(in)sicurezza digitale

2026-05-08 18:21:50

Cyberspionaggio iranian-nexus contro l’Oman: 12 ministeri colpiti, 26.000 record esfiltrati, server C2 lasciato aperto negli Emirati

Un server di staging lasciato in bella vista su internet ha permesso ai ricercatori di Hunt.io di ricostruire un’intera operazione di cyberspionaggio contro il governo dell’Oman. Dietro l’attacco si intravede la firma di un attore con nexus iraniano: 12 ministeri colpiti, oltre 26.000 record di cittadini esfiltrati, e un arsenale di strumenti personalizzati che punta direttamente al Ministero della Giustizia di Muscat.

Il server lasciato aperto: come è stata scoperta l’operazione

La maggior parte degli operatori offensivi ha cura di mantenere il proprio server di staging fuori dalla visibilità pubblica. Questo no. Il server all’indirizzo 172.86.76[.]127, un VPS RouterHosting con sede negli Emirati Arabi Uniti, è stato individuato dagli scanner AttackCapture di Hunt.io l’8 aprile 2026 sulla porta 8000, con una seconda directory esposta sulla porta 8002 catturata il 10 aprile. L’open directory conteneva in chiaro toolkit d’attacco, codice C2, session log, e dati esfiltrati — un errore operativo che ha aperto una finestra eccezionale sull’intera campagna.

L’IP risolve in un unico dominio: dubai-10.vaermb[.]com, registrato in maggio 2025 tramite NameSilo. Il pattern di naming suggerisce l’esistenza di infrastruttura aggiuntiva — un cluster denominato dubai-# sullo stesso ASN che ospita media iraniani della diaspora contraffatti e diversi domini .ir, fornendo un utile contesto geopolitico sull’operatore.

I bersagli: dodici entità governative omanite

La prima directory (porta 8000) rivelava la fase di ricognizione e initial access, con tentativi contro almeno quattro entità governative omanite. La seconda directory (porta 8002), con 211 file e 17 sottodirectory per un totale di 110 MB, rappresentava l’ambiente operativo del C2 — strutturato, organizzato per funzione, con cartelle dedicate per ogni obiettivo.

L’analisi degli script Python nella cartella /scripts/gov.om/ ha permesso di mappare i target all’interno dell’ecosistema governativo omanita:

• Ministero della Giustizia e degli Affari Legali (mjla.gov.om) — Target primario, con webshell deployata su mersaltest.mjla.gov[.]om
• Royal Oman Police — Portal eVisa (evisa.rop.gov.om): brute force su credenziali
• Royal Fleet of Oman — Server mail (mail.rfo.gov.om): sfruttamento ProxyShell
• Tax Authority of Oman — Server mail (email.taxoman.gov.om): sfruttamento ProxyShell
• State Audit Institution — Piattaforma formativa SAILMS: brute force
• Ulteriori ministeri inclusi: Autorità per l’Aviazione Civile, Ufficio del Pubblico Ministero, Ministero delle Finanze

La catena di attacco: webshell, ProxyShell e SQL escalation

L’accesso iniziale al Ministero della Giustizia è avvenuto con ogni probabilità sfruttando CVE-2025-32372, una vulnerabilità SSRF in DotNetNuke (DNN) nelle versioni precedenti alla 9.13.8 — il CMS su cui girano i portali ministeriali omaniti. Gli undici script Python dedicati al MJLA referenziano tutti in modo hardcoded la webshell health_check_t.aspx tramite il percorso /Portals/0/, la directory di storage predefinita di DNN.

La seconda webshell recuperata direttamente dal server C2, denominata hc2.aspx, è un classico web shell ASP.NET che accetta comandi tramite il parametro c ed esegue tramite cmd.exe, restituendo l’output come testo plain. In assenza di parametri, esegue automaticamente whoami /all && hostname && ipconfig — restituendo identità, hostname e configurazione di rete.

Contro i server Microsoft Exchange della Royal Fleet e della Tax Authority, gli operatori hanno utilizzato la catena ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Per il pivot e l’escalation all’interno della rete MJLA, gli script evidenziano l’uso di tecniche di privilege escalation su SQL Server e di un payload a esecuzione riflessa (reflective execution variant).

Il README.txt trovato sul server C2 — denominato “VPS C2 – 172.86.76[.]127” — conteneva porte listener, template per reverse shell, comandi di esfiltrazione e path SCP che puntavano a /opt/c2/loot/. Questo documento suggerisce che il server UAE fosse solo uno dei nodi di un’infrastruttura più ampia non ancora identificata.

