La sicurezza degli endpoint è diventata una priorità per le aziende, soprattutto con la diffusione del lavoro distribuito. Questo approfondimento esplora le principali minacce informatiche e le strategie di difesa più efficaci, con un focus sulle soluzioni EPP ed EDR per una protezione avanzata.

L'articolo Endpoint security: cos’è e come si applica alla sicurezza informatica proviene da Cyber Security 360.

Hello to the whole group @Friendica Support

I noticed that the publication of Friendica posts on Bluesky has radically worsened.

Sometimes the messages are brutally cut off; other times, what remains of the message is a residue that is difficult to recognize; but the main problem is that often nothing is published!

I would like to understand if it is a problem with my account, a problem with my instance, or if it is a more widespread problem that has also involved other users and other instances

Update 06.02.2025: Apple removed malicious apps from the App Store.

In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases. The search employed an OCR model which selected images on the victim’s device to exfiltrate and send to the C2 server. The campaign, which targeted Android and Windows users, saw the malware spread through unofficial sources. In late 2024, we discovered a new malware campaign we dubbed “SparkCat”, whose operators used similar tactics while attacking Android and iOS users through both official and unofficial app stores. Our conclusions in a nutshell:

• We found Android and iOS apps, some available in Google Play and the App Store, which were embedded with a malicious SDK/framework for stealing recovery phrases for crypto wallets. The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple’s App Store.
• The Android malware module would decrypt and launch an OCR plug-in built with Google’s ML Kit library, and use that to recognize text it found in images inside the gallery. Images that matched keywords received from the C2 were sent to the server. The iOS-specific malicious module had a similar design and also relied on Google’s ML Kit library for OCR.
• The malware, which we dubbed “SparkCat”, used an unidentified protocol implemented in Rust, a language untypical of mobile apps, to communicate with the C2.
• Judging by timestamps in malware files and creation dates of configuration files in GitLab repositories, SparkCat has been active since March 2024.

A malware SDK in Google Play apps

The first app to arouse our suspicion was a food delivery app in the UAE and Indonesia, named “ComeCome” (APK name: com.bintiger.mall.android), which was available in Google Play at the time of the research, with more than 10,000 downloads.

The onCreate method in the Application subclass, which is one of the app’s entry points, was overridden in version 2.0.0 (f99252b23f42b9b054b7233930532fcd). This method initializes an SDK component named “Spark”. It was originally obfuscated, so we statically deobfuscated it before analyzing.

Suspicious SDK being called

Spark is written in Java. When initialized, it downloads a JSON configuration file from a GitLab URL embedded in the malware body. The JSON is decoded with base64 and then decrypted with AES-128 in CBC mode.

The config from GitLab being decrypted

If the SDK fails to retrieve a configuration, the default settings are used.

We managed to download the following config from GitLab:
{
"http": ["https://api.aliyung.org"],
"rust": ["api.aliyung.com:18883"],
"tfm": 1
}
The “http” and “rust” fields contain SDK-specific C2 addresses, and the tfm flag is used to select a C2. With tfm equal to 1, “rust” will be used as the C2, and “http” if tfm has any other value.

Spark uses POST requests to communicate with the “http” server. It encrypts data with AES-256 in CBC mode before sending and decrypts server responses with AES-128 in CBC mode. In both cases, the keys are hard-coded constants.

The process of sending data to “rust” consists of three stages:

• Data is encrypted with AES-256 in CBC mode using the same key as in the case of the “http” server.
• The malware generates a JSON, where <PATH> is the data upload path and <DATA> is the encrypted data from the previous stage.
  {
  "path": "upload@<PATH>",
  "method": "POST",
  "contentType": "application/json",
  "data": "<DATA>"
  }
• The JSON is sent to the server with the help of the native libmodsvmp.so library via the unidentified protocol over TCP sockets. Written in Rust, the library disguises itself as a popular Android obfuscator.

Static analysis of the library wasn’t easy, as Rust uses a non-standard calling convention and the file had no function names in it. We managed to reconstruct the interaction pattern after running a dynamic analysis with Frida. Before sending data to the server, the library generates a 32-byte key for the AES-GCM-SIV cipher. With this key, it encrypts the data, pre-compressed with ZSTD. The algorithm’s nonce value is not generated and set to “unique nonce” (sic) in the code.

Extending the AES key using the hard-coded nonce value

The AES key is encrypted with RSA and is then also sent to the server. The public key for this RSA encryption is passed when calling a native method from the malicious SDK, in PEM format. The message is padded with 224 random bytes prior to AES key encryption. Upon receiving the request, the attackers’ server decrypts the AES key with a private RSA key, decodes the data it received, and then compresses the response with ZSTD and encrypts it with the AES-GCM-SIV algorithm. After being decrypted in the native library, the server response is passed to the SDK where it undergoes base64 decoding and decryption according to the same principle used for communication with the “http” server. See below for an example of communication between the malware module and the “rust” server.

An example of communication with the “rust” server

Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread. It uses XOR with a 16-byte key for a cipher.

A payload being decrypted

The payload (c84784a5a0ee6fedc2abe1545f933655) is a wrapper for the TextRecognizer interface in Google’s ML Kit library. It loads different OCR models depending on the system language to recognize Latin, Korean, Chinese or Japanese characters in images. The SDK then uploads device information to /api/e/d/u on the C2 server. The server responds with an object that controls further malware activities. The object is a JSON file, its structure shown below. The uploadSwitch flag allows the malware to keep running (value 1).
{
"code": 0,
"message": "success",
"data": {
"uploadSwitch": 1,
"pw": 0,
"rs": ""
}
}
The SDK then registers an application activity lifecycle callback. Whenever the user initiates a chat with the support team, implemented with the legitimate third-party Easemob HelpDesk SDK, the handler requests access to the device’s image gallery. If the pw flag in the aforementioned object is equal to 1, the module will keep requesting access if denied. The reasoning behind the SDK’s request seems sound at first: users may attach images when contacting support.

