I’ll be a bit cheap and repeat my HN comment (but then extend a little).
PDFs are indeed a bit scary.
A few months back I was triaging a GH issue where someone had attached an .rtf of their failure log and I was definitely tingling at the thought of opening it.
I felt a bit paranoid doing it, but I curled it down on a different laptop, went offline, and then checked to see what file thought. It reported that the file was actually a PDF and I was almost certain it was a spearphishing attempt.
(I’m not a committer on this project, so I probably wouldn’t have been the target if it was.)
I finally convinced myself to go online to fetch a PDF -> plaintext converter package, go back offline, and see what it found inside. (Though I wondered if the converter itself would ignore or could be vulnerable to the same kinds of exploits.)
It ultimately just looked like an appropriate log, though I never directly opened it. I decided to risk coming off as paranoid and told the reporter not to do this going forward (and they promptly/happily replaced the attachment with an unformatted copy/paste–better than getting pwned).
I’ve also heard at least twice in the past ~year through coworkers about attempted surprisingly high-effort (but ultimately not sophisticated) ~spearphishing/scam attempts that we had to assume were driven by orgchart knowledge gleaned from linkedin or facebook.
The first was an attempt to run a gift-card scam on someone in a running club by pretending to be president of said club.
The second was an attempt to perpetrate something similar (I didn’t get details this time) against a brand-new hire at a small (fewer than 30 employee) ~content company by pretending to be the chief creative talent.
It seems like there’s more creativity out in this niche than there was a few years ago.
The first was an attempt to run a gift-card scam on someone in a running club by pretending to be president of said club.
This happens all the time for me.
People I know get messages on all sorts of platforms, including ones I am not on, asking to buy gift cards and send “me” the code (but it is not me). The context varies. Sometimes it’s a work teammate getting a WhatsApp message that claims to be me (from a random number), sometimes a family member gets a Facebook message from a name like mine (I haven’t been on Facebook in 6 years), but it’s always the same bottom line (paraphrased) “I’m in a bind, I don’t have much time, and I need your help: Please run to a CVS, buy a $50 Amazon gift card and send me the code.”
It has happened since about 2019 with some regularity.
You’ve touched on something a lot of people are already late to 🙂
I’ve completely “wiped” my LinkedIn. Rather than delete it, signalling to people you are hiding something or afraid or are potentially overprotective, I’ve completely changed my career on the profile to be a fisherman. I’ve learned LinkedIn is pretty much terrible overall.
This has had some very cool consequences:
I can see who is actually looking for my name, and not just me appearing in searches!
I’ve learned “you’ve shown up in ~10 searches” is pretty much complete bullshit: this is still happening now that I’ve completely switched careers.
I think “it can happen to you too” is not right: PDF exploits are a very old thing, and there is something fishy about the whole story here, because the attackers would have to know 1. this person was looking for a job and 2. they ran a mac, otherwise the exploit wouldn’t have worked… Does the same exploit work in mupdf? evince? etc (doubtful based on the Google link)… Additionally for this dev to have not used a hardware wallet in such a position of power is absolutely stupid. I don’t know anyone serious in the space who isn’t using one, or also using tools which is encrypting sensitive information.
The post also touches on another thing which is long time coming: “disconnected dev” in the crypto space. In security focused ecosystems this is usually the default, but in crypto? Nopelol. Everyone is using everyone else’s npm packages and the like (but honestly for understandable reason: cryptography is hard).
At my old employer even though I was a core dev, the infra team was the only team with access to secrets. In this case the dev should not have been in charge of any secrets. Since they were well, it was a matter of time.
It does make me reflect though for my own personal things. Security keys are really the only thing that can save you against keyloggers / RATs…
And yeah VMs are escapable too. I think my vision of the future having “web machines” is more feasible the more stuff like this happens… One machine disconnected for dev, the other connected for everything else. Maybe even residing in the same box.
Lots of people are “open to new opportunities” without actively searching. And everyone has a price… (By which I don’t just mean money, but the whole package. Interesting work/impact, relocation to somewhere awesome, remote work for something that normally requires onsite, specific accommodations like part time work, etc.)
they ran a mac, otherwise the exploit wouldn’t have worked…
If you’ve got incentives to the tune of a few hundred million dollars this doesn’t seem much of a hurdle. You just need to find one person to take the bait who runs a software stack for which you have a workable exploit. I can see a few ways of achieving this:
Presumably the offer letter was preceded by some back-and-forth by email? If using a client-side mail client, you can infer the OS from the mail headers.
