Microsoft Exchange nel mirino: la guida del CISA per sopravvivere agli attacchi!
Una risposta rapida alle minacce in aumento contro l’infrastruttura di posta elettronica è stata fornita dalla Cybersecurity and Infrastructure Security Agency (CISA), in collaborazione con la National Security Agency (NSA), l’Australian Cyber Security Centre (ACSC) e il Canadian Centre for Cyber Security.
Il documento, intitolato “Microsoft Exchange Server Security Best Practices“, sottolinea le misure di rafforzamento proattive in caso di attacchi persistenti a questi sistemi critici, che gestiscono comunicazioni aziendali sensibili.
È fondamentale dare priorità a una manutenzione scrupolosa degli aggiornamenti di sicurezza e delle patch per adottare un approccio che metta al centro la prevenzione, come evidenziato nella guida che enfatizza l’importanza di tale strategia.
Poche settimane dopo la sospensione del supporto da parte di Microsoft per le versioni obsolete di Exchange, prevista per il 14 ottobre 2025, è stato messo a punto questo documento con l’intento di ridurre i rischi che gravano sugli ambienti che non sono stati aggiornati.
Gli amministratori sono invitati a installare le patch di sicurezza e gli hotfix su base mensile nonché gli aggiornamenti cumulativi (CU) con cadenza biennale al fine di arginare la rapida creazione di exploit da parte dei responsabili delle minacce.
Questo perché, come hanno mostrato recenti exploit zero-day, risulta fondamentale che le organizzazioni operanti in settori critici, implementino tali misure per prevenire violazioni di sicurezza.
Si consigliano strumenti come Exchange Health Checker e SetupAssist di Microsoft per verificare la disponibilità e facilitare gli aggiornamenti, riducendo l’esposizione alle vulnerabilità nel tempo.
Per i server a fine vita (EOL), è fondamentale la migrazione immediata a Exchange Server Subscription Edition (SE), l’unica versione locale supportata, con isolamento temporaneo da Internet consigliato se gli aggiornamenti completi vengono ritardati.
È fondamentale anche garantire che il servizio Exchange Emergency Mitigation (EM) rimanga abilitato, poiché implementa protezioni automatiche come le regole di riscrittura degli URL contro le richieste HTTP dannose. Occorre inoltre pianificare la migrazione dai protocolli NTLM obsoleti a quelli Kerberos e SMB, nonché verificare l’utilizzo legacy e prepararsi all’eliminazione graduale di NTLM.
Oltre all’applicazione di patch, le linee guida promuovono l’applicazione di linee guida di sicurezza consolidate da provider come DISA, CIS e Microsoft per standardizzare le configurazioni su Exchange, Windows e client di posta.
Gli strumenti Endpoint Detection and Response (EDR) sono evidenziati per una protezione avanzata contro le minacce, mentre le funzionalità anti-spam e anti-malwaredi Exchange devono essere attivate per filtrare le email dannose.
Per migliorare l’autenticazione della posta elettronica, le organizzazioni devono implementare manualmente gli standard DMARC, SPF e DKIM, potenzialmente tramite componenti aggiuntivi o gateway di terze parti.
L’implementazione di un’autenticazione avanzata con sistema a più fattori (MFA) tramite Active Directory Federation Services, combinata con la firma basata su certificato, sostituisce la precedente autenticazione di base vulnerabile, garantendo così la protezione della serializzazione di PowerShell.
L'articolo Microsoft Exchange nel mirino: la guida del CISA per sopravvivere agli attacchi! proviene da Red Hot Cyber.
Arrestati i creatori del malware Medusa dai funzionari del Ministero degli interni Russo
Il gruppo di programmatori russi dietro il malware Medusa è stato arrestato da funzionari del Ministero degli Interni russo, con il supporto della polizia della regione di Astrakhan.
Secondo gli investigatori, tre giovani specialisti IT erano coinvolti nello sviluppo, nella distribuzione e nell’implementazione di virus progettati per rubare dati digitali e violare i sistemi di sicurezza. Lo ha riferito Irina Volk sul canale Telegram, che ha allegato un video degli arresti.
