When you think of a scope probe, you usually think of what is basically a wire with a spring hook and an attenuator. Those are passive probes. [Kerry Wong] shows off a pre-release active probe that sidesteps some problems with those ordinary passive probes.

The trick is that passive probes have input capacitance that interferes with very high-frequency signals. They also tend to have less noise. Although the probe isn’t on the market yet, it is set to debut at a price lower than competitive probes. Still, be warned. The reason you don’t see them more often is that $1,000 is relatively inexpensive for an active probe.

Because the probe is pretty hefty, it comes with a tripod that can hold it while you use it. [Kerry] connects some probe adapters to a PCB with two square wave oscillators. Square waves are a good test waveform because they have odd-numbered harmonics that rise well above the target frequency.

The probe adapters are a little longer than you might like, which causes some ringing on the input signal. However, if you compare the results to a standard passive probe, you’ll quickly see the value of the active probe setup.

You can save some money if you roll your own, of course. Most of the ones we’ve seen don’t quite make 3 GHz, though.

youtube.com/embed/pN8wHRxeny4?…

hackaday.com/2025/09/26/active…

These days, surveillance cameras are all around us, and they’re smarter than ever. In particular, many of them are running advanced algorithms to recognize faces and scan license plates, compiling ever-greater databases on the movements and lives of individuals. Flock You is a project that aims to, at the very least, catalogue this part of the surveillance state, by detecting these cameras out in the wild.

The system is most specifically set up to detect surveillance cameras from Flock Safety, though it’s worth noting a wide range of companies produce plate-reading cameras and associated surveillance systems these days. The device uses an ESP32 microcontroller to detect these devices, relying on the in-built wireless hardware to do the job. The project can be built on a Oui-Spy device from Colonel Panic, or just by using a standard Xiao ESP32 S3 if so desired. By looking at Wi-Fi probe requests and beacon frames, as well as Bluetooth advertisements, it’s possible for the device to pick up telltale transmissions from a range of these cameras, with various pattern-matching techniques and MAC addresses used to filter results in this regard. When the device finds a camera, it sounds a buzzer notifying the user of this fact.

Meanwhile, if you’re interested in just how prevalent plate-reading cameras really are, you might also find deflock.me interesting. It’s a map of ALPR camera locations all over the world, and you can submit your own findings if so desired. The techniques used by in the Flock You project are based on learnings from the DeFlock project. Meanwhile, if you want to join the surveillance state on your own terms, you can always build your own license plate reader instead!

[Thanks to Eric for the tip!]

hackaday.com/2025/09/26/detect…

As the old saying goes, when the only tool you have is a 6 DOF industrial robotic arm, every problem looks like an opportunity to make it serve up adult beverages. [benkokes] found himself in this familiar predicament and did what any of us would do, but his process wasn’t without a few party fouls as well as a few head-scratchers.

One of the common problems that people who suddenly find themselves with an old industrial robot have is that there’s usually no documentation or instructions. This was true here with the added hiccup of the robot’s UI being set to Chinese. Luckily no one had changed the root password, and eventually he was able to get the robot up and working.

Getting it to make drinks was a different matter altogether. [benkokes] needed a custom tool to hold the cup as well as shake it, and 3D printed a claw-style end effector with a lid. Out of his multi-colored pack of party cups, however, the orange cups were different enough in dimension to cause problems for the shaking lid which was discovered when the robot spilled a drink all over the table.

Eventually, though, the robot was successfully serving drinks at a party. One of [benkokes]’s friends happened to be a puppet maker and was able to outfit it with a tailored tuxedo for the party as well, and he also programmed it to dance in between serving drinks, completing the AI revolution we have all been hoping for. Perhaps unsurprisingly, this is a common project for people who suddenly come to posses a large general-purpose industrial robot, while others build robots specifically for this task alone.

youtube.com/embed/gczwmDvI31E?…

hackaday.com/2025/09/26/robot-…

When ABC suspended “Jimmy Kimmel Live!” last week following a shakedown from the Trump administration, celebrities, free speech advocates, and ordinary Americans voiced their outrage. They were right to sound the alarm — and it (mostly) worked. Kimmel’s back on the air.

But where is that same outrage against the government’s effort to deport Mario Guevara, an Atlanta-area journalist with a work visa who has lawfully resided in the U.S. for 20-plus years? His only “offense” is informing the public of protests against the government.

This week, a final removal order was issued against Guevara, who was arrested (with the baseless criminal charges since dropped) while livestreaming a July “No Kings” protest in Georgia. He might not have a late-night comedy show, but his right to report news is every bit as important as Kimmel’s right to tell jokes.

The stakes in Guevara’s case — both for him and for the country — are even higher than in the Kimmel fiasco that has dominated headlines. Guevara could be deported at any moment, likely to his birthplace, El Salvador, which he fled decades ago to escape political persecution.

Despite the extremely serious constitutional implications of Kimmel’s case, his worst-case scenario was moving from prime time to a podcast. There is no telling what fate might await Guevara if he’s thrown out of the country.

And if that happens, the chilling effect on journalists — particularly noncitizen ones, even those like Guevara with legal status — will be impossible to measure. After all, we only know what news we hear. We don’t know what news we don’t hear because journalists didn’t report it out of fear for their safety or freedom.

Kimmel‘s worst-case scenario was moving from prime time to a podcast. There is no telling what fate might await Guevara.

Kimmel’s professional peers — famous comedians and other celebrities — might feel relieved that Kimmel ultimately got his show back. But most journalists (or comedians, for that matter) aren’t famous and don’t have a Rolodex of Hollywood A-listers ready to come to their defense. Kimmel’s win offers them little comfort.

Independent journalists like Guevara also don’t have money for lawyers, lobbyists, or PR firms to make their case to judges, politicians, or the public (although fortunately, organizations like the ACLU, Free Press, the Committee to Protect Journalists, and others have stepped up).

Federal Communications Commission Chair Brendan Carr tried to manufacture plausible deniability in Kimmel’s case, arguing that it wasn’t his public ultimatum but pressure from local audiences that led ABC and its affiliates to pull Kimmel. That’s nonsense, but in Guevara’s case — much like the case against Rümeysa Öztürk, the Tufts University student facing removal for co-writing an op-ed critical of Israel — the government is hardly attempting to hide its agenda.

The federal government seeks to deport Guevara — despite his work visa and despite local prosecutors dropping their case against him for livestreaming in public — because, to them, his reporting makes him an “undesirable.” How did journalism, the only career protected by the Constitution, become a disfavored profession in America?

Guevara’s reporting often focused on immigration enforcement abuses. That earns him no friends in a government that considers U.S. Immigration and Customs Enforcement agents to be secret police. From seeking to punish social media users who identify ICE agents to investigating radio stations that report on ICE raids to threatening whistleblowers who undermine the official narrative, the administration has made every effort to intimidate those who speak the truth about its immigration policy.

The secrecy is by no means limited to ICE — while Kimmel’s show was in limbo and Guevara wrote letters from his cramped jail cell, the Pentagon announced it would force reporters to pledge to only report authorized information.

What this administration cannot seem to comprehend is that the First Amendment exists for the sole purpose of protecting the right to publish information the government does not want published. There would be no need for a constitutional right to publish what the government wants. Everyone loves free speech when the speaker is on their side.

Guevara is exactly who the constitution was intended to protect — and his retaliatory deportation is exactly the kind of authoritarian censorship it was intended to prevent.

Kimmel will be all right with or without ABC, and with or without you. That doesn’t mean not to protest efforts to censor him — the FCC’s antics are unconstitutional, un-American, and fully deserving of contempt. Carr should be fired and disbarred, and the corporations that caved to him should be ashamed.

But free speech is not only for celebrities. The real battles for our rights are not fought in television studios and theme parks but at protests and in citizen journalists’ home newsrooms. And these days, in detention centers and immigration courts.

freedom.press/issues/americans…

Dear Friend of Press Freedom,

It’s now been over 100 days since journalist Mario Guevara has been imprisoned for covering a protest, and Rümeysa Öztürk has faced deportation for nearly 200 days over an op-ed the government didn’t like. Read on for why cases like these deserve as much outrage as the Federal Communications Commission’s latest attempt at silencing free speech.

Journalist facing deportation deserves same energy as Kimmel

When ABC suspended Jimmy Kimmel Live! last week following a shakedown from the Trump administration, celebrities, free speech advocates, and ordinary Americans voiced their outrage. They were right to sound the alarm — and it (mostly) worked. Kimmel’s back on the air.

But where is that same outrage against the government’s effort to deport Mario Guevara, an Atlanta-area journalist who has lawfully resided in the U.S. for 20-plus years? His only “offense” is informing the public of protests against the government, but he faces imminent deportation.

Speaking of Kimmel, our advocacy director, Seth Stern, went on the “Legal AF” podcast on the MeidasTouch network to talk about our supplement to our July attorney disciplinary complaint against FCC Chair Brendan Carr. Read more about Guevera’s case here.

How noncitizen journalists can prepare for ICE

The immediate priority is getting Guevara’s case dropped, but we also don’t want there to be any more baseless deportation cases against journalists. Many newsrooms — not to mention freelancers — have little experience dealing with immigration authorities, though. Luckily, we know people who do.

