Le reti aziendali sono sotto un’ondata di attacchi ransomware che sfruttano una vulnerabilità critica (CVE-2024-40766) nelle VPN SonicWall. I cybercriminali dei gruppi Fog e Akira hanno intensificato gli assalti, sfruttando questa falla scoperta recentemente nei controlli di accesso SSL VPN per infiltrarsi nei sistemi delle aziende. Nonostante SonicWall abbia rilasciato una patch ad agosto 2024, molte aziende non hanno ancora implementato l’aggiornamento, lasciando le proprie reti vulnerabili e aprendo la porta a intrusioni devastanti.

Arctic Wolf ha documentato che il gruppo affiliato al ransomware Akira ha usato questa vulnerabilità per penetrare le reti e dare il via a una serie di attacchi coordinati e rapidissimi. Le intrusioni sono state spesso seguite da una sequenza d’azione fulminea: in meno di due ore, i dati vengono cifrati, bloccando di fatto le risorse più sensibili dell’azienda. Utilizzando accessi VPN senza autenticazione multi-fattore, gli aggressori riescono facilmente a mascherare i propri indirizzi IP e a evitare il tracciamento. Di conseguenza, i tempi di reazione per le aziende sono minimi, con conseguenze gravi per la sicurezza aziendale e per la riservatezza dei dati.

SonicWall VPN vulnerabile e l’alleanza criminale tra Fog e Akira

La sinergia tra Fog e Akira aggiunge un elemento critico alla minaccia: le intrusioni segnalate rivelano una collaborazione intensa e pericolosa tra i due gruppi, i quali condividono infrastrutture per massimizzare l’impatto degli attacchi. Secondo il report di Arctic Wolf, su almeno 30 intrusioni via VPN SonicWall, il 75% è attribuibile ad Akira, mentre il restante 25% è condotto dal gruppo Fog, attivo solo da maggio 2024 ma in crescita rapida.

Questa strategia coordinata sottolinea l’importanza di un aggiornamento immediato delle patch e dell’abilitazione dell’autenticazione a più fattori per le VPN SSL, ancora troppo spesso trascurate dalle aziende. Gli eventi nei log di sistema SonicWall dimostrano come gli aggressori procedano rapidamente con l’assegnazione di IP e l’accesso remoto una volta entrati, garantendosi il controllo delle macchine virtuali e dei backup e compromettendo dati e software critici.

Sicurezza aziendale: patch tempestive e autenticazione multi-fattore sono vitali

Il caso SonicWall rimarca una verità essenziale: la sicurezza informatica non può essere sottovalutata. Mantenere le patch di sicurezza aggiornate e utilizzare l’autenticazione multi-fattore non solo rappresentano misure essenziali, ma sono requisiti fondamentali in un panorama di minacce sempre più sofisticate e collaborative. Con la rapida evoluzione delle tecniche di attacco, il rischio di trovarsi con reti critiche esposte e dati sensibili cifrati è concreto.

Investire nella protezione informatica non è solo una questione di conformità, ma di salvaguardia della continuità operativa e della fiducia del cliente, valori fondamentali per ogni azienda che voglia difendersi efficacemente in un contesto in cui le minacce cyber non accennano a diminuire.

L'articolo VPN SonicWall sotto attacco: Akira e Fog all’assalto dei dati aziendali! proviene da il blog della sicurezza informatica.

If you’re looking for a hackerspace while on your travels, there is more than one website which shows them on a map, and even tells you whether or not they are open. This last feature is powered by SpaceAPI, a standard way for hackerspaces to publish information about themselves, including whether or not they are closed.

Given such a trove of data then it’s hardly surprising that [S3lph] would use it to create a gigantic map of central Europe with lights in the appropriate places (German language, Google Translate link) to show the spaces and their status.

The lights are a set of addressable LEDs and the brain is an ESP32, making this an accessible project for most hackers with the time to assemble it. Unsurprisingly then it’s not the first such map we’ve seen, though it’s considerably more ambitious than the last one. Meanwhile if your hackerspace doesn’t have SpaceAPI yet or you’re simply curious about the whole thing, we took a look at it back in 2021.

Thanks [Dave] for the tip.

hackaday.com/2024/10/29/an-int…

Electrostatic motors are now common in MEMS applications, but researchers at the University of Wisconsin and spinoff C-Motive Technologies have brought macroscale electrostatic motors back. [via MSN/WSJ]

While the first real application of an electric motor was Ben Franklin’s electrostatically-driven turkey rotisserie, electromagnetic type motors largely supplanted the technology due to the types of materials available to engineers of the time. Newer dielectric fluids and power electronics now allow electrostatic motors to be better at some applications than their electromagnetic peers.

The main advantage of electrostatic motors is their reduced critical materials use. In particular, electrostatic motors don’t require copper windings or any rare earth magnets which are getting more expensive as demand grows for electrically-powered machines. C-Motive is initially targeting direct drive industrial applications, and the “voltage driven nature of an electrostatic machine” means they require less cooling than an electromagnetic motor. They also don’t use much if any power when stalled.

Would you like a refresher on how to make static electricity or a deeper dive on how these motors work?

hackaday.com/2024/10/29/electr…

Checking the voltages on a dead LED lightbulb. Best done by a professional, obviously. (Credit: The Doubtful Technician, YouTube)
We have probably all seen the marketing blurbs on packaging and elsewhere promoting the amazing lifespan of LED lighting solutions. Theoretically you should be able to install a LED bulb in a fixture that used to hold that incandescent lightbulb which had to be replaced annually and have it last a decade or longer. Yet we seem to replace these LED bulbs much more often than that, with them suffering a range of issues. To get to the root cause of this, [The Doubtful Technician] decided to perform an autopsy on a range of dead lightbulbs which he got from a variety of sources and brands.