The reason given when requesting read access to the gallery

If access is granted, the SDK runs its main functionality. This starts with sending a request to /api/e/config/rekognition on the C2 and getting parameters for processing OCR results in a response.
{
"code": 0,
"message": "success",
"data": {
"letterMax": 34,
"letterMin": 2,
"enable": 1,
"wordlistMatchMin": 9,
"interval": 100,
"lang": 1,
"wordMin": 12,
"wordMax": 34
}
}
These parameters are used by processor classes that filter images by OCR-recognized words. The malware also requests a list of keywords at /api/e/config/keyword for KeywordsProcessor, which uses these to select images to upload to the C2 server.

Searching for keywords among OCR image processing results

Besides KeywordsProcessor, the malware contains two further processors: DictProcessor and WordNumProcessor. The former filters images using localized dictionaries stored decrypted inside rapp.binary in the assets, and the latter filters words by length. The letterMin and letterMax parameters for each process define the permitted range of word length. For DictProcessor, wordlistMatchMin sets a minimum threshold for dictionary word matches in an image. For WordNumProcessor, wordMin and wordMax define the acceptable range for the total number of recognized words. The rs field in the response to the request for registering an infected device controls which processor will be used.

Images that match the search criteria are downloaded from the device in three steps. First, a request containing the image’s MD5 hash is sent to /api/e/img/uploadedCheck on the C2. Next, the image is uploaded to either Amazon’s cloud storage or to file@/api/res/send on the “rust” server. After that, a link to the image is uploaded to /api/e/img/rekognition on the C2. So, the SDK, designed for analytics as suggested by the package name com.spark.stat, is actually malware that selectively steals gallery content.

Uploading an image link

We asked ourselves what kind of images the attackers were looking for. To find out, we requested from the C2 servers a list of keywords for OCR-based search. In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. The terms all indicated that the attackers were financially motivated, specifically targeting recovery phrases also known as “mnemonics” that can be used to regain access to cryptocurrency wallets.
{
"code": 0,
"message": "success",
"data": {
"keywords": ["助记词", "助記詞", "ニーモニック", "기억코드", "Mnemonic",
"Mnemotecnia", "Mnémonique", "Mnemonico", "Mnemotechnika", "Mnemônico",
"클립보드로복사", "복구", "단어", "문구", "계정", "Phrase"]
}
}
Unfortunately, ComeCome was not the only app we found embedded with malicious content. We discovered a number of additional, unrelated apps covering a variety of subjects. Combined, these apps had been installed over 242,000 times at the time of writing this, and some of them remained accessible on Google Play. A full inventory can be found under the Indicators of Compromise section. We alerted Google to the presence of infected apps in its store.

Popular apps containing the malicious payload

Furthermore, our telemetry showed that malicious apps were also being spread through unofficial channels.

SDK features could vary slightly from app to app. Whereas the malware in ComeCome only requested permissions when the user opened the support chat, in some other cases, launching the core functionality acted as the trigger.

One small detail…

As we analyzed the trojanized Android apps, we noticed how the SDK set deviceType to “android” in device information it was sending to the C2, which suggested that a similar Trojan existed for other platforms.

Collecting information about an infected Android device

A subsequent investigation uncovered malicious apps in App Store infected with a framework that contained the same Trojan. For instance, ComeCome for iOS was infected in the same way as its Android version. This is the first known case of an app infected with OCR spyware being found in Apple’s official app marketplace.

The ComeCome page in the App Store

Negative user feedback about ComeCome

Malicious frameworks in App Store apps

We detected a series of apps embedded with a malicious framework in the App Store. We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers. Some of the apps, such as food delivery services, appeared to be legitimate, whereas others apparently had been built to lure victims. For example, we saw several similar AI-featured “messaging apps” by the same developer:

Messaging apps in the App Store designed to lure victims

Besides the malicious framework itself, some of the infected apps contained a modify_gzip.rb script in the root folder. It was apparently used by the developers to embed the framework in the app:

The contents of modify_gzip.rb

The framework itself is written in Objective-C and obfuscated with HikariLLVM. In the apps we detected, it had one of three names:

1. GZIP;
2. googleappsdk;
3. stat.

As with the Android-specific version, the iOS malware utilized the ML Kit interface, which provided access to a Google OCR model trained to recognize text and a Rust library that implemented a custom C2 communication protocol. However, in this case, it was embedded directly into the malicious executable. Unlike the Android version, the iOS framework retained debugging symbols, which allowed us to identify several unique details:

• The lines reveal the paths on the framework creators’ device where the project was stored, including the user names:
  
  • /Users/qiongwu/: the project author’s home directory
  • /Users/quiwengjing/: the Rust library creator’s home directory

  
  

• The C2-rust communication module was named im_net_sys. Besides the client, it contains code that the attackers’ server presumably uses to communicate with victims.
• The project’s original name is GZIP.

Project details from code lines in the malicious framework

The framework contains several malicious classes. The following are of particular interest:

• MMMaker: downloads a configuration and gathers information about the device.
• ApiMgr: sends device data.
• PhotoMgr: searches for photos containing keywords on the device and uploads them to the server.
• MMCore: stores information about the C2 session.
• MMLocationMgr: collects the current location of the device. It sent no data during our testing, so the exact purpose of this class remained unclear.

Certain classes, such as MMMaker, could be missing or bear a different name in earlier versions of the framework, but this didn’t change the malware’s core functionality.

Obfuscation significantly complicates the static analysis of samples, as strings are encrypted and the program’s control flow is obscured. To quickly decrypt the strings of interest, we opted for dynamic analysis. We ran the application under Frida and captured a dump of the _data section where these strings were stored. What caught our attention was the fact that the app bundleID was among the decrypted data:

com.lc.btdj: the ComeCome bundleID as used in the +[MMCore config] selector

As it turned out, the framework also stored other app bundle identifiers used in the +[MMCore config] selector. Our takeaways are as follows:

1. The Trojan can behave differently depending on the app it is running in.
2. There are more potentially infected apps than we originally thought.

