I was repeatedly targeted by the threat actor from December 4th until January 24th. I never received any LPE. It surprised me so many people did, given the context. I’d like to offer some non-technical advice on how you can avoid becoming a victim of this specific type of attack:
First, the lure was a request for advice on weaponizing a DirectX Kernel 0day exploit.

Unless you know a researcher, it seems like a dubious choice to advise in the exploitation of an 0day. You never know what they’re going to be doing with it.

Secondly, given that nobody knew this researcher, I was shocked some people showed willingness to help.

Consider: how do you value your time and what was the intent of this 0day?

If you’re in the business of exploitation, giving an unknown actor free 0day help seems dangerous.

Now I know many folks here choose to engage in this line of work. That’s fine.

My next advice is around opsec.

Someone is offering you a free LPE because “they trust you”. Really? Someone you’ve never met “trusts you”? Does it not perhaps look like an ego lure for an 0day?

But say you fall for it, and someone is “trusting you” and giving you an 0day.

I repeatedly refused communication unless it was encrypted. The threat actor suggested all sorts of unencrypted or open channels that are dubious and unverified. They kept wanting to email me a ZIP.

If you’re in the business of giving free help to unknown researchers that are giving you 0day because “they trust you”, consider not relying on encrypted zip files.

Validate your other party. Phone, video, Skype, authenticated encrypted communication.

Not a ZIP file by email.

Because at the end of the day, whether you were just curious, or were hoping for a free 0day, or are just altruistic and wanted to help a fellow human, or ..., next time someone offers you a free 0day and you download a zip file by email — it won’t be a poorly run campaign.

Stay safe, friends. The world is a dark & scary place. Nothing comes for free, and when it does, there’s usually nothing good that comes with it.

You’re all talented, helpful, smart folk, regardless of your alignment on the exploit business spectrum — don’t fall for free 0day 💜

Some will choose to read this as “I’m better than you because I didn’t get phished”. I’m not. I fall for lures all the time. I’ve even run RATs on my system before. Others like @halvarflake didn’t fall for this either. I’m sharing what was successful for me, in this context.
You can follow @aionescu.