North Korea-backed hackers target security researchers with 0-day

lucubratory

Ars Scholae Palatinae
1,430
Subscriptor++
Obviously very troubling, but it shows the limited resources of their operation that they're doing this. Other sanctioned countries don't generally need to hack security researchers to find zero-days, they buy them black market or find them themselves. It's a continual surprise to me how relatively effective the DPRK intelligence services are in cyber operations considering their incredibly limited budgets compared to all of their adversaries.
 
Upvote
25 (25 / 0)
What's annoying is that this isn't actually a "responsible disclosure". Responsible means you do the most to protect the potential users, not protect the vendor. Not disclosing the name of the software means this is repeatable until the software is patched. It's one thing when there's no known exploit being utilized. Quite another when there are exploits in the wild being used to target people, even if they're targeted attacks. One can't vet every single person contacting you before you even know who they are. Many targeted high-end exploits need very little user interaction. It's better to know what the problem is, then remove or isolate the problem software, than depend on fallible human reactions.
 
Upvote
35 (38 / -3)

ForbiddenBarn

Wise, Aged Ars Veteran
124
It sounds elaborate but the ROI for North Korea on a successful hack must be very lucrative.

If you put 3 programmers at North Korean wages to work for a year on an exploit, and then manage to use that exploit for ransomware against a company, at a market average of $1MM, I mean you'd be foolish not to do it.

The worst thing that might happen to those individual programmers is they might get poached by China or Russia for even more lucrative gigs.
 
Upvote
11 (11 / 0)
Pedant here. 0-days are exploits devs just learned about, not exploits that are unpatched.
Do you have a source for your definition? Trend Micro says something opposite for example:

A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched.

And to be a pedant here, an exploit is not something that you patch, an exploit is simply a tool used to, well, exploit a vulnerability.
A vulnerability is something that you patch.
 
Upvote
29 (30 / -1)

morlamweb

Ars Scholae Palatinae
1,439
Do you have a source for your definition? Trend Micro says something opposite for example:

A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched.

And to be a pedant here, an exploit is not something that you patch, an exploit is simply a tool used to, well, exploit a vulnerability.
A vulnerability is something that you patch.
Agreed. And the only thing worse than that damnable phrase "technically correct is the best kind of correct" are those who are actually incorrect in their pedantry.
 
Upvote
9 (10 / -1)

Kazper

Ars Praefectus
4,287
Subscriptor
What's annoying is that this isn't actually a "responsible disclosure". Responsible means you do the most to protect the potential users, not protect the vendor. Not disclosing the name of the software means this is repeatable until the software is patched. It's one thing when there's no known exploit being utilized. Quite another when there are exploits in the wild being used to target people, even if they're targeted attacks. One can't vet every single person contacting you before you even know who they are. Many targeted high-end exploits need very little user interaction. It's better to know what the problem is, then remove or isolate the problem software, than depend on fallible human reactions.
Depends a bit on what the tool being targeted is. If it's specialized enough to security researchers, then it's probable they could share information internally and it would create lower overall risk than letting other actors know about the vulnerability as well.
 
Upvote
2 (3 / -1)

Fnord666

Wise, Aged Ars Veteran
174
The researchers urged anyone who has run the software to “ensure your system is in a known clean state, likely requiring a reinstall of the operating system.” The post includes file hashes, IP addresses, and other data people can use to discern if they've been targeted.

So there is a recommendation that you take action if you have run this software, but they aren't going to tell us which software that is? That's helpful.
 
Upvote
5 (6 / -1)
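The article only says that the TAG post "includes file hashes, IP addresses, and other data people can use to discern if they've been targeted." What that check looks like in practice is a sweep of local files and proxy/DNS logs against the published indicators. The script below is an added example, not code from the article, the TAG post, or any commenter; the file hash, the IP addresses (RFC 5737 documentation ranges), the directory layout and the log lines are all constructed placeholders, not the real indicators from the post. Swap in the hashes and addresses from the actual advisory to use it.

```python
"""IOC sweep: match file SHA-256s and log IP addresses against an indicator list.

Added example. Every indicator below is constructed for the demo; none comes
from the Google TAG post the article describes.
"""
import hashlib
import ipaddress
import os
import re
import tempfile
from pathlib import Path

# Constructed sample payload; its SHA-256 stands in for a published file-hash IOC.
SAMPLE_BAD_BYTES = b"constructed sample of a trojanised helper tool\n"
IOC_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}

# Constructed network IOCs from RFC 5737 documentation ranges (placeholders only).
IOC_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("198.51.100.7")}

# Constructed proxy/DNS log lines; only line 2 touches an IOC address.
SAMPLE_LOG = [
    "2023-09-07T10:01:02Z proxy allow src=10.0.0.5 dst=203.0.113.20:443 host=example.invalid",
    "2023-09-07T10:03:14Z proxy allow src=10.0.0.5 dst=192.0.2.10:443 host=cdn.example.invalid",
    "2023-09-07T10:04:55Z dns query 10.0.0.5 -> 999.1.1.1 NXDOMAIN",
]

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into RAM at once
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, ioc_hashes: set[str]) -> list[tuple[Path, str]]:
    """Walk root and return (path, sha256) for every regular file whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks so a planted link cannot walk us out of the tree.
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in ioc_hashes:
                hits.append((p, digest))
    return hits


def scan_log(lines, ioc_ips) -> list[tuple[int, str, str]]:
    """Return (line_number, ip, line) for every log line mentioning an IOC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # "999.1.1.1" matches the regex but is not an address
            if ip in ioc_ips:
                hits.append((n, str(ip), line.strip()))
    return hits


def demo() -> tuple[list[tuple[str, str]], list[tuple[int, str, str]]]:
    """Build a constructed directory tree, run both sweeps, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"benign research notes\n")
        (root / "tools").mkdir()
        (root / "tools" / "helper.bin").write_bytes(SAMPLE_BAD_BYTES)
        hash_hits = [(p.relative_to(root).as_posix(), d) for p, d in scan_tree(root, IOC_SHA256)]
    ip_hits = scan_log(SAMPLE_LOG, IOC_IPS)
    return hash_hits, ip_hits


if __name__ == "__main__":
    files, addrs = demo()
    for path, digest in files:
        print(f"FILE MATCH {path} {digest}")
    for n, ip, line in addrs:
        print(f"LOG MATCH line {n} ip {ip}: {line}")
```

A hash hit on a file you ran is the signal the researchers describe: treat the host as compromised and rebuild it rather than deleting the file, since a hash sweep only finds the dropper it was given and not whatever it installed. A hash miss proves little, because the same actor can recompile the tool and change every hash while the network indicators stay useful for longer.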
yep, plain old classic intel techniques. sidle up to the researchers (or any worthwhile target), act like they are your buddy-buddies to gain a modicum of trust, then offer some 'helpful software' to enhance the 'value' of the researchers/business opportunities.

EXCEPT once a few of these benign transactions pass muster, then another hunk of less than useful software is used to 'stick a knife' into the adversary.

grooming people to think in ways that make use of innocence and love, from the narcissistic ideology of the N Korean leadership (aka psychotic weaklings) is par for the course.

worse yet, is just how GULLIBLE and NAIVE the elite educated western societies have remained, despite all the deeply humanitarian (but financially un-equitable) positions they claim.
 
Upvote
-8 (0 / -8)

moosemaimer

Ars Scholae Palatinae
817
Well, the hacking activities are known to finance the nuking activities. The only caveat is that I'm not sure the hackers get "paid" in any meaningful way.
They likely get to live in Pyongyang, in a decent-looking apartment, with access to things like food and consumer goods; unlike the hoi polloi, who live in the countryside, and have to grow what they can while proclaiming their undying love for the Kims.
 
Upvote
4 (5 / -1)

Kazper

Ars Praefectus
4,287
Subscriptor
So there is a recommendation that you take action if you have run this software, but they aren't going to tell us which software that is? That's helpful.
No. The 0-day is separate from the piece of software they also peddled and which your quote was about. From the article:
The post said that in addition to exploiting the current zero-day, the same hacking group appears to be sharing software that also targets researchers. The tool, first posted to GitHub in September 2022 and removed an hour before this post went live, provided a useful means to debug or analyze software.
It's probably the tool linked in the screenshot of one of the actors. But otherwise it's in the original post.
 
Upvote
2 (2 / 0)
Do you have a source for your definition? Trend Micro says something opposite for example:

A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched.

And to be a pedant here, an exploit is not something that you patch, an exploit is simply a tool used to, well, exploit a vulnerability.
A vulnerability is something that you patch.
There may have been some linguistic drift here, similar to "bricking" etc.


Disclosed vulnerabilities are n-day:
https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability
https://www.bleepingcomputer.com/ne...h-gap-makes-n-days-as-dangerous-as-zero-days/
etc, just google n-day.

Re exploit vs vuln, I would not call every vulnerability a 0-day, only those that have been exploited. There are vulnerabilities that only the dev knows about, and others floating in the ether, and others that are purely theoretical (e.g. quantum-vulnerable asymmetric keys). I wouldn't call any of those 0-day, even going by your definition. (edit: but again this is just based on experienced usage that's decades stale at this point, so if everything is a 0-day now, I guess that's the world we live in)
 
Upvote
1 (2 / -1)

FlightofFancy001

Ars Centurion
205
Subscriptor
addendum to title:
While US subs target North Korean sub with torpedo.
I'm kind of curious if the new NK sub is going to have an "accident" while undergoing sea trials in deep water. Not that it's necessary. Those old boats are so noisy, tracking them undetected should be a pretty easy task.
 
Upvote
-1 (0 / -1)

pacostacos

Smack-Fu Master, in training
50
Re exploit vs vuln, I would not call every vulnerability a 0-day, only those that have been exploited. There are vulnerabilities that only the dev knows about, and others floating in the ether, and others that are purely theoretical (e.g. quantum-vulnerable asymmetric keys). I wouldn't call any of those 0-day, even going by your definition. (edit: but again this is just based on experienced usage that's decades stale at this point, so if everything is a 0-day now, I guess that's the world we live in)
This.

I agree, it is frustrating '0-day' devolved into such an encompassing term over the years. I'm of the opinion tech writers are to blame: it is too tempting to use it in more flashy titles than not, so gradually the definition just changed itself.

We need a term for unpatched vulnerabilities that were discovered being exploited in the wild. Why? Because those are the really scary ones.
 
Upvote
3 (3 / 0)