Gli investigatori hanno stabilito che le attività del gruppo sono iniziate circa due anni fa . All’epoca, i sospettati avevano creato e pubblicato sui forum degli hacker un programma chiamato Medusa, in grado di rubare account utente, wallet di criptovalute e altre informazioni riservate. Il virus si è diffuso rapidamente attraverso comunità chiuse, dove è stato utilizzato per attaccare reti private e aziendali.
Uno degli incidenti registrati è stato un attacco informatico nel maggio 2025 a un’agenzia governativa nella regione di Astrakhan. Utilizzando software proprietario, gli aggressori hanno ottenuto l’accesso non autorizzato a dati ufficiali e li hanno trasferiti su server sotto il loro controllo. È stato avviato un procedimento penale ai sensi della Parte 2 dell’Articolo 273 del Codice Penale russo, che prevede la responsabilità per la creazione e la distribuzione di malware.
Gli investigatori del Dipartimento per la criminalità informatica del Ministero degli Interni russo, con il supporto della Guardia Nazionale russa, hanno arrestato i sospettati nella regione di Mosca. Durante le perquisizioni, sono stati sequestrati computer, dispositivi mobili, carte di credito e altri oggetti, confermando il loro coinvolgimento in reati contro la sicurezza informatica.
L’indagine ha rivelato che gli sviluppatori di Medusa avevano creato anche un altro strumento dannoso. Questo software era progettato per aggirare le soluzioni antivirus, disattivare i meccanismi di difesa e creare botnet , ovvero reti di computer infetti utilizzate per lanciare attacchi informatici su larga scala.
Sono state imposte misure di custodia cautelare a tutti e tre gli indagati. Le indagini proseguono per individuare possibili complici e ulteriori casi di attività illecita.
L'articolo Arrestati i creatori del malware Medusa dai funzionari del Ministero degli interni Russo proviene da Red Hot Cyber.
HikvisionExploiter: il tool open source per gli attacchi alle telecamere IP
Un nuovo strumento open source, noto come HikvisionExploiter, è stato aggiornato recentemente. Questo strumento è stato concepito per automatizzare gli attacchi informatici contro le telecamere IP Hikvision che presentano vulnerabilità.
Creati per agevolare le operazioni di penetration test, questo strumento evidenzia come i dispositivi non protetti possano essere facilmente violati, favorendo così l’intercettazione della sorveglianza o il furto di informazioni d’accesso.
La scansione multithread di migliaia di obiettivi specificati in un file targets.txt di semplice lettura è supportata dal toolkit, che registra i risultati in directory contraddistinte da timestamp e codici colore per facilitarne l’analisi.
Avvia una serie di test automatizzati, cominciando con la verifica dell’accesso non autenticato per ottenere informazioni in tempo reale. Successivamente, attraverso metodi AES e XOR, decrittografa e recupera i file di configurazione, estraendo dalle XML outputs informazioni sensibili quali nomi utente, livelli di autorizzazione e ulteriori dati.
La sua pubblicazione su GitHub risale alla metà del 2024, ma è stato aggiornato a seguito della recente ondata di exploit che ha colpito le telecamere nel 2025. Lo strumento, basato su Python, si concentra sugli endpoint non autenticati presenti nelle telecamere che utilizzano firmware obsoleti.
Per una completa attività di testing delle difese di rete, sono incluse funzionalità avanzate che consentono l’esecuzione remota di comandi sfruttando specifiche vulnerabilità, grazie a tecniche di iniezione di comandi, unitamente ad una shell interattiva che permette un’analisi più dettagliata. Per il suo utilizzo è necessaria l’installazione di Python 3.6 o superiore, nonché di librerie esterne quali requests e pycrypto; inoltre, per la funzionalità di compilazione di snapshot in video, è richiesto FFmpeg.
Il cuore del toolkit è CVE-2021-36260, una falla critica nell’iniezione di comandi nel server web di Hikvision che consente ad aggressori non autenticati di eseguire comandi arbitrari del sistema operativo. Il bug è stato scoperto nel 2021. La vulnerabilità deriva da una convalida inadeguata degli input in endpoint come /SDK/webLanguage, consentendo l’esecuzione di codice remoto con privilegi elevati.