For the full list of bundle IDs we collected from decrypted strings in various framework samples, see the IoC section. Some of the apps associated with these IDs had been removed from the App Store at the time of the investigation, whereas others were still there and contained malicious code. Some of the IDs on the list referred to apps that did not contain the malicious framework at the time of this investigation.

As with the Android-specific version, the Trojan implements three modes of filtering OCR output: keywords, word length, and localized dictionaries stored in encrypted form right inside the framework, in a “wordlists” folder. Unfortunately, we were unable to ascertain that the malware indeed made use of the last method. None of the samples we analyzed contained links to the dictionaries or accessed them while running.

Sending selected photos containing keywords is a key step in the malicious framework’s operation. Similar to the Android app, the Trojan requests permission to access the gallery only when launching the View Controller responsible for displaying the support chat. At the initialization stage, the Trojan, depending on the application it is running in, replaces the viewDidLoad or viewWillAppear method in the relevant controller with its own wrapper that calls the method +[PhotoMgr startTask:]. The latter then checks if the application has access to the gallery and requests it if needed. Next, if access is granted, PhotoMgr searches for photos that match sending criteria among those that are available and have not been processed before.

The code snippet of the malicious wrapper around the viewDidLoad method that determines which application the Trojan is running in

Although it took several attempts, we managed to make the app upload a picture to Amazon’s cloud and then send information about it to the attackers’ server. The app was using HTTPS to communicate with the server, not the custom “rust” protocol:

The communication with the C2 and upload to AWS

The data being sent looks as follows:
POST /api/e/img/uploadedCheck
{
"imgSign": <imgMD5>,
"orgId": <implantId>,
"deviceId": <deviceUUID>
}

POST api/e/img/rekognition
{
"imgUrl": "https://dmbucket102.s3.ap-northeast-
1.amazonaws.com/"<app_name>_<device_uuid>"/photo_"<timestamp>".jpg",
"deviceName": "ios",
"appName": <appName>,
"deviceUUID": <deviceUUID>,
"imgSign": <imgMD5>,
"imgSize": <imgSize>,
"orgId":<implantId>,
"deviceChannel": <iphoneModel>,
"keyword":<keywordsFoundOnPicture>,
"reksign":<processor type>
}
The oldest version of the malicious framework we were investigating was built on March 15, 2024. While it doesn’t differ significantly from newer versions, this one contains more unencrypted strings, including API endpoints and a single, hardcoded C2 address. Server responses are received in plaintext.

URLs hard-coded into the oldest version of the malicious framework

File creation date in the app

Campaign features

While analyzing the Android apps, we found that the word processor code contained comments in Chinese. Error descriptions returned by the C2 server in response to malformed requests were also in Chinese. These, along with the name of the framework developer’s home directory which we obtained while analyzing the iOS-specific version suggest that the creator of the malicious module speaks fluent Chinese. That being said, we have insufficient data to attribute the campaign to a known cybercrime gang.

Our investigation revealed that the attackers were targeting crypto wallet recovery phrases, which were sufficient for gaining full control over a victim’s crypto wallet to steal the funds. It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots. Multiple OCR results processing modes mitigate the effects of model errors that could affect the recognition of access recovery phrase images if only keyword processing were used.

Our analysis of the malicious Rust code inside the iOS frameworks revealed client code for communicating with the “rust” server and server-side encryption components. This suggests that the attackers’ servers likely also use Rust for protocol handling.

Server-side private RSA key import

We believe that this campaign is targeting, at a minimum, Android and iOS users in Europe and Asia, as indicated by the following:

• The keywords used were in various languages native to those who live in European and Asian countries.
• The dictionaries inside assets were localized in the same way as the keywords.
• Some of the apps apparently operate in several countries. Some food delivery apps support signing up with a phone number from the UAE, Kazakhstan, China, Indonesia, Zimbabwe and other countries.

We suspect that mobile users in other regions besides Europe and Asia may have been targeted by this malicious campaign as well.

One of the first malicious modules that we started our investigation with was named “Spark”. The bundle ID of the malicious framework itself, “bigCat.GZIPApp”, caught our attention when we analyzed the iOS-specific Trojan. Hence the name, “SparkCat”. The following are some of the characteristics of this malware:

• Cross-platform compatibility;
• The use of the Rust programming language, which is rarely found in mobile apps;
• Official app marketplaces as a propagation vector;
• Stealth, with C2 domains often mimicking legitimate services and malicious frameworks disguised as system packages;
• Obfuscation, which hinders analysis and detection.

Conclusion

Unfortunately, despite rigorous screening by the official marketplaces and general awareness of OCR-based crypto wallet theft scams, the infected apps still found their way into Google Play and the App Store. What makes this Trojan particularly dangerous is that there’s no indication of a malicious implant hidden within the app. The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance. The malware also runs quite stealthily. This case once again shatters the myth that iOS is somehow impervious to threats posed by malicious apps targeting Android. Here are some tips that can help you avoid becoming a victim of this malware:

• If you have one of the infected apps installed on your device, remove it and avoid reinstalling until a fix is released.
• Avoid storing screenshots with sensitive information, such as crypto wallets recovery phrases, in the gallery. You can store passwords, confidential documents and other sensitive information in special apps.
• Use a robust security product on all your devices.