I dati esfiltrati: giustizia, identità e segreti di Stato

L’entità dell’esfiltrazione è significativa sia quantitativamente che qualitativamente. Dal Ministero della Giustizia sono stati estratti:

• Oltre 26.000 record utente dall’applicazione DotNetNuke del MJLA, inclusi indirizzi email del personale e credenziali
• Dati di casi giudiziari attivi e storici
• Decisioni di commissioni governative e dati di certificazione di esperti
• Hive del registro Windows (SAM e SYSTEM) — che contengono gli hash delle password di sistema, utilizzabili per ulteriori movimenti laterali

I session log presenti sul server C2 confermano sessioni operative attive fino al 10 aprile 2026, dimostrando che la compromissione era ancora in corso al momento della scoperta da parte di Hunt.io.

L’attribuzione: il nexus iraniano e la continuità delle operazioni

Hunt.io non attribuisce esplicitamente la campagna a un gruppo specifico, ma i marker sono coerenti con attori Iranian-nexus. Nel 2025, un gruppo allineato all’Iran e collegato al Ministero dell’Intelligence e della Sicurezza (MOIS) aveva compromesso una mailbox del Ministero degli Affari Esteri omanita a Parigi, utilizzandola come launchpad per inviare email di spear phishing ad ambasciate e organizzazioni internazionali nel mondo. La campagna attuale inverte il vettore: questa volta l’Oman non è la piattaforma di lancio, ma il bersaglio diretto, con focus specifico su dati giudiziari, sistemi di immigrazione e identità dei cittadini.

L’infrastruttura adiacente sullo stesso ASN — che ospita media iraniani della diaspora contraffatti e domini .ir — aggiunge contesto alla collocazione geopolitica dell’operatore. Il pattern di targeting (sistemi giudiziari, forze dell’ordine, finanze pubbliche) è coerente con le priorità di intelligence degli apparati statali iraniani nei confronti dei paesi del Golfo.

Due righe per i difensori

Il caso dell’Oman illustra due lezioni critiche per i team di difesa. Prima di tutto, la gestione dell’infrastruttura di staging è essa stessa una superficie di attacco: server di C2 male configurati possono esporre l’intera operazione e fornire preziosi indicatori ai difensori. In secondo luogo, la longevità delle vulnerabilità come ProxyShell — pubblicamente nota dal 2021 — dimostra che molte organizzazioni governative non dispongono di processi di patching adeguati per i sistemi esposti a internet.

Per le organizzazioni che operano in settori sensibili nei paesi del Golfo o che collaborano con entità governative omanite, si raccomanda di verificare immediatamente le versioni di DotNetNuke deployate, controllare la presenza di webshell nei path /Portals/0/ dei CMS DNN, e monitorare la comunicazione verso l’IP 172.86.76[.]127 e il dominio dubai-10.vaermb[.]com.

Indicatori di Compromissione (IoC)

# Iranian-Nexus Oman Government Intrusion - IoC
## Infrastructure
IP: 172.86.76[.]127 (RouterHosting VPS, UAE)
Domain: dubai-10.vaermb[.]com (registrato 2025-05-04, NameSilo)
Cluster: dubai-[N].vaermb[.]com (additional nodes suspected)
C2 path: /opt/c2/loot/
## Targets Compromised
mersaltest.mjla.gov[.]om (primary C2 access point, Ministry of Justice)
evisa.rop.gov[.]om (Royal Oman Police)
mail.rfo.gov[.]om (Royal Fleet of Oman)
email.taxoman.gov[.]om (Tax Authority of Oman)
sailms.gov[.]om (State Audit Institution)
## Webshells
health_check_t.aspx (deployed on MJLA DNN portal, /Portals/0/)
hc2.aspx (recovered from C2 server)
## C2 Files
c2_fixed.py
c2_fixed_v2.py
README.txt (infrastructure reference document)
proxyshell_01.sh
evisa_cookies.txt
## Vulnerabilities Exploited
CVE-2025-32372 - DotNetNuke SSRF (versions before 9.13.8)
CVE-2021-34473 - ProxyShell (Microsoft Exchange)
CVE-2021-34523 - ProxyShell (Microsoft Exchange)
CVE-2021-31207 - ProxyShell (Microsoft Exchange)
## Tunneling Tool
Chisel (encrypted tunnel through firewalls, components in /payloads)
## MITRE ATT&CK TTPs
T1190 - Exploit Public-Facing Application (DNN SSRF, ProxyShell)
T1505.003 - Web Shell
T1003.002 - OS Credential Dumping: SAM (registry hives SAM+SYSTEM)
T1059 - Command Scripting (Python scripts, cmd.exe via webshell)
T1083 - File and Directory Discovery
T1119 - Automated Collection
T1020 - Automated Exfiltration
## Last Active Session
April 10, 2026 (C2 log timestamps)

404 Media

2026-05-08 16:57:36

University Claims Withholding Water From Nuclear Weapons Data Center Is 'Unlawfully Discriminatory' to Data Centers

The University of Michigan has sent a legal threat over a yearlong pause that would prevent water hookup to a proposed nuclear weapons research and AI data center. Los Alamos National Laboratory and the University of Michigan are looking to build a $1.2 billion, 220,000 square foot data center in Ypsitlanti Township. On April 22, the Ypsilanti Community Utility Authority (YCUA) passed a 365-day moratorium on the delivery of water to hyperscale data centers in the area while it conducted environmental sustainability and long-term water use studies.