Riguarda numerosi modelli di telecamere Hikvision, in particolare nelle serie DS-2CD e DS-2DF, che utilizzano versioni del firmware precedenti alle patch del fornitore. Questa falla è stata sfruttata attivamente dal 2021 e la CISA l’ha aggiunta al suo catalogo KEV delle vulnerabilità note sfruttate a causa di attacchi nel mondo reale.
Nel 2025, i ricercatori hanno notato nuove tecniche di abuso, come l’utilizzo del comando “mount” per installare malware sui dispositivi compromessi. Con migliaia di telecamere Hikvision ancora esposte online, gli aggressori possono rubare istantanee, dati degli utenti o ricorrere a violazioni della rete, alimentando operazioni ransomware o DDoS.
L'articolo HikvisionExploiter: il tool open source per gli attacchi alle telecamere IP proviene da Red Hot Cyber.
Gazzetta del Cadavere reshared this.
Hacking Together an Expensive-Sounding Microphone At Home
When it comes to microphones, [Roan] has expensive tastes. He fancies the famous Telefunken U-47, but doesn’t quite have the five-figure budget to afford a real one. Thus, he set about getting as close as he possibly could with a build of his own.
[Roan] was inspired by [Jim Lill], who is notable for demonstrating that the capsule used in a mic has probably the greatest effect on its sound overall compared to trivialities like the housing or the grille. Thus, [Roan’s] build is based around a 3U Audio M7 capsule. It’s a large diaphragm condenser capsule that is well regarded for its beautiful sound, and can be had for just a few hundred dollars. [Roan] then purchased a big metal lookalike mic housing that would hold the capsule and all the necessary electronics to make it work. The electronics itself would be harvested from an old ADK microphone, with some challenges faced due to its sturdy construction. When the tube-based amplifier circuit was zip-tied into its new housing along with the fancy mic capsule, everything worked! Things worked even better when [Roan] realized an error in wiring and got the backplate voltage going where it was supposed to go. Some further tweaks to the tube and capacitors further helped dial in the sound.
If you’ve got an old mic you can scrap for parts and a new capsule you’re dying to use, you might pursue a build like [Roan’s]. Or, you could go wilder and try building your own ribbon mic with a gum wrapper. Video after the break.
youtube.com/embed/hFXfJk1FC9E?…
[Thanks to Keith Olson for the tip!]
PhantomRaven Attack Exploits NPM’s Unchecked HTTP URL Dependency Feature
Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, but this newly discovered one is among the more refined. It exploits not only the remote dynamic dependencies (RDD) ‘feature’ in NPM, but also uses the increased occurrence of LLM-generated non-existent package names to its advantage. Called ‘slopsquatting’, it’s only the first step in this attack that the researchers over at [Koi] stumbled over by accident.
Calling it the PhantomRaven attack for that cool vibe, they found that it had started in August of 2025, with some malicious packages detected and removed by NPM, but eighty subsequent packages evaded detection. A property of these packages is that in their dependencies list they use RDD to download malicious code from a HTTP URL. It was this traffic to the same HTTP domain that tipped off the researchers.
For some incomprehensible reason, allowing these HTTP URLs as package dependency is an integral part of the RDD feature. Since the malicious URL is not found in the code itself, it will slip by security scanners, nor is the download cached, giving the attackers significantly more control. This fake dependency is run automatically, without user interaction or notification that it has now begun to scan the filesystem for credentials and anything else of use.
The names of the fake packages were also chosen specifically to match incomplete package names that an LLM might spit out, such as unused-import instead of the full package name of eslint-plugin-unused-imports as example. This serves to highlight why you should not only strictly validate direct dependencies, but also their dependencies. As for why RDD is even a thing, this is something that NPM will hopefully explain soon.
Top image: North American Common Raven (Corvus corax principalis) in flight at Muir Beach in Northern California (Credit: Copetersen, Wikimedia)
100-Year Old Wagon Wheel Becomes Dynamometer
If you want to dyno test your tuner car, you can probably find a couple of good facilities in any nearby major city. If you want to do similar testing at a smaller scale, though, you might find it’s easier to build your own rig, like [Lou] did.