Our security products return the following verdicts when detecting malware associated with this campaign:

• HEUR:Trojan.IphoneOS.SparkCat.*
• HEUR:Trojan.AndroidOS.SparkCat.*

Indicators of compromise

Infected Android apps
0ff6a5a204c60ae5e2c919ac39898d4f
21bf5e05e53c0904b577b9d00588e0e7
a4a6d233c677deb862d284e1453eeafb
66b819e02776cb0b0f668d8f4f9a71fd
f28f4fd4a72f7aab8430f8bc91e8acba
51cb671292eeea2cb2a9cc35f2913aa3
00ed27c35b2c53d853fafe71e63339ed
7ac98ca66ed2f131049a41f4447702cd
6a49749e64eb735be32544eab5a6452d
10c9dcabf0a7ed8b8404cd6b56012ae4
24db4778e905f12f011d13c7fb6cebde
4ee16c54b6c4299a5dfbc8cf91913ea3
a8cd933b1cb4a6cae3f486303b8ab20a
ee714946a8af117338b08550febcd0a9
0b4ae281936676451407959ec1745d93
f99252b23f42b9b054b7233930532fcd
21bf5e05e53c0904b577b9d00588e0e7
eea5800f12dd841b73e92d15e48b2b71

iOS framework MD5s:
35fce37ae2b84a69ceb7bbd51163ca8a
cd6b80de848893722fa11133cbacd052
6a9c0474cc5e0b8a9b1e3baed5a26893
bbcbf5f3119648466c1300c3c51a1c77
fe175909ac6f3c1cce3bc8161808d8b7
31ebf99e55617a6ca5ab8e77dfd75456
02646d3192e3826dd3a71be43d8d2a9e
1e14de6de709e4bf0e954100f8b4796b
54ac7ae8ace37904dcd61f74a7ff0d42
caf92da1d0ff6f8251991d38a840fb4a
db128221836b9c0175a249c7f567f620

Trojan configuration in GitLab
hxxps://gitlab[.]com/group6815923/ai/-/raw/main/rel.json
hxxps://gitlab[.]com/group6815923/kz/-/raw/main/rel.json

C2
api.firebaseo[.]com
api.aliyung[.]com
api.aliyung[.]org
uploads.99ai[.]world
socket.99ai[.]world
api.googleapps[.]top

Photo storage
hxxps://dmbucket102.s3.ap-northeast-1.amazonaws[.]com

Names of Infected Android APKs from Google Play
com.crownplay.vanity.address
com.atvnewsonline.app
com.bintiger.mall.android
com.websea.exchange
org.safew.messenger
org.safew.messenger.store
com.tonghui.paybank
com.bs.feifubao
com.sapp.chatai
com.sapp.starcoin

BundleIDs encrypted inside the iOS frameworks
im.pop.app.iOS.Messenger
com.hkatv.ios
com.atvnewsonline.app
io.zorixchange
com.yykc.vpnjsq
com.llyy.au
com.star.har91vnlive
com.jhgj.jinhulalaab
com.qingwa.qingwa888lalaaa
com.blockchain.uttool
com.wukongwaimai.client
com.unicornsoft.unicornhttpsforios
staffs.mil.CoinPark
com.lc.btdj
com.baijia.waimai
com.ctc.jirepaidui
com.ai.gbet
app.nicegram
com.blockchain.ogiut
com.blockchain.98ut
com.dream.towncn
com.mjb.Hardwood.Test
com.galaxy666888.ios
njiujiu.vpntest
com.qqt.jykj
com.ai.sport
com.feidu.pay
app.ikun277.test
com.usdtone.usdtoneApp2
com.cgapp2.wallet0
com.bbydqb
com.yz.Byteswap.native
jiujiu.vpntest
com.wetink.chat
com.websea.exchange
com.customize.authenticator
im.token.app
com.mjb.WorldMiner.new
com.kh-super.ios.superapp
com.thedgptai.event
com.yz.Eternal.new
xyz.starohm.chat
com.crownplay.luckyaddress1

securelist.com/sparkcat-steale…

ZTNA rappresenta un’evoluzione fondamentale nella sicurezza delle reti aziendali, superando i limiti delle tradizionali VPN grazie a un approccio basato su identità e contesto. Le soluzioni ZTNA garantiscono un accesso sicuro alle applicazioni, riducendo la superficie di attacco e migliorando la gestione degli accessi in ambienti di lavoro ibridi.

L'articolo ZTNA Zero Trust Network Access: cos’è e quali sono le migliori soluzioni proviene da Cyber Security 360.

You know, it’s a tale as old as custom mechanical keyboards. [penkia] couldn’t find any PCBs with 36 keys and Gateron low-profile switch footprints, so they made their own and called it the LoremIpsum36. Isn’t it lovely?

This baby runs on an RP2040, which sits flush as can be in a cutout in the PCB. This maneuver, along with the LP switches in hard-to-find SK-33 sockets results in quite the thin board.

[penkia] says that despite using a 3 mm tray for added rigidity, the entire thing is thinner than the Nuphy Air60 v2, which is just over half an inch (13.9 mm) thick. For keycaps, [penkia] has used both XVX profile and FKcaps’ LPF.

And yeah, that area in the middle is crying out for something; maybe a trackball or something similar. But [penkia] is satisfied with it as-is for the first version, so we are, too.

Do you like 36-key boards, but prefer curves? Check out the Lapa keyboard, which doubles as a mouse.

hackaday.com/2025/02/06/lorem-…

Sfruttando una debolezza nei sistemi Active Directory Federation Services (ADFS), gli attori della minaccia stanno conducendo attacchi avanzati per aggirare l’autenticazione MFA e ottenere l’accesso non autorizzato a sistemi aziendali critici. Ecco tutti i dettagli e i consigli di mitigazione del rischio

L'articolo Così aggirano l’MFA in Active Directory Federation Services: rischi e contromisure proviene da Cyber Security 360.

Il responsabile della protezione dei dati (RPD o DPO) ricopre un ruolo cruciale nella governance della privacy. Ecco quali sono i controlli esperibili sull’architettura della privacy nelle organizzazioni e quali opzioni servono per rafforzare la compliance complessiva, rispettando al contempo l’indipendenza del DPO

L'articolo DPO: chi, come e perché può controllare la sua attività proviene da Cyber Security 360.

While we aren’t heavy-duty woodworkers, we occasionally make some sawdust as part of a project, and we admire people who know how to make wood and do what they want. We were surprised when [Newton Makes] showed a wooden dowel that was quite long and was mostly hollow. The wall was thin, the hole was perfectly centered, and he claimed he did not use a drill to produce it. Check it out in the video below and see what you think.