One lamp is an Amazon-bought one by a seller who seems to have vanished, but was promised over 3 years of constant use. Other than the fun blinding of oneself while testing, this one was easy to diagnose, with a dodgy solder joint on a resistor in a MELF package. The next one from Lowes was very dim, and required popping open with some gentle force, which revealed as likely culprit a shorted SMD resistor. Finally a more substantial (i.e. heavier) bulb was tested which had survived about 7 years in the basement until it and its siblings began to suddenly die. Some might consider this the normal lifespan, but what really failed in them?

The electronics in this last bulb were the most impressive, with a full switch mode power supply (SMPS) that appears to have suffered a failure. Ultimately the pattern with these three bulbs was that while the LEDs themselves were still fine, it were things like the soldering joints and singular components on the LED driver PCB that had failed. Without an easy way to repair these issues, and with merely opening the average LED lightbulb being rather destructive, this seems like another area where what should be easy repairs are in fact not, and more e-waste is created.

youtube.com/embed/1l1we3vwnzY?…

hackaday.com/2024/10/29/lies-b…

Most of us using desktop computers, and plenty of us on laptops, have some sort of fan or pump installed in our computer to remove heat and keep our machines running at the most optimum temperature. That’s generally a good thing for performance, but comes with a noise pollution cost. It’s possible to build fanless computers, though, which are passively cooled by using larger heat sinks with greater thermal mass, or by building more efficient computers, or both. But sometimes even fanless designs can benefit from some forced air, so [Sasa] built this system for cooling fanless systems with fans.

The main advantage of a system like this is that the fans on an otherwise fanless system remain off when not absolutely necessary, keeping ambient noise levels to a minimum. [Sasa] does have a few computers with fans, and this system helps there as well. Each fan module is WiFi-enabled, allowing for control of each fan on the system to be set up and controlled from a web page. It also can control 5V and 12V fans automatically with no user input, and can run from any USB power source, so it’s not necessary to find a USB-PD-compatible source just to run a small fan.

Like his previous project, this version is built to easily integrate with scripting and other third-party software, making it fairly straightforward to configure in a home automation setup or with any other system that is monitoring a temperature. It doesn’t have to be limited to a computer, either; [Sasa] runs one inside a server cabinet that monitors the ambient temperature in the cabinet, but it could be put to use anywhere else a fan is needed. Perhaps even a hydroponic setup.

youtube.com/embed/TqN-tWI42gE?…

hackaday.com/2024/10/29/custom…

The story of Commodore computers is one of some truly great machines for their time, and of the truly woeful marketing that arguably spelled their doom. But there’s another Commodore computing story, that of the machines we never received, many of which came close enough to production that they might have made it.

[Old VCR] has the story of one of these, and it’s a portable. It’s not a C64 like the luggable which did emerge, neither is it the legendary LCD portable prototype in the possession of our Hackaday colleague [Bil Herd]. Instead it’s a palmtop branded under licence from Toshiba, and since it’s a rare device even its home country of Japan the article gives us perhaps the only one we’ll ever see with either badge.

The Commodore HHC-4 was announced at Winter CES 1983, and since it was never seen again it’s aroused some curiosity among enthusiasts. The article goes to some lengths to cross-reference the visible features and deduce that it’s in fact a Toshiba Pasopia Mini, a typical palmtop computer of the era with not much in the way of processing power, a small alphanumeric display, and a calculator-style QWERTY keyboard. We’re treated to a teardown of a Toshiba unit and its dock, revealing some uncertainty about which processor architecture lurks in those Toshiba custom chips.

Looking at the magazine reviews and adverts it seems as though Commodore may have had some machines with their branding on even if they never sold them, so there exists the tantalizing possibility of one still lurking forgotten in the possession of a former staffer. We can hope.

If Commodore history interests you, you really should read [Bil]’s autobiographical account of the company in the 1980s.

hackaday.com/2024/10/29/anothe…

La sfida digitale tra Usa e Cina in corso nel continente asiatico riguarda data center, intelligenza artificiale e cavi sottomarini.

The post Data center, IA, Internet… Usa e Cina combattono in Asia la battaglia per il futuro appeared first on InsideOver.

So far in this series, we’ve talked about man-made byproducts — Fordite, which is built-up layers of cured car enamel, and Trinitite, which was created during the first nuclear bomb test.
A lovely fulgurite pendant. Image via Etsy
But not all byproducts are man-made, and not all of them are basically untouchable. Some are created by Mother Nature, but are nonetheless dangerous. I’m talking about fulgurites, which can form whenever lightning discharges into the Earth.

It’s likely that even if you’ve seen a fulgurite, you likely had no idea what it was. So what are they, exactly? Basically, they are natural tubes of glass that are formed by a fusion of silica sand or rock during a lightning strike.

Much like Lichtenberg figures appear across wood, the resulting shape mimics the path of the lightning bolt as it discharged into the ground. And yes, people make jewelry out of fulgurites.

Lightning Striking Again

Image via NOAA’s National Severe Storms Laboratory
Lightning is among the oldest observed phenomena on Earth. You probably know that lightning is just a giant spark of electricity in the atmosphere. It can occur between clouds, the air, or the ground and often hits tall things like skyscrapers and mountaintops.