As first reported by MLive, the University hand delivered and emailed a legal threat to the YCUA on April 21, the day before it was to vote on the proposed water moratorium. According to a copy of the letter obtained by 404 Media, the university feels the moratorium is “unlawfully discriminatory” against data centers and it promised to pursue “all rights and claims for relief” if its demands weren’t met.
playlist.megaphone.fm?p=TBIEA2…
Luther Blackburn, YCUA’s executive director, told 404 Media that the organization had no comment on potential or pending litigation, but did confirm that he’d received a legal communication from the university. “YCUA staff are working on a Request for Proposal to complete the investigations and studies outlined in the moratorium,” he said. “I believe YCUA has acted lawfully and in accordance with industry best practices by issuing the moratorium.”

The university disagreed. “The University objects to any such sector-specific moratorium which would be legally invalid because, among other defects, it would be unrelated to any documented utility or public health needs,” the letter said, according to a copy obtained by 404 Media. “As a threshold matter, a moratorium on utility service is permissible only when linked to legitimate utility considerations such as documented capacity constraints, public health issues, or genuine financing challenges.”
embed.documentcloud.org/docume…
The University argued, citing various legal precedents, that the courts will not be on Ypsilanti’s side and claimed that the area has plenty of water. “The record contains no evidence supporting any such YCUA capacity constraint,” the letter said. “To the contrary, YCUA’s leadership has publicly stated that serving the University’s proposed facility would not affect the authority’s ability to provide or treat water.”

The letter quoted Blackburn as saying he had confirmed in 2025 that the data center’s proposed use of 200,000 gallons a day were within YCUA’s 8-10 million gallon per day capacity. “In addition, YCUA leadership has stated that serving the University's project would likely help mitigate overall utility costs by improving efficiency and cost distribution,” the letter said.

Sean Knapp, the YCUA’s director of service operations, told Planet Detroit last year that the YCUA is operating below capacity at the moment. “Adding the data center as a customer would help mitigate overall costs by improving efficiency and cost distribution,” he said at the time.

After saying it was illegal for the Ypsilanti community to not give it water, the University claimed the moratorium discriminated against data centers. “Beyond the above legal deficiencies, the proposed moratorium is pretextual and unlawfully discriminatory because it singles out ‘data centers’ by label rather than by utility impact,” the letter said. “It is discriminatory to permit other users to connect and consume currently available capacity while the utility conducts undefined studies to determine whether there is sufficient capacity for the University’s proposed facility.”

The University then asked the YCUA not to pass a moratorium and promised to “pursue” the matter. “The University respectfully requests that YCUA refuse to issue any sector-specific moratorium, instead basing any service decisions on documented utility factors, applied evenhandedly through existing permitting and technical review processes,” the letter said. “If these legal requirements are not followed by YCUA, the University reserves the right to pursue all rights and claims for necessary relief.”

The University of Michigan did not return 404 Media’s request for comment.

Ypsilanti Township has been fighting the proposed datacenter for more than a year now. Data centers are wildly unpopular in the United States. They often cause noise pollution, affect water quality, and drive up utility bills for their neighbors. Local opposition to the Ypsilanti Township data center has been compounded by its connection to America’s nuclear weapons industry.

Ypsilanti Township residents speak out against University of Michigan's ‘biggest, baddest’ data center

The $1.2 billion data center project by the University of Michigan in Ypsilanti Township sparks worries about water consumption, surveillance, and noise.

^{Brian Allnutt (Planet Detroit)}

404 Media

2026-05-08 16:03:52

Behind the Blog: Storage Woes and RSS

This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss storage, RSS, and a big reporting project.

JOSEPH: In an earlier BTB I mentioned the pain of obtaining cryptocurrency in 2026. Well, that was in service for the article we published this week called ‘HELLO BOSS’: Inside the Chinese Realtime Deepfake Software Powering Scams Around the World. This has been a long time coming. As you can read in the piece, it took weeks, eventually more than a month really, to get the people to sell me the software and for us to test it.