We don’t want to spoil the surprise, but we can tell you that making something that long with a drill or even a drill press would be very difficult. The problem is that drills have runout — the bits are usually not totally centered, so the bit doesn’t spin like you think it does. Instead, it spins and rotates around a small circle.

At the chuck, that small circle isn’t a big deal. But the further you get from the chuck, the bigger the runout circle gets. So a 10 cm long drill bit won’t amplify the runout much, but a 100 cm bit will make more of a cone shape unless the drill press is very accurate.

Take your guess, go watch the video, then come back and tell us if you guessed correctly. We didn’t. If you want to get better at woodworking, we can help. If you get really good, you can bend wood to your will.

youtube.com/embed/OVdINYWrTNs?…

hackaday.com/2025/02/06/a-tube…

La banda di criminali informatici di Lynx rivendica all’interno del proprio Data Leak Site (DLS) un attacco informatico all’italiana Banfi. Riportano all’interno del post “Banfi Vintners, the exclusive importer of Riunite in the United States, was founded in New York in 1919 by John F. Mariani, Sr. and built into America’s leading wine marketer over the last four decades. The company continues to be family-owned by the founder’s children and grandchildren, who are also proprietors of the Castello Banfi vineyard estate in Montalcino, Tuscany; Vigne Regali Cellars in Strevi, Piedmont; and Pacific Rim Winery in Washington’s Columbia Valley.”

Nel post pubblicato nelle underground dai criminali informatici viene riportato che i dati in loro possesso, esfiltrati dalle infrastrutture IT dell’azienda verranno pubblicati tra 4 giorni.

Al momento, non possiamo confermare la veridicità della notizia, poiché l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web riguardo l’incidente. Pertanto, questo articolo deve essere considerato come una ‘fonte di intelligence’.

Sul sito della gang è attivo anche un countdown che mostra che tra 4g, 15 ore e 54 minuti ci sarà un aggiornamento del post. Sicuramente la gang in quella data pubblicherà una parte dei dati in loro possesso per aumentare la pressione sulla vittima. I criminali informatici, per poter attestare che l’attacco è avvenuto con successo, pubblicano una serie di documenti (samples) afferenti all’azienda sottratti illegalmente durante la compromissione delle infrastrutture.

Questo modo di agire – come sanno i lettori di RHC – generalmente avviene quando ancora non è stato definito un accordo per il pagamento del riscatto richiesto da parte dei criminali informatici. In questo modo, i criminali minacciando la pubblicazione dei dati in loro possesso, aumenta la pressione verso l’organizzazione violata, sperando che il pagamento avvenga più velocemente.

Come nostra consuetudine, lasciamo sempre spazio ad una dichiarazione da parte dell’azienda qualora voglia darci degli aggiornamenti sulla vicenda. Saremo lieti di pubblicare tali informazioni con uno specifico articolo dando risalto alla questione.

RHC monitorerà l’evoluzione della vicenda in modo da pubblicare ulteriori news sul blog, qualora ci fossero novità sostanziali. Qualora ci siano persone informate sui fatti che volessero fornire informazioni in modo anonimo possono utilizzare la mail crittografata del whistleblower.

Cos’è il ransomware as a service (RaaS)

Il ransomware, è una tipologia di malware che viene inoculato all’interno di una organizzazione, per poter cifrare i dati e rendere indisponibili i sistemi. Una volta cifrati i dati, i criminali chiedono alla vittima il pagamento di un riscatto, da pagare in criptovalute, per poterli decifrare.

Qualora la vittima non voglia pagare il riscatto, i criminali procederanno con la doppia estorsione, ovvero la minaccia della pubblicazione di dati sensibili precedentemente esfiltrati dalle infrastrutture IT della vittima.

Per comprendere meglio il funzionamento delle organizzazioni criminali all’interno del business del ransomware as a service (RaaS), vi rimandiamo a questi articoli:

• Il ransomware cos’è. Scopriamo il funzionamento della RaaS
• Perché l’Italia è al terzo posto negli attacchi ransomware
• Difficoltà di attribuzione di un attacco informatico e false flag
• Alla scoperta del gruppo Ransomware Lockbit 2.0
• Intervista al rappresentante di LockBit 2.0
• Il 2021 è stato un anno difficile sul piano degli incidenti informatici
• Alla scoperta del gruppo Ransomware Darkside
• Intervista al portavoce di Revil UNKNOW, sul forum XSS
• Intervista al portavoce di BlackMatter

Come proteggersi dal ransomware

Le infezioni da ransomware possono essere devastanti per un’organizzazione e il ripristino dei dati può essere un processo difficile e laborioso che richiede operatori altamente specializzati per un recupero affidabile, e anche se in assenza di un backup dei dati, sono molte le volte che il ripristino non ha avuto successo.

Infatti, si consiglia agli utenti e agli amministratori di adottare delle misure di sicurezza preventive per proteggere le proprie reti dalle infezioni da ransomware e sono in ordine di complessità:

• Formare il personale attraverso corsi di Awareness;
• Utilizzare un piano di backup e ripristino dei dati per tutte le informazioni critiche. Eseguire e testare backup regolari per limitare l’impatto della perdita di dati o del sistema e per accelerare il processo di ripristino. Da tenere presente che anche i backup connessi alla rete possono essere influenzati dal ransomware. I backup critici devono essere isolati dalla rete per una protezione ottimale;
• Mantenere il sistema operativo e tutto il software sempre aggiornato con le patch più recenti. Le applicazioni ei sistemi operativi vulnerabili sono l’obiettivo della maggior parte degli attacchi. Garantire che questi siano corretti con gli ultimi aggiornamenti riduce notevolmente il numero di punti di ingresso sfruttabili a disposizione di un utente malintenzionato;
• Mantenere aggiornato il software antivirus ed eseguire la scansione di tutto il software scaricato da Internet prima dell’esecuzione;
• Limitare la capacità degli utenti (autorizzazioni) di installare ed eseguire applicazioni software indesiderate e applicare il principio del “privilegio minimo” a tutti i sistemi e servizi. La limitazione di questi privilegi può impedire l’esecuzione del malware o limitarne la capacità di diffondersi attraverso la rete;
• Evitare di abilitare le macro dagli allegati di posta elettronica. Se un utente apre l’allegato e abilita le macro, il codice incorporato eseguirà il malware sul computer;
• Non seguire i collegamenti Web non richiesti nelle e-mail;
• Esporre le connessione Remote Desktop Protocol (RDP) mai direttamente su internet. Qualora si ha necessità di un accesso da internet, il tutto deve essere mediato da una VPN;
• Implementare sistemi di Intrusion Prevention System (IPS) e Web Application Firewall (WAF) come protezione perimetrale a ridosso dei servizi esposti su internet.
• Implementare una piattaforma di sicurezza XDR, nativamente automatizzata, possibilmente supportata da un servizio MDR 24 ore su 24, 7 giorni su 7, consentendo di raggiungere una protezione e una visibilità completa ed efficace su endpoint, utenti, reti e applicazioni, indipendentemente dalle risorse, dalle dimensioni del team o dalle competenze, fornendo altresì rilevamento, correlazione, analisi e risposta automatizzate.

Sia gli individui che le organizzazioni sono scoraggiati dal pagare il riscatto, in quanto anche dopo il pagamento le cyber gang possono non rilasciare la chiave di decrittazione oppure le operazioni di ripristino possono subire degli errori e delle inconsistenze.

La sicurezza informatica è una cosa seria e oggi può minare profondamente il business di una azienda.

Oggi occorre cambiare immediatamente mentalità e pensare alla cybersecurity come una parte integrante del business e non pensarci solo dopo che è avvenuto un incidente di sicurezza informatica.

L'articolo Gli hacker criminali di Lynx rivendicano un attacco informatico all’italiana Banfi proviene da il blog della sicurezza informatica.

Un nuovo caso di sorveglianza digitale sta scuotendo l’Italia: Luca Casarini, fondatore della ONG Mediterranea Saving Humans, ha ricevuto una notifica da WhatsApp, che lo ha avvisato che il suo telefono è stato preso di mira da uno spyware di livello militare prodotto dalla società israeliana Paragon Solutions, riporta The Guardian.

Casarini, noto per le sue denunce contro la complicità dell’Italia negli abusi sui migranti in Libia, non è l’unico ad aver ricevuto l’allarme. Anche il giornalista Francesco Cancellato e l’attivista libico residente in Svezia Husam El Gomati sono stati identificati come potenziali vittime dello spyware. In comune avevano avuto posizioni critiche verso il Governo italiano.

WhatsApp ha annunciato che almeno 90 giornalisti e attivisti in tutto il mondo sarebbero stati colpiti da attacchi informatici legati allo spyware di Paragon, venduto ufficialmente solo a governi di paesi democratici per contrastare il crimine. Tuttavia, il suo utilizzo su membri della società civile solleva interrogativi inquietanti. E’ anche emerso che il numero di utenti italiani finora interessati sembra essere sette.

Il governo italiano ha negato qualsiasi coinvolgimento dei servizi segreti o di altre agenzie governative italiane in queste operazioni di sorveglianza. In una nota ufficiale, Palazzo Chigi ha definito le accuse “particolarmente gravi” e ha incaricato l’Agenzia Nazionale per la Cybersecurity (ACN) di indagare.

Sotto l’amministrazione Biden, Paragon ha stipulato un contratto da 2 milioni di dollari con l’Immigration and Customs Enforcement (ICE) degli Stati Uniti, ma l’accordo è stato sospeso dopo che sono state sollevate domande sulla conformità dell’accordo con un ordine esecutivo che limitava l’uso di spyware da parte del governo federale, nel caso in cui il suo utilizzo rappresentasse un “rischio significativo di controspionaggio o sicurezza”.

Per ora l’attenzione si concentra se l’Italia abbia effettivamente utilizzato lo spyware. “È diventato chiaro; l’Italia ha un problema Paragon. Visti i casi che sono già rapidamente emersi, è tempo di chiedersi: chi era il cliente? E quanto lontano vanno questi casi?”, ha affermato John Scott Railton, ricercatore senior presso il Citizen Lab presso l’Università di Toronto, che monitora la sorveglianza digitale della società civile.

Una persona vicina alla Paragon ha rifiutato di commentare l’identità dei suoi clienti, ma ha affermato che “non avrebbe negato” che l’Italia fosse un cliente.

Casarini è stato un’importante figura attivista in Italia per decenni, ma in un’intervista al Guardian ha detto che il suo obiettivo principale era la ONG di soccorso marittimo che ha fondato nel 2018. Era su un treno diretto a Bologna, ha detto, quando ha ricevuto un “ping” sul suo telefono da WhatsApp.

Ha scherzato dicendo che inizialmente si era chiesto perché Mark Zuckerberg, la cui Meta possiede WhatsApp, gli stesse inviando messaggi. Era una delle 90 persone a ricevere l’avviso di essere stato preso di mira da un aggressore sconosciuto che utilizzava uno spyware di livello militare.

L’utilizzo di spyware militare contro attivisti e giornalisti non è una novità. In passato, casi simili hanno coinvolto strumenti come Pegasus, sviluppato dalla NSO Group, che è stato utilizzato da diversi governi per spiare oppositori politici, giornalisti e difensori dei diritti umani.

Questa nuova rivelazione solleva ulteriori dubbi sulla sicurezza digitale in Italia ed Europa, e apre un dibattito su chi abbia accesso a questi strumenti di sorveglianza e come vengano realmente utilizzati. Nel frattempo, resta un nodo fondamentale: chi ha ordinato l’attacco contro Casarini, Cancellato ed El Gomati?

L'articolo Spyware israeliano contro attivisti Italiani: WhatsApp avvisa Luca Casarini preso di mira da Paragon proviene da il blog della sicurezza informatica.