Lightning is often visible during volcanic eruptions, intense forest fires, heavy snowstorms, surface nuclear detonations, and of course, thunderstorms.

In lightning’s infancy, air acts as an insulator between charges — the positive and negative charges between the cloud and the ground. Once the charges have sufficiently built up, the air’s insulating qualities break down and the electricity is rapidly discharged in the form of lightning.

When lightning strikes, the energy in the channel briefly heats up the air to about 50,000 °F, which is several times the surface of the Sun. This makes the air explode outward. As the shock wave’s pressure decreases, we hear thunder.

Of Sand and Rock and Other Stuff

Fulgurites, also known as fossilized lightning, don’t have a fixed composition: they are composed of whatever they’re composed of at the time of the lightning strike. Four main types of fulgurites are officially recognized: sand, soil, caliche (calcium-rich), and rock fulgurites. Sand fulgurites can usually be found on beaches or in deserts where clean sand devoid of silt and clay dominates. And like those Lichtenberg figures, sand fulgurites tend to look like branches of tubes. They have rough surfaces comprised of partially-melted grains of sand.
Sand fulgurites, aka forbidden churros. Image via Wikimedia Commons
When sand fulgurites are formed, the sand rapidly cools and solidifies. Because of this, they tend to take on a glassy interior. As you might imagine, the size and shape of a fulgurite depends on several factors, including the strength of the strike and the depth of the sand being struck. On average, they are 2.5 to 5 cm in diameter, but have been found to exceed 20 cm.

Soil fulgurites can form in a wide variety of sediment compositions including clay-, silt-, and gravel-rich soils as well as leosses, which are wind-blown formations of accumulated dust. These also appear as tubaceous or branching formations, vesicular, irregular, or a combination thereof.

Calcium-rich sediment fulgurites have thick walls and variable shapes, although it’s common for multiple narrow channels to appear. These can run the gamut of morphological and structural variation for objects that can be classified as fulgurites.

Rock fulgurites are typically found on mountain peaks, which act as natural lightning rods. They appear as coatings or crusts of glass formed on rocks, either found as branching channels on the surface, or as lining in pre-existing fractures in the rock. They are most often found at the summit or within several feet of it.

Fact-Finding Fulgurites

Aside from jewelry and such, fulgurites’ appeal comes in wherever they’re found, as their presence can be used to estimate the number of lightning strikes in an area over time.

Then again there’s some stuff you may not necessarily want to use in jewelry making. Stuff that can be found in the dark, dank corners of the Earth. Stay tuned!

hackaday.com/2024/10/29/boss-b…

L’esperto di sicurezza informatica Alexander Hagenah ha pubblicato lo strumento Chrome-App-Bound-Encryption-Decryption per aggirare la nuova funzionalità di sicurezza App-Bound Encryption in Chrome, progettata per proteggere i dati sensibili, inclusi i cookie.

Ricordiamo che la funzionalità di crittografia associata all’app è stata introdotta l’estate scorsa, con il rilascio di Chrome 127. Come hanno affermato gli sviluppatori del browser, lo scopo è crittografare i cookie e le password memorizzate utilizzando un servizio Windows che funziona con privilegi di sistema.

Ciò impedisce al malware in esecuzione come utente che ha effettuato l’accesso di rubare i segreti archiviati in Chrome. In teoria, infatti, per aggirare tale protezione, il malware avrà bisogno dei privilegi di sistema, e non sarà possibile ottenerli senza che nessuno se ne accorga.

Dopo che le persone hanno iniziato a parlare online del fatto che il malware aveva imparato a bypassare la crittografia associata all’app, i rappresentanti di Google hanno detto ai media che ciò era previsto.

L’azienda non si aspettava di creare una protezione “a prova di proiettile” e la crittografia App-Bound aveva solo lo scopo di gettare le basi per la creazione graduale di un sistema più affidabile.

“Siamo consapevoli che la nuova protezione ha suscitato scalpore tra gli sviluppatori di infostealer. Come abbiamo scritto nel blog, ci aspettiamo che questa protezione sposti il ​​comportamento degli aggressori verso metodi di attacco più visibili, tra cui iniezioni e memory scraping. Questo è esattamente ciò a cui stiamo assistendo adesso”, disse all’epoca Google.

Ora che Hagena ha rilasciato pubblicamente la sua soluzione di bypass della crittografia associata all’app su GitHub , chiunque può imparare e compilare lo strumento.

“Questo strumento decodifica le chiavi di crittografia associate all’app archiviate nel file di stato locale di Chrome utilizzando il servizio IElevator interno basato su COM di Chrome”, afferma la descrizione del progetto. “Lo strumento consente di estrarre e decrittografare le chiavi che Chrome protegge con la crittografia associata all’app per impedire l’accesso a dati protetti come cookie, password e informazioni di pagamento.”

Come riporta Bleeping Computer, citando uno specialista di sicurezza informatica noto come g0njxa, lo strumento di Hagena utilizza un metodo di base per aggirare la crittografia associata all’app, che la maggior parte degli infostealer ha già superato. Tuttavia, questo metodo funziona ancora poiché gli sviluppatori di Chrome non hanno ancora rilasciato le patch.

Queste informazioni sono confermate anche dagli analisti di eSentire, i quali affermano che il metodo di Hagena è simile ai primi metodi per aggirare la protezione utilizzati dagli aggressori quando era appena stata introdotta la crittografia associata all’app.

