In our previous article we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility (RACF) security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users.

This material is provided solely for educational purposes and is intended to assist professionals conducting authorized penetration tests.

RACF internal architecture

Overall role

z/OS access control diagram

To thoroughly analyze RACF, let’s recall its role and the functions of its components within the overall z/OS architecture. As illustrated in the diagram above, RACF can generally be divided into a service component and a database. Other components exist too, such as utilities for RACF administration and management, or the RACF Auditing and Reporting solution responsible for event logging and reporting. However, for a general understanding of the process, we believe these components are not strictly necessary. The RACF database stores information about z/OS users and the resources for which access control is configured. Based on this data, the RACF service component performs all necessary security checks when requested by other z/OS components and subsystems. RACF typically interacts with other subsystems through the System Authorization Facility (SAF) interface. Various z/OS components use SAF to authorize a user’s access to resources or to execute a user-requested operation. It is worth noting that while this paper focuses on the operating principle of RACF as the standard security package, other security packages like ACF2 or Top Secret can also be used in z/OS.

Let’s consider an example of user authorization within the Time Sharing Option (TSO) subsystem, the z/OS equivalent of a command line interface. We use an x3270 terminal emulator to connect to the mainframe. After successful user authentication in z/OS, the TSO subsystem uses SAF to query the RACF security package, checking that the user has permission to access the TSO resource manager. The RACF service queries the database for user information, which is stored in a user profile. If the database contains a record of the required access permissions, the user is authorized, and information from the user profile is placed into the address space of the new TSO session within the ACEE (Accessor Environment Element) control block. For subsequent attempts to access other z/OS resources within that TSO session, RACF uses the information in ACEE to make the decision on granting user access. SAF reads data from ACEE and transmits it to the RACF service. RACF makes the decision to grant or deny access, based on information in the relevant profile of the requested resource stored in the database. This decision is then sent back to SAF, which processes the user request accordingly. The process of querying RACF repeats for any further attempts by the user to access other resources or execute commands within the TSO session.

Thus, RACF handles identification, authentication, and authorization of users, as well as granting privileges within z/OS.

RACF database components

As discussed above, access decisions for resources within z/OS are made based on information stored in the RACF database. This data is kept in the form of records, or as RACF terminology puts it, profiles. These contain details about specific z/OS objects. While the RACF database can hold various profile types, four main types are especially important for security analysis:

1. User profile holds user-specific information such as logins, password hashes, special attributes, and the groups the user belongs to.
2. Group profile contains information about a group, including its members, owner, special attributes, list of subgroups, and the access permissions of group members for that group.
3. Data set profile stores details about a data set, including access permissions, attributes, and auditing policy.
4. General resource profile provides information about a resource or resource class, such as resource holders, their permissions regarding the resource, audit policy, and the resource owner.

The RACF database contains numerous instances of these profiles. Together, they form a complex structure of relationships between objects and subjects within z/OS, which serves as the basis for access decisions.

Logical structure of RACF database profiles

Each profile is composed of one or more segments. Different profile types utilize different segment types.

For example, a user profile instance may contain the following segments:

• BASE: core user information in RACF (mandatory segment);
• TSO: user TSO-session parameters;
• OMVS: user session parameters within the z/OS UNIX subsystem;
• KERB: data related to the z/OS Network Authentication Service, essential for Kerberos protocol operations;
• and others.

User profile segments

Different segment types are distinguished by the set of fields they store. For instance, the BASE segment of a user profile contains the following fields:

• PASSWORD: the user’s password hash;
• PHRASE: the user’s password phrase hash;
• LOGIN: the user’s login;
• OWNER: the owner of the user profile;
• AUTHDATE: the date of the user profile creation in the RACF database;
• and others.

The PASSWORD and PHRASE fields are particularly interesting for security analysis, and we will dive deeper into these later.

RACF database structure

It is worth noting that the RACF database is stored as a specialized data set with a specific format. Grasping this format is very helpful when analyzing the DB and mapping the relationships between z/OS objects and subjects.

As discussed in our previous article, a data set is the mainframe equivalent of a file, composed of a series of blocks.

RACF DB structure

The image above illustrates the RACF database structure, detailing the data blocks and their offsets. From the RACF DB analysis perspective, and when subsequently determining the relationships between z/OS objects and subjects, the most critical blocks include:

• The header block, or inventory control block (ICB), which contains various metadata and pointers to all other data blocks within the RACF database. By reading the ICB, you gain access to the rest of the data blocks.
• Index blocks, which form a singly linked list that contains pointers to all profiles and their segments in the RACF database – that is, to the information about all users, groups, data sets, and resources.
• Templates: a crucial data block containing templates for all profile types (user, group, data set, and general resource profiles). The templates list fields and specify their format for every possible segment type within the corresponding profile type.

Upon dissecting the RACF database structure, we identified the need for a utility capable of extracting all relevant profile information from the DB, regardless of its version. This utility would also need to save the extracted data in a convenient format for offline analysis. Performing this type of analysis provides a comprehensive picture of the relationships between all objects and subjects for a specific z/OS installation, helping uncover potential security vulnerabilities that could lead to privilege escalation or lateral movement.

Utilities for RACF DB analysis

At the previous stage, we defined the following functional requirements for an RACF DB analysis utility:

1. The ability to analyze RACF profiles offline without needing to run commands on the mainframe
2. The ability to extract exhaustive information about RACF profiles stored in the DB
3. Compatibility with various RACF DB versions
4. Intuitive navigation of the extracted data and the option to present it in various formats: plaintext, JSON, SQL, etc.

Overview of existing RACF DB analysis solutions

We started by analyzing off-the-shelf tools and evaluating their potential for our specific needs:

• Racf2john extracts user password hashes (from the PASSWORD field) encrypted with the DES and KDFAES algorithms from the RACF database. While this was a decent starting point, we needed more than just the PASSWORD field; specifically, we also needed to retrieve content from other profile fields like PHRASE.
• Racf2sql takes an RACF DB dump as input and converts it into an SQLite database, which can then be queried with SQL. This is convenient, but the conversion process risks losing data critical for z/OS security assessment and identifying misconfigurations. Furthermore, the tool requires a database dump generated by the z/OS IRRDBU00 utility (part of the RACF security package) rather than the raw database itself.
• IRRXUTIL allows querying the RACF DB to extract information. It is also part of the RACF security package. It can be conveniently used with a set of scripts written in REXX (an interpreted language used in z/OS). However, these scripts demand elevated privileges (access to one or more IRR.RADMIN.** resources in the FACILITY resource class) and must be executed directly on the mainframe, which is unsuitable for the task at hand.
• Racf_debug_cleanup.c directly analyzes a RACF DB from a data set copy. A significant drawback is that it only parses BASE segments and outputs results in plaintext.