As part of your recruitment cover story, you can get the mark to follow a link to a website to fill out a form or something. This will leave a user-agent trail, including OS & version.
If you stalk people sufficiently on social media, you can learn what devices they use. Twitter for example tells you what client software was used to post a message. Tech people and developers post screenshots, talk about software they use, etc. Their LinkedIn CV might even tell you this. Something like “Junior iOS developer at X from 201A to 201B, senior iOS developer at Y from 201B to 201C” screams “this is a Mac user.”
If you’ve got access to a zero-day PDF exploit for macOS, chances are you might also have one for Windows in your repertoire.
You only have to succeed once, whereas your mark has to succeed every time. It’s not that hard to come up with excuses to send people Word or Excel documents, image files, etc. if the first exploit didn’t work for whatever reason.
Presumably the offer letter was preceded by some back-and-forth by email? If using a client-side mail client, you can infer the OS from the mail headers.
As part of your recruitment cover story, you can get the mark to follow a link to a website to fill out a form or something. This will leave a user-agent trail, including OS & version.
These are really good points and not something I considered…!
goes to check their own mail headers
but yeah like I said, in the end the only way is to store valuable secrets elsewhere…
I’m waiting for the day attackers start grabbing ~/.kube/config for cloud-managed k8s clusters. LinkedIn searching can make that a lot easier too.
Even if you’re using 2FA with OIDC, you still have a token that can be stolen and used for a few hours, enough time to gain persistence in a cluster.
Operating systems commonly used on company laptops (aka macOS and Windows) have bad sandboxing, especially when editors have access to your kubeconfig anyway to download API schemas or whatever they do.
Also, yes we can’t trust PDFs anymore, especially after exploits like FORCEDENTRY became a thing.
It would be nice if people writing parsers & viewers for any format (PDF, image, video, compressed archive…) understood that the only reasonable threat model here is attackers trying to exploit bugs in the parser to do nefarious things. Including but not limited to invoking the Nasal Demons™ of C/C++ Undefined Behaviour® to encrypt your hard drive and display a ransom message.
And at one time, JPEGs were a vector for exploitation—someone at Microsoft felt it was a good idea for a JPEG parser to execute anything that looked like code in found in the JPEG (most likely something related to Excel/Word macros or Visual Basic).
I’ll be a bit cheap and repeat my HN comment (but then extend a little).
PDFs are indeed a bit scary.
A few months back I was triaging a GH issue where someone had attached an .rtf of their failure log and I was definitely tingling at the thought of opening it.
I felt a bit paranoid doing it, but I curled it down on a different laptop, went offline, and then checked to see what
filethought. It reported that the file was actually a PDF and I was almost certain it was a spearphishing attempt. (I’m not a committer on this project, so I probably wouldn’t have been the target if it was.)I finally convinced myself to go online to fetch a PDF -> plaintext converter package, go back offline, and see what it found inside. (Though I wondered if the converter itself would ignore or could be vulnerable to the same kinds of exploits.)
It ultimately just looked like an appropriate log, though I never directly opened it. I decided to risk coming off as paranoid and told the reporter not to do this going forward (and they promptly/happily replaced the attachment with an unformatted copy/paste–better than getting pwned).
I’ve also heard at least twice in the past ~year through coworkers about attempted surprisingly high-effort (but ultimately not sophisticated) ~spearphishing/scam attempts that we had to assume were driven by orgchart knowledge gleaned from linkedin or facebook.
It seems like there’s more creativity out in this niche than there was a few years ago.
I’m continually surprised by my peers in IT who should know better just casually sharing links to PDFs in corporate chat and on social media.
This happens all the time for me.
People I know get messages on all sorts of platforms, including ones I am not on, asking to buy gift cards and send “me” the code (but it is not me). The context varies. Sometimes it’s a work teammate getting a WhatsApp message that claims to be me (from a random number), sometimes a family member gets a Facebook message from a name like mine (I haven’t been on Facebook in 6 years), but it’s always the same bottom line (paraphrased) “I’m in a bind, I don’t have much time, and I need your help: Please run to a CVS, buy a $50 Amazon gift card and send me the code.”