We hosted a panel discussion featuring immigration lawyers, civil rights advocates, and journalists to talk about what to do when a journalist is detained by Immigration and Customs Enforcement — and what must happen before that day ever comes. Read about it and watch it here.

Pentagon seeks to control the press

The Pentagon faced bipartisan backlash for its ridiculous policy requiring journalists to agree not to obtain or report “unauthorized” information. We called them out in The New York Times, CNN, The Intercept, and elsewhere. Stern also discussed the disturbing move on NPR’s Los Angeles affiliate, KCRW, and FPF’s Lauren Harper discussed this and other threats to press freedom on NPR’s 1A.

First, President Donald Trump tried to downplay the policy. Now, in a letter responding to an inquiry from the Reporters Committee for Freedom of the Press, officials are trying to walk it back. Unfortunately, the response offers little reassurance that the Pentagon’s intentions are anything but censorial, and doubles down on restricting routine constitutionally protected newsgathering. Read more here.

Drop charges against Cincinnati journalists

Jury trials of journalists arrested while reporting news are exceedingly rare in the United States, but the next two are coming next week unless prosecutors come to their senses.

Journalists Madeline Fening and Lucas Griffith, both of whom were arrested while covering a protest on July 17 for Cincinnati-based CityBeat, are set to be tried Sept. 30 and Oct. 2, respectively. In an unfortunate irony, the protest was in opposition to the recently dropped immigration case against Ayman Soliman, who himself fled Egypt to escape persecution for his journalism. We led a letter to prosecutors from rights organizations and local journalism professors urging them to drop the baseless charges. Read more here.

Proposed ‘safety’ bill would undermine accountability for lawmakers

FPF’s Caitlin Vogus writes for The Minnesota Star Tribune that a bill sponsored by Sens. Amy Klobuchar and Ted Cruz to protect lawmakers won’t fully stop data brokers from trafficking their personal information but will stop journalists and watchdogs from holding them accountable.

Use our action center tool to tell Congress to reject this bill.

Police records must stay public in California

A searchable public database known as the Police Records Access Project has made public for the first time more than 1.5 million pages of previously secret records about the use of force and misconduct by California police officers.

The California legislature, however, is trying to put police misconduct back under wraps. This month, it passed AB 1178, a new bill that would make it harder for the public to access these records. The bill is awaiting Gov. Gavin Newsom’s signature or veto. Read more here.

What we’re reading

Urgent ideas for defending press freedom in Gaza (Columbia Journalism School). Columbia followed up on last month’s important article in Columbia Journalism Review with a discussion about finding creative ways to help journalists in Gaza despite anti-press regimes both here and in Israel. FPF Executive Director Trevor Timm and board member and Pulitzer Prize-winning journalist Azmat Khan were both on the panel.

Israel killed 31 journalists in Yemen strike, press freedom group says (The Washington Post). It’s not just Gaza. The Committee to Protect Journalists says the strike in Yemen was “the deadliest strike on journalists in the Middle East” it has documented to date.

Letter from ICE detention facility (The Bitter Southerner). Guevara recounts the harrowing details of his detention in an Atlanta federal prison. You can also read his son’s plea for his release.

Investors rejoice over looming TikTok deal despite political concerns (Al Jazeera). Days after Trump said frequent criticism of his administration should be illegal, he is finalizing plans to steer control of TikTok to his billionaire friends. “It would be naive to think they won’t censor Trump’s critics while boosting content that pleases him,” Stern said.

It’s 2025. Do you know how secure your newsroom is? (Neiman Lab). “What’s really important is that sources know where to reach you in a way that helps them stay secure,” FPF’s Davis Erin Anderson said.

Trump signs order labeling antifa ‘domestic terrorist organization’ (The Hill). Trump’s executive orders on domestic terrorism and threats to use racketeering laws against protest movements can and will be used to threaten journalists and sources. Journalists who cover “antifa” or report on ICE must now risk being accused of terrorism.

Judge strikes down Trump’s $15 billion suit against The New York Times (The Washington Post). We’re glad a judge tossed this ridiculous lawsuit, but the attorneys behind it should have been sanctioned.

freedom.press/issues/mobilize-…

Hackaday Editors Elliot Williams and Tom Nardi start this week’s episode off with an update on the rapidly approaching 2025 Supercon in Pasadena, California. From there they’ll talk about the surprisingly high-tech world of vapes, a flying DeLorean several years in the making, non-contact pulse monitoring, and the potential of backyard radio telescopes to do real astronomy. You’ll hear about a dodecahedron speaker, a page turning peripheral, and 3D printed tools for unfolding boxes. They’ll wrap things up by taking a look at the latest generation of wearable smart glasses, and wonder if putting a bank of batteries in your home is really with the hassle.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Direct download in DRM-free MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 339 Show Notes:

News:

• 2025 Hackaday Superconference: Announcing Our Workshops And Tickets

What’s that Sound?

• Think you know that sound? Fill out this form for a chance to win!

Interesting Hacks of the Week:

• When Low SRAM Keeps The DOOM Off Your Vape
  
  • Hosting A Website On A Disposable Vape

  
  

• Full Scale Styrofoam DeLorean Finally Takes Flight
  
  • Full-Scale Flying DeLorean Gets Closer To Liftoff
  • Mega-CNC Router Carves Styrofoam Into A Full-Size Flying Delorean

  
  

• Heart Rate Measurement Via WiFi, The DIY Way
  
  • Heart Rate Monitoring Via WiFi
  • Hey Google, Is My Heart Still Beating?

  
  

• Low-Cost, High-Gain: A Smart Electronic Eyepiece For Capturing The Cosmos
• How A Failed Video Format Spawned A New Kind Of Microscope
• Listening For The Next Wow! Signal With Low-Cost SDR
  
  • The Wow! Signal And The Search For Extraterrestrial Intelligence
  • Damage To Arecibo Leaves Gaping Hole In Astronomy
  • Roofing Radio Telescope Sees The Galaxy

  
  

Quick Hacks:

• Elliot’s Picks:
  
  • Dodecahedron Speaker Is Biblically Accurate
  • Robot Balances Ball On A Plate
  • This Device Is A Real Page Turner

  
  

• Tom’s Picks:
  
  • Calculator Battery Mod Lets You Go The Distance
  • For A Robot Claw, The Eyes Have It
  • Mandrel Magic: Small Box Assembly With 3D Printing

  
  

Can’t-Miss Articles:

• Meta’s Ray-Ban Display Glasses And The New Glassholes
• How Regulations Are Trying To Keep Home Battery Installs Safe

hackaday.com/2025/09/26/hackad…

Enzo Bonesu e Monica Murgia a Cagliari – “Il testamento biologico quale atto d’amore”

Mercoledì 8 ottobre 2025
Ore 19:00
Hotel Villa Fanny, Viale Merello 83 – Cagliari

In occasione dell’incontro “Il testamento come ponte tra generazioni”, Enzo Bonesu e Monica Murgia, della Cellula Coscioni Cagliari, interverranno per l’Associazione Luca Coscioni con un intervento intitolato “Il testamento biologico quale atto d’amore”, dedicato a riflettere sul significato civile, personale e affettivo delle Disposizioni Anticipate di Trattamento (DAT).

L’iniziativa è promossa con il contributo di Fideuram ed è pensata come un’occasione di dialogo a più voci sul valore del testamento in tutte le sue forme: come eredità, come espressione di volontà e come strumento di autodeterminazione.

Intervengono anche:

• Giuseppe Werther Romagno, Notaio
• Francesca Frau e Gianbattista Cossu, Consulenti Patrimoniali Fideuram

A seguire, aperitivo e dibattito.

L'articolo La Cellula Cagliari – “Il testamento biologico quale atto d’amore” proviene da Associazione Luca Coscioni.

Rhadamanthys è uno stealer di informazioni avanzato comparso per la prima volta nel 2022. Caratterizzato da un ciclo di sviluppo rapido — con almeno dieci rilascio diversi dall’esordio — il malware viene promosso e commercializzato nei forum sotterranei.

Nonostante il divieto imposto per il suo uso contro soggetti russi e/o di ex repubbliche sovietiche, il prodotto è ancora disponibile sul mercato clandestino; il prezzo parte da 250 dollari per 30 giorni di accesso, cifra che ne favorisce la diffusione tra i criminali informatici.

Funzionalità e tecniche di evasione

Rhadamanthys è progettato per raccogliere una vasta gamma di dati: informazioni di sistema, credenziali, wallet di criptovalute, password memorizzate nei browser, cookie e dati provenienti da numerose applicazioni. Integra numerose contromisure anti-analisi che complicano l’osservazione del codice e ne ostacolano l’esecuzione in ambienti sandbox.

Insikt Group di Recorded Future, ha acquisito e analizzato l’ultima release, la 0.7.0, evidenziando diverse novità. L’innovazione più significativa riguarda l’uso dell’intelligenza artificiale: tramite riconoscimento ottico dei caratteri (OCR), Rhadamanthys è ora in grado di individuare e estrarre automaticamente le “seed phrase” dei portafogli di criptovalute presenti in immagini. La funzione è suddivisa in componenti client e server: il client individua potenziali immagini contenenti seed phrase e, una volta esfiltrate al server di comando e controllo, il back-end esegue l’estrazione completa.

Tra le altre aggiunte, la versione 0.7.0 consente agli attori di minaccia di eseguire e installare pacchetti Microsoft Installer (MSI), un vettore che può eludere i controlli di sicurezza tradizionali perché i file MSI sono spesso associati a installazioni legittime. Inoltre, lo sviluppatore ha reso più resistente e “tamper-proof” la funzione che impedisce la riesecuzione del malware entro un intervallo di tempo configurabile, aggiornandola con meccanismi di cifratura e hashing.

Diffusione, autore e canali di vendita

Il malware è popolare nella comunità criminale; la sua rapida evoluzione e le funzionalità emergenti ne fanno una minaccia concreta per le organizzazioni. Il principale sviluppatore, noto con lo pseudonimo “kingcrete2022”, è stato bannato sia su XSS sia su Exploit Forums a causa delle accuse relative all’indirizzare soggetti russi e/o di ex repubbliche dell’URSS. Nonostante i divieti, l’autore continua a pubblicizzare nuove versioni attraverso messaggistica privata su TOX, Telegram e Jabber.

Nel rapporto di Insikt Group sono indicate strategie di mitigazione che le organizzazioni dovrebbero adottare. Sono inoltre disponibili rilevazioni per individuare Rhadamanthys e, come misura preventiva, è stato descritto un “killswitch” basato sull’impostazione di mutex noti sui sistemi non infetti per bloccarne l’esecuzione e proteggere macchine a rischio.

Rischi operativi

Gli infostealer rappresentano un pericolo significativo per la sicurezza aziendale: la pratica diffusa del riutilizzo delle password facilita l’escalation dall’ambito personale a quello professionale. Credenziali sottratte da account privati — ad esempio da un social network — possono consentire l’accesso non autorizzato a account lavorativi, soprattutto quando indirizzi e-mail professionali sono facilmente reperibili su piattaforme di networking. Inoltre, l’uso promiscuo di dispositivi per attività personali e professionali aumenta il rischio di infezione: l’apertura di link malevoli o la navigazione su siti compromessi da parte di dipendenti o familiari può esporre credenziali aziendali.

Per questi motivi il rapporto sottolinea l’importanza di politiche di password robuste, formazione continua del personale su pratiche di navigazione sicura e controlli di accesso rigorosi per ridurre l’impatto degli infostealer.

Questo articolo si basa su informazioni, integralmente o parzialmente tratte dalla piattaforma di intelligence di Recorded Future, partner strategico di Red Hot Cyber e punto di riferimento globale nell’intelligence sulle minacce informatiche. La piattaforma fornisce analisi avanzate utili a individuare e contrastare attività malevole nel cyberspazio.

L'articolo Rhadamanthys Stealer: introduce una funzione AI per estrarre seed phrase dalle immagini proviene da il blog della sicurezza informatica.

While our eyes are miraculous little devices, they aren’t very sensitive outside of the normal old red, green, and blue spectra. The camera in your phone is far more sensitive, and scientists want to use those sensors in place of expensive hyperspectral ones. Researchers at Purdue have a cunning plan: use a calibration card.

The idea is to take a snap of the special card and use it to understand the camera’s exact response to different colors in the current lighting conditions. Once calibrated to the card, they can detect differences as small as 1.6 nanometers in light wavelengths. That’s on par with commercial hyperspectral sensors, according to the post.

You may wonder why you would care. Sensors like this are useful for medical diagnostic equipment, analysis of artwork, monitoring air quality, and more. Apparently, high-end whisky has a distinctive color profile, so you can now use your phone to tell if you are getting the cheap stuff or not.

We also imagine you might find a use for this in phone-based spectrometers. There is plenty to see in the hyperspectral world.

hackaday.com/2025/09/26/set-ph…

Claudia Moretti per l’Associazione Luca Coscioni a Firenze – “La salute mentale è politica”

Firenze – Casa del Popolo di San Niccolò
Giovedì 10 ottobre 2025
Ore 18:00 – Presentazione del libro
Ore 20:00 – Aperitivo

In occasione della Giornata mondiale della salute mentale, la Cellula Coscioni di Firenze parteciperà all’incontro di presentazione del libro “La salute mentale è politica” di Piero Cipriano, psichiatra, psicoterapeuta e autore.

Con l’autore, interverranno:

• Rocco Canosa, psichiatra ed ex presidente di Psichiatria Democratica
• Claudia Moretti, avvocata e membro del Consiglio Generale dell’Associazione Luca Coscioni, che modererà l’incontro

L’evento è organizzato in collaborazione con Cirkoloco, Libreria Malaparte, Casa del Popolo di San Niccolò, e Bottega del Tempo.

Un’occasione per riflettere su diritti, approcci terapeutici e dimensione politica della salute mentale, a partire da esperienze professionali e visioni critiche sul sistema attuale.

Via San Niccolò 33r, Firenze
Info: 3716408048

L'articolo A Firenze un incontro con Claudia Moretti e Piero Cipriano per l’Associazione Luca Coscioni a Firenze – “La salute mentale è politica” proviene da Associazione Luca Coscioni.

Active Directory (AD) contiene le chiavi digitali dell’organizzazione: l’accesso non autorizzato a questo servizio espone informazioni sensibili e credenziali che possono condurre a una compromissione totale del dominio.

Tra gli asset più critici c’è il file NTDS.dit, che memorizza l’insieme dei dati di dominio e gli hash delle password. Questo articolo ricostruisce un caso reale in cui attori ostili hanno ottenuto privilegi elevati, hanno estratto NTDS.dit e hanno tentato la sua esfiltrazione eludendo controlli comuni.

Il valore strategico di NTDS.dit

In un ambiente Windows dominato da Active Directory, il file NTDS.dit (NT Directory Services Directory Information Tree) rappresenta il database centrale del dominio: contiene account utente, policy di gruppo, oggetti computer e — elemento cruciale — gli hash delle password di tutti gli account, compresi quelli con privilegi di Domain Administrator.

Il furto di questo file permette ad un attaccante, una volta in possesso dell’hive di sistema (SYSTEM) per decrittare il contenuto, di estrarre gli hash, attaccarli offline e impersonare qualunque identità all’interno del dominio. In pratica si ottiene la “mappa” dell’identità digitale dell’organizzazione.

Gli aggressori, riporta la ricerca di Trellix, dopo aver acquisito privilegi amministrativi su un host, sfruttano spesso strumenti nativi (ad esempio vssadmin) per creare Volume Shadow Copy e aggirare i lock sui file, copiando così NTDS.dit senza interrompere i processi AD. Successivamente riparano il file con esentutl e ricavano credenziali con utilità come SecretsDump, Mimikatz o anche con semplici comandi di copia. Queste operazioni possono risultare sorprendentemente silenziose per molte difese tradizionali, motivo per cui il rilevamento basato sul comportamento di rete è fondamentale.

Sequenza dell’attacco: estrazione e esfiltrazione di NTDS.dit

L’analisi del caso mostra una catena di azioni tipica: accesso iniziale, raccolta di hash, uso di hash per autenticarsi, movimento laterale e quindi estrazione di NTDS.dit insieme all’hive di registro SYSTEM, indispensabile per ottenere la Boot Key necessaria alla decrittazione.
Kill Chain completa: dalla compromissione al rilevamento (Fonte Trellix)
Fasi principali illustrate:

1. Raccolta degli hash — Gli avversari ottengono hash delle password tramite metodi come DCSync o estraendoli dalla memoria del processo lsass.exe (ad esempio con Mimikatz), operazione che richiede privilegi elevati sull’host compromesso.
2. Autenticazione tramite hash rubati — Con la tecnica “Pass the Hash” (MITRE ID: T1550.002) è possibile autenticarsi come l’utente compromesso, sfruttando NTLM o algoritmi AES (es. /ntlm, /aes128, /aes256) per connettersi a risorse di rete o avviare processi remoti.
3. Espansione della compromissione — Le credenziali ottenute vengono usate per eseguire strumenti come PSExec e raggiungere altri sistemi, ampliando la superficie d’attacco e ripetendo il ciclo di furto credenziali e movimento laterale.
4. Dump ed esfiltrazione di NTDS.dit e SYSTEM — Per copiare NTDS.dit pur con AD attivo, gli aggressori possono:
   
   • creare una snapshot del volume tramite Volume Shadow Copy Service (VSS) e prelevare il file dalla copia;
   • utilizzare utility PowerShell (es. Invoke-NinjaCopy o simili) per copiare file in uso;
   • sfruttare strumenti di sistema come NTDSUtil.exe o DSDBUtil.exe per esportare dati.

   
   

Dalla snapshot gli attaccanti prelevano NTDS.dit e l’hive SYSTEM, li posizionano in una cartella di staging, li verificano con editor esadecimali o strumenti di parsing AD e quindi li archiviano per l’esfiltrazione verso server esterni.

Raccomandazioni operative

Dall’analisi emergono indicazioni concrete per la mitigazione: monitorare e bloccare movimenti SMB e trasferimenti di file inconsueti, controllare e limitare l’uso di strumenti di amministrazione remota come PsExec, rafforzare la protezione degli account con privilegi elevati e abilitare controlli per rilevare creazioni di Volume Shadow Copy e altre tecniche note per aggirare i lock sui file.

L'articolo Active Directory nel mirino! Come i criminal hacker rubano NTDS.dit proviene da il blog della sicurezza informatica.

Randomness is hard. To be precise, without dedicated hardware, randomness is impossible for a computer. This is actually important to keep in mind when writing software. When there’s not hardware providing true randomness, most rnd implementations use a seed value and a pseudo random number generator (PRNG). A PRNG is a function that takes a seed value, and turns it into a seemingly random value, and also produces a new seed for the next time a random value is needed. This could be as simple as a SHA256 sum, where the hash output is split to become the next seed and the random value.

The PRNG approach does still have a challenge. Where does the initial seed come from? There are a few common, if flawed, approaches, and one of the most common is to use the system clock. It’s not a bulletproof solution, but using the microsecond counter since the last system boot is often good enough, because there are a lot of them to choose from — the entropy is high. With that brief background in mind, let’s talk about what happens in VBScript. The Randomize call is used to seed that initial value, but Randomize has some quirks.

The first is a great feature: calling Randomize a second time with the same seed doesn’t reset the PRNG engine back to the same initial state. And second, when called without a value, Randomize uses the number of system ticks since midnight as the PRNG seed. There are 64 ticks per second, giving five-and-a-half million possible seeds, or 22 bits of entropy. This isn’t great on its own, but Randomize internally typecasts that number of ticks into a narrower value, with a maximum possible of time-based seeds set at 65,536, which is a lot easier to brute-force.

We don’t know the exact application where the researchers at Doyensec found VBScript generating secure tokens, but in their Proof of Concept (PoC) test run, the generated token could be found in four guesses. It’s a terrible security fail for basically any use, and it’s a deceptively easy mistake to make.

GoAnywhere Exploit

The folks at WatchTowr have a report on a blistering 10.0 CVE in the GoAnywhere Managed File Transfer (MFT) product. This vulnerability was first published on September 18, and the WatchTowr crew took a look at it, and had questions. This bug is a deserialization attack that can land even without any authentication. It can result in command injection, and the latest update from GoAnywhere vendor Forta vaguely indicates that it is being used for attacks in the wild. But this is particularly odd: before the vulnerable interface deserializes, it first checks for a valid signature. And WatchTowr researchers couldn’t find a leak of a valid private key. So how was the vulnerability in use in the wild?

Lucky for us, there’s a part two to this story, but not all of the mysteries are explained. This CVE is indeed being exploited in the wild, with the earliest known exploit being September 10th. Since there was a full week between the earliest known compromise and the release of the patch, it seems unfortunate that it took WatchTowr this long to confirm that this vulnerability was actually exploited in the wild.

Cisco and Public SNMP

Two million Cisco systems are at risk from CVE-2025-20352. This is a remotely accessible flaw in the handling of Simple Network Management Protocol traffic. The attack does require valid credentials, but the attack works using SNMPv1, v2, or v3. While SNMPv3 has more secure user credentials, the earlier SNMP versions just used “community strings”, a text based password that was often set to “public”.

This vulnerability seems to lead to either a crash or a Remote Code Exploitation (RCE). It’s not entirely clear how difficult it is to achieve RCE, but it’s noteworthy that RCE here is run as root, a level of access not usually available even to administrators of Cisco equipment. So far there’s no indication that this was used in the wild, but now that some information and a patch is available, it’s likely not going to take long for someone to reverse-engineer the vulnerability and weaponize it.

More Spilled Tea

Remember the Tea Spilling from a couple months ago? The Tea app had an unsecured Firebase database. It turns out that wasn’t an isolated incident. [Mike Oude Reimer] has been working on OpenFirebase, an auditing tool for FireBase installs. And to prove the point, did an audit on 400 of the most popular Android apps from a trio of categories in the play store, and found 150 Firebase servers that granted unintended access of some sort. That’s a bit stunning, that over one in three Android apps have insecure Firebase servers associated with them.

Github Malware Delivery

There’s a malware campaign that has happened in the last couple weeks, based around Search Engine Optimization and GitHub repositories. The instructions peddle malicious commands to users looking for popular software on the Mac, like LastPass and others. I was prepared to write about how Ad Blocking is really a form of security protection, as these campaigns are often delivered via advertising, but this one seems to primarily be based on real search engine placement.

This isn’t the only malware campaign that takes advantage of GitHub’s reputation as a trusted source of software. A phishing campaign was also recently spotted, where spam messages were added as GitHub issues, with the spammers tagging their victims, and offering fake Y Combinator sponsorships. Since the messages were sent via GitHub, most spam blockers treated them as legitimate. This campaign was a bit more clever than most, making use of domain typo-squatting, with the y-comblnator.com domain used as part of the campaign. The goal here being draining the crypto accounts of people sufficiently fooled by the messages.

Bits and Bytes

Is nothing sacred? In addition to GitHub, malware appears to be distributed via Steam, in updates to games. The most recent example was the Block Blasters game, which was on Steam for nearly two months before shipping malicious code.

How can you figure out whether an image is AI, or has been manipulated with AI or other tools? There’s quite a few approaches, but one of the interesting ones is to look at the JPEG artifacting. If part of the image has ever been compressed via JPEG, this results in blocky artifacts that are hard for the human eye to spot, but easy to see with the right tools.

And finally, in a blast from the past, Supermicro has another pair of vulnerabilities that could allow malicious firmware on server Baseboard Management Controller (BMCs). The way these images are signed is slightly odd, with the various portions of the file signed independently. The attack is to treat these sections like cards in a deck, and shuffle malicious slices into the stack. The verification routine thinks all the important pieces are signed, but during a real boot, the malicious code runs instead. Patches coming soon.

hackaday.com/2025/09/26/this-w…

In un nuovo report, Zscaler ThreatLabz ha rivelato i dettagli di una nuova famiglia di malware chiamata YiBackdoor, osservata per la prima volta nel giugno 2025.

Fin dall’inizio, l’analisi ha evidenziato corrispondenze significative del codice sorgente con i downloader IcedID e Latrodectus, ed è proprio questa connessione che Zscaler indica come fondamentale per comprendere la possibile origine e il ruolo del nuovo campione negli attacchi.

Il malware è una libreria DLL modulare con un set base di funzioni di controllo remoto dell’host e un meccanismo di estensione basato su plugin. Di default, le funzionalità sono limitate, ma gli aggressori possono caricare moduli aggiuntivi per espanderne le capacità.

Il programma si copia in una cartella appena creata con un nome casuale, ottiene la persistenza tramite il tasto Esegui di Windows e avvia regsvr32.exe con un percorso dannoso.

Il nome della voce di registro viene generato utilizzando un algoritmo pseudo-casuale. Il modulo primario si autodistrugge, complicando le misure di risposta e l’analisi forense. La logica dannosa viene eseguita tramite una configurazione crittografata incorporata, da cui viene estratto l’indirizzo del server di comando e controllo, e la comunicazione con il C2 avviene tramite risposte HTTP contenenti comandi.

Le funzionalità di YiBackdoor includono la raccolta di metadati di sistema, l’acquisizione di screenshot e l’esecuzione di comandi shell tramite cmd.exe e PowerShell, nonché il caricamento e l’inizializzazione di plugin crittografati in Base64. I comandi chiave identificati nel meccanismo di controllo sono elencati di seguito: Systeminfo, screen, CMD, PWS, plugin e task. La tecnica di iniezione di codice prevede l’iniezione nel processo svchost.exe e le tecniche di anti-analisi integrate sono focalizzate sul rilevamento di macchine virtuali e sandbox, riducendo la probabilità di rilevamento durante l’analisi in un ambiente protetto.

Gli analisti di Zscaler notano diverse somiglianze con IcedID e Latrodectus: un metodo di iniezione simile, formato e lunghezza identici della chiave di decrittazione della configurazione e algoritmi simili per la decrittazione dei blocchi di configurazione e dei plugin. Date queste somiglianze e l’architettura osservata, i dipendenti dell’azienda valutano con un livello di sicurezza da moderato ad alto che YiBackdoor possa essere opera degli stessi sviluppatori responsabili dei precedenti downloader. Tuttavia, le implementazioni attuali sono limitate, il che indica una fase di sviluppo o test e il potenziale ruolo del campione come precursore di successive fasi di sfruttamento, inclusa la preparazione dell’accesso iniziale per il ransomware.

L’organizzazione sottolinea l’importanza di monitorare le richieste HTTP in uscita e le modifiche al registro, nonché di implementare regole di rilevamento incentrate su indicatori comportamentali di iniezioni di svchost.exe e anomalie associate all’avvio di regsvr32.exe da percorsi casuali. Questi indicatori consentono il rilevamento tempestivo dei tentativi di iniezione di YiBackdoor e la prevenzione di ulteriori attività da parte degli aggressori.

L'articolo Arriva YiBackdoor: cosa c’è da sapere e come difendere la rete proviene da il blog della sicurezza informatica.