I wanted to talk about my opinion on the ethics around a story like this. This is not a science. Many journalists have a different view on all sorts of different techniques or conduct. But these are my thoughts.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

Behind the Blog: Storage Woes and RSS

^{Samantha Cole (404 Media)}

404 Media

2026-05-08 15:50:03

'The Biggest Student Data Privacy Disaster in History': Canvas Hack Shows the Danger of Centralized EdTech

Thursday afternoon, millions of students at thousands of universities and K-12 schools were locked out of Canvas, a piece of catch-all education technology software that has become the de facto core of many classes. ShinyHunters, a ransomware group, hacked Canvas’s parent company and apparently stole “billions” of messages and accessed more than 275 million individuals’ data, according to the hacking group. The group also locked students out of Canvas.

Later Thursday, Instructure, which makes Canvas, was able to mostly put Canvas back online; it is not clear if the company paid a ransom or not. The breach demonstrates the danger in centralizing the educational and personal data of millions of students in a single service. Canvas is essentially a portal where teachers post assignments and lectures, have discussion boards, and students can message with each other and their teachers and connect with other pieces of education tech software.

Instructure noted on an incident update page that the stolen data includes “certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers, and messages among Canvas users.” Instructure also noted that it was breached twice—once on April 29 and again on Thursday.

Soon after the hack, I called up Ian Linkletter, a digital librarian specializing in emerging education tech, to talk about the implications of the breach. Linkletter has worked in education tech for 20 years and over the last few years has become known for exposing privacy concerns in Proctorio, a remote test proctoring software that rose to prominence during the early days of the COVID-19 pandemic. Linkletter was sued by Proctorio but eventually the case was dropped.

Linkletter told me the Canvas hack is “the biggest student data privacy disaster in history” in part because of its scale and the sensitive nature of what was stolen. This is my conversation with Linkletter, which has been lightly condensed.

404 Media: What do we know about the hack so far?
Linkletter: At about 1:20 PM [Pacific, Thursday], people started posting screenshots to Reddit of this breach message that they got. Some institutions were cautioning people to change their passwords if they were logged in, right now it just seems like people are in panic mode, some senior administration at schools are in meetings talking about whether they need to cancel finals next week. It’s just the implications are on everything because schools are reliant on this learning management system for everything—communications, grading, finals, everything.

In your email to me, you said you've worked in EdTech for 20 years and you said this is the biggest student data privacy disaster in history. I'm curious what sort of made you frame it that way.
I supported Blackboard [a similar piece of tech] way back in the day and I supported Canvas from about 2017 to 2022 when I worked at the University of British Columbia. And what I was there for when we switched to Canvas in 2017 was the shift from like these scrappy little self-hosted learning management system apps that would be on Canadian servers to this centralized, all eggs-in-one basket faith in a U.S. tech company. This idea that our data would be just as safe with them as it was when we had it. And because this move to the cloud happened so suddenly about 10 years ago, all of a sudden data got centralized. The only way that I can think of that this type of hack where everything went down, where so much was stolen would be if Instructure had access to everybody's data, which doesn't seem necessary. For it to be just so widespread across every customer is something that, like, [we’ve] never seen before.

Because the contents of messages got leaked, it’s really easy for phishing attacks to get customized. Like, Canvas got hacked [...] and continuing our conversation type of thing, you can get some really personal information from people. And that's also new.

I can also imagine messages between students and teachers to be pretty sensitive.
I supported instructors that used Canvas. And so I would hear these stories like, and they're on like the professor’s subreddit and stuff too, like students are telling you that people died [to explain absences]. There's personal circumstances, medical circumstances, accessibility accommodations, disputes, sexual assault allegations, like all sorts of stuff would be getting reported to the instructor using Canvas. If that information is out across hundreds of millions of people, there's a lot of harm that's going to happen.

What will you be kind of monitoring as this plays out?
My biggest concern right now is monitoring the institutional response. I feel very strongly that students should have been warned about this like days ago. And it just took this second hack where students got something in their face notifying them that really made schools respond. So I believe that students need to be warned or else they're going to get harmed. And the longer schools wait to tell students about what’s going on, even the little that they know, the more stress and chaos and potential risk to student privacy and safety is at stake.

He got sued for sharing public YouTube videos; nightmare ended in settlement

Librarian vows to stop invasive ed tech after ending lawsuit with Proctorio.

^{Ashley Belanger (Ars Technica)}

Hannah Grace

2026-05-08 09:53:39

Excited to announce that the @EUCommission has updated it's follow buttons on the website footer!
What's that first platform there? Could that be #Mastodon?
And where did the link to #X go?
All the posts and comments here on Mastodon calling for this, trust me we read them!

#SocialMedia #EU #EuropeanCommission #FollowUs