“Lumma ha utilizzato questo metodo per creare un’istanza dell’interfaccia Chrome IElevator tramite COM per accedere al servizio Chrome Elevation per decrittografare i cookie, ma è piuttosto rumoroso e facile da rilevare. Ora gli hacker utilizzano la decrittazione indiretta senza interagire direttamente con Chrome Elevation Service”, afferma eSentire.

Gli sviluppatori di Google hanno dichiarato che non vedono nulla di sbagliato nel rilascio di un simile strumento. Poiché richiede diritti di amministratore per funzionare, la società ritiene di aver “aumentato con successo il livello di accesso richiesto affinché questo tipo di attacco sia efficace”.

L'articolo La crittografia di Chrome è stata violata! lo Strumento di Hagenah sblocca l’App-Bound Encryption proviene da il blog della sicurezza informatica.

Qual è il bilancio dopo 10 mesi di governo Tusk, a un anno dalla vittoria nelle elezioni parlamentari? Ho scritto un'analisi per ResetDoc, partendo dalla svolta securitaria in materia di immigrazione.

What's the balance after 10 months of Tusk's government, one year after the victory in the parliamentary elections? I wrote an analysis for ResetDoc.

resetdoc.org/story/polands-imm…

Poland’s Immigration Law: Tusk’s Struggle to Hold the Center

“Regain control, ensure security.” This is the slogan of a draft law promoted by Polish Prime Minister Donald Tusk and adopted by his government to outline the country’s migration strategy from 2025 to 2030.

^{Reset DOC}

Dealing with all the wiring can quickly become a challenge on robots, especially the walking variety which have actuators everywhere. [Eric Yufeng Wu] sidestepped the wiring issue by creating Q8bot, a little quadruped where all the components, including the actuators, are mounted directly on the PCB.

[Eric] uses a custom PCB as the spine of the robot, and the eight servos plug directly into connectors on the PCB. With their bottom covers removed, the servos screw neatly into a pair of 3D printed frames on either side of the PCB, which also have integrated 14500 battery holders. The PCB is minimalist, with just the XIAO ESP32C3 module, a boost converter circuit to drive the servos, and a battery fuel gauge. Each SCARA-style leg consists of four SLS 3D printed segments, with press-fit bearings in the joints.

The little one moves quickly, and can even do little jumps. For this prototype, most of the control processing is done on a laptop, which sends raw joint angles to the onboard ESP32 via the ESP-Now protocol. We think this little robot has a lot of development potential, and fortunately [Eric] has made all the hardware and software files available for others to build their own.

youtube.com/embed/YJDc1xAhaOI?…

hackaday.com/2024/10/29/little…

La futura versione del kernel Linux 6.13 include una patch che rielabora l’algoritmo per trovare il checksum CRC32C. La nuova implementazione ha permesso di ridurre la quantità di codice di circa dieci volte, da 4546 byte a 418 byte.

La riduzione del numero di operazioni e l’ottimizzazione della logica del loop hanno comportato un notevole aumento della velocità, particolarmente evidente quando la protezione retpoline contro gli attacchi Spectre era disabilitata.

Pertanto, sui processori AMD Zen 2 si registra un aumento delle prestazioni fino all’11,8%, su Intel Emerald Rapids – 6,4% e su Intel Haswell – 4,8%.

Con la protezione retpoline abilitata, l’effetto dell’ottimizzazione è ancora più pronunciato: le prestazioni su Intel Emerald Rapids aumentano del 66,8%, su Intel Haswell del 35,0% e su AMD Zen 2 del 29,5%.

In precedenza, CRC32C utilizzava 128 loop, il che aumentava significativamente la quantità di codice. Poiché i moderni processori supportano l’esecuzione di istruzioni fuori ordine, il numero eccessivo di istruzioni di salto all’interno dei cicli è diventato un ostacolo all’ottimizzazione.

Nella nuova implementazione, il numero di iterazioni è stato ridotto a quattro, il che ha ridotto significativamente la quantità di codice e allo stesso tempo ha migliorato la velocità dell’operazione.

L'articolo Linux 6,13 Performance Boost: La Nuova Patch di Porta Vantaggi Incredibili! proviene da il blog della sicurezza informatica.

Introduction

Organizations often rely on a layered defense strategy, yet breaches still occur, slipping past multiple levels of protection unnoticed. This is where compromise assessment enters the game. The primary objective of these services is risk reduction. They help discover active cyberattacks as well as unnoticed sophisticated attacks that occurred in the past by doing the following:

• Tool-assisted scanning of all endpoints;
• Host and network equipment log analysis;
• Threat intelligence analysis, including darknet search;
• Initial incident response to contain discovered threats.

In this article, we delve into the root causes of real-world cases from our practice, where despite having numerous security controls in place, the organizations still found themselves compromised. In all the cases in question, compromise assessment was the last line of defense that successfully detected incidents.

Patch management issues

The vulnerability patching process typically takes time for a variety of reasons: from actual patch release all the way to identifying vulnerable assets and “properly” patching them, considering any pre-existing asset inventory and whether the accountable personnel will learn about the vulnerability in time. There are multiple factors that may delay this process, including formality in business continuity requirements, e.g. inability to reboot the server without a downtime window.

That’s why insufficient patch management processes on the customer side are one of the most common root causes of incidents we observe in compromise assessment projects. Moreover, exploitation of a public-facing application was the root cause in 42.37% of cases investigated by the Kaspersky Global Emergency Response Team (GERT) in 2023.

During the investigation of one case, we identified that the web server was patched a month after the attacker infiltrated the network: this delay was a treasure trove for the threat actor, since the organization was left unprotected and the attack went unnoticed.

• Immediately after compromising the server, the attacker deployed a SILENTTRINITY C2 stager.
• They attempted to dump credentials via a custom packed version of Mimikatz on the first day, and by dumping the LSASS process memory to disk on the fourth day.
• During that month, they conducted internal reconnaissance of SMB shares until they obtained the credentials of the domain administrator.

Policy violations by employees

Most organizations focus on external threats; however, policy violations pose a major risk, with 51% of SMB incidents and 43% of enterprise incidents involving IT security policy violations caused by employees. An “employee” here is any person who has a regular employee’s level of access to the organization’s systems.

In one of our compromise assessments, we identified an incident whose root cause was traced to a contracted cybersecurity consultant. During an interim report meeting, we presented a list of compromised accounts (a result of darknet search playbook execution) to the customer’s board of directors along with statistics on the accounts on the list. Of all the compromised accounts, 71% belonged to the customer’s employees, with 63% of these being employees’ accounts in the services accessible from outside the company.

Statistics on the organization’s compromised accounts. Source: Kaspersky Digital Footprint Intelligence

The list contained a C-level officer’s account, among others. Since this was a critical situation, with everyone suspecting that officer’s laptop had been compromised, we ran a quick investigation during the meeting and figured out that credentials had been leaked from a third-party consultant’s machine. The chairman created an account in an external system with his own corporate email and shared the credentials with the consultant. Since it was clear that consultant’s laptop might contain other confidential data, we developed the following tactical response plan.

1. Collect a forensic triage package from the consultant’s laptop.
   
   • Analyze the package to identify all leaked credentials.
   • Check the consultant’s laptop for malware.
   • Run a keyword-based search to identify potential leaked documents.

   
   

2. Review email/VPN/other logs of likely affected services available from outside the organization to detect any abnormal activity by compromised accounts.
3. Double-check if multi-factor authentication was enabled for the compromised accounts at the time of compromise.
4. Update the incident response plan based on the findings. Reset the password and install a new OS image on the laptop at a minimum.

This incident could have been prevented by ensuring that employees and any third party with access to the network followed the policies. This is easy to say but it sometimes gets tricky and requires time, effort and deep technical knowledge in practice.

MSP/MSSP issues

Usually, MSSPs are more focused on continuous monitoring and alerting, ignoring detection gaps identification and visibility enhancements: a periodic review of the customer’s event audit policy, enabling a disabled log source or highlighting a poorly configured log source. For example, the X-Forwarded-For HTTP header is often not enabled on web servers. As a result, the SOC can’t see the original IP of the connection and determine the attack source, which complicates incident investigation.

In our compromise assessment practice, we frequently identify incidents that external SOCs have missed. During one project, we reviewed third-party antivirus logs and identified multiple webshell detections on the same server for several days.

The MSSP SOC analysts had failed to raise an alert, because the malware was deleted by the antivirus each time. This is a textbook example of a junior’s mistake. If a motivated adversary has access to the server via a vulnerability, they would try a range of techniques and tactics to try to bypass security. This is where the human analyst’s attention is needed to add an additional layer of protection and prevent this from happening.

This was exactly our case: the Kaspersky experts initiated deep forensic analysis and found out that the attacker tried different webshells over a few weeks. They finally found one that was not detectable by the AV vendor at the time, so they were able to get into the network. Further investigation revealed that the entire domain remained compromised for several months.

Monitoring and verifying the quality of service from your MSP or MSSP is often challenging. Contractual agreements typically prevent clients from accessing the provider’s internal systems for a thorough review. Additionally, customers may lack the technical expertise or time required to oversee every action taken by their subcontractors.

MSPs and subcontractors might not have enough cybersecurity awareness, which poses a challenge, where they might inadvertently expose the network to a cybersecurity risk by misconfiguring some security control or not following the best practice.

Incomplete incident response

Post-breach eradication of a threat actor requires planning of multiple actions to ensure complete removal of the attacker from the network or systems:

• Removal of malware, scripts, tools, and backdoors installed by the attacker.
• Changing the passwords for the compromised accounts and deleting any unauthorized service accounts that attackers might have created
• Rolling back system configurations that might increase the attack surface or introduce new vulnerabilities

Even after the malware is deleted, certain forensic artifacts remain in the system. Therefore, it is common to identify past attacks during compromise assessment. Intentional misconfiguration introduced by an attacker is a rarer case, but we occasionally find that enterprise incident response teams fail to eradicate these procedures.

As part of the Active Directory configuration review playbook, Kaspersky analysts identified a Group Policy with several suspicious properties.

1. A modification to the AllowReversiblePasswordEncryption property of each AD account, which made domain controllers store passwords in decryptable form (without using the one-way hash function). This configuration would enable the attacker to dump credentials in plaintext via attacks like DCSync.
2. Disabling the audit of operations related to Kerberos Tickets. This configuration would hide attacker logons on all endpoints managed via Active Directory.

False sense of security

It’s crucial to remember that the effectiveness of even top-tier products is at its highest when these are properly installed, configured, and integrated. Without proper configuration, organizations cannot fully harness the potential of their cybersecurity solutions, which hinders their ability to create a robust defense.

In our compromise assessment practice, we have witnessed several cases, listed below, which were detected because specialized scanners were deployed alongside an existing AV/EDR solution, providing a second layer of detection capabilities.

• Absence of detection rules. The customer’s antivirus was unable to detect a pivotnacci webshell because the vendor did not have a defined detection rule.
• Outdated malware signatures. The client antivirus was unable to detect malware because the network port listening to the central update server was blocked by a firewall, preventing the antivirus from receiving the latest updates.
• Shadow IT. The customer’s antivirus was not deployed on certain servers because those servers were not part of Active Directory, which left them unprotected.

Conclusion

Compromise assessment has proven to be an indispensable component in the broader cybersecurity strategy of these organizations. The cases discussed above underscore that no security measure, no matter how advanced, is entirely foolproof. From internal policy violations to patch management failures and overlooked misconfigurations by third-party service providers, the risks are manifold and often hidden in plain sight. These examples highlight that a false sense of security can be more dangerous than no security at all, as it leaves organizations vulnerable to threats that might have otherwise been detected with thorough, periodic assessments.

By integrating compromise assessment into the security framework, organizations can uncover these hidden threats, address vulnerabilities that slip through the cracks, and ultimately strengthen their overall security posture. In a world where cyberthreats are constantly evolving, the proactive identification and mitigation of potential compromises is not just advisable but also necessary. This approach ensures that organizations are not only reacting to breaches but are continuously verifying the effectiveness of their defenses, thereby reducing the risk of undetected compromises and safeguarding their assets more effectively.

securelist.com/compromise-asse…

If you’re hear a rushing noise, don’t be alarmed — that’s just the rapidly approaching 2024 Hackaday Supercon. As hard as it is to believe, a whole year has gone by, and we’re now just a few days away from kicking off our annual hardware hacking extravaganza in Pasadena. Tickets just sold out over the weekend — thank you procrastinators!

For those of you who have tickets to join us this weekend, we’ve got a few last minute announcements and bits of information we wanted to get out to you. As a reminder, you can find the full schedule for all three days on the official Supercon site.

New Events Added!

For those who’ve attended a Supercon before, you know we like to cram as much content as we can into the weekend. But there’s always room for more, and this year we’ve managed to squeeze in a couple extra activities that we’re very excited about.

Halloween Hacker Happy Hour

It just so happens that Halloween is the night before Supercon officially kicks off, and that seemed like too good of an opportunity to pass up. So we’ll be throwing a pre-event party at the nearby KingsRow Gastropub where costumes and all manner of blinking LEDs are very much encouraged. Officially we’ll be hanging out from 7:00 to 10:00 PM, but don’t be surprised if you find yourself still talking to Hackaday folks at last call.

You don’t need tickets for this event, but we’d like to have a rough head count, so if you could RSVP through Eventbrite we’d appreciate it.

Tina’s Junk Challenge

Tina’s been piling up her treasures for weeks
We’ve always wanted to introduce some kind of swap meet aspect to Supercon, but the logistics have always been a challenge. This year though, we’re finally going to get the chance to test out the idea. Former DesignLab Resident Tina Belmont is in the process of moving out of the country and needs to find a new home for her electronic bric-a-brac.

Everything is free, so attendees are encouraged to take anything they think they can make use of. Naturally, an influx of interesting hardware could provide for some very unique badge hacking possibilities. If we can get enough people to graft these second-hand components onto their badges, we just might be able to turn it into a proper category come Sunday night.

A table where folks can offload their electronic bits and bobs has worked well at other hacker cons, so we’re eager to see how it goes at Supercon. If this is something you’d like to see more of, or would potentially like to participate in next year, let us know.

Krux’s Side Quests

Let’s be honest, most of us are already taking our marching orders from the computer in one way or another. So why not turn it into a fun interactive game?

The idea is simple: use the mysterious retrocomputer oracle, and it gives you a quest. Maybe you’ll have to find a hidden item, or solve a riddle. Krux has a run a variation of this game at Toor Con in the past, but the challenges spit out by the computer this time will be tailored to Supercon.

Windows Through Wires Exhibition

You may recall that we asked the Hackaday community if they had any unusual display technology they’d like to show off during Supercon as part of an exhibit.

Well, as you might have imagined, the response was incredible. From gorgeous vintage pieces to completely custom hardware, there’s going to be a wide array of fascinating hardware for attendees to study up-close.

While getting a chance to see various display technologies throughout the years would have our attention as it is, what’s really exciting is that many of the custom-built devices in the exhibit are either projects hosted on Hackaday.io or ones that we’ve covered at some point on the front page.

Considering how gorgeous some of them have looked in photographs, we’re eager to drool over them in the real world — and we bet you are to.

Workshop Technical Difficulties

Hopefully we’ve provided enough good news that we can slip in a bit of the bad. Unfortunately, we’ve had to cancel the “Hands on with an Electron Microscope” workshop that was to be hosted by Adam McCombs and Isabel Burgos. Everyone with tickets will of course be getting a refund, and you should be receiving an email to that effect shortly if you haven’t already.

While we’re just as disappointed by this news as you are, it’s one of those situations where there simply weren’t any good solutions. Long story short, the scanning electron microscope that was small enough to bring to Supercon is down, and there’s just not enough time to get it up and running at this point. An attempt was made to find another small-ish electron microscope on short notice but…well, that’s just as tricky to pull off as it sounds.

Send Us Your Lightning Talks!