It has happened since about 2019 with some regularity.
You’ve touched on something a lot of people are already late to 🙂
I’ve completely “wiped” my LinkedIn. Rather than delete it, signalling to people you are hiding something or afraid or are potentially overprotective, I’ve completely changed my career on the profile to be a fisherman. I’ve learned LinkedIn is pretty much terrible overall.
This has had some very cool consequences:
I think “it can happen to you too” is not right: PDF exploits are a very old thing, and there is something fishy about the whole story here, because the attackers would have to know 1. this person was looking for a job and 2. they ran a mac, otherwise the exploit wouldn’t have worked… Does the same exploit work in mupdf? evince? etc (doubtful based on the Google link)… Additionally for this dev to have not used a hardware wallet in such a position of power is absolutely stupid. I don’t know anyone serious in the space who isn’t using one, or also using tools which is encrypting sensitive information.
The post also touches on another thing which is long time coming: “disconnected dev” in the crypto space. In security focused ecosystems this is usually the default, but in crypto? Nopelol. Everyone is using everyone else’s npm packages and the like (but honestly for understandable reason: cryptography is hard).
At my old employer even though I was a core dev, the infra team was the only team with access to secrets. In this case the dev should not have been in charge of any secrets. Since they were well, it was a matter of time.
It does make me reflect though for my own personal things. Security keys are really the only thing that can save you against keyloggers / RATs…
And yeah VMs are escapable too. I think my vision of the future having “web machines” is more feasible the more stuff like this happens… One machine disconnected for dev, the other connected for everything else. Maybe even residing in the same box.
Lots of people are “open to new opportunities” without actively searching. And everyone has a price… (By which I don’t just mean money, but the whole package. Interesting work/impact, relocation to somewhere awesome, remote work for something that normally requires onsite, specific accommodations like part time work, etc.)
If you’ve got incentives to the tune of a few hundred million dollars this doesn’t seem much of a hurdle. You just need to find one person to take the bait who runs a software stack for which you have a workable exploit. I can see a few ways of achieving this:
These are really good points and not something I considered…!
goes to check their own mail headers
but yeah like I said, in the end the only way is to store valuable secrets elsewhere…
You are looking for Qubes OS, which even comes with a PDF sanitization system (you can also just open the PDF in an ephemeral VM). I know you noted that VMs are escapable too, and that’s true, but Qubes’ architecture makes this significantly harder than it would be to e.g. escape VirtualBox.
I’m waiting for the day attackers start grabbing ~/.kube/config for cloud-managed k8s clusters. LinkedIn searching can make that a lot easier too.
Even if you’re using 2FA with OIDC, you still have a token that can be stolen and used for a few hours, enough time to gain persistence in a cluster.
Operating systems commonly used on company laptops (aka macOS and Windows) have bad sandboxing, especially when editors have access to your kubeconfig anyway to download API schemas or whatever they do.
How long would it take you to find a crypto miner daemonset with a name like kube-net-proxy and capped to one core a node or something small.
It would be nice if people writing parsers & viewers for any format (PDF, image, video, compressed archive…) understood that the only reasonable threat model here is attackers trying to exploit bugs in the parser to do nefarious things. Including but not limited to invoking the Nasal Demons™ of C/C++ Undefined Behaviour® to encrypt your hard drive and display a ransom message.
I found the recent announcement that Ghostscript is being rewritten in C to be quite concerning
https://lobste.rs/s/flxao4/pdfi_new_ghostscript_pdf_interpreter
But I guess GS isn’t that widely used…
Ob the one hand, that’s terrifying. On the other hand, GS already has a history of RCE vulns, so this could barely be worse, I guess.
This is sarcasm, right?
Not really, I meant I don’t think it’s widely used on the sort of desktop systems that the particular attack under discussion targeted.
Ghostscript gets involved as a dependency from a bunch of desktop apps, like CUPS uses it. iirc ImageMagick will under some circumstances invoke it.
And at one time, JPEGs were a vector for exploitation—someone at Microsoft felt it was a good idea for a JPEG parser to execute anything that looked like code in found in the JPEG (most likely something related to Excel/Word macros or Visual Basic).