VNAs and Crystals
Oscillators may use crystals as precise tuned circuits. If you have a vector network analyzer (VNA) — or even some basic test equipment — you can use it to learn the parameters of a crystal. [All Electronics Channel] has the details, and you can see how in the video below.
There was a time when a VNA was an exotic piece of gear, but these days they are relatively common. Crystal parameters are important because crystals have a series resonance and a parallel resonance and they are not at the same frequency. You also may need to know how much loading capacitance you have to supply to get the crystal at the right frequency.
Sometimes, you want to pull the crystal frequency, and the parameters will help you figure that out, too. It can also help if you have a crystal specified as series in a parallel-mode oscillator or vice versa.
If you don’t have a VNA, you can use a tracking signal generator, as [Grégory] shows towards the middle of the video. The quality of a tuned circuit depends on the Q factor, and crystals have a very high Q factor.
We did something similar in 2018. The other way to pull a crystal frequency is a bit extreme.
The FantaPrivacy of FantaSanremo.
Christian Bernieri's full post is on his blog: garantepiracy.it/blog/fantasan…
Few things in life are as certain as the Sanremo Festival. Along with it, I also expect FantaSanremo. Nice: more than once I have expressed admiration for the idea, and I appreciate the verve it has given the festival. A winning symbiosis. But... there is always a "but" and, …
On the substance of what Conte said I completely agree, and I am not interested in quibbling over the use of the word "left", given that in Italy it has been dishonoured by governments that pursued anti-popular policies. The commentators attacking Conte have for the most part acted as a media escort for the disastrous neoliberal policies of the PD, from which Elly Schlein is trying to distance herself. Conte's position on the war and on European policies coincides with what Rifondazione has been arguing for years, so I can only express my solidarity. I do not understand why AVS does not join its voice to that of the M5S in telling the PD clearly that an alliance against the right must have as its dividing line a "no" to war and to a European Stability Pact that bets on the arms industry and on increased military spending. Back in 2022 I proposed a popular pacifist coalition, and I propose it again to the M5S and AVS. Drawing the line at the war does not mean playing the right's game, but demanding clarity on the fundamental issue in Europe today. The PD should stop being the party that votes to send arms to belligerent countries and supports NATO's wars. Distancing itself from Ursula von der Leyen's European Commission is also a minimum demand. As I repeat at every joint initiative against the right, an anti-fascist front for the Constitution should start from the repudiation of war enshrined in Article 11. To build unity, one must say enough to war and to adherence to ordoliberal austerity. How can one criticise Giorgia Meloni's cuts to healthcare and public spending without calling into question the Stability Pact and the European rules? I am sure that most PD and centre-left voters want policies of peace and social justice, that is, left-wing policies.
Maurizio Acerbo, national secretary of the Partito della Rifondazione Comunista
Acerbo (Prc): Conte is right, to build unity we must say enough to war
Ampere WS-1: The Other APL Portable Computer
When thinking of home computers and their portable kin it’s easy to assume that all of them provided BASIC as their interpreter, but for a while APL also played a role. The most quaint APL portable system here might be the Ampere WS-1, called the BIG.APL. Released in Japan in November of 1985, it was a very modern Motorola M68000-based portable with fascinating styling and many expansion options. Yet amidst an onslaught of BASIC-based microcomputers and IBM’s slow retreat out of the APL-based luggables market with its IBM 5110, an APL-only portable in 1985 was a daring choice.
Rather than offering both APL and BASIC as IBM's offerings had, the WS-1 offered only APL, with a custom operating system (called Big.DOS) that also provided a limited form of multitasking, with one background and one foreground task. Its rechargeable NiCd batteries could power the system for eight hours, including the 25 x 80 character LCD screen and the built-in microcassette storage.
Although never released in the US, it was sold in Japan, Australia and the UK, as can be seen from the advertisements in the Computer Ads from the Past article linked above. Clearly the WS-1 never made much of a splash, but its manufacturer seems to be still around today, which implies that it wasn't a total bust. You also have to admit that the design is unique, which is one of the reasons why this system has become a collector's item today.
Hackers now get into your mailbox: defending against "paper" phishing
Not content with their continuous online offensives, in Switzerland hackers are sending letters directly to citizens' homes to get them to download a fake mobile app that actually hides malware
Garante, OpenAI-Gedi: who is right? Here are the knots to untangle
We analyse the order of the Italian privacy authority (Garante) and Gedi's response. The issue is actually complex, also in light of case law. The distinction between personal data and editorial content, central to the regulatory framework, proves inadequate
Deals between AI big tech and the US military: why it is a turning point
More and more AI companies are working with the US military and Department of Defense, a sign of a changed climate in Silicon Valley. The latest: OpenAI, Meta, Anthropic. This also confirms how artificial intelligence can tip the balance in geopolitical relations between the US and
Cybersecurity and business continuity: the key role of Internet Service Providers
For an Internet Service Provider, ensuring business continuity means adopting resilience and redundancy strategies to guarantee continuity of service and protect users' data, keeping levels high
Preparing for the future: the main cyber security trends to watch in 2025
Cyber challenges and threats are becoming ever more complex and, in 2025 too, will continue to put our ecosystems to a hard test, forcing them to redefine their resilience strategy
The chip war between the United States and China: a technological and trade conflict
The "chip war" between the US and China is not only about semiconductors; it represents a struggle for global technological dominance. Future developments will have far-reaching implications for the entire economic balance
Holidays and weekends in the crosshairs of ransomware attacks: how to mitigate the risk
The Semperis report confirms a trend well known to industry analysts: ransomware attacks are concentrated in the periods when companies are most exposed, such as weekends and holidays. Here is how to protect yourself
Android updates December 2024: how to secure your devices
The December 2024 Android Security Bulletin fixes 14 vulnerabilities: none of them is rated critical and, at the moment, no active exploitation in the wild has been reported. Here are all the details and advice for
NIS 2 Directive: requirements and impacts for the healthcare sector
The NIS 2 Directive is an important instrument for guiding organisations towards adequate resilience, but it is also a fundamental regulatory element that acts as a lever for changing hospitals' approach to information security.
DroidBot, the Android spyware targeting financial institutions: how to defend yourself
DroidBot is the name given to a new Android malware that combines a sophisticated mix of attack techniques with spyware functionality, aimed mainly at financial institutions. Here is how
Behind the Blog: Healthcare and its Stakeholders
This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we talk about health insurance.
Samantha Cole (404 Media)
Hackaday Podcast Episode 299: Beaming Consciousness, Understanding Holograms, and Dogfooding IPv6
On this episode of the Hackaday Podcast, Editors Elliot Williams and Tom Nardi talk about the optical witchcraft behind holograms, the finer points of designing 3D printable threads, and the challenges of switching your local network over to IPv6. They’ll also cover how a clever software patch improves the graphics in a flight simulator from the 1990s, and why spacecraft flying into orbit powered by the SABRE engine is going to remain a dream for now.
From there you’ll hear about a reproduction VW gas gauge that works better than the real thing, custom ball screws, and the latest and greatest in homebrew battery charging. Finally, they’ll cap the episode off by exploring the conundrum that’s heating up London’s Underground, and diving into the (mostly) fictional history of teleportation.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Where to Follow Hackaday Podcast
Places to follow Hackaday podcasts:
Episode 299 Show Notes:
News:
- Hackaday Europe returns to Berlin on March 14th to the 16th! Details follow next week.
What’s that Sound?
- Think you know that sound? Fill out the form for a chance to win!
Interesting Hacks of the Week:
- Holograms: The Art Of Recording Wavefronts
- Runway-to-Space No More, Reaction Engines Cease Trading
- Air-Breathing Rocket Engine Promises Future Space Planes
- Single-Stage-to-Orbit: The Launch Technology We Wish Was Real
- 3D Printing Threaded Replacements
- Unique 3D Printer Has A Print Head With A Twist
- A Month Without IPV4 Is Like A Month Without…
- Cranking Up The Detail In A Flight Simulator From 1992
Quick Hacks:
- Elliot’s Picks:
- Gas Gauge Upgrade Keeps VW Restoration Classy
- Exercise Wheel Tracker Confirms Suspicions About Cats
- Rolling Your Own Ball Screws
- Tom’s Picks:
- Saving A Samsung TV From The Dreaded Boot Loop
- OSHW Battery Tester Aims To Help Tame Lithium Cells
- The Automatic Battery Charger You Never Knew You Needed
Can’t-Miss Articles:
Unifil, update the rules of engagement. Crosetto in Lebanon
"It is necessary to update Unifil's rules of engagement and allow the mission itself full and concrete freedom to act, in compliance with the resolution." This is the message that the Minister of Defence, Guido Crosetto, delivered to his Lebanese counterpart during an official visit at a highly complex moment
The 6809 8-Bit Microcomputer: A Father-Son Odyssey
If you're nostalgic for the golden age of microprocessors and dream of building your own computer, this story might spark your imagination. [Eric Lind], a passionate retro enthusiast, and his 14-year-old son embarked on a mission to craft a microcomputer from scratch, centred around the exotic Motorola 6809 chip: the µLind.
What sets this project apart is its ambition: bridging retro computing with modern enhancements. Starting with just a 6809 and some basic peripherals, the two designed a multi-stage roadmap to realize their dream. Each stage brought new challenges: debugging an address decoder, reworking memory management, and evolving glue logic into programmable GAL chips. Fascinatingly, the project isn't just about nostalgia—it's a playground for exploring multitasking operating systems and pushing the boundaries of 8-bit computing.
Their creativity shines in solutions like a C64-compatible joystick port, add-on expansion cards, and a memory overkill of 1MB RAM. With every setback—a missing pull-up resistor or a misrouted IRQ signal—their determination grew stronger. By combining old-school know-how with modern tools like KiCad, they’ve created something that is both personal and profoundly inspiring.
[Eric]'s hope and goal is to establish a community of people who want to expand beyond the traditional Z80- and 6502-based SBCs. Interested? Read [Eric]'s project log on Hackaday.io and start crafting!
Moderators Across Social Media Struggle to Contain Celebrations of UnitedHealthcare CEO's Assassination
While Reddit mods and admins try to keep up with the site's "no violence" terms of use, Facebook and LinkedIn are reacting with tens of thousands of laughing emojis.
Samantha Cole (404 Media)
Modular and lightweight. Here are the operator consoles for the navies of the future
Thanks to the technological acceleration of recent years, the future is ever closer, and Italy is playing a leading role in developing cutting-edge solutions. It is an important moment above all for those who build the core technology of the
This Week in Security: National Backdoors, Web3 Backdoors, and Nearest Neighbor WiFi
Maybe those backdoors weren’t such a great idea. Several US Telecom networks have been compromised by a foreign actor, likely China’s Salt Typhoon, and it looks like one of the vectors of compromise is the Communications Assistance for Law Enforcement Act (CALEA) systems that allow for automatic wiretapping at government request.
[Jeff Greene], a government official with the Cybersecurity and Infrastructure Security Agency (CISA), has advised that end user encryption is the way to maintain safe communications. This moment should forever be the touchstone we call upon when discussing ideas like mandated encryption backdoors, and even the entire idea of automated wiretapping systems like CALEA. He went on to make a rather startling statement:
I think it would be impossible for us to predict a time frame on when we’ll have full eviction
There are obviously lots of unanswered questions, but with statements like this from CISA, this seems to be an extremely serious compromise. CALEA has been extended to Internet data, and earlier reports suggest that attackers have access to Internet traffic as a result. This leaves the US telecom infrastructure in a precarious position where any given telephone call, text message, or data packet may be intercepted by an overseas attacker. And the FCC isn’t exactly inspiring us with confidence as to its “decisive steps” to fix things.
"We are taking decisive steps to address vulnerabilities in telecommunications networks following the Salt Typhoon cyberattack." pic.twitter.com/FLGCe9pS1I — The FCC (@FCC), December 5, 2024
In a sense, nothing has really changed: we're each ultimately responsible for our own security, and if anything is truly sensitive, it needs auditable encryption that doesn't have any backdoors. The Salt Typhoon national breach just serves as a painful reminder of that fact.
AI Fuzzing
There's yet another researcher thinking about LLM-guided fuzzing. This time, it's looking for HTTP/S endpoints on a public site. The idea here is that you can crawl a domain and collect every link to build a URL map of the site — but that list is likely incomplete. There may be an administrative page, undocumented API endpoints, or even unintended .git files. Finding those endpoints is a useful step towards finding vulnerabilities. Brainstorm is a new open-source tool that uses AI to find those non-obvious URLs.
There are a couple of interesting metrics for measuring how well endpoint discovery is done. The most straightforward is how many endpoints are found for a given site. The other is the ratio of requests made to endpoints discovered. And while this is just a sample size of one on a test site, Brainstorm found 10 hidden endpoints with only 328 requests. Impressive!
Fuzzing Android
And while we're talking about fuzzing, let's cover a part of Android that is sometimes forgotten about. Lots of apps are written in Java, but Android has a Native Development Kit, the NDK, that's very useful for using existing C/C++ code in Android apps. And as the NDK is powerful, complicated, and not as widely used, it's a prime target for finding issues.
This first article by Conviso doesn’t actually cover any vulnerabilities, though it’s fairly strongly hinted that there were bugs found. Instead, this is a great start on how to set up a fuzzing solution with the afl++ fuzzer, looking for issues in the NDK and native code. We’re looking forward to more posts in this series.
Breaking out of the VRChat Matrix
VRChat is an interesting experience. It's nominally a game intended for VR interactions in virtual worlds. A large element of the game is just wandering around the virtual worlds, many of them homages to other games or movies. That fact was not lost on the creators behind VRChat, who created the Udon scripting engine to expose lots of functionality, including access to some APIs of Unity, the underlying game engine. And that's interesting, because little quirks in Unity APIs may not be vulnerabilities in themselves, but exposing those APIs to potentially untrusted code might become a problem.
The problem here is the Unity functions for applying textures to objects. Texture sizes are 64-bit unsigned integers, but internally those values get mapped onto a 32-bit integer for an intermediate step. The value overflows, writing the texture runs past the end of a buffer, and suddenly we have a read/write primitive. Then a slight detour through the Steam overlay library gets us arbitrary shellcode execution, and we've escaped the VR Matrix.
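The narrowing described above, as an added illustration that is not code from the original article, from Unity or from VRChat: a 64-bit texture dimension is squeezed through a 32-bit intermediate, so the buffer sized from the narrowed value is far smaller than the data the caller intends to write, while a hardened path rejects any dimension or product that does not survive the conversion. The descriptor layout, field names and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for a texture descriptor; the real engine layout is
 * not on the page. Dimensions are 64-bit unsigned, as the text describes. */
typedef struct {
    uint64_t width;
    uint64_t height;
    uint64_t bytes_per_pixel;
} texture_desc_t;

/* Byte count the caller intends to write, computed in full 64-bit width. */
static uint64_t intended_bytes(const texture_desc_t *t)
{
    return t->width * t->height * t->bytes_per_pixel;
}

/* Vulnerable pattern: each 64-bit value is cast to a 32-bit intermediate.
 * The cast silently discards the high 32 bits, so a huge width becomes a
 * tiny one and the buffer sized from it is much smaller than the data. */
uint32_t vulnerable_buffer_size(const texture_desc_t *t)
{
    uint32_t w   = (uint32_t)t->width;           /* truncation happens here */
    uint32_t h   = (uint32_t)t->height;
    uint32_t bpp = (uint32_t)t->bytes_per_pixel;
    return w * h * bpp;                          /* the 32-bit product can wrap as well */
}

/* True when the intended write exceeds the buffer the vulnerable path sizes,
 * i.e. when the texture copy would run past the end of the allocation. */
bool vulnerable_overflows(const texture_desc_t *t)
{
    return intended_bytes(t) > (uint64_t)vulnerable_buffer_size(t);
}

/* Hardened helpers: range-checked narrowing and overflow-checked multiply. */
static bool narrow_u32(uint64_t v, uint32_t *out)
{
    if (v > UINT32_MAX) return false;            /* does not fit the intermediate */
    *out = (uint32_t)v;
    return true;
}

static bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t p = (uint64_t)a * (uint64_t)b;      /* 32x32 always fits in 64 bits */
    if (p > UINT32_MAX) return false;
    *out = (uint32_t)p;
    return true;
}

/* Hardened path: returns true and stores the size only when every step is
 * representable; any truncation or wrap is reported as a failure instead. */
bool hardened_buffer_size(const texture_desc_t *t, uint32_t *size_out)
{
    uint32_t w, h, bpp, wh, total;
    if (!narrow_u32(t->width, &w) || !narrow_u32(t->height, &h) ||
        !narrow_u32(t->bytes_per_pixel, &bpp))
        return false;
    if (!mul_u32_checked(w, h, &wh) || !mul_u32_checked(wh, bpp, &total))
        return false;
    if (total == 0) return false;                /* a zero-sized texture is rejected too */
    *size_out = total;
    return true;
}
```

The width `2^32 + 16` in the test narrows to 16, so the vulnerable path allocates 64 bytes for a write of more than 16 GiB; the hardened path refuses it outright.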
Nearest WiFi Neighbor
Modern WiFi security is split roughly between PSK and Enterprise, where PSK is a Pre-Shared Key, and Enterprise is a scheme using individual usernames and individual authentication. One form that authentication can take is a simple username/password pair. An advanced threat actor, believed to be APT28 out of Russia, developed and deployed an impressive attack campaign that took advantage of the username/password authentication of WiFi networks in a creative way.
This was the Nearest Neighbor attack, and to understand it we first have to talk about credential stuffing. It's reasonably easy to generate a list of email addresses of users at a target business. That list can be combined with a list of potential passwords from breaches, and all the most promising combinations used to attempt to log in to public services. This is the basis of credential stuffing, and it's been used in multiple breaches over the last few years. One of the sure-fire safeguards against stuffing is multi-factor authentication: even if a password is correct, it still doesn't get you into the service, because of 2FA.
The kicker is that Enterprise WiFi doesn't do 2FA. If a single user account is used for both the public service and the WiFi, then verifying the password against the public service gets you a valid WiFi sign-on. Part two of Nearest Neighbor is how hackers in Russia actually used those credentials against an unnamed US organization.
This is where the name comes from. The approach was to first hack the nearest neighbor, move laterally until you find an Ethernet connected machine that also has a WiFi card, and use the purloined credentials to hop the gap into the target’s network. Check the link for more details. The actual target has not been revealed, and it may be quite some time before we learn who exactly was breached by this new, creative technique.
$150,000+ Gone
Solana runs a blockchain platform, primarily doing web3 and smart contracts. To make those products work, Solana publishes solana-web3.js on npm. This week, that library was compromised, and a pair of malicious versions were uploaded. The exact timing was December 2, from 15:20 to 20:25 UTC.
The malicious package was a simple key stealer, obviously aimed at compromising wallets of any developers or other use cases where the code has access to those keys. The value of the stolen cryptocurrency currently sits between $150,000 and $200,000.
Bits and Bytes
Don’t trust the Webcam LED. Many webcams have a light to indicate when they are capturing images. This is your periodic reminder: that LED is just connected to a GPIO, and isn’t necessarily trustworthy. The Lights Out attack re-flashes the webcam’s firmware, giving arbitrary control over that LED.
Scareware has long been a problem, and it’s been around on mobile for quite a while now, but this was a new trick to me: a full screen image that mimics a broken screen. Now this one is really leaning into the scare element, and the prompt drawn over the “broken” screen quickly gives the trick away.
VPN appliances are built to keep unauthorized users out, but what happens when a user tries to connect to a malicious VPN? For many clients, the results aren't pretty. And now, to better explore those potential issues, AmberWolf has released NachoVPN. (Love the pun.) The tool is open source and available on GitHub.
And finally, if you want to brush up on your OAuth2 understanding, there’s a new project that may be for you: OAuth Labs. This is a series of simulated challenges, where you can exploit vulnerable OAuth implementations. The challenges are self hosted as Docker runners. Let us know if you decide to take on the challenge!
Pavel Durov Against the Underground! Telegram Falls into Line in the Fight Against Child Abuse
The Telegram messenger has begun cooperating with the International Internet Watch Foundation (IWF) to combat the spread of child sexual abuse material. The platform had previously refused to engage with the IWF or other similar initiatives, despite repeated requests.
The IWF works with the major Internet companies to provide tools for identifying and removing prohibited content. Derek Ray-Hill, interim CEO of the IWF, noted that Telegram joining the foundation will allow it to start using the IWF's advanced tools to ensure that such material cannot be distributed on the platform. The foundation described the decision as "transformative", stressing that this is only the initial stage on the path to change.
Telegram's change of position came four months after the detention in France of its founder Pavel Durov. He was accused of insufficient cooperation with law enforcement in the fight against drug trafficking, fraud and the distribution of child sexual abuse material. A court order bars Durov from leaving France until the investigation is complete. Company representatives called the accusations unjust, stating that the founder is not responsible for the actions of users.
In this context, Telegram announced the introduction of new measures aimed at improving moderation. The company stated that it will begin sharing offenders' IP addresses and phone numbers upon official request from law enforcement, will disable the "people nearby" feature used by scammers, and will regularly publish content moderation reports. Pavel Durov announced his intention to turn Telegram's approach to moderation from an object of criticism into an example to follow.
The messenger is popular in the CIS countries, Iran and the Middle East. However, journalists' investigations have revealed that Telegram is used to advertise drugs, offer cybercrime services and distribute prohibited material. One expert described the platform as "the darknet in your pocket" because of its popularity among criminal elements.
Telegram reported that, before joining the IWF, it was already removing hundreds of thousands of prohibited items every month using its own algorithms. Company representatives now say that cooperation with the foundation will strengthen the control mechanisms aimed at combating the spread of prohibited material.
The article Pavel Durov Contro l'Underground! Telegram si Allinea nella Lotta agli Abusi Dei Minori comes from il blog della sicurezza informatica.
Black Basta claims a cyber attack on Medica Corp. – about 1.5 terabytes of data exfiltrated
On 4 December 2024, an alleged cyber attack on Medica Corporation, an American company specialising in diagnostic blood analysers, was claimed on the Data Leak Site of the Black Basta RaaS.
A countdown is running that marks the time until the data is published, which according to the cybercriminals will happen in 5 days and 18 hours.
At present, we cannot confirm the authenticity of the news, since the organisation has not yet published an official statement on its website regarding the incident. The information reported comes from public sources accessible on underground sites, and should therefore be treated as a source of intelligence and not as definitive confirmation.
The samples of exfiltrated data include corporate and administrative documents and NDAs, but also employees' identity documents and much more. We do not yet have confirmation of the methodology used to breach Medica's database; it is presumed that the attackers carried out a spear-phishing strategy, sending emails with malicious attachments to obtain a remote user's access credentials inside the corporate network, and then proceeded with persistence and privilege escalation by creating a fake account with "admin" privileges.
"Black Basta" is a new ransomware strain discovered in April 2022 (it appears to have been in development since at least early February 2022). Given its ability to rapidly accumulate new victims and the style of its negotiations, it is likely not a new operation but rather a rebranding of the well-known Conti RaaS, which shut down in 2022.
CONCLUSIONS
Today, ransomware still remains one of the most serious cyber threats. To counter it, in addition to implementing the security of IT systems, it is necessary to put in place a policy of informing users and raising their awareness of the scale of such threats and of how to recognise them and stop them at the outset.
As is our custom, we always leave room for a statement from the company, should it wish to give us updates on the matter. We will be happy to publish such information in a specific article, giving prominence to the issue.
DarkLab will monitor the development of the story in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.
The article Black Basta rivendica un attacco Informatico a Medica Corp. – Esfiltrati circa 1,5 Tera Byte di dati comes from il blog della sicurezza informatica.
The Hacker Behind Scattered Spider Caught: How a 19-Year-Old Breached the Networks of Global Companies
US authorities have arrested a 19-year-old black hat hacker associated with the well-known Scattered Spider group. The suspect is linked to the hacking of an unnamed financial institution and two telecommunications companies.
According to law enforcement, the detainee, Remington Goy Ogletree, also known online as remi, infiltrated the networks of three unnamed companies. To do so, he used the credentials of their own employees, stolen through phishing attacks (both text and voice). For example, he reportedly posed as a technical support employee, luring victims to phishing sites that asked them to enter their credentials.
In February of this year, during a search of Ogletree's home, the FBI found abundant evidence of criminal activity on the iPhone seized from him, including screenshots of phishing messages and credential-harvesting phishing pages, as well as screenshots of crypto wallets containing tens of thousands of dollars in cryptocurrency.
The financial institution that suffered the cyber attack informed the FBI that about 149 of its employees had been targeted by phishing attacks (between October 2023 and November 2023). The attacks sought to lure people to phishing pages disguised as the company's own resources.
"Analysis of the screenshots of the phishing messages revealed emails designed to mislead employees into providing their credentials. These included fraudulent messages stating that 'employee benefits packages have been updated' and that 'working hours have been changed'," the court documents state. "Other phishing emails informed employees that they had received an 'HR request' or a 'VPN profile update'."
Furthermore, according to the investigation, between October 2023 and May 2024 Ogletree used his access to the systems of the unnamed telecommunications companies to send more than 8.6 million phishing SMS messages to users across the United States. The goal of this large-scale campaign was to steal cryptocurrency.
In October 2023, Trend Micro reported that some of these attacks targeted customers of cryptocurrency platforms such as Gemini and KuCoin, and that the attackers used the domains yourgeminiclaims[.]net and kucoinclaims[.]com in the attacks.
It is worth noting that during questioning, Ogletree told the FBI that he knew "people who commit all kinds of crimes" and "key members of Scattered Spider". He also added that the criminal hacker group mainly attacks companies involved in business process outsourcing, because they are far less protected than their clients.
Scattered Spider is also known by other names: Starfraud, Octo Tempest, Muddled Libra, 0ktapus (Group-IB), UNC3944 (Mandiant) and Scatter Swine (Okta).
The group is believed to have been active since 2022, and its financially motivated attacks mainly target organisations operating in customer relationship management (CRM), business process outsourcing, telecommunications and technology.
Typically, the group uses complex social engineering schemes, which often lead to SIM swapping. In particular, Scattered Spider is known for its attacks using the BlackCat (Alphv), Qilin and RansomHub ransomware, including against MGM Resorts and the Caesars Entertainment casino chain.
Last autumn, Mandiant specialists warned that Scattered Spider had breached at least 100 organisations, mostly located in the United States and Canada. At the same time, even then, cybersecurity specialists concluded that the core membership of Scattered Spider consisted of English-speaking teenagers aged between 16 and 22.
The article Catturato l'Hacker Dietro Scattered Spider: Come un 19enne Ha Violato le Reti di Aziende Globali comes from il blog della sicurezza informatica.
Salt Typhoon’s assault on US telcos
@Informatica (Italy e non Italy 😁)
What we know about the attack that, through the main American telecommunications companies, gained access to customer data and even to the communications of some of those customers.
The article L’assalto di Salt Typhoon alle telco Usa originally appeared on Guerre di Rete.
Retro Computer Goes Back to the 1950s
When tackling a retrocomputing project, plenty of us will go back to a place like the 80s and restore something like a Commodore 64 or Apple II. These computers were very popular and have plenty of parts and documentation available. Fewer will go back to the era of the Intel 8008 or even the 4004, which were the first commercially available integrated circuit chips. But before even those transistor-based computers is a retrocomputing era rarely touched on: the era of programmable vacuum tube machines. [Mike] has gone back to the 1950s with this computer, which uses vacuum tubes instead of transistors.
Hacked Ultrasonic Sensors Let You See With Sound
If you want to play with radar — and who could blame you — you can pretty easily get your hands on something like the automotive radar sensors used for collision avoidance and lane detection. But the “R” in radar still stands for “Radio,” and RF projects are always fraught, especially at microwave frequencies. What’s the radar enthusiast to do?
While it’s not radar, subbing in ultrasonic sensors is how [Dzl] built this sonar imaging system using a lot of radar principles. Initial experiments centered around the ubiquitous dual-transducer ultrasonic modules used in all sorts of ranging and detection projects, with some slight modifications to tap into the received audio signal rather than just using the digital output of the sensor. An ESP32 and a 24-bit ADC were used to capture the echo signal, and a series of filters were implemented in code to clean up the audio and quantify the returns. [Dzl] also added a downsampling routine to bring the transmitted pings and resultant echoes down into the human-audible range; they sound more like honks than pings, but it’s still pretty cool.
To make the simple range sensor more radar-like, [Dzl] needed to narrow the beamwidth of the sensor and make the whole thing steerable. That required a switch to an automotive backup sensor, which uses a single transducer, and a 3D-printed parabolic dish reflector that looks very much like a satellite TV dish. With this assembly stuck on a stepper motor to swivel it back and forth, [Dzl] was able to get pretty good images showing clear reflections of objects in the lab.
If you want to start seeing with sound, [Dzl]’s write-up has all the details you’ll need. If real radar is still your thing, though, we’ve got something for that too.
Thanks to [Vanessa] for the tip.
PODCAST. Syria. Hama has fallen, the jihadists push toward Homs
@Notizie dall'Italia e dal mondo
The offensive by the forces led by Hay'at Tahrir Al Sham continues, overwhelming Syrian government forces beyond all expectations. The fall of Homs would cut the links to the coast and to the Russian bases. Analysis by journalist Lorenzo Trombetta, an expert on
GAZA. Israeli troops surround the “Kamal Adwan” hospital, dozens dead in Beit Lahiya
@Notizie dall'Italia e dal mondo
Director Hussam Abu Safiya reports: “The situation is catastrophic. There are no surgeons left. Four members of the medical staff and a 16-year-old boy have been killed.”
The article GAZA. Israeli troops surround
AFGHANISTAN – No more midwives or nurses
@Notizie dall'Italia e dal mondo
It is the latest attack on women by the Taliban: girls will no longer be able to attend training courses in midwifery and nursing, the only path they had left to study and find a job. Thousands of students will now stay at home; the entire female population is confined. The
Exploits and vulnerabilities in Q3 2024
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number of exploits for it will drop. As for Linux, this operating system has the Linux Kernel Runtime Guard (LKRG), implemented as a separate kernel module. Although the first version of LKRG was released back in 2018, it is undergoing constant refinement. And it is becoming more actively used in various Linux builds.
Statistics on registered vulnerabilities
As is customary, this section presents statistics on registered vulnerabilities. The data is taken from cve.org.
Total number of registered vulnerabilities and number of critical ones, Q3 2023 and Q3 2024
Q3 2024 preserved the upward trend in the number of vulnerabilities detected and registered. As before, the graph shows an increase relative to the same period in 2023 in both the total number of vulnerabilities and the number of critical ones. Notably, the number of discovered vulnerabilities over the three quarters is almost four-fifths of the whole of last year’s figure, further evidence of a marked increase.
Number of vulnerabilities and the shares of those that are critical and of those for which exploits exist, 2019 — 2024
The total number of first-time publications of PoCs for fresh CVEs rose by 2%, which indicates an acceleration in exploit creation. The rise in the number of PoCs may also be due to the fact that security researchers are increasingly not just reporting a vulnerability, but releasing detailed data that includes an exploit. Most PoCs appear within a week of the developers of the vulnerable software releasing a patch.
Exploitation statistics
This section presents statistics on exploit usage in Q3 2024. The data is obtained from open sources and our own telemetry.
Windows and Linux vulnerability exploitation
Among the exploits detected by Kaspersky solutions for Windows are ones for relatively new vulnerabilities that are gaining popularity. These include vulnerabilities in WinRAR, Microsoft Office, Windows Error Reporting Service and Microsoft Streaming Service Proxy:
- CVE-2023-38831 – a vulnerability in WinRAR to do with incorrect handling of objects in an archive;
- CVE-2023-23397 – a vulnerability that allows an attacker to steal authentication data from Outlook;
- CVE-2023-36874 – an impersonation vulnerability that allows the CreateProcess function to run as the SYSTEM user;
- CVE-2023-36802 – a UAF vulnerability in the mskssrv.sys driver.
Meanwhile, the most common vulnerabilities in Microsoft Office products are quite old ones:
- CVE-2018-0802 – a remote code execution vulnerability in the Equation Editor component;
- CVE-2017-11882 – another remote code execution vulnerability in Equation Editor;
- CVE-2017-0199 – Microsoft Office and WordPad vulnerability that can be used to gain control over the victim system;
- CVE-2021-40444 – a remote code execution vulnerability in the MSHTML component.
Because these old vulnerabilities are leveraged as tools for initial access to user systems, we recommend updating the relevant software.
Dynamics of the number of Windows users who encountered exploits, Q1 2023 — Q3 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%
For Linux, Kaspersky products detected exploits for the following vulnerabilities:
- CVE-2023-2640 – a vulnerability in the OverlayFS kernel module. Allows privileged labels to be applied to files that can be used after mounting the file system;
- CVE-2023-22809 – a vulnerability in the Sudo utility that allows an attacker to run commands under another user in the system. An attacker can bypass initial settings restricting access to the utility’s functionality and act as any user;
- CVE-2023-4911 – a vulnerability in the dynamic loader ld.so to do with a buffer overflow when processing the environment variable GLIBC_TUNABLES;
- CVE-2023-32233 – a UAF vulnerability in the Netfilter subsystem that allows writing and reading data at arbitrary addresses in kernel memory;
- CVE-2023-3269 – a UAF vulnerability in the kernel memory management system that allows an attacker to run arbitrary code;
- CVE-2023-31248 – a UAF vulnerability in nftables that allows an attacker to run arbitrary code when firewall rules are being processed.
Changes in the number of Linux users who encountered exploits, Q1 2023 — Q3 2024. The number of users who encountered exploits in Q1 2023 is taken as 100%
As the detection statistics and the list of common exploits for Linux show, it is critical to update both kernel components and applications that you use regularly.
Most prevalent exploits
Distribution of exploits for critical vulnerabilities by platform, Q1 2024
Distribution of exploits for critical vulnerabilities by platform, Q2 2024
Distribution of exploits for critical vulnerabilities by platform, Q3 2024
In Q3, vulnerabilities that have workable exploits and are considered the most critical (according to our methodology) were more likely than before to be related to operating system subsystems. This is because researchers, like attackers, give preference to code that is present in the operating system regardless of what software the user prefers. This allows them to target more devices and find new ways to run commands on vulnerable systems.
Vulnerability exploitation in APT attacks
We analyzed which vulnerabilities were most often used in advanced persistent threats (APTs) in Q3. The ranking below is based on our telemetry, research and open sources.
TOP 10 vulnerabilities exploited in APT attacks, Q3 2024
The list of vulnerabilities exploited in APT attacks has changed since last quarter. It now includes vulnerabilities that grant access to systems running web applications and mail servers. Some of the vulnerabilities are quite fresh, with one being registered last year and three this year. That said, most of the listed vulnerabilities are at least three years old. This suggests that developing exploits for new vulnerabilities is a harder task than writing new code for known ones. The longer an issue remains unfixed, the more information about it is available to attackers, since researchers and vendors publish data on vulnerabilities. In addition, if potential targets fail to patch old vulnerabilities for whatever reason, there is no need for attackers to look for new ones. This only goes to show yet again how important it is to update systems in a timely manner.
Interesting vulnerabilities
This section presents information about vulnerabilities of interest that were registered in Q3 2024.
CVE-2024-47177 (CUPS filters)
The issue was discovered in the Linux version of CUPS, a printing toolkit for Unix-like operating systems, such as iOS, macOS and Linux. Specifically, CUPS helps manage printers on a local network. See below for a flowchart of how it works.
To start any job, the CUPS scheduler creates a job file. The file may contain print setup information and special PostScript commands. One of these commands, FoomaticRIPCommandLine, contains a logical vulnerability that allows arbitrary commands to be run in the operating system shell. To exploit the vulnerability, an attacker just needs to create a malicious printer configuration, but in order to run the code, the user must be persuaded to print any document on that printer. The malicious code automatically executes when printing begins.
The main problem with CUPS is the lack of restrictions on the actions that can be performed on the system through this toolkit. To detect exploitation of the vulnerability, it is essential to monitor the commands executed by the foomatic-rip print filter.
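The monitoring the paragraph above calls for can be expressed as a small detection over process-execution telemetry. The following is an added example, not code from the original post or from the CUPS project: it reads constructed JSON-lines process events (the field names are an assumption about the collector) and flags any child of foomatic-rip that is not on an allowlist of expected renderers, calling out shells separately because that is the path the vulnerability takes.

```python
import json
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of process-execution events as JSON lines, in the shape an
# EDR or auditd-derived pipeline might emit them (field names are an assumption).
SAMPLE_EVENTS = """\
{"ts": "2024-09-27T10:01:02Z", "pid": 4120, "ppid": 4100, "parent_comm": "cupsd", "comm": "foomatic-rip", "cmdline": "foomatic-rip 12 lp job1 1 finishings=3", "uid": 7}
{"ts": "2024-09-27T10:01:03Z", "pid": 4121, "ppid": 4120, "parent_comm": "foomatic-rip", "comm": "gs", "cmdline": "gs -q -dNOPAUSE -dBATCH -sDEVICE=ijs -sOutputFile=- -", "uid": 7}
{"ts": "2024-09-27T10:05:44Z", "pid": 4188, "ppid": 4180, "parent_comm": "foomatic-rip", "comm": "sh", "cmdline": "sh -c id", "uid": 7}
{"ts": "2024-09-27T10:05:45Z", "pid": 4189, "ppid": 4188, "parent_comm": "sh", "comm": "id", "cmdline": "id", "uid": 7}
{"ts": "2024-09-27T10:06:00Z", "pid": 4200, "ppid": 1, "parent_comm": "systemd", "comm": "sshd", "cmdline": "/usr/sbin/sshd -D", "uid": 0}
"""

# Assumption for this environment: the only program foomatic-rip is expected to
# launch is the Ghostscript renderer. Baseline your own fleet before relying on it.
EXPECTED_CHILDREN = frozenset({"gs"})
SHELLS = frozenset({"sh", "bash", "dash", "zsh"})


@dataclass(frozen=True)
class Finding:
    ts: str
    pid: int
    comm: str
    cmdline: str
    reason: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_foomatic_rip_children(events: Iterable[dict],
                                 expected: frozenset = EXPECTED_CHILDREN) -> list[Finding]:
    """Flag every process spawned by foomatic-rip that is not an expected renderer.

    A shell child gets its own reason string because the attack path described
    above is exactly that: a printer attribute turned into a shell command line.
    """
    findings = []
    for ev in events:
        if ev.get("parent_comm") != "foomatic-rip":
            continue
        child = ev.get("comm", "")
        if child in expected:
            continue
        reason = ("shell spawned by print filter" if child in SHELLS
                  else "unexpected child of print filter")
        findings.append(Finding(ev["ts"], int(ev["pid"]), child, ev.get("cmdline", ""), reason))
    return findings


if __name__ == "__main__":
    for f in detect_foomatic_rip_children(parse_events(SAMPLE_EVENTS)):
        print(f"{f.ts} pid={f.pid} {f.reason}: {f.cmdline}")
```

The allowlist is the knob that matters: foomatic-rip legitimately launches a renderer, so alerting on every child would drown the signal, whereas a shell or anything outside the baseline is worth a ticket.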
CVE-2024-38112 (MSHTML Spoofing)
Discovered in active attacks carried out in May 2024, this vulnerability can be used to run code on a system through an old version of Internet Explorer. It stems from being able to create a malicious .url file that bypasses Microsoft Edge and runs an old version of Internet Explorer. This is achieved by using !x-usc, a special directive that must be handled by the MSHTML protocol. Such sleight of hand recalls to mind the exploitation of another popular vulnerability in Microsoft Office, CVE-2021-40444, which we wrote about here.
While researching the vulnerability, we learned that in early August an exploit with functionality similar to the exploit for CVE-2024-38112 was up for sale on the dark web:
Screenshot of an ad selling an exploit, presumably for CVE-2024-38112 (data provided by Kaspersky Digital Footprint Intelligence)
Such attacks can be prevented by denylisting emails with .url file attachments and, of course, by applying the Microsoft patch.
CVE-2024-6387 (regreSSHion)
Security issues with the OpenSSH tool always reverberate far and wide, since many systems run on the Linux kernel, where effectively the main way to remotely access OS functionality is via an SSH server. In 2023, for instance, the CVE-2023-51385 vulnerability was found to exist in all versions of OpenSSH prior to 9.6 – the dark web was selling an exploit that claimed to cover this unaffected version too, but it may have been a dummy:
Ad selling an exploit for OpenSSH (data provided by Kaspersky Digital Footprint Intelligence)
A new vulnerability, CVE-2024-6387, dubbed regreSSHion, also caused a stir in Q3 2024. The issue arises during SSH authentication. The vulnerable code is located in the SIGALRM handler, which runs asynchronously and uses unsafe functions to interact with memory. This makes it possible to launch an attack on the system at the very stage when the SSH server receives authentication data.
Threat actors have used regreSSHion to attack researchers in a very unconventional way. No sooner had the general principle of the vulnerability been published than there appeared false PoCs and various malware projects that in reality had nothing to do with regreSSHion.
At the time of writing this post, around 105 fake projects had been published online claiming to contain an exploit for CVE-2024-6387. However, a working proof of concept (PoC) for this vulnerability has not yet been published.
CVE-2024-3183 (FreeIPA)
A vulnerability found in FreeIPA, the open-source suite that provides centralized identity management and authentication for Linux systems. The issue occurs during Kerberos authentication. A user with minimal privileges on the network can sniff ticket encryption data and use it to carry out a Kerberoasting attack, which attackers have previously done to gain access to Windows-based infrastructure.
Most interesting of all, this vulnerability can be exploited by performing a minimal update of the toolkit used for Kerberoasting attacks on Windows Active Directory systems.
An effective countermeasure is the patch, but if for some reason installation isn’t possible, you need to monitor ticket requests for user principals on the FreeIPA network that differ from the user making the request.
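The monitoring rule just stated can be run directly against the KDC log. The following is an added example, not code from the original post or from the FreeIPA project: it parses constructed lines modeled on the MIT krb5kdc.log TGS_REQ format that FreeIPA's KDC writes (hosts, principals and addresses are made up), keeps the service-ticket requests whose target is a user principal other than the requester, notes whether the ticket was issued with RC4-HMAC (etype 23, the cipher roasting tools prefer because it is cheap to crack), and counts how many distinct accounts each requester swept.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed KDC log lines modeled on the MIT krb5kdc.log TGS_REQ format that
# FreeIPA's KDC writes. All hosts, principals and addresses are made up.
KDC_LOG = """\
Sep 27 10:01:02 ipa.example.test krb5kdc[1201](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1727431262, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for HTTP/web.example.test@EXAMPLE.TEST
Sep 27 10:02:10 ipa.example.test krb5kdc[1201](info): TGS_REQ (1 etypes {23}) 10.0.0.77: ISSUE: authtime 1727431330, etypes {rep=18 tkt=23 ses=18}, lowpriv@EXAMPLE.TEST for svcadmin@EXAMPLE.TEST
Sep 27 10:02:11 ipa.example.test krb5kdc[1201](info): TGS_REQ (1 etypes {23}) 10.0.0.77: ISSUE: authtime 1727431330, etypes {rep=18 tkt=23 ses=18}, lowpriv@EXAMPLE.TEST for backupadm@EXAMPLE.TEST
Sep 27 10:03:00 ipa.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1727431380, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<src>\S+): ISSUE: .*?"
    r"etypes \{rep=\d+ tkt=(?P<tkt>\d+) ses=\d+\}, (?P<client>\S+) for (?P<service>\S+)$"
)
RC4_HMAC = 23  # Kerberos etype 23 (rc4-hmac): weak and fast to brute-force offline


@dataclass(frozen=True)
class TicketFinding:
    src: str
    client: str
    service: str
    tkt_etype: int

    @property
    def weak_cipher(self) -> bool:
        return self.tkt_etype == RC4_HMAC


def parse_tgs_requests(log_text: str) -> list[dict]:
    """Return one dict per TGS_REQ ISSUE line; AS_REQ and other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            d = m.groupdict()
            d["tkt"] = int(d["tkt"])
            out.append(d)
    return out


def is_user_principal(principal: str) -> bool:
    """Service principals are written svc/host@REALM; user principals have no '/'."""
    name = principal.split("@", 1)[0]
    return "/" not in name


def find_roasting_candidates(log_text: str) -> list[TicketFinding]:
    """Apply the rule from the text: a service ticket requested for a user
    principal other than the requester. These tickets are what Kerberoasting
    collects, since their encryption is derived from that user's password."""
    findings = []
    for req in parse_tgs_requests(log_text):
        if is_user_principal(req["service"]) and req["service"] != req["client"]:
            findings.append(TicketFinding(req["src"], req["client"], req["service"], req["tkt"]))
    return findings


def requesters_by_volume(findings: list[TicketFinding]) -> Counter:
    """Distinct targeted user principals per requester: one client sweeping
    several accounts is the roasting pattern rather than a one-off lookup."""
    targets = defaultdict(set)
    for f in findings:
        targets[f.client].add(f.service)
    return Counter({client: len(s) for client, s in targets.items()})


if __name__ == "__main__":
    found = find_roasting_candidates(KDC_LOG)
    for f in found:
        print(f"{f.src} {f.client} -> {f.service} tkt_etype={f.tkt_etype} weak={f.weak_cipher}")
    print(requesters_by_volume(found))
```

The request to HTTP/web.example.test is ignored because it is a normal service principal; the two requests from lowpriv for other users' principals are reported, and their RC4 ticket encryption is the detail that turns a suspicious lookup into a high-confidence alert.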
CVE-2024-45519 (Zimbra)
A vulnerability in the postjournal service that allows an attacker to manipulate email messages. What the vulnerability essentially allows is an OS command injection attack in its simplest form. An attacker able to send email to the server can place a payload in the To field of a message that the target service then runs. The command is executed with the privileges of the mail user.
You can guard against this vulnerability by disabling the postjournal service or updating the mail server to the latest version. At the time of posting, it was no longer possible to install the vulnerable postjournal. Instead, the patched version is automatically loaded when deploying the mail server.
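The class of bug described here, header text reaching a shell, is easiest to understand next to its fix. The following is an added, generic illustration and not Zimbra's postjournal code: a hypothetical journaling hook (the tool path and flag are placeholders) is shown once in the vulnerable form that concatenates the recipient into a shell string, and once in the hardened form that validates the address against a strict pattern and passes it as an argv element so no shell ever parses it.

```python
import re
import subprocess
from typing import Callable, Sequence

# Hypothetical journaling hook: the mail service hands each recipient to an
# external tool. Path and flag are placeholders, not Zimbra's.
JOURNAL_TOOL = "/usr/local/bin/journal-tool"  # placeholder path

# Strict allowlist for the local part and domain of an address. Anything that
# is not a plain address (spaces, ';', '$', backticks, ...) fails this match.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Characters a POSIX shell would interpret if the string below were run with shell=True.
SHELL_META = set(";|&$`<>()\n")


def build_command_unsafe(recipient: str) -> str:
    """The vulnerable pattern: header text spliced into a shell command string.
    Whatever metacharacters the recipient contains become part of the command."""
    return f"{JOURNAL_TOOL} --to {recipient}"


def contains_shell_metachars(command: str) -> bool:
    """True when a shell would treat part of this string as more than one command."""
    return any(ch in SHELL_META for ch in command)


def validate_recipient(recipient: str) -> str:
    """Reject anything that is not a plain address; raises ValueError."""
    if not ADDR_RE.fullmatch(recipient):
        raise ValueError(f"rejected recipient header value: {recipient!r}")
    return recipient


def is_accepted(recipient: str) -> bool:
    """Convenience wrapper so callers can branch without catching the exception."""
    try:
        validate_recipient(recipient)
        return True
    except ValueError:
        return False


def build_command_safe(recipient: str) -> list[str]:
    """Hardened form: validate first, then pass an argv list. With shell=False
    the recipient is one argument, never a command fragment."""
    return [JOURNAL_TOOL, "--to", validate_recipient(recipient)]


def journal(recipient: str,
            runner: Callable[[Sequence[str]], object] = lambda argv: subprocess.run(argv, check=True)
            ) -> object:
    """Dispatch the hook with shell=False semantics. `runner` is injectable so the
    function can be exercised without a real journal-tool on the system."""
    return runner(build_command_safe(recipient))


if __name__ == "__main__":
    hostile = "user@example.test; id"  # constructed: a harmless second command
    print("unsafe string :", build_command_unsafe(hostile),
          "-> shell would run two commands" if contains_shell_metachars(build_command_unsafe(hostile)) else "")
    print("safe argv     :", build_command_safe("user@example.test"))
    print("hostile value accepted by safe path:", is_accepted(hostile))
```

Validation and argv-style invocation are independent defenses: the allowlist stops malformed headers at the door, and `shell=False` means that even a value which slipped past it would arrive at the tool as a single argument rather than as shell syntax.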
CVE-2024-5290 (Ubuntu wpa_supplicant)
Wpa_supplicant is a set of tools for handling wireless security protocols. It includes utilities with graphical and terminal interfaces.
These interfaces can be used either directly through the command line or through RPC mechanisms. The Ubuntu operating system uses D-Bus to expose the RPC functions. This technology can be used to communicate with an application and leverage its functionality. It was a misconfigured RPC interface that caused the wpa_supplicant vulnerability: the default settings allowed a regular user to access quite critical functionality.
Through this vulnerability, any .so file could be loaded into process memory, with its path specified by the user when interfacing with wpa_supplicant via D-Bus.
Conclusion and advice
The number of discovered vulnerabilities for which there are working PoCs continues to grow. Some exploits are sold on the dark web, others are in the public domain. Moreover, threat actors leverage not only real PoCs, but also interest in the topic of high-profile vulnerabilities. For instance, they create fake exploits to attack security researchers: while the victim is studying the behavior of the pseudo-exploit, an entirely different malicious payload compromises their system.
To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:
- Never research exploits for vulnerabilities outside of a secure virtual environment.
- Know your way around and closely monitor your infrastructure, paying special attention to the perimeter.
- Wherever possible, install patches for vulnerabilities as soon as they become available. Specialized solutions such as Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed can automate and simplify vulnerability and patch management.
- Use comprehensive solutions that feature not only basic malware protection, but incident response scenarios, employee awareness training and an up-to-date database of cyberthreats. Our Kaspersky NEXT line of solutions ticks all these boxes and more.
Hi @Montag
Where can I find a trace on GitHub that describes this implementation?
I had an account for @Michael Vogel and @Hypolite Petovan, but I didn't post it on GitHub (github.com/friendica/friendica…)
Russian ships abandon Syria. Where are they headed?
@Notizie dall'Italia e dal mondo
Russia’s grip on the seas has never been less firm. Not only is the Black Sea Fleet effectively held hostage by the closure of the Turkish straits, but now Moscow risks losing its only base in the Mediterranean. According to formiche.net/2024/12/le-navi-r…
Crosetto defends the F-35 and GCAP and reiterates the need to increase military spending
@Notizie dall'Italia e dal mondo
The F-35 and GCAP remain two fundamental pillars of national security, but the need to increase military spending remains. Defense Minister Guido Crosetto reiterated this during a parliamentary question session in the Senate, where he took stock of the state of the armed forces and
More investment in defense, fewer weapons for partners. Here is the Reagan Defense Survey 2024
@Notizie dall'Italia e dal mondo
Americans show renewed optimism toward the armed forces and the global leadership role of the United States, according to the results of the annual Reagan National Defense Survey conducted by the Ronald Reagan Institute. This survey,
Non-Planar Fuzzy Skin Textures Improved, Plus a Paint-On Interface
If you’ve wanted to get in on the “fuzzy skin” action with 3D printing but held off because you didn’t want to fiddle with slicer post-processing, you need to check out the paint-on fuzzy skin generator detailed in the video below.
For those who haven’t had the pleasure, fuzzy skin is a texture that can be applied to the outer layers of a 3D print to add a little visual interest and make layer lines a little less obvious. Most slicers have it as an option, but limit the wiggling action of the print head needed to achieve it to the XY plane. Recently, [TenTech] released post-processing scripts for three popular slicers that enable non-planar fuzzy skin by wiggling the print head in the Z-axis, allowing you to texture upward-facing surfaces.
The first half of the video below goes through [TenTech]’s updates to that work that resulted in a single script that can be used with any of the slicers. That’s a pretty neat trick by itself, but not content to rest on his laurels, he decided to make applying a fuzzy skin texture to any aspect of a print easier through a WYSIWYG tool. All you have to do is open the slicer’s multi-material view and paint the areas of the print you want fuzzed. The demo print in the video is a hand grip with fuzzy skin applied to the surfaces that the fingers and palm will touch, along with a little bit on the top for good measure. The print looks fantastic with the texture, and we can see all sorts of possibilities for something like this.
Thanks for the tip, [John].
I dreamed I was having an affair with some kind of free software developer half my age who, for his own safety, slept in a room sealed by an armored door like a bank vault, at least a meter thick.
I think that's a clear sign I need to take a bit of a break from Friendica and Mastodon. 😂
Montag
in reply to Signor Amministratore ⁂: Unfortunately I can't help there, since I'm only a user and not a developer. You might find something on that in the Addon Repository on GitHub.