To end this update on a high note, we want to remind everyone that this year we’ll once again be going Lighting Talks on Sunday morning. If you’ve never given a talk before, the shorter seven minute format is perfect for getting your feet wet. Or maybe you’ve got something you want to talk about that doesn’t take a whole hour to explain. Either way, the Lightning Talks are a great way to share what your passionate about with the Supercon audience.

If you’d like to give a Lightning Talk, simply fill out this form. You can upload slides if you’ve got them, but they aren’t strictly necessary.

hackaday.com/2024/10/29/2024-s…

Frontiere Sonore Radio Show Ep. 4: Simone inizia una sezione di presentazione di piccole etichette italiane, in questa puntata presentiamo Stanze Fredde Records di Torino

iyezine.com/frontiere-sonore-r…

#radio

Frontiere Sonore Radio Show Ep. 4

Frontiere Sonore Radio Show Ep. 4 - Frontiere Sonore Radio Show Ep. 4: Simone inizia una sezione di presentazione di piccole etichette italiane, in questa puntata presentiamo Stanze Fredde Records di Torino -

^{Simone Benerecetti (In Your Eyes ezine)}

The Animal Kingdom, In un futuro prossimo alcuni umani iniziano a mutare trasformandosi gradualmente in animali.

iyezine.com/the-animal-kingdom

The Animal Kingdom

The Animal Kingdom - The Animal Kingdom, In un futuro prossimo alcuni umani iniziano a mutare trasformandosi gradualmente in animali. - The Animal Kingdom

^{Roberto Pardini (In Your Eyes ezine)}

Gli specialisti della Nanyang Technological University di Singapore hanno creato un microrobot delle dimensioni di un chicco di riso per la somministrazione mirata di farmaci in diverse parti del corpo. L’ispirazione è stata il film Fantastic Voyage degli anni ’60, in cui un equipaggio di sottomarini in scala ridotta entrava in un corpo umano per riparare il cervello di uno scienziato dall’interno.

Secondo il leader del team, Lum Guo Zhang, i metodi tradizionali di trattamento – compresse e iniezioni – hanno un’efficacia inferiore alla somministrazione mirata di farmaci tramite un microdispositivo. Lo sviluppo si basa su microparticelle magnetiche e polimeri sicuri per il corpo umano. Il movimento del robot è controllato utilizzando campi magnetici.

Ciò che è particolarmente importante è che per la prima volta la scienza è riuscita a creare un robot in miniatura in grado di trasportare quattro farmaci diversi contemporaneamente e di rilasciarli in un determinato ordine con il dosaggio richiesto. Nei modelli precedenti la sequenza non poteva essere programmata: i farmaci venivano rilasciati simultaneamente. Inoltre, il robot poteva erogare solo tre sostanze alla volta.

“La nostra invenzione è uno strumento importante per la medicina futura, soprattutto nel trattamento del cancro, dove è necessario un controllo preciso su più farmaci”, spiega il coautore Yang Zilin.

Anche il chirurgo Yeo Leong Litt Leonard delle cliniche di Singapore – National University Hospital e Ng Teng Fong General Hospital – vede un grande potenziale nell’uso dei microrobot. Secondo lui, potrebbero sostituire le moderne procedure minimamente invasive con cateteri e sonde, poiché possono raggiungere facilmente le zone del corpo difficili da raggiungere.

“Tali dispositivi potranno essere posizionati nel punto desiderato del corpo e rilasciare gradualmente i farmaci. Questo è molto più sicuro che lasciare un catetere o uno stent nel corpo del paziente per un lungo periodo”, afferma Yeo.

Ora il team sta lavorando per ridurre le dimensioni del dispositivo in modo che possa essere utilizzato nel trattamento dei tumori del cervello, della vescica e dell’intestino.

Ci sono già sviluppi simili nel mondo. Pertanto, gli ingegneri del Massachusetts Institute of Technology hanno creato batterie in miniatura delle dimensioni di un granello di sabbia: possono essere utilizzate come fonte di energia per i microrobot che forniscono medicinali. Una soluzione interessante è stata proposta anche dall’azienda californiana Endiatx. Il loro sviluppo, la capsula robotica PillBot delle dimensioni di un pistacchio , può sostituire l’endoscopia standard. Il dispositivo è dotato di una telecamera controllata ed è sicuro per il corpo.

L'articolo Microrobot Contro il Cancro! Terapia e Farmaci Mirati Grandi come un Chicco di Riso proviene da il blog della sicurezza informatica.

For those of you longing for better gaming on an Apple Silicon device, Asahi Linux is here to help.

While Apple’s own line of CPUs are relatively new kids on the block, they’ve still been around for four years now, giving hackers ample time to dissect their innards. The team behind Asahi Linux has now brought us “the only conformant OpenGL®, OpenCL, and Vulkan® drivers” for Apple’s M1 and M2.

The emulation overhead of the system means that most games will need at least 16 GB of RAM to run. Many games are playable, but newer titles can’t yet hit 60 frames per second. The developers are currently focused on “correctness” and hope to improve performance in future updates. Many indie titles are reported to already be working at full speed though.

You can hear more about some of the fiddly bits of how to “tessellate with arcane compute shaders” in the video below. Don’t worry, it’s only 40 minutes of the nine hour video and it should start right at the presentation by GPU dev [Alyssa Rosenzweig].

If you want to see some of how Linux on Apple Silicon started or some of the previous work on hacking the M1 GPU, we have you covered.

youtube.com/embed/pDsksRBLXPk?…

hackaday.com/2024/10/29/asahi-…

Attackers are increasingly distributing malware through a rather unusual method: a fake CAPTCHA as the initial infection vector. Researchers from various companies reported this campaign in August and September. The attackers, primarily targeting gamers, initially delivered the Lumma stealer to victims through websites hosting cracked games.

