tester756 wrote:
           | I'm asking
        
             | lucb1e wrote:
             | But why ask? Why not ask why we can't use forests or jquery
             | to prevent these attacks? What is the logic here, how do
             | you think it might work, even just vaguely if you don't
             | have a worked-out solution?
             | 
             | Edit: from another comment in a sibling thread, you
             | indicate thinking that WASM has a "security model /
             | sandbox". That would have been (part of) the answer to the
             | grandparent comment I suppose.
        
               | tester756 wrote:
               | My logic was here that WASM was created/designed by
               | companies that do maintain browsers - Mozilla Microsoft
               | Google Apple and it is marketed as
               | 
               | "WebAssembly describes a memory-safe, sandboxed execution
               | environment that may even be implemented inside existing
               | JavaScript virtual machines. When embedded in the web,
               | WebAssembly will enforce the same-origin and permissions
               | security policies of the browser."
               | 
               | Basically I felt like it was designed with security in
               | mind and I do wonder whether it'd prevent attacks like
               | this
        
         | dchest wrote:
         | No, on the contrary, it makes the attack surface larger.
        
           | tester756 wrote:
           | How?
        
             | FastEatSlow wrote:
             | Web assembly is extra code and complexity in a web browser
             | compared to one without, so there are more potential
             | vulnerabilities
        
               | tester756 wrote:
                | I don't buy it because you can apply the same reasoning
                | to every new / changed line of code, yet it ain't always
                | true
               | 
               | The question is,
               | 
               | is WASM's security model / sandbox "safer" / "easier to
               | actually execute" than JS'?
        
               | vbezhenar wrote:
               | It does not matter because JS is not going anywhere.
               | Whether it's more secure or not, it's still additional
               | attack surface.
        
               | tester756 wrote:
               | I believe it does
               | 
               | Of course JS ain't gonna go anywhere now, but if popular
               | JS frameworks started emitting WebAssembly behind the
               | scenes, so devs could still write their JS(and
               | C++/C#/etc) code, but it'd use WASM under the hood then
               | that'd start process of the deprecation of JS.
               | 
                | Which would mean that after all popular JS frameworks
                | managed to migrate and popular sites adapted to this,
               | then in ideal world you'd be able to turn off javascript
               | and still use those sites/apps via WASM, not by default
               | for everyone, but at least users that care would have an
               | option to do so while still being able to use the web.
               | 
               | You gotta start somewhere
               | 
                | Am I wrong somewhere? Or out of touch with reality?
        
               | dchest wrote:
                | Perhaps you can start by learning what WASM is:
               | 
               | https://developer.mozilla.org/en-US/docs/WebAssembly
               | 
                | As for vulnerabilities, here are nccgroup's slides about
                | WASM exploits:
               | 
               | https://i.blackhat.com/us-18/Thu-
               | August-9/us-18-Lukasiewicz-...
               | 
               | Here's an example vulnerability in WASM parsing leading
               | to RCE:
               | 
               | https://labs.f-secure.com/assets/BlogFiles/apple-safari-
               | wasm...
        
       | napmo wrote:
       | Google itself is gathering people's personal data and uses
       | fingerprinting methods to track them. This is done on billions of
       | people, and not even limited to their actual logged in users! It
       | would be nice if governments put an end to Google's invasion of
       | people's privacy. It is much more important than some failed
       | attacks.
        
         | coder-3 wrote:
         | Snowden has shown us that governments encourage and benefit
         | from this surveillance thus are unlikely to put an end to it
        
       | shdshdshd wrote:
        | Couldn't they just hardware-MITM the CPU and RAM, so as not to
        | be a prisoner of AES? This way they can dump stages as well.
        
         | ajross wrote:
         | Sure, but that requires having a fully instrumented host get
         | attacked. If all you have is a few reports of compromised
         | machines, it's much harder to work backwards to the exploit.
         | The attacker will switch things around before phishing again,
         | etc...
         | 
         | Honeypots are harder than they look, basically.
        
         | [deleted]
        
       | sydthrowaway wrote:
       | I am so fucking done with the internet turning into a trash pile
       | of scams and exploits.
        
         | ______-_-______ wrote:
         | Countries have been doing terrible things to people since long
         | before the internet
        
           | wolverine876 wrote:
           | > Countries have been doing terrible things to people since
           | long before the internet
           | 
           | What do you conclude? We shouldn't care or do anything? The
           | Internet, the medium, seems to greatly increase the volume of
           | scams and from everyone, not just countries.
        
           | user_7832 wrote:
           | True but before the internet it was limited to the locality.
           | The internet feels like a public park that gets trashed by
           | folks all across the world and not just by the neighbors.
           | (Just to be clear, I sympathize with your point as well)
        
             | [deleted]
        
             | [deleted]
        
         | stefan_ wrote:
         | Who is even routing with North Korea? Seeing how the normal
         | populace there literally doesn't have access to the internet,
         | what on earth is there to be gained?
        
           | sydthrowaway wrote:
           | You know who.
        
           | Symbiote wrote:
           | Hong Kong and Russia:
           | 
           | https://bgpview.io/asn/131279#peers-v4
           | 
           | http://cooks.org.kp/en/ is hosted on that network.
        
       | buzzert wrote:
       | What evidence do they have that suggests these threats are coming
       | from North Korea?
        
         | trashcan01 wrote:
         | A statement from Google.
        
           | martyvis wrote:
              | I'm actually surprised Google would say this is from the DPRK
              | government without also saying it had been verified by US
              | federal government authorities. Usually they leave it for
              | others to deal with statements at that level.
        
             | huntsman wrote:
             | I think you'll find TAG regularly gives assessment on
             | attribution at least at the country level. Iran, China,
             | Russia, Belarus and North Korea at least have been named in
             | the last few years.
             | 
             | (Disclaimer: I am head of TAG)
        
             | fit2rule wrote:
        
           | vmception wrote:
           | And even when knowing how a country or particular state-
           | backing is identified, there is nothing preventing other
           | hackers from adding the same markers to their own software
        
             | agilob wrote:
              | NK hackers are known for adding false flags
        
         | bberrry wrote:
         | > These groups' activity has been publicly tracked as Operation
         | Dream Job and Operation AppleJeus.
         | 
          | Following those links yields these two documents, which both
          | have "Attribution" sections. Presumably some of these tell-tale
          | signs were identified in the ongoing exploitation.
         | 
         | https://www.clearskysec.com/wp-content/uploads/2020/08/Dream...
         | 
         | https://securelist.com/operation-applejeus/87553/#attributio...
        
         | [deleted]
        
       | lizardactivist wrote:
       | Been looking in that article to find how they concluded it's from
       | North Korea, but I can't find it. Can anyone point it out for me?
        
         | buzzert wrote:
         | _crickets_
        
         | eli wrote:
         | https://www.clearskysec.com/wp-content/uploads/2020/08/Dream...
        
       | vmception wrote:
       | Operation AppleJeus
       | 
       | Ok thats clever, and a nod to Zeus exploit kit, I love hacker
       | group names lol
        
       | blondin wrote:
       | it is interesting that most of the CVEs are "use after free".
       | instead of being stuck in an endless cycle of detection and
       | patching, maybe, it's time we consider better ways...
        
         | [deleted]
        
       | olivierduval wrote:
        
         | huntsman wrote:
         | In this case we only obtained a Chrome exploit.
         | 
         | Whether that means they didn't have exploits for other
         | platforms as part of this attack or that we just didn't succeed
         | in determining them is unknown.
         | 
         | TAG has certainly found and reported exploits in other
         | platforms many times so it is not a matter of not caring.
         | 
         | Source: I am lead of TAG at Google
        
         | [deleted]
        
         | Thorrez wrote:
         | Because of the various safeguards:
         | 
         | > Only serving the iframe at specific times, presumably when
         | they knew an intended target would be visiting the site.
         | 
         | > In some email campaigns the targets received links with
         | unique IDs. This was potentially used to enforce a one-time-
         | click policy for each link and allow the exploit kit to only be
         | served once.
         | 
         | > The exploit kit would AES encrypt each stage, including the
         | clients' responses with a session-specific key.
         | 
         | > Additional stages were not served if the previous stage
         | failed.
         | 
         | it was hard to collect the exploits. They only managed to
         | collect the Chrome one.
         | 
         | Compare this to Pegasus, malware that attacks both iOS and
         | Android. So far researchers have only been able to collect iOS
         | versions.
         | 
         | I think it's a little funny that you're complaining that a
         | Google security group (TAG in this case) is publicly reporting
         | vulnerabilities in a Google product, but not others. With
         | Project Zero (a different Google security group), people
         | usually complain in the opposite way, and say that it's bad for
         | Google to publicly report a lot of vulnerabilities in
         | competitor products, because it makes competitors look bad and
         | is just done for publicity reasons.
         | 
         | Disclosure, I work at Google, but not on anything related to
         | this.
        
         | yunohn wrote:
         | I think you misunderstood - they're saying the links served
         | nothing, presumably because it's a Chrome-specific exploit.
        
           | SheinhardtWigCo wrote:
           | "We did not recover" is ambiguous.
        
           | joshuamorton wrote:
           | Or potentially there were exploits but they weren't able to
           | encounter them due to the various protection measures the
           | attackers used.
        
             | yunohn wrote:
             | Either way, I find it very hard to believe that they
             | haven't coordinated with Apple and Mozilla on this CVE.
        
       | daenz wrote:
        | > Careful to protect their exploits, the attackers deployed
        | multiple safeguards to make it difficult for security teams to
        | recover any of the stages. These safeguards included:
        | 
        | * Only serving the iframe at specific times, presumably when they
        | knew an intended target would be visiting the site.
        | 
        | * In some email campaigns the targets received links with unique
        | IDs. This was potentially used to enforce a one-time-click policy
        | for each link and allow the exploit kit to only be served once.
        | 
        | * The exploit kit would AES encrypt each stage, including the
        | clients' responses with a session-specific key.
        | 
        | * Additional stages were not served if the previous stage failed.
       | 
       | Is this a normal level of sophistication for a CVE?
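
The four safeguards quoted in this post are easier to reason about as a small model. The following Python is an added illustration written for this page; it is not code from the Google post and not the exploit kit the post describes. It models a delivery server that serves an encrypted first stage at most once per unique link and only inside a serving window, issues a per-session key on that first exchange, refuses to hand out stage N+1 without proof that stage N ran, and then contrasts what the intended target's browser collects with what an analyst replaying the link afterwards collects. The placeholder stage bytes, the serving window, the `stage-N-ok` proof format and the SHA-256 counter-mode keystream (a stand-in for the AES the post mentions, so the example needs only the standard library) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import time


def keystream_xor(key, counter, data):
    """XOR data with a SHA-256 counter-mode keystream derived from the session key.
    Stand-in for the AES the post describes; the property that matters here is
    that a captured blob is useless without the per-session key."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def proof_for(key, stage_index):
    """Assumed 'stage N ran' report: an HMAC under the session key over a fixed tag."""
    return hmac.new(key, b"stage-%d-ok" % stage_index, "sha256").digest()


class StagedDelivery:
    """Model of the gating the post lists: unique one-time links, a serving window,
    a session-specific key, and no stage N+1 unless stage N succeeded."""

    def __init__(self, stages, window, now=time.time):
        self.stages = stages      # constructed placeholder payloads, one per stage
        self.window = window      # (start, end) as epoch seconds
        self.now = now
        self.tokens = {}          # unique link id -> per-session state

    def issue_token(self):
        """Unique id embedded in the e-mailed link."""
        token = os.urandom(8).hex()
        self.tokens[token] = {"used": False, "key": None, "next": 0}
        return token

    def landing(self, token):
        """First click: serve the iframe (encrypted stage 0) at most once and only
        in-window. Everything else gets the benign redirect, so a later fetch of
        the same link sees nothing."""
        rec = self.tokens.get(token)
        in_window = self.window[0] <= self.now() <= self.window[1]
        if rec is None or rec["used"] or not in_window:
            return ("redirect", None, None)
        rec["used"] = True
        rec["key"] = os.urandom(16)      # session-specific key, agreed on this first exchange
        rec["next"] = 1
        return ("iframe", rec["key"], keystream_xor(rec["key"], 0, self.stages[0]))

    def next_stage(self, token, proof):
        """Serve stage N only if the client proves stage N-1 ran; a bad proof ends the session."""
        rec = self.tokens.get(token)
        if rec is None or rec["key"] is None or rec["next"] >= len(self.stages):
            return None
        expected = proof_for(rec["key"], rec["next"] - 1)
        if not hmac.compare_digest(expected, proof):
            rec["next"] = len(self.stages)   # previous stage failed: nothing further, ever
            return None
        n = rec["next"]
        rec["next"] += 1
        return keystream_xor(rec["key"], n, self.stages[n])


def run_as_target(kit, token):
    """Walk the chain the way the intended victim's browser would; returns the plaintext stages."""
    verdict, key, blob = kit.landing(token)
    if verdict != "iframe":
        return []
    stages = [keystream_xor(key, 0, blob)]
    while True:
        blob = kit.next_stage(token, proof_for(key, len(stages) - 1))
        if blob is None:
            return stages
        stages.append(keystream_xor(key, len(stages), blob))


def run_as_analyst(kit, token, captured_blob):
    """Replay the link from the victim's mailbox after the fact: the link is spent,
    and the captured bytes do not decrypt without the session key (a zero key
    stands in for any key the analyst does not have)."""
    verdict, _, _ = kit.landing(token)
    return verdict, keystream_xor(b"\x00" * 16, 0, captured_blob)
```

The point the model makes is the one ajross raises above about honeypots: a URL scanner or sandbox that fetches the link after the victim did sees only the redirect, a stage captured off the wire is ciphertext under a key that lived only in that session, and a failed or instrumented stage ends the chain. Recovery therefore has to happen inline, on the first load, on a host that was instrumented before the lure arrived.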
        
         | mhoad wrote:
         | I think it's currently unusual but makes sense as a pretty
         | obvious SOP for an attacker with a specific target set who is
         | sitting on top of a pretty valuable vulnerability (RCE on a
         | fully up to date Chrome in this instance).
         | 
          | They are hard to come by and building tooling is a long and
          | expensive process on top of everything else.
        
         | [deleted]
        
         | RL_Quine wrote:
         | We see some of this with just normal spear phishing against
         | companies. The "single click" thing is reasonably common, it
         | makes things a bit harder to catch as often the clickthrough
         | will change to whatever is being spoofed in the first place. A
         | homophone ycornbinator.com would serve the malware first time,
         | then next time it would send a permanent redirect. Unique IDs
         | you'll see in things like spam SMS, both to work around
         | automated blacklisting, but also to work out who clicked
         | through and who might be a potential mark the next time even if
         | they didn't completely fall for the scam.
         | 
         | Most of what we got was recycled RAT malware with various
         | packers though, it didn't trend towards being particularly
         | interesting because you usually don't need to be to catch
         | people, at least that's my impression. Maybe it's bad toupee
         | fallacy.
        
           | wolverine876 wrote:
           | Thanks for the input. A nit, sorry, but maybe relevant to
           | readers learning a little about anti-phishing: homophones
           | sound the same ('-phone' refers to sound, like telephone) but
           | differ in meaning, such as 'write' and 'right'. I don't know
           | the term for ycombinator.com / ycornbinator.com, which is a
           | real problem, of course.
        
             | chrismarlow9 wrote:
             | It's a homoglyph https://en.m.wikipedia.org/wiki/Homoglyph
             | 
             | Typically used via poorly named idn homograph attacks
             | https://en.m.wikipedia.org/wiki/IDN_homograph_attack
        
               | thaumasiotes wrote:
               | Technically ycornbinator.com is just a lookalike.
               | 
               | Homographs look exactly the same.
               | 
               | (And of course "homograph" ["same writing" or "same
               | picture"] is a better name than "homoglyph" ["same
               | carving"].)
        
               | chrismarlow9 wrote:
               | That's fair I'm not really one for jargon and whatnot (I
               | think it can actually become less useful if the goal is
               | just to communicate something to a person), but the first
               | line in wiki says:
               | 
               | > a homoglyph is one of two or more graphemes,
               | characters, or glyphs with shapes that appear identical
               | or very similar.
               | 
               | "Very similar" and "two or more" being the key words.
               | 
               | As for homograph I found homoglyph by reading the wiki
               | and it saying homoglyph is more appropriate.
               | 
               | (Insert obligatory "wiki it's not always accurate etc
               | etc"). Overall I'd take either one and personally don't
               | care. Just trying to match what you're saying with what
               | I'm reading and make sense of where the truth is.
        
               | wolverine876 wrote:
               | > (Insert obligatory "wiki it's not always accurate etc
               | etc"). Overall I'd take either one and personally don't
               | care. Just trying to match what you're saying with what
               | I'm reading and make sense of where the truth is.
               | 
               | Diving in (even if the parent doesn't care :) ):
               | 
               | The last sentence is the real challenge: Meanings depend
               | 100% on writer and reader understandings. If two agree
               | that 'homograph' means 'chicken poop', as long as they're
               | the only ones communicating then 'chicken poop' it is;
               | but if someone else reads it, our language subsystem
               | fails.
               | 
               | Some dictionaries influence meaning by being
               | _prescriptive_ (e.g., American Heritage, IIRC); others
               | report what has been understood by being _descriptive_
               | (e.g., Oxford). The problem is, Wikipedia is neither: It
               | represents the understandings of a few editors of unknown
               | knowledge; it is neither descriptive nor prescriptive and
               | we quickly get into chicken poop scenarios.
               | 
                | * _Homograph_, report Merriam-Webster and Oxford, means
               | words with the same spelling but different meanings (or
               | origin or pronunciation), e.g., the _bow_ of a ship and a
               | _bow_ and arrow.
               | 
                | * _Homoglyph_ doesn't appear in Oxford, Merriam-Webster,
               | American Heritage, or any others (per Wordnik and
               | OneLook), except Wiktionary. Wiktionary descriptively
               | traces the word back to 1938 (though maybe with a
               | different meaning in that case) and says it means a glyph
               | with the same or similar appearance but different
               | meaning. That still doesn't define a term for the entire
               | string "ycornbinator.com", only the "rn", but close
               | enough!
        
               | naniwaduni wrote:
               | > Some dictionaries influence meaning by being
               | prescriptive (e.g., American Heritage, IIRC); others
               | report what has been understood by being descriptive
               | (e.g., Oxford). The problem is, Wikipedia is neither: It
               | represents the understandings of a few editors of unknown
               | knowledge; it is neither descriptive nor prescriptive and
               | we quickly get into chicken poop scenarios.
               | 
               | To be clear: reporting what has been understood still
               | influences meaning. Choice of inclusion moderates spread;
               | definitions are inherently lossy and cannot capture the
               | whole range of nuance; the compiler's understanding can
               | be inaccurate. Lexicography is not a neutral art, no
               | matter your choice of biases. And OED no less "represents
               | the understandings of a few editors of unknown knowledge"
               | than Wikipedia does. With different goals, and to
               | different standards, to be sure, but Gell-Mann amnesia
               | goes hard until you get into the weeds.
               | 
               | In any case, to understand "homoglyph" to refer only to
               | 1:1 character correspondences gratuitously misunderstands
               | the nature of writing. Recall that we have a letter
               | called "double u".
        
               | kovvy wrote:
               | There is also 'homeograph' - "A word similar -- but not
               | identical -- in spelling to another." That seems a better
               | fit for your needs.
        
           | mot0rola wrote:
              | I have been receiving increased SMS spam this past week. Is
              | it connected to this exploit? The messages are all different
              | domains with a unique ID appended.
        
             | huntsman wrote:
             | Probably not. No signs that this is linked to any mass
             | activity.
        
             | ipaddr wrote:
             | Tax time
        
             | samsonradu wrote:
             | Me too, receiving spam job offers with bit.ly links.
        
               | xunn0026 wrote:
               | I too saw one of these. Very odd since I was expecting a
               | note about a job.
        
               | TedDoesntTalk wrote:
               | Don't reply to those SMS. Your geolocation can be derived
               | from your reply, even a STOP or UNSUBSCRIBE reply.
        
         | politelemon wrote:
         | For targeted ones I think it is. The details that emerged
         | around SolarWinds were quite sophisticated in terms of
         | execution, timing, hiding, and cleanup.
        
         | adolph wrote:
         | Much of it seems like normal ad-tech practice to identify
         | individuals and discourage click-farming. Unique keys sent in
         | an email campaign? Oh my scaaary stuff.
        
       ___________________________________________________________________
       (page generated 2022-03-27 23:00 UTC)