Il rinomato esperto di sicurezza macOS Patrick Wardle ha segnalato che nel 2024 sono state scoperte più di 22 nuove famiglie di malware mirati a macOS. Tra questi rientrano stealer, ransomware, backdoor e downloader.

Si tratta di un numero pressoché in linea con quello del 2023 ma notevolmente superiore a quello del 2021 e del 2022. Vale la pena notare che l’elenco non include i malware pubblicitari, né quelli scoperti negli anni precedenti.

Tra gli infostealer per macOS emersi nel 2024 ci sono CloudChat, Poseidon (noto anche come Rodrigo), Cthulhu, BeaverTail, PyStealer e Banshee. CloudChat è specializzato nel furto di dati e chiavi di portafogli di criptovalute. PyStealer, Banshee e Poseidon rubano dati da portafogli di criptovalute, browser e altre informazioni. BeaverTail viene utilizzato dagli hacker nordcoreani per rubare dati e installare carichi utili aggiuntivi.

Per quanto riguarda i nuovi ransomware per macOS, l’anno scorso i ricercatori di sicurezza informatica hanno scoperto NotLockBit, che crittografa i file delle vittime e presenta anche funzionalità di base per il furto di dati. Nella categoria backdoor, Wardle menziona il malware SpectralBlur, dotato di funzionalità di base per il download, l’upload e l’esecuzione di file. Si ritiene che la minaccia sia legata agli hacker nordcoreani.

Un’altra nuova famiglia di backdoor è Zuru. Zuru è stato individuato per la prima volta nel 2021, ma Wardle lo ha incluso nell’elenco del 2024 perché i campioni scoperti l’anno scorso potrebbero essere malware completamente nuovi e non semplicemente una nuova versione di Zuru.

Apparentemente legato alla Cina, LightSpy prende di mira non solo macOS, ma anche iOS, Android e Windows. Sebbene questo malware sia stato utilizzato principalmente a scopo di spionaggio, le sue ultime versioni presentano anche funzionalità distruttive. HZ Rat è un’altra backdoor apparsa nel 2024. È stata individuato come un attacco che prende di mira gli utenti in Cina e fornisce agli aggressori il pieno controllo su un dispositivo macOS infetto.

Tra le altre backdoor emerse l’anno scorso, ha osservato Wardle, figurano Activator (un backdoor downloader e ladro di criptovalute), HiddenRisk (un malware nordcoreano utilizzato negli attacchi alle criptovalute) e RustDoor.

L’elenco dei downloader per macOS nel 2024 è stato ampliato con strumenti quali: RustyAttr, InletDrift, ToDoSwift e DPRK Downloader (associato alla Corea del Nord); EvasivePanda e SnowLight (collegati alla Cina); VShell Downloader e Downloader noname.

Nel suo rapporto, Wardle ha pubblicato dettagli tecnici su ciascuna delle nuove famiglie di malware, tra cui informazioni sui vettori di infezione, sui meccanismi di persistenza, sulle caratteristiche e sulle capacità. Sono disponibili anche campioni di malware da scaricare.

L'articolo macOS Sotto Attacco! 22 nuove famiglie di infostealer, ransomware e backdoor nel 2024 proviene da il blog della sicurezza informatica.

Il Cloud Security Posture Management (CSPM) è fondamentale per garantire la sicurezza negli ambienti cloud complessi e distribuiti. Grazie a funzionalità come visibilità completa degli asset, automazione dei processi di sicurezza, gestione degli accessi e conformità normativa, i CSPM aiutano le organizzazioni a ridurre i rischi, migliorare l'efficienza operativa e ottimizzare la gestione della sicurezza.

L'articolo CSPM: 5 soluzioni per garantire maggiore sicurezza su cloud proviene da Cyber Security 360.

Il Security Information and Event Management (SIEM) è uno strumento cruciale per la sicurezza informatica, capace di raccogliere, analizzare e correlare dati da diverse fonti per rilevare minacce e anomalie in tempo reale. Grazie a funzionalità avanzate, il SIEM migliora la gestione del rischio, supporta la conformità normativa e ottimizza l'efficienza operativa.

L'articolo SIEM: quale scegliere e perché è fondamentale per la sicurezza dell’azienda proviene da Cyber Security 360.

A PCB ruler is a common promotional item, or design exercise. Usually they have some sample outlines and holes as an aid to PCB design, but sometimes they also incorporate some circuitry. [Clovis Fritzen] has given us an ingenious example, in the form of a PCB ruler with a built-in thermometer.

This maybe doesn’t have the fancy seven segment or OLED display you were expecting though, instead it’s an ATtiny85 with a lithium cell, the minimum of components, a thermistor for measurement, and a couple of LEDs that serve as the display. These parts are interesting, because they convey the numbers by flashing. One LED is for the tens and the other the units, so count the flashes and you have it.

We like this display for its simplicity, we can see the same idea could be used in many other places.On a PCB ruler, it certainly stands apart from the usual. It has got plenty of competition though.

hackaday.com/2025/02/05/this-t…

Influenza, Influenza, Influenza… Bloccare l’influenza è la parola d’ordine negli Stati Uniti D’America, con qualsiasi mezzo. Con le sanzioni e ora con una proposta di reclusione e una maxi multa che equipara chi scarica DeepSeek al terrorismo.

Negli Stati Uniti, una nuova proposta di legge potrebbe comportare sanzioni severe, inclusi milioni di dollari di multe e pene detentive, per gli utenti dell’applicazione di intelligenza artificiale cinese DeepSeek. Il disegno di legge, presentato dal senatore repubblicano Josh Hawley, mira a “proibire alle persone negli Stati Uniti di promuovere le capacità dell’intelligenza artificiale all’interno della Repubblica Popolare Cinese“.

La legislazione proposta vieterebbe l’importazione di “tecnologia o proprietà intellettuale” sviluppata in Cina, con pene che includono fino a 20 anni di reclusione per i trasgressori. Le sanzioni pecuniarie previste ammontano fino a 1 milione di dollari per gli individui e fino a 100 milioni di dollari per le aziende coinvolte.