Our recent research into the adware landscape revealed that this malicious CAPTCHA is spreading through a variety of online resources that have nothing to do with games: adult sites, file-sharing services, betting platforms, anime resources, and web apps monetizing through traffic. This indicates an expansion of the distribution network to reach a broader victim pool. Moreover, we discovered that the CAPTCHA delivers not only Lumma but also the Amadey Trojan.

Malicious CAPTCHA in ad networks

To avoid falling for the attackers’ tricks, it’s important to understand how they and their distribution network operate. The ad network pushing pages with the malicious CAPTCHA also includes legitimate, non-malicious offers. It functions as follows: clicking anywhere on a page using the ad module redirects the user to other resources. Most redirects lead to websites promoting security software, ad blockers, and the like – standard practice for adware. However, in some cases, the victim lands on a page with the malicious CAPTCHA.

Examples of sites redirecting the user to a CAPTCHA

Unlike genuine CAPTCHAs designed to protect websites from bots, this imitation serves to promote shady resources. As with the previous stage, the victim doesn’t always encounter malware. For example, the CAPTCHA on one of the pages prompts the visitor to scan a QR code leading to a betting site:

CAPTCHA with QR code

The Trojans are distributed through CAPTCHAs with instructions. Clicking the “I’m not a robot” button copies the line powershell.exe -eC bQBzAGgAdABhA<…>MAIgA= to the clipboard and displays so-called “verification steps”:

• Press Win + R (this opens the Run dialog box);
• Press CTRL + V (this pastes the line from the clipboard into the text field);
• Press Enter (this executes the code).

CAPTCHA with instructions

We’ve also come across similar instructions in formats other than CAPTCHAs. For instance, the screenshot below shows an error message for a failed page load, styled like a Chrome message. The attackers attribute the problem to a “browser update error” and instruct the user to click the “Copy fix” button. Although the page design is different, the infection scenario is identical to the CAPTCHA scheme.

Fake update error message

The line from the clipboard contains a Base64-encoded PowerShell command that accesses the URL specified there and executes the page’s content. Inside this content is an obfuscated PowerShell script that ultimately downloads the malicious payload.

Payload: Lumma stealer

Initially, the malicious PowerShell script downloaded and executed an archive with the Lumma stealer. In the screenshot below, the stealer file is named 0Setup.exe:

Contents of the malicious archive

After launching, 0Setup.exe runs the legitimate BitLockerToGo.exe utility, normally responsible for encrypting and viewing the contents of removable drives using BitLocker. This utility allows viewing, copying, and writing files, as well as modifying registry branches – functionality that the stealer exploits.

Armed with BitLocker To Go, the attackers manipulate the registry, primarily to create the branches and keys that the Trojan needs to operate:

That done, Lumma, again using the utility, searches the victim’s device for files associated with various cryptocurrency wallets and steals them:

Then, the attackers view browser extensions related to wallets and cryptocurrencies and steal data from them:

Following this, the Trojan attempts to steal cookies and other credentials stored in various browsers:

Finally, the malware searches for password manager archives to steal their contents as well:

Throughout the data collection process, the Trojan tries to use the same BitLocker To Go to send the stolen data to the attackers’ server:

Once the malware has found and exfiltrated all valuable data, it starts visiting the pages of various online stores. The purpose here is likely to generate further revenue for its operators by boosting views of these websites, similar to adware:

Payload: Amadey Trojan

We recently discovered that the same campaign is now spreading the Amadey Trojan as well. Known since 2018, Amadey has been the subject of numerous security reports. In brief, the Trojan downloads several modules for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. It also detects crypto wallet addresses in the clipboard and substitutes them with those controlled by the attackers. One of the modules can also take screenshots. In some scenarios, Amadey downloads the Remcos remote access tool to the victim’s device, giving the attackers full access to it.

Snippet of Amadey code used in this campaign

Statistics

From September 22 to October 14, 2024, over 140,000 users encountered ad scripts. Kaspersky’s telemetry data shows that out of these 140,000, over 20,000 users were redirected to infected sites, where some of them saw a fake update notification or a fake CAPTCHA. Users in Brazil, Spain, Italy, and Russia were most frequently affected.

Conclusion

Cybercriminals often infiltrate ad networks that are open to all comers. They purchase advertising slots that redirect users to malicious resources, employing various tricks to achieve infections. The above campaign is of interest because (a) it leverages trust in CAPTCHA to get users to perform unsafe actions, and (b) one of the stealers makes use of the legitimate BitLocker To Go utility. The malware works to enrich its operators both by stealing victims’ credentials and crypto wallets, and by exploiting online stores that pay money for traffic to their websites.

Indicators of compromise

e3274bc41f121b918ebb66e2f0cbfe29
525abe8da7ca32f163d93268c509a4c5
ee2ff2c8f49ca29fe18e8d18b76d4108
824581f9f267165b7561388925f69d3av

securelist.com/fake-captcha-de…

La legge Calderoli spezzetta l'Italia e peggiora i iservizi "per tutti". Quello che migliora, se si vuol dire così, è il potere dei Presidenti di Regione e la "vicinanza" fra grossi imprenditori locali ed il sistema di potere.
Altro proprio non mi sovviene.

#autonomiadifferenziata