As you can see, existing tools don’t satisfy our needs. Some utilities require direct execution on the mainframe. Others operate on a data set copy and extract incomplete information from the DB. Moreover, they rely on hardcoded offsets and signatures within profile segments, which can vary across RACF versions. Therefore, we decided to develop our own utility for RACF database analysis.

Introducing racfudit

We have written our own platform-independent utility racfudit in Golang and tested it across various z/OS versions (1.13, 2.02, and 3.1). Below, we delve into the operating principles, capabilities and advantages of our new tool.

Extracting data from the RACF DB

To analyze RACF DB information offline, we first needed a way to extract structured data. We developed a two-stage approach for this:

• The first stage involves analyzing the templates stored within the RACF DB. Each template describes a specific profile type, its constituent segments, and the fields within those segments, including their type and size. This allows us to obtain an up-to-date list of profile types, their segments, and associated fields, regardless of the RACF version.
• In the second stage, we traverse all index blocks to extract every profile with its content from the RACF DB. These collected profiles are then processed and parsed using the templates obtained in the first stage.

The first stage is crucial because RACF DB profiles are stored as unstructured byte arrays. The templates are what define how each specific profile (byte array) is processed based on its type.

Thus, we defined the following algorithm to extract structured data.

Extracting data from the RACF DB using templates

1. We offload the RACF DB from the mainframe and read its header block (ICB) to determine the location of the templates.
2. Based on the template for each profile type, we define an algorithm for structuring specific profile instances according to their type.
3. We use the content of the header block to locate the index blocks, which store pointers to all profile instances.
4. We read all profile instances and their segments sequentially from the list of index blocks.
5. For each profile instance and its segments we read, we apply the processing algorithm based on the corresponding template.
6. All processed profile instances are saved in an intermediate state, allowing for future storage in various formats, such as plaintext or SQLite.

The advantage of this approach is its version independence. Even if templates and index blocks change their structure across RACF versions, our utility will not lose data because it dynamically determines the structure of each profile type based on the relevant template.

Analyzing extracted RACF DB information

Our racfudit utility can present collected RACF DB information as an SQLite database or a plaintext file.

RACF DB information as an SQLite DB (top) and text data (bottom)

Using SQLite, you can execute SQL queries to identify misconfigurations in RACF that could be exploited for privilege escalation, lateral movement, bypassing access controls, or other pentesting tactics. It is worth noting that the set of SQL queries used for processing information in SQLite can be adapted to validate current RACF settings against security standards and best practices. Let’s look at some specific examples of how to use the racfudit utility to uncover security issues.

Collecting password hashes

One of the primary goals in penetration testing is to get a list of administrators and a way to authorize using their credentials. This can be useful for maintaining persistence on the mainframe, moving laterally to other mainframes, or even pivoting to servers running different operating systems. Administrators are typically found in the SYS1 group and its subgroups. The example below shows a query to retrieve hashes of passwords (PASSWORD) and password phrases (PHRASE) for privileged users in the SYS1 group.
select ProfileName,PHRASE,PASSWORD,CONGRPNM from USER_BASE where CONGRPNM LIKE "%SYS1%";
Of course, to log in to the system, you need to crack these hashes to recover the actual passwords. We cover that in more detail below.

Searching for inadequate UACC control in data sets

The universal access authority (UACC) defines the default access permissions to the data set. This parameter specifies the level of access for all users who do not have specific access permissions configured. Insufficient control over UACC values can pose a significant risk if elevated access permissions (UPDATE or higher) are set for data sets containing sensitive data or for APF libraries, which could allow privilege escalation. The query below helps identify data sets with default ALTER access permissions, which allow users to read, delete and modify the data set.
select ProfileName, UNIVACS from DATASET_BASE where UNIVACS LIKE "1%";
The UACC field is not present only in data set profiles; it is also found in other profile types. Weak control in the configuration of this field can give a penetration tester access to resources.

RACF profile relationships

As mentioned earlier, various RACF entities have relationships. Some are explicitly defined; for example, a username might be listed in a group profile within its member field (USERID field). However, there are also implicit relationships. For instance, if a user group has UPDATE access to a specific data set, every member of that group implicitly has write access to that data set. This is a simple example of implicit relationships. Next, we delve into more complex and specific relationships within the RACF database that a penetration tester can exploit.

RACF profile fields

A deep dive into RACF internal architecture reveals that misconfigurations of access permissions and other attributes for various RACF entities can be difficult to detect and remediate in some scenarios. These seemingly minor errors can be critical, potentially leading to mainframe compromise. The explicit and implicit relationships within the RACF database collectively define the mainframe’s current security posture. As mentioned, each profile type in the RACF database has a unique set of fields and attributes that describe how profiles relate to one another. Based on these fields and attributes, we have compiled lists of key fields that help build and analyze relationship chains.
User profile fields

• SPECIAL: indicates that the user has privileges to execute any RACF command and grants them full control over all profiles in the RACF database.
• OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. While actions for users with this field specified are subject to certain restrictions, in a penetration testing context the OPERATIONS field often indicates full data set access.
• AUDITOR: indicates whether the user has permission to access audit information.
• AUTHOR: the creator of the user. It has certain privileges over the user, such as the ability to change their password.
• REVOKE: indicates whether the user can log in to the system.
• Password TYPE: specifies the hash type (DES or KDFAES) for passwords and password phrases. This field is not natively present in the user profile, but it can be created based on how different passwords and password phrases are stored.
• Group-SPECIAL: indicates whether the user has full control over all profiles within the scope defined by the group or groups field. This is a particularly interesting field that we explore in more detail below.
• Group-OPERATIONS: indicates whether the user has authorized access to all RACF-protected resources of the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR classes within the scope defined by the group or groups field.
• Group-AUDITOR: indicates whether the user has permission to access audit information within the scope defined by the group or groups field.
• CLAUTH (class authority): allows the user to create profiles within the specified class or classes. This field enables delegation of management privileges for individual classes.
• GROUPIDS: contains a list of groups the user belongs to.
• UACC (universal access authority): defines the UACC value for new profiles created by the user.

Group profile fields

• UACC (universal access authority): defines the UACC value for new profiles that the user creates when connected to the group.
• OWNER: the creator of the group. The owner has specific privileges in relation to the current group and its subgroups.
• USERIDS: the list of users within the group. The order is essential.
• USERACS: the list of group members with their respective permissions for access to the group. The order is essential.
• SUPGROUP: the name of the superior group.

General resource and data set profile fields

• UACC (universal access authority): defines the default access permissions to the resource or data set.
• OWNER: the creator of the resource or data set, who holds certain privileges over it.
• WARNING: indicates whether the resource or data set is in WARNING mode.
• USERIDS: the list of user IDs associated with the resource or data set. The order is essential.
• USERACS: the list of users with access permissions to the resource or data set. The order is essential.

RACF profile relationship chains

The fields listed above demonstrate the presence of relationships between RACF profiles. We have decided to name these relationships similarly to those used in BloodHound, a popular tool for analyzing Active Directory misconfigurations. Below are some examples of these relationships – the list is not exhaustive.

• Owner: the subject owns the object.
• MemberOf: the subject is part of the object.
• AllowJoin: the subject has permission to add itself to the object.
• AllowConnect: the subject has permission to add another object to the specified object.
• AllowCreate: the subject has permission to create an instance of the object.
• AllowAlter: the subject has the ALTER privilege for the object.
• AllowUpdate: the subject has the UPDATE privilege for the object.
• AllowRead: the subject has the READ privilege for the object.
• CLAuthTo: the subject has permission to create instances of the object as defined in the CLAUTH field.
• GroupSpecial: the subject has full control over all profiles within the object’s scope of influence as defined in the group-SPECIAL field.
• GroupOperations: the subject has permissions to perform certain operations with the object as defined in the group-OPERATIONS field.
• ImpersonateTo: the subject grants the object the privilege to perform certain operations on the subject’s behalf.
• ResetPassword: the subject grants another object the privilege to reset the password or password phrase of the specified object.
• UnixAdmin: the subject grants superuser privileges to the object in z/OS UNIX.
• SetAPF: the subject grants another object the privilege to set the APF flag on the specified object.

These relationships serve as edges when constructing a graph of subject–object interconnections. Below are examples of potential relationships between specific profile types.

Examples of relationships between RACF profiles

Visualizing and analyzing these relationships helped us identify specific chains that describe potential RACF security issues, such as a path from a low-privileged user to a highly-privileged one. Before we delve into examples of these chains, let’s consider another interesting and peculiar feature of the relationships between RACF database entities.

Implicit RACF profile relationships

We have observed a fascinating characteristic of the group-SPECIAL, group-OPERATIONS, and group-AUDITOR fields within a user profile. If the user has any group specified in one of these fields, that group’s scope of influence extends the user’s own scope.

Scope of influence of a user with a group-SPECIAL field

For instance, consider USER1 with GROUP1 specified in the group-SPECIAL field. If GROUP1 owns GROUP2, and GROUP2 subsequently owns USER5, then USER1 gains privileges over USER5. This is not just about data access; USER1 essentially becomes the owner of USER5. A unique aspect of z/OS is that this level of access allows USER1 to, for example, change USER5’s password, even if USER5 holds privileged attributes like SPECIAL, OPERATIONS, ROAUDIT, AUDITOR, or PROTECTED.

Below is an SQL query, generated using the racfudit utility, that identifies all users and groups where the specified user possesses special attributes:
select ProfileName, CGGRPNM, CGUACC, CGFLAG2 from USER_BASE WHERE (CGFLAG2 LIKE '%10000000%');
Here is a query to find users whose owners (AUTHOR) are not the standard default administrators:
select ProfileName,AUTHOR from USER_BASE WHERE (AUTHOR NOT LIKE '%IBMUSER%' AND AUTHOR NOT LIKE 'SYS1%');
Let’s illustrate how user privileges can be escalated through these implicit profile relationships.

Privilege escalation via the group-SPECIAL field

In this scenario, the user TESTUSR has the group-SPECIAL field set to PASSADM. This group, PASSADM, owns the OPERATOR user. This means TESTUSR’s scope of influence expands to include PASSADM’s scope, thereby granting TESTUSR control over OPERATOR. Consequently, if TESTUSR’s credentials are compromised, the attacker gains access to the OPERATOR user. The OPERATOR user, in turn, has READ access to the IRR.PASSWORD.RESET resource, which allows them to assign a password to any user who does not possess privileged permissions.

Having elevated privileges in z/OS UNIX is often sufficient for compromising the mainframe. These can be acquired through several methods:

• Grant the user READ access to the BPX.SUPERUSER resource of the FACILITY class.
• Grant the user READ access to UNIXPRIV.SUPERUSER.* resources of the UNIXPRIV class.
• Set the UID field to 0 in the OMVS segment of the user profile.

For example, the DFSOPER user has READ access to the BPX.SUPERUSER resource, making them privileged in z/OS UNIX and, by extension, across the entire mainframe. However, DFSOPER does not have the explicit privileged fields SPECIAL, OPERATIONS, AUDITOR, ROAUDIT and PROTECTED set, meaning the OPERATOR user can change DFSOPER’s password. This allows us to define the following sequence of actions to achieve high privileges on the mainframe:

1. Obtain and use TESTUSR’s credentials to log in.
2. Change OPERATOR’s password and log in with those credentials.
3. Change DFSOPER’s password and log in with those credentials.
4. Access the z/OS UNIX Shell with elevated privileges.

We uncovered another implicit RACF profile relationship that enables user privilege escalation.

Privilege escalation from a chain of misconfigurations

In another example, the TESTUSR user has READ access to the OPERSMS.SUBMIT resource of the SURROGAT class. This implies that TESTUSR can create a task under the identity of OPERSMS using the ImpersonateTo relationship. OPERSMS is a member of the HFSADMIN group, which has READ access to the TESTAUTH resource of the TSOAUTH class. This resource indicates whether the user can run an application or library as APF-authorized – this requires only READ access. Therefore, if APF access is misconfigured, the OPERSMS user can escalate their current privileges to the highest possible level. This outlines a path from the low-privileged TESTUSR to obtaining maximum privileges on the mainframe.

At this stage, the racfudit utility allows identifying these connections only manually through a series of SQLite database queries. However, we are planning to add support for another output format, including Neo4j DBMS integration, to automatically visualize the interconnected chains described above.

Password hashes in RACF

To escalate privileges and gain mainframe access, we need the credentials of privileged users. We previously used our utility to extract their password hashes. Now, let’s dive into the password policy principles in z/OS and outline methods for recovering passwords from these collected hashes.

The primary password authentication methods in z/OS, based on RACF, are PASSWORD and PASSPHRASE. PASSWORD is a password composed by default of ASCII characters: uppercase English letters, numbers, and special characters (@#$). Its length is limited to 8 characters. PASSPHRASE, or a password phrase, has a more complex policy, allowing 14 to 100 ASCII characters, including lowercase or uppercase English letters, numbers, and an extended set of special characters (@#$&*{}[]()=,.;’+/). Hashes for both PASSWORD and PASSPHRASE are stored in the user profile within the BASE segment, in the PASSWORD and PHRASE fields, respectively. Two algorithms are used to derive their values: DES and KDFAES.

It is worth noting that we use the terms “password hash” and “password phrase hash” for clarity. When using the DES and KDFAES algorithms, user credentials are stored in the RACF database as encrypted text, not as a hash sum in its classical sense. Nevertheless, we will continue to use “password hash” and “password phrase hash” as is customary in IBM documentation.

Let’s discuss the operating principles and characteristics of the DES and KDFAES algorithms in more detail.

DES

When the DES algorithm is used, the computation of PASSWORD and PHRASE values stored in the RACF database involves classic DES encryption. Here, the plaintext data block is the username (padded to 8 characters if shorter), and the key is the password (also padded to 8 characters if shorter).

PASSWORD

The username is encrypted with the password as the key via the DES algorithm, and the 8-byte result is placed in the user profile’s PASSWORD field.

DES encryption of a password

Keep in mind that both the username and password are encoded with EBCDIC. For instance, the username USR1 would look like this in EBCDIC: e4e2d9f140404040. The byte 0x40 serves as padding for the plaintext to reach 8 bytes.

This password can be recovered quite fast, given the small keyspace and low computational complexity of DES. For example, a brute-force attack powered by a cluster of NVIDIA 4090 GPUs takes less than five minutes.

The hashcat tool includes a module (Hash-type 8500) for cracking RACF passwords with the DES algorithm.

PASSPHRASE

PASSPHRASE encryption is a bit more complex, and a detailed description of its algorithm is not readily available. However, our research uncovered certain interesting characteristics.

First, the final hash length in the PHRASE field matches the original password phrase length. Essentially, the encrypted data output from DES gets truncated to the input plaintext length without padding. This design can clearly lead to collisions and incorrect authentication under certain conditions. For instance, if the original password phrase is 17 bytes long, it will be encrypted in three blocks, with the last block padded with seven bytes. These padded bytes are then truncated after encryption. In this scenario, any password whose first 17 encrypted bytes match the encrypted PASSPHRASE would be considered valid.

The second interesting feature is that the PHRASE field value is also computed using the DES algorithm, but it employs a proprietary block chaining mode. We will informally refer to this as IBM-custom mode.

DES encryption of a password phrase

Given these limitations, we can use the hashcat module for RACF DES to recover the first 8 characters of a password phrase from the first block of encrypted data in the PHRASE field. In some practical scenarios, recovering the beginning of a password phrase allowed us to guess the remainder, especially when weak dictionary passwords were used. For example, if we recovered Admin123 (8 characters) while cracking a 15-byte PASSPHRASE hash, then it is plausible the full password phrase was Admin1234567890.

KDFAES

Computing passwords and password phrases generated with the KDFAES algorithm is significantly more challenging than with DES. KDFAES is a proprietary IBM algorithm that leverages AES encryption. The encryption key is generated from the password using the PBKDF2 function with a specific number of hashing iterations.

PASSWORD

The diagram below outlines the multi-stage KDFAES PASSWORD encryption algorithm.

KDFAES encryption of a password

The first stage mirrors the DES-based PASSWORD computation algorithm. Here, the plaintext username is encrypted using the DES algorithm with the password as the key. The username is also encoded in EBCDIC and padded if it’s shorter than 8 bytes. The resulting 8-byte output serves as the key for the second stage: hashing. This stage employs a proprietary IBM algorithm built upon PBKDF2-SHA256-HMAC. A randomly generated 16-byte string (salt) is fed into this algorithm along with the 8-byte key from the first stage. This data is then iteratively hashed using PBKDF2-SHA256-HMAC. The number of iterations is determined by two parameters set in RACF: the memory factor and the repetition factor. The output of the second stage is a 32-byte hash, which is then used as the key for AES encryption of the username in the third stage.

The final output is 16 bytes of encrypted data. The first 8 bytes are appended to the end of the PWDX field in the user profile BASE segment, while the other 8 bytes are placed in the PASSWORD field within the same segment.

The PWDX field in the BASE segment has the following structure:

You can use the dedicated module in the John the Ripper utility for offline password cracking. While an IBM KDFAES module for an older version of hashcat exists publicly, it was never integrated into the main branch. Therefore, we developed our own RACF KDFAES module compatible with the current hashcat version.

The time required to crack an RACF KDFAES hash has significantly increased compared to RACF DES, largely due to the integration of PBKDF2. For instance, if the memory factor and repetition factor are set to 0x08 and 0x32 respectively, the hashing stage can reach 40,000 iterations. This can extend the password cracking time to several months or even years.

PASSPHRASE

KDFAES encryption of a password phrase

Encrypting a password phrase hash with KDFAES shares many similarities with encrypting a password hash. According to public sources, the primary difference lies in the key used during the second stage. For passwords, data derived from DES-encrypting the username was used, while for a password phrase, its SHA256 hash is used. During our analysis, we could not determine the exact password phrase hashing process – specifically, whether padding is involved, if a secret key is used, and so on.

Additionally, when using a password phrase, the PHRASE and PHRASEX fields instead of PASSWORD and PWDX, respectively, store the final hash, with the PHRASEX value having a similar structure.

Conclusion

In this article, we have explored the internal workings of the RACF security package, developed an approach to extracting information, and presented our own tool developed for the purpose. We also outlined several potential misconfigurations that could lead to mainframe compromise and described methods for detecting them. Furthermore, we examined the algorithms used for storing user credentials (passwords and password phrases) and highlighted their strengths and weaknesses.

We hope that the information presented in this article helps mainframe owners better understand and assess the potential risks associated with incorrect RACF security suite configurations and take appropriate mitigation steps. Transitioning to the KDFAES algorithm and password phrases, controlling UACC values, verifying access to APF libraries, regularly tracking user relationship chains, and other steps mentioned in the article can significantly enhance your infrastructure security posture with minimal effort.

In conclusion, it is worth noting that only a small percentage of the RACF database structure has been thoroughly studied. Comprehensive research would involve uncovering additional relationships between database entities, further investigating privileges and their capabilities, and developing tools to exploit excessive privileges. The topic of password recovery is also not fully covered because the encryption algorithms have not been fully studied. IBM z/OS mainframe researchers have immense opportunities for analysis. As for us, we will continue to shed light on the obscure, unexplored aspects of these devices, to help prevent potential vulnerabilities in mainframe infrastructure and associated security incidents.

securelist.com/zos-mainframe-p…

Gli scienziati dell’Università del Queensland hanno presentato un’invenzione insolita che può accelerare significativamente le operazioni di ricerca e soccorso. Hanno trasformato i comuni coleotteri (Zophobas morio) in veri e propri insetti cibernetici, dotandoli di microchip miniaturizzati e di un sistema di controllo remoto.

Questi “super soccorritori” sono dotati di zaini rimovibili dotati di componenti elettronici che permettono di indirizzare gli insetti nella giusta direzione. Il controllo avviene tramite joystick simili a quelli utilizzati nei videogiochi. Grazie a questo, è possibile controllare con precisione i movimenti dei coleotteri senza danneggiarli o comprometterne la durata di vita.

L’idea di utilizzare gli insetti in compiti complessi come la rimozione di detriti da edifici crollati o da miniere non è nata per caso. Secondo il responsabile del progetto, il Dott. Tang Vo-Doan, i coleotteri possiedono già di per sé straordinarie capacità naturali. Si muovono agilmente su superfici complesse, si insinuano nelle fessure più strette e si arrampicano con sicurezza su superfici verticali, laddove le attrezzature tradizionali e persino i robot in miniatura sono impotenti.

Gli zaini sono costruiti utilizzando elettrodi che inviano segnali alle antenne del coleottero o alle sue elitre, le placche protettive rigide che ricoprono le sue ali. In questo modo, il team riesce a far muovere gli insetti nella giusta direzione. Sono già stati condotti test con successo: i coleotteri si muovono con sicurezza sia orizzontalmente che verticalmente verso l’alto e sono persino in grado di sollevare un carico aggiuntivo pari al loro peso.
Uno Zophobas morio, o tenebrione, dotato di uno zaino con microchip rimovibile che i ricercatori possono utilizzare per sollecitare i movimenti.
Sebbene alcuni test siano attualmente in corso utilizzando una fonte di alimentazione esterna, gli sviluppatori stanno già preparando prototipi migliorati con batterie compatte e telecamere miniaturizzate. Ciò consentirà non solo di monitorare i movimenti dell’insetto, ma anche di ricevere immagini in tempo reale dalla scena, fondamentale per le operazioni di soccorso.

Il team prevede di testare la nuova tecnologia in situazioni di emergenza reali nei prossimi cinque anni. Se il progetto supererà con successo le fasi di implementazione, i cyber-bug saranno in grado di ispezionare rapidamente le macerie, trovare sopravvissuti e trasmettere informazioni ai soccorritori, il che accelererà significativamente l’erogazione dei soccorsi.

Il lavoro degli scienziati dell’Università del Queensland si inserisce in una tendenza globale volta a creare tecnologie bioibride. Sviluppi simili sono già in corso in diversi Paesi. Ad esempio, gli specialisti della Nanyang Technological University di Singapore trasformano gli scarafaggi in “robot” controllati in pochi minuti, e diversi anni fa i bioingegneri hanno creato una versione cibernetica della pianta di Venere acchiappamosche, in grado di afferrare con delicatezza piccoli oggetti.

L'articolo Altro che droni! Ora comandiamo i coleotteri con il joystick. Ecco a voi i Cyber-Coleotteri proviene da il blog della sicurezza informatica.

La Commissione europea ha presentato la sua strategia per la sicurezza interna ProtectEU, che definirà l’approccio dell’UE all’accesso delle forze dell’ordine ai dati digitali per gli anni a venire. Il programma è il risultato del lavoro di una task force istituita nel 2023 nell’ambito dell’iniziativa Going Dark per sviluppare un piano che consenta agli investigatori di accedere in modo più efficace alle informazioni nello spazio digitale.

Il rapporto finale, pubblicato a marzo 2025, ha evidenziato specificamente la crittografia end-to-end come la “più grande sfida tecnica” per le indagini e ha preso di mira i servizi VPN , le app di messaggistica sicura e altre tecnologie di anonimizzazione .

L’elemento centrale della strategia è un piano d’azione dettagliato per affrontare “l’accesso sempre più complesso alle prove digitali”. Copre sei aree: rafforzamento degli obblighi di conservazione dei dati, sviluppo di sistemi di analisi forense digitale, standardizzazione degli approcci, intercettazione legale delle informazioni, implementazione di soluzioni di intelligenza artificiale a fini investigativi ed esplorazione di tecnologie di decrittazione.

La Commissione europea dovrebbe presentare una tabella di marcia tecnica per la crittografia già il prossimo anno. Queste soluzioni dovrebbero essere integrate nell’arsenale di Europol entro il 2030. Parallelamente, si sta lavorando per istituire una cooperazione transfrontaliera in materia di intercettazione dei dati entro il 2027 e per implementare sistemi di intelligenza artificiale in grado di elaborare grandi volumi di dati sequestrati entro il 2028.

Ma gli esperti mettono in guardia contro gravi rischi. Robin Wilton dell’Internet Society ha affermato che lo sviluppo di metodi per violare la crittografia porta quasi inevitabilmente alla creazione di nuove vulnerabilità. Ciò va contro i principi fondamentali della sicurezza informatica e potrebbe favorire l’accumulo di falle nei sistemi.

Molti esperti e sostenitori della privacy hanno già espresso profonda preoccupazione in merito ai piani dell’UE, poiché tali iniziative indeboliscono le protezioni da cui dipende la sicurezza degli utenti.

È ironico che queste siano proprio le misure precedentemente raccomandate per proteggersi dalle minacce informatiche. Sullo sfondo di attacchi crescenti, persino agenzie americane, tra cui l’FBI e la CISA, hanno consigliato l’utilizzo di servizi di messaggistica con crittografia end-to-end. Anche la stessa Unione Europea ha definito la crittografia uno strumento chiave per la protezione dello spazio digitale.

Il disegno di legge sul controllo delle chat , che avrebbe creato una falla nei sistemi di crittografia, non è riuscito a ottenere un sostegno sufficiente dal 2022 proprio per questi motivi. Ora le autorità promettono di trovare un equilibrio tra un accesso efficace ai dati e il mantenimento di un elevato livello di privacy.

Secondo il Commissario europeo per gli Affari Interni, Magnus Brunner, l’obiettivo è garantire sia la sicurezza che i diritti umani. E l’esperto Robin Wilton ci ricorda che una crittografia avanzata non è il nemico della sicurezza, ma il suo fondamento.

L'articolo La Commissione Europea presenta ProtectEU. Per quanto tempo ancora esisterà l’anonimato online? proviene da il blog della sicurezza informatica.

EDRi has responded to the European Commission’s consultation on the GDPR ‘simplification’ proposal. The plan to remove documentation safeguards under Article 30(5) risks weakening security, legal certainty and rights enforcement, and opens the door to broader deregulation of the EU’s digital rulebook.

The post Undermining the GDPR through ‘simplification’: EDRi pushes back against dangerous deregulation appeared first on European Digital Rights (EDRi).

Commercial 3D printers keep getting faster and faster, but we can confidently say that none of them is nearly as fast as [Jan]’s Minuteman printer, so named for its goal of eventually printing a 3DBenchy in less than a minute. The Minuteman uses an air bearing as its print bed, feeds four streams of filament into one printhead for faster extrusion, and in [Jan]’s latest video, printed a Benchy in just over two minutes at much higher quality than previous two-minute Benchies.

[Jan] found that the biggest speed bottleneck was in cooling a layer quickly enough that it would solidify before the printer laid down the next layer. He was able to get his layer speed down to about 0.6-0.4 seconds per layer, but had trouble going beyond that. He was able to improve the quality of his prints, however, by varying the nozzle temperature throughout the print. For this he used [Salim BELAYEL]’s postprocessing script, which increases hotend temperature when volumetric flow rate is high, and decreases it when flow rate is low. This keeps the plastic coming out of the nozzle at an approximately constant temperature. With this, [Jan] could print quite good sub-four and sub-thee minute Benchies, with almost no print degradation from the five-minute version. [Jan] predicts that this will become a standard feature of slicers, and we have to agree that this could help even less speed-obsessed printers.

Now onto less generally-applicable optimizations: [Jan] still needed stronger cooling to get faster prints, so he designed a circular duct that directed a plane of compressed air horizontally toward the nozzle, in the manner of an air knife. This wasn’t quite enough, so he precooled his compressed air with dry ice. This made it both colder and denser, both of which made it a better coolant. The thermal gradient this produced in the print bed seemed to cause it to warp, making bed adhesion inconsistent. However, it did increase build quality, and [Jan]’s confident that he’s made the best two-minute Benchy yet.

If you’re curious about Minuteman’s motion system, we’ve previously looked at how that was built. Of course, it’s also possible to speed up prints by simply adding more extruders.

youtube.com/embed/EaORGjZbS-c?…

hackaday.com/2025/07/08/managi…

Il presidente della casa automobilistica americana Ford, Jim Farley, ha rilasciato una dichiarazione tagliente sul futuro del mercato del lavoro nell’era dell’intelligenza artificiale. Secondo lui, le nuove tecnologie sono in grado di privare letteralmente la metà dei colletti bianchi del proprio lavoro, ovvero i dipendenti che lavorano in ufficio e svolgono compiti intellettuali.

Al forum internazionale Aspen Ideas Festival, Farley ha osservato che l’intelligenza artificiale ha un impatto asimmetrico sull’economia. Ha sottolineato che, da un lato, le nuove tecnologie aiutano e facilitano molti processi, ma dall’altro infliggono un duro colpo ad alcune professioni. Questo vale soprattutto per coloro che lavorano nell’ambito dell’elaborazione delle informazioni, del flusso di documenti e di altre attività d’ufficio.

Farley ha osservato che i progressi nell’intelligenza artificiale lasceranno inevitabilmente indietro molti dipendenti che per decenni hanno rappresentato la spina dorsale del mondo aziendale. Ha osservato che la tecnologia migliora la vita di molti, ma pone anche un serio interrogativo per la società: cosa succederà a coloro che saranno lasciati indietro? Secondo lui, la comunità globale non ha ancora un piano chiaro su come supportare queste persone.

La conversazione ha toccato anche il futuro dei lavoratori del settore manifatturiero. Farley ha riconosciuto che l’automazione e la robotica stanno gradualmente sostituendo le persone, ma finora questo riguarda un numero limitato di operazioni. Ha specificato che circa il 10% dei processi negli stabilimenti Ford è già eseguito da macchine e, con l’avvento dei robot umanoidi, questa percentuale potrebbe salire al 20%. Tuttavia, non sarà possibile sostituire completamente le persone nella produzione nel prossimo futuro: secondo Farley, il lavoro umano rimane un’attività unica e richiesta.

Tuttavia, l’annuncio del taglio di metà degli impiegati suona particolarmente allarmante alla luce di altre previsioni. In precedenza, l’amministratore delegato di Anthropic, Dario Amodei, aveva accusato aziende e politici di aver esagerato le conseguenze dell’introduzione dell’intelligenza artificiale. È convinto che il quadro reale sia molto più fosco e che la disoccupazione negli Stati Uniti potrebbe raggiungere il 20%. Amodei ha sottolineato che i produttori di tecnologia sono tenuti a essere onesti e trasparenti sulle conseguenze future.

Non ci sono dubbi sulla gravità dei cambiamenti in atto. Anche il CEO di Amazon, Andy Jassy, ha ammesso che l’azienda si sta già preparando a ridurre il personale a causa dell’implementazione diffusa dell’intelligenza artificiale. Amazon ha già licenziato circa 30.000 dipendenti quest’anno e Jassy ha affermato che tali misure proseguiranno, poiché le nuove tecnologie garantiscono un’elevata efficienza.

Il CEO di Fiverr, Micha Kaufman, ha osservato nel suo discorso ai dipendenti che l’intelligenza artificiale minaccia i posti di lavoro di quasi tutte le categorie, dai programmatori agli avvocati e agli specialisti dell’assistenza. Kaufman ha definito quanto sta accadendo un segnale allarmante per tutti, indipendentemente dalla professione.

Anche la più grande banca americana, JPMorgan Chase, non si è fatta da parte. La direttrice della banca, Marianne Lake, ha affermato che nei prossimi anni l’azienda prevede di ridurre fino al 10% del personale, sostituendolo con algoritmi di intelligenza artificiale. Shopify ha modificato il suo approccio alle assunzioni in primavera. Ora, la dirigenza richiede ai manager di dimostrare che le attività non possono essere svolte utilizzando l’intelligenza artificiale prima di accettare di ampliare il team.

Anche Microsoft conferma la tendenza: l’azienda ha annunciato la riduzione di 9.000 dipendenti, pari al 4% del personale totale. Allo stesso tempo, l’azienda continua a investire attivamente decine di miliardi di dollari nello sviluppo di tecnologie di intelligenza artificiale. La minaccia di licenziamenti di massa non riguarda solo il settore privato. Il governo australiano, ad esempio, sta già implementando una politica sull’uso responsabile dell’intelligenza artificiale nelle agenzie governative. La Ministra delle Finanze australiana, Katy Gallagher, ha osservato che è importante considerare i diritti, gli interessi e il benessere delle persone quando si utilizza l’intelligenza artificiale nei servizi pubblici.

Tutti gli eventi confermano una tendenza in crescita: l’intelligenza artificiale sta influenzando sempre di più il mercato del lavoro, riducendo il fabbisogno di persone e costringendo aziende e governi a cercare nuove modalità per adattarsi agli inevitabili cambiamenti.

L'articolo Human Replatforming! L’intelligenza artificiale minaccia la metà dei posti di lavoro proviene da il blog della sicurezza informatica.

Milano, 2 luglio 2025 – Come si ferma un attacco informatico che, partendo da una semplice email di phishing, può mettere in ginocchio un’intera azienda in pochi minuti?

Non l’abbiamo solo raccontato: l’abbiamo fatto. Dal vivo!

Questo è stato “Hack the System”, l’evento esclusivo organizzato da Omnia Srl in collaborazione con la testata Red Hot Cyber ed HackerHood e il vendor di cybersecurity WithSecure, ospitato nell’avveniristico datacenter di STACK EMEA. Una giornata formativa, per un pubblico selezionato di addetti ai lavori, che ha trasformato la teoria del rischio in una realtà tangibile.

Dalla mail di phishing al disastro (sventato)

Il cuore dell’evento è stato un’impressionante simulazione di attacco in diretta. Davanti agli occhi dei partecipanti, un hacker etico ha dimostrato come, sfruttando una singola email, sia possibile penetrare una rete aziendale, scalare i privilegi e lanciare un attacco ransomware devastante.

La platea ha assistito a due scenari:

1. L’attacco senza difese adeguate: i file vengono criptati, i sistemi bloccati. Il business si ferma.

1. Lo stesso attacco, ma contro le tecnologie WithSecure: la soluzione di sicurezza ha intercettato e neutralizzato la minaccia in tempo reale, dimostrando come la velocità di risposta sia tutto.

Ma l’evento è stato anche un’occasione per approfondire temi normativi cruciali come NIS2 e DORA, e discutere di come i servizi gestiti di MDR (Managed Detection and Response) siano ormai essenziali per garantire resilienza e conformità.
Tratta dalla presentazione che ha guidato la demo live dell’attacco ransomware in diretta svolta dal team di HackerHood di Red Hot Cyber composto da Antonio Montillo e Alessandro Moccia di Framework Security.

Le voci dei protagonisti: “Un’esperienza che fa riflettere”

Il vero successo dell’evento, però, è nelle parole di chi c’era. I commenti sui social media e i commenti che abbiamo richiesto parlano chiaro:

Diego Sarnataro, CEO di 10punto10 ed esperto del settore, ha condiviso una riflessione potente:

“Vedere gli attacchi in azione dal vivo è sempre un’esperienza che ti fa riflettere. L’evoluzione è impressionante: quello che mi richiedeva settimane di preparazione ora si fa in minuti. La velocità di risposta è tutto.”

Gli fa eco Davide Rogai, CSMO & Co-fondatore di Comm.it s.r.l.:

“Una giornata veramente formativa… in un contesto tecnologico (a tratti fantascientifico) e veramente per addetti ai lavori!”

Federico Mariotti amministratore di Wi-Fi Communication S.r.l.:

“Un’esperienza davvero formativa e ricca di spunti concreti. Assistere a una simulazione così realistica ha reso ancora più evidente quanto siano tangibili le minacce informatiche e quanto sia fondamentale adottare un approccio di sicurezza attivo. Un plauso a Omnia e Red Hot Cyber per l’eccellente organizzazione.”

Stefano Torracca, IT Tarros SPA:

“Giornata estremamente formativa e concreta. La simulazione d’attacco ha mostrato senza filtri cosa significhi affrontare un incidente ransomware. Un’iniziativa di alto livello da parte di Omnia e Red Hot Cyber.”

Alessio Civita, IT – Network, Security & Support – Supervisor:

“Complimenti a Jacopo, Filippo e a tutta Omnia per l’idea e per essere riusciti a metterla in pratica! Vedere “il lato oscuro” in azione dal vivo e avere anche solo una minima dimostrazione di ciò a cui siamo esposti vale più di mille slide o video. Ci fa capire che il rischio cyber è reale, imminente, e non possiamo più permetterci di ignorarlo.

Ho apprezzato in particolar modo la scelta coraggiosa di affrontare in diretta gli eventuali – e immancabili – imprevisti: un esperimento riuscitissimo e assolutamente da ripetere.

Complimenti!

Simone Peroncini – WiFi Communication S.r.l.:

“Un evento di altissimo livello, capace di coniugare concretezza e impatto formativo in modo impeccabile. La simulazione dell’attacco hacker presentata durante la sessione è stata non solo tecnicamente ben costruita, ma anche estremamente realistica: vedere come attacco hacker basato su un classico ma ancora troppo efficace schema di phishing possa insinuarsi nei processi aziendali fino a compromettere interi sistemi è stato un vero campanello d’allarme.

A rendere ancora più interessante l’incontro è stata la presentazione, da parte di Omnia, del software, pensato per offrire una difesa proattiva contro questo tipo di attacchi. Un approccio moderno e intelligente alla cybersecurity, che punta non solo a rilevare e bloccare l’intrusione, ma anche a prevenirla agendo sui comportamenti, sulle configurazioni e sull’educazione continua degli utenti.

Complimenti anche a Red Hot Cyber, che insieme a Omnia ha saputo costruire un format di grande impatto, capace di coinvolgere e far riflettere anche i meno tecnici. Esperienze come questa dovrebbero essere la norma nelle strategie di aggiornamento delle aziende: concrete, attuali e orientate all’azione.”

La collaborazione vince sempre

“Hack the System” ha dimostrato un principio fondamentale, riassunto perfettamente da Diego Sarnataro: “La cybersecurity è un settore dove la collaborazione vince sempre sulla competizione.”

La partnership tra un system integrator come Omnia, un leader tecnologico come WithSecure e un punto di riferimento per l’informazione come Red Hot Cyber è la formula vincente per alzare il livello di consapevolezza e di difesa delle aziende italiane.

La tua azienda è pronta a reagire con la stessa velocità? Se la visione di questo live hacking ti ha fatto sorgere dei dubbi, è il momento giusto per agire.

Contatta Omnia Srl per un’analisi della tua postura di sicurezza e scopri come possiamo aiutarti a non diventare la prossima vittima.

L'articolo Hack the System: L’evento di OMNIA e WithSecure dove RHC ha mostrato un attacco ransomware in diretta proviene da il blog della sicurezza informatica.

Dopo estremo oriente e Iran, continuiamo la nostra serie di articoli su attori di tipo IAB con un attore che si pensa sia di base in Europa, in un paese NATO.

Origine e attribuzione

Secondo i ricercatori di KelaCyber (vendor di servizi di Cyber Threat Intelligence di Tel Aviv, Israele), l’attore Drumrlu, è uno IAB che presumibilmente ha base in Turchia.

Drumrlu è anche noto con il nome/moniker “3LV4N”.

Come visto nel primo articolo sull’access broker miyako, lo ricerca delle entrate delle vittime da parte dello IAB, è una pratica molto comune per questi attori, i cui post tendono appunto a menzionare le entrate delle vittime per invogliare i potenziali acquirenti. Si parte dal presupposto che organizzazioni con entrate più elevate abbiano il potenziale di garantire un riscatto multimilionario.

–

“drumrlu” (alias 3lv4n) è un broker di accesso iniziale e un venditore di database di credenziali attivo nei forum clandestini almeno dal maggio 2020. drumrlu ha venduto accessi a domini di varie organizzazioni in molti paesi del mondo (EMEA, APAC e AMER) nei settori dell’istruzione, dei servizi pubblici, delle assicurazioni, della sanità, delle criptovalute, dei giochi e del governo. Nell’ ottobre del 2020, l’attore ha iniziato a vendere accessi root al software VMware ESXi con prezzi compresi tra 250 e 500 dollari.

Gli analisti di Outpost24 hanno osservato che “Nosophoros”, l’attore dietro il Ransomware as a Service (RaaS) Thanos, probabilmente collabora con (è cliente di) drumrlu. Il 18 luglio 2020, Nosophoros ha postato sul forum “Exploit” il messaggio: “drumrlu è un buon fornitore, ho garantito per lui in passato e continuo a farlo. Sono contento che sia tornato”.

“drumrlu is a good vendor, I vouched for him before and I still do. Glad you are back”.

Simon Roe, ricercatore e product manager presso Outpost24, in un suo report evidenza come drumrlu/3LV4N abbia operato nella operazione RaaS Thanos.

drumrlu ha anche lasciato una recensione nel profilo di Nosophoros dicendo di lui: “Best RaaS, Best Programmer”. Un altro commento dell’attore “peterveliki” conferma la potenziale partnership tra drumrlu e Nosophoros: “Ho acquistato un accesso da questo venditore (drumrlu) – è andato tutto liscio. Un tipo molto disponibile. Mi ha anche consigliato di usare Thanos di Nosphorus, che si è rivelato essere molto utile in questo caso. Ottimo venditore, lo consiglio”.

“I bought access from this seller – everything went smoothly. A very helpful dude. He also recommended using Thanos from Nosphorus; which turned out to be very helpful in this case. Good seller, I recommend”

Ciclo di attacco

Secondo ProofPoint una catena di attacco su RaaS Thanos con accessi iniziali forniti dallo IAB drumrlu potrebbe essere questa:

1. Invio di e-mail contenenti un documento Office dannoso

2. Un utente vittima scarica il documento e attiva le macro che rilasciano un payload (un RAT e/o InfoStealer)

3. L’attore sfrutta l’accesso backdoor per esfiltrare informazioni di sistema/accessi

4. A questo punto, il broker di accesso iniziale può vendere l’accesso ad altri attori

5. Inoltre può distribuire Cobalt Strike tramite l’accesso backdoor del malware che consente il movimento laterale all’interno della rete

6. Ottiene quindi compromissione completa del dominio tramite Active Directory

7. L’attore affiliato al RaaS distribuisce il ransomware a tutte le stazioni di lavoro collegate al dominio.

Esempio di credential stealers tramite phish e-mail

Possibile phishing email per furto di credenziali con allegato documento Office dannoso da indirizzo email free GMX.COM.

File EXCEL XSLM con malware GuLoader (aka CloudEyE o vbdropper).

Fonte ProofPoint

Alcuni scenari in cui l’attore ha operato

• Compagnia energia elettrica ad Amman in Giordania.
• Ospedale tedesco in Arabia Saudita.
• Gruppo assicurativo in Tailandia.
• Gruppo assicurativo in Arabia Saudita.
• Entità governativa in Kuwait.

Paesi target

Australia, Stati Uniti, Thailandia, Pakistan, Francia, Italia, Svizzera, Emirati Arabi Uniti, Giordania, Israele, Egitto, Kuwait e Arabia Saudita.

Settori target

Istruzione, servizi pubblici, assicurazioni, sanità, criptovalute, giochi e entità governative.

NotaBene su Thanos: presunto creatore del RaaS … Un medico venezuelano!?!?

Il DoJ USA presume che un cardiologo sia lo sviluppatore che ha creato il ransomware Thanos: Moises Luis Zagala Gonzalez, 55 anni, cittadino francese e venezuelano residente a Ciudad Bolivar, Venezuela, è accurato di aver commesso tentativi di intrusione informatica e di associazione a delinquere finalizzata al commettere intrusioni informatiche, secondo una denuncia penale statunitense resa pubblica lunedì 16 maggio 2022.

Zagala avrebbe venduto e affittato pacchetti ransomware da lui sviluppati a criminali informatici. È inoltre accusato di aver addestrato gli aspiranti aggressori/gli affiliati sul come utilizzare i suoi prodotti per estorcere le vittime e di essersi successivamente vantato degli attacchi riusciti.

Una serie di errori di Zagala, avrebbe permesso agli investigatori di identificarlo come sospetto, ha dichiarato il DoJ. Nel settembre 2020, un agente dell’FBI sotto copertura avrebbe acquistato una licenza per Thanos da Zagala e scaricato il software. Inoltre, un informatore dell’FBI ha parlato con Zagala della possibilità di istituire un programma di affiliazione utilizzando Thanos, sempre secondo il documento del DoJ.

Zagala si sarebbe vantato pubblicamente nel DarkWeb del fatto che il RaaS Thanos, la sua creatura, era stato usato da parte di un gruppo di threat actors sponsorizzato dallo Stato iraniano per attaccare aziende israeliane.

Fonte: portswigger.net/daily-swig/med…

Fonte PDF (FBI.GOV)

fbi.gov/wanted/cyber/moises-lu…

Conclusione

In questo articolo della serie sugli initial access broker abbia visto come il furto di credenziali avvenga attraverso campagne di phishing con allegati Office contenenti malware/infostealer… Quindi ricordiamo alcune delle best practice menzionate in precedenza per essere pronti ad ogni evenienza

• Controlli di Accesso Forti/uso di Multi Factor Authentication
• Formazione e Consapevolezza dei Dipendenti
• Segmentazione/micro segmentazione della rete
• Monitoraggio Continuo e Rilevamento delle Minacce

–

Bibliografica

KelaCyber

kelacyber.com/blog/uncovering-…

kelacyber.com/blog/the-secret-…

Report di Outpost24

slideshare.net/slideshow/outpo…

RaaS THANOS su RecordedFuture

recordedfuture.com/research/th…

Bleeping Computer su Thanos

bleepingcomputer.com/news/secu…

PortSwigger su Thanos

portswigger.net/daily-swig/med…

ProffPoint su Thanos

proofpoint.com/us/blog/threat-…

Malpedia Fraunhofer su GuLoader/CluodEyE

malpedia.caad.fkie.fraunhofer.…

FBI

fbi.gov/wanted/cyber/moises-lu…

L'articolo Alla scoperta di Drumrlu. L’IaB che fa grossi affari tra Turchia e Venezuela proviene da il blog della sicurezza informatica.

Ever have one of those ideas that’s just so silly, you just need to run with it? [Chris] from Sound Workshop ran into that when he had the idea that became thePneumatone: a woodwind instrument that plays like a synth.

In its 3D printed case, it looks like a giant polyphonic analog synth, but under the plastic lies a pneumatic heart: the sound is actually being made by slide whistles. We always thought of the slide whistle as a bit of a gag instrument, but this might change our minds. The sliders on the synth-box obviously couple to the sliders in the whistles. The ‘volume knobs’ are actually speed controllers for computer fans that feed air into the whistles. The air path is possibly not ideal– there’s a bit of warbling in the whistles at some pitches– but the idea is certainly a fun one. Notes are played by not blocking the air path out the whistle, as you can see in the video embedded below.

Since the fans are always on, this is an example of a drone instrument,like bagpipes or the old hacker’s favourite,the hurdy gurdy. [Chris] actually says in his tip– for which we are very thankful– that this project takes inspiration not from those projects but from Indian instruments like the Shruthi Box and Tanpura. We haven’t seen those on Hackaday yet, but if you know of any hacks involving them,please leave a tip.

youtube.com/embed/oL1cb8jFiyI?…

hackaday.com/2025/07/07/when-i…