Sebbene il disegno di legge non menzioni esplicitamente DeepSeek, la proposta arriva poco dopo che il chatbot cinese è diventato l’app di intelligenza artificiale più popolare negli Stati Uniti, causando un calo nelle azioni delle aziende tecnologiche statunitensi. La rapida diffusione di DeepSeek ha sollevato preoccupazioni riguardo alla sicurezza, alla privacy e all’etica, inclusa l’incapacità dell’app di rispondere a domande su argomenti sensibili per il Partito Comunista Cinese.

Il presidente degli Stati Uniti, Donald Trump, ha descritto l’app cinese come una “chiamata al risveglio” per l’industria tecnologica americana, con la Casa Bianca che sta valutando le implicazioni di DeepSeek per la sicurezza nazionale. In risposta, la Marina degli Stati Uniti ha vietato ai suoi membri l’uso di DeepSeek sia per compiti lavorativi che per uso personale, mentre la NASA ha proibito la tecnologia di intelligenza artificiale su dispositivi e reti governative.

Anche diversi stati stanno considerando un divieto su DeepSeek. Il Texas è diventato il primo a implementare un divieto sugli apparecchi governativi. Il governatore del Texas, Greg Abbott, ha dichiarato: “Il Texas non permetterà al Partito Comunista Cinese di infiltrarsi nelle infrastrutture critiche del nostro stato attraverso applicazioni di intelligenza artificiale e di raccolta dati sui social media“.

Queste misure riflettono una crescente preoccupazione negli Stati Uniti riguardo all’influenza delle tecnologie cinesi e al potenziale rischio per la sicurezza nazionale. La proposta di legge e le azioni correlate mirano a proteggere le infrastrutture critiche e a limitare la diffusione di tecnologie che potrebbero compromettere la privacy e la sicurezza degli utenti americani.

L'articolo USA: DeepSeek come il Terrorismo! 20 anni di carcere e 100M$ di multa. La Proposta Shock proviene da il blog della sicurezza informatica.

If you’re like most makers, you have a few product ideas kicking about, but you may not have made it all the way to production of those things. If you’re thinking about making the leap, [Simone Giertz] recently discussed all the perils and pitfalls of the process from idea to reality.

The TLDR is that there’s a big difference between making one item and making hundreds or thousands of them, which you probably already knew, but it is nice to see what sort of issues can crop up in this seemingly simple example of the Yetch Screwdriver Ring. It turns out that the metalworking skills of tool making and jewelry making rarely overlap in the contract manufacturing world.

[Giertz] also shares some of the more mundane, yet terrifying, parts of business like finally committing to bulk orders and whether it’s wise to go with intermediaries when working with suppliers overseas. She also keys us into parts of the process where things can go wrong, like how product samples typically use a different manufacturing process than bulk for practical reasons and how you need to have very specific quality control requirements not just decide if a product is good enough based on vibes.

If you’d like some more advice on making your own products, check out [Carrie Sundra]’s Supercon talk about Manufacturing on a Shoestring Budget.

youtube.com/embed/7gTz_JmlYtQ?…

hackaday.com/2025/02/05/making…

Before the digital age, when transistors were expensive, unreliable, and/or nonexistent, engineers had to use other tricks to do things that we take for granted nowadays. Motor positioning, for example, wasn’t as straightforward as using a rotary encoder and a microcontroller. There are a few other ways of doing this, though, and [Void Electronics] walks us through an older piece of technology called a synchro (or selsyn) which uses a motor with a special set of windings to keep track of its position and even output that position on a second motor without any digital processing or microcontrollers.

Synchros are electromagnetic devices similar to transformers, where a set of windings induces a voltage on another set, but they also have a movable rotor like an electric motor. When the rotor is energized, the output windings generate voltages corresponding to the rotor’s angle, which are then transmitted to another synchro. This second device, if mechanically free to move, will align its rotor to match the first. Both devices must be powered by the same AC source to maintain phase alignment, ensuring their magnetic fields remain synchronized and their rotors stay in step.

While largely obsolete now, there are a few places where these machines are still in use. One is in places where high reliability or ruggedness is needed, such as instrumentation for airplanes or control systems or for the electric grid and its associated control infrastructure. For more information on how they work, [Al Williams] wrote a detailed article about them a few years ago.

youtube.com/embed/Gkn-A0F9JFM?…

hackaday.com/2025/02/05/invest…

Mick Jagger famously said that you cain’t always get what you want. But this is Hackaday, and we make what we want or can’t get. Case in point: [Andrew Tudoroi] is drawn to retro LEDs and wanted one of Pimoroni’s micro-LED boards pretty badly, but couldn’t get his hands on one. You know how this ends — with [Andrew] designing his first PCB.

The Pitanga hat is equally inspired by additional fruit that [Andrew] had lying around in the form of an 8devices Rambutan board. (Trust us, it’s a fruit.) With some research, he discovered the HT16K33 LED driver, which checked all the boxen.

The first version worked, but needed what looks like a couple of bodge wires. No shame in that! For the next revision, [Andrew] added buttons and decided to make it into a Raspberry Pi HAT.

This HAT is essentially a simple display with a basic input device, and a beauty at that. You can see all the various cool displays that [Andrew] tried both here and in the project log. Although he included pads for an ARM M0 microcontroller, he never did populate it. Maybe in the future.

Of course, this project was not without its challenges. For one thing, there was power compatibility to wrestle with. The Pi can sometimes work with I²C devices at 5 V, but this isn’t ideal long-term. So [Andrew] put the LED driver on the 3.3 V I²C bus. Despite the data sheet calling for 4.5 to 5.5 V, the setup worked fine. But for better reliability, [Andrew] threw a dedicated I²C logic level converter chip into the mix.

Don’t forget, you can run a noble amassment of HATs with the PiSquare.

hackaday.com/2025/02/05/good-l…