1. 35
    1. 12

      This is absolutely nuts. I mean, anyone with a CS degree can see that if you’ve got memory & a bunch of logic gates you can implement a small CPU, especially if you have access to a loop construct to make things a bit easier. But to actually follow through on that to implement a full RCE exploit? If only the exploit authors’ actions didn’t mark them out for shame, it would be amazing.

      As it is, it’s depressing that such talent is being spent (burnt?) aiding and abetting authoritarian regimes around the world.

      1. 5

        Overall the Israelis have a pretty darn good offensive sec. screening, recruitment, training, and then letting mil.tech or startups pick them up flow that beats anything academia can achieve.

        You can find this kind of creativity/knowhow often enough in the emulation and CTF wargaming scenes, but the engineering effort in taking it to something reliable enough to deploy is impressive. Writing emulators in particular quickly gets you to the kind of thinking that “anything graphics is just memory r/w instructions with weird constraints and code vs. data is just a matter of perspective”.

        I would bet a fair amount that there is a packing/obfuscation engine based off a patched LLVM somewhere in their repositories that takes desired shellcode and emits this ‘bitop’ instruction format (also recall the xoreaxeaxeax movfuscator and related projects, it is the same kind of vibe).

        Here’s to hoping a HackingTeam style leak occurs eventually. Would imagine working on the involved teams now being disowned and disbanded and rebranded has some disillusioned members that would like to pastebin a thing or two.

      2. 2

        If only the authors’ actions didn’t mark them out for shame, it would be amazing.

        What do you mean by this? It struck me as an excellent write-up that really made a complex subject accessible.

        1. 3

          To clarify: I meant the authors of the exploit, i.e. NSO employees. Have edited the original post to make that clear.

          1. 3

            That makes sense. I completely misread that. Sorry!
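The top comment in this subthread says that memory plus a bunch of logic gates is enough to build a small CPU. The following is an added illustration of that claim, not code from the Project Zero write-up or from the exploit itself: a toy machine whose only instruction is "combine two one-bit memory cells with AND/OR/XOR/XNOR and store the result" (the same family of combination operators a JBIG2 refinement step can apply between bitmaps; the cell layout, the instruction struct and the `add8`/`mux8` names are choices made for this demo). From that single primitive it assembles NOT, a ripple-carry adder and a branch-free multiplexer, which are the pieces a register machine is built from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy "bit-op machine" for this example (not NSO's or P0's code).
 * The only instruction is cell[dst] = cell[a] <op> cell[b], op in
 * {AND, OR, XOR, XNOR}. Every cell holds one bit. Cell 0 is pinned to 0 so
 * NOT can be expressed as XNOR with a constant.
 */
enum bitop { OP_AND, OP_OR, OP_XOR, OP_XNOR };

typedef struct { enum bitop op; int dst, a, b; } insn;

#define NCELLS 128
#define ZERO 0                      /* reserved cell, always 0 */

typedef struct {
    uint8_t cell[NCELLS];
    insn prog[1024];
    size_t n;
} machine;

static void emit(machine *m, enum bitop op, int dst, int a, int b) {
    m->prog[m->n++] = (insn){ op, dst, a, b };
}

/* NOT is not a primitive here; XNOR against the zero cell gives it. */
static void emit_not(machine *m, int dst, int a) { emit(m, OP_XNOR, dst, a, ZERO); }

/* The whole "CPU": walk the instruction list and apply each bit-op. */
static void run(machine *m) {
    for (size_t i = 0; i < m->n; i++) {
        const insn *in = &m->prog[i];
        uint8_t x = m->cell[in->a], y = m->cell[in->b], r;
        switch (in->op) {
        case OP_AND:  r = x & y; break;
        case OP_OR:   r = x | y; break;
        case OP_XOR:  r = x ^ y; break;
        default:      r = (x ^ y) ^ 1; break;   /* XNOR */
        }
        m->cell[in->dst] = r;
    }
}

/* Cell layout for the 8-bit demos (arbitrary choice): two inputs, one
 * output, a carry cell, three temporaries and a select bit. */
enum { A = 1, B = 9, OUT = 17, CARRY = 25, T1 = 26, T2 = 27, T3 = 28, SEL = 29 };

static void load8(machine *m, int base, uint8_t v) {
    for (int i = 0; i < 8; i++) m->cell[base + i] = (v >> i) & 1;
}
static uint8_t read8(const machine *m, int base) {
    uint8_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint8_t)(m->cell[base + i] << i);
    return v;
}

/* Ripple-carry adder from bit-ops only. Per bit:
 *   sum  = a ^ b ^ cin
 *   cout = (a & b) | (cin & (a ^ b))
 * Result wraps modulo 256, like an 8-bit register would. */
uint8_t add8(uint8_t x, uint8_t y) {
    machine m; memset(&m, 0, sizeof m);
    load8(&m, A, x); load8(&m, B, y);            /* CARRY starts at 0 */
    for (int i = 0; i < 8; i++) {
        emit(&m, OP_XOR, T1, A + i, B + i);      /* t1  = a ^ b        */
        emit(&m, OP_XOR, OUT + i, T1, CARRY);    /* sum = t1 ^ cin     */
        emit(&m, OP_AND, T2, A + i, B + i);      /* t2  = a & b        */
        emit(&m, OP_AND, T3, T1, CARRY);         /* t3  = t1 & cin     */
        emit(&m, OP_OR,  CARRY, T2, T3);         /* cout = t2 | t3     */
    }
    run(&m);
    return read8(&m, OUT);
}

/* Branch-free select: out = sel ? x : y. Applied to whole memory regions,
 * this is how a machine with no jump instruction still gets an "if". */
uint8_t mux8(int sel, uint8_t x, uint8_t y) {
    machine m; memset(&m, 0, sizeof m);
    load8(&m, A, x); load8(&m, B, y);
    m.cell[SEL] = sel ? 1 : 0;
    emit_not(&m, T1, SEL);                       /* t1 = !sel          */
    for (int i = 0; i < 8; i++) {
        emit(&m, OP_AND, T2, SEL, A + i);        /* t2 =  sel & x_i    */
        emit(&m, OP_AND, T3, T1, B + i);         /* t3 = !sel & y_i    */
        emit(&m, OP_OR,  OUT + i, T2, T3);
    }
    run(&m);
    return read8(&m, OUT);
}

int main(void) {
    printf("200 + 100 = %u (mod 256)\n", add8(200, 100));
    printf("mux(1, 0xAA, 0x55) = 0x%02X\n", mux8(1, 0xAA, 0x55));
    return 0;
}
```

Nothing here is specific to JBIG2; the point is that once a file format lets you pick an operator and three memory locations per step, the "program" is just a long list of such steps, and a compiler back end can emit that list from ordinary code.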

    2. 4

      The level of complexity and sheer brute force work required to pull this off is out of my comprehension. I’m from the age of NOP slides and simple buffer overflows with shellcode at the end of the NOP slide, or at most a ret2lib attack.

      This is just a whole two orders of magnitude away from that.

    3. 4

      All this makes me wonder what NSO’s OPSEC is like for their staff.
      Do they protect themselves against their own exploits?

      1. 3

        I don’t think so, at least not completely. First, for that every employee would need to vaguely know about every security exploit, which could lead to leaks. Second, Edward Snowden was able to leak a lot of data from the NSA fairly easily, which is in a similar situation. Maybe they have a list of things they will not hack, but then again this could easily be leaked and be used against them.

        1. 2

          First, for that every employee would need to vaguely know about every security exploit, which could lead to leaks.

          Not necessarily. They could just say something along the lines of “due to the nature of your work, our security policy specifies you must use the provided phone and laptop for all your work stuff, and you must leave your personal phone at home”. And to someone who works for a cybersec/hacking company - at any level - they’d just assume this is because of their sensitive work, and their clients, not because they themselves are targets?

          1. 2

            But which hardware and software would they use for work? Certainly nothing which they know a security exploit for (others could also discover it and use it against them). So if they only used hard- and software which is deemed “safe”, this would mean there exists a set of hard- and software which could be considered safe against their attacks. This is why the NSA invests more and more resources into enabling researchers to find bugs (Ghidra) and publish their exploits, so they get fixed. It’s the only way to be really safe.