[Lou’s] dynamometer is every bit a DIY project, relying on a 100-year-old wagon wheel as the flywheel installed in a simple frame cobbled together from 6×6 timber beams. As you might imagine, a rusty old wagon wheel probably wouldn’t be in great condition, and that was entirely true here. [Lou] put in the work to balance it up with some added weights, before measuring its inertia with a simple falling weight test. The wheel is driven via a chain with a 7:1 gear reduction to avoid spinning it too quickly. Logging the data is a unit from BlackBoxDyno, which uses hall effect sensors to measure engine RPM and flywheel RPM. With this data and a simple calibration, it’s possible to calculate the torque and horsepower of a small engine hooked up to the flywheel.
Few of us are bench testing our lawnmowers for the ultimate performance, but if you are, a build like this could really come in handy. We’ve seen other dyno builds before, too. Video after the break.
youtube.com/embed/61-e-HK6HdU?…
Half-good new Danish Chat Control proposal
Denmark, currently presiding over the EU Council, proposes a major change to the much-criticised EU chat control proposal to search all private chats for suspicious content, even at the cost of destroying secure end-to-end encryption: Instead of mandating the general monitoring of private chats (“detection orders”), the searches would remain voluntary for providers to implement or not, as is the status quo. The presidency circulated a discussion paper with EU country representatives today, aiming to gather countries’ views on the updated (softened) proposal. The previous Chat Control proposal had even lost the support of Denmark’s own government.
“The new approach is a triumph for the digital freedom movement and a major leap forward when it comes to saving our fundamental right to confidentiality of our digital correspondence”, comments Patrick Breyer (Pirate Party), a former Member of the European Parliament and digital freedom fighter. “It would protect secure encryption and thus keep our smartphones safe. However, three fundamental problems remain unsolved:
1) Mass surveillance: Even where voluntarily implemented by communications service providers such as currently Meta, Microsoft or Google, chat control is still totally untargeted and results in indiscriminate mass surveillance of all private messages on these services. According to the EU Commission, about 75% of the millions of private chats, photos and videos leaked every year by the industry’s unreliable chat control algorithms are not criminally relevant and place our intimate communication in unsafe hands where it doesn’t belong. A former judge of the European Court of Justice, Ninon Colneric (p. 34-35), and the European Data Protection Supervisor (par. 11) have warned that this indiscriminate monitoring violates fundamental rights even when implemented at providers’ discretion, and a lawsuit against the practice is already pending in Germany.
The European Parliament proposes a different approach: allowing for court orders mandating the targeted scanning of communications, limited to persons or groups connected to child sexual abuse. The Danish proposal lacks this targeting of suspects.
2) Digital house arrest: According to Article 6, users under 16 would no longer be able to install commonplace apps from app stores to “protect them from grooming”, including messenger apps such as WhatsApp, Snapchat, Telegram or Twitter, social media apps such as Instagram, TikTok or Facebook, games such as FIFA, Minecraft, GTA, Call of Duty, and Roblox, dating apps, video conferencing apps such as Zoom, Skype, and FaceTime. This minimum age would be easy to circumvent and would disempower as well as isolate teens instead of making them stronger.
3) Anonymous communications ban: According to Article 4 (3), users would no longer be able to set up anonymous e-mail or messenger accounts or chat anonymously as they would need to present an ID or their face, making them identifiable and risking data leaks. This would inhibit, for instance, sensitive chats related to sexuality, anonymous media communications with sources (e.g. whistleblowers), and political activity.
All things considered, the new Danish proposal represents major progress in terms of keeping us safe online, but it requires substantially more work. However, the proposal likely already goes too far already for the hardliner majority of EU governments and the EU Commission, whose positions are so extreme that they will rather let down victims altogether than accept a proportionate, court-proof and politically viable approach.”
The Time Of Year For Things That Go Bump In The Night
Each year around the end of October we feature plenty of Halloween-related projects, usually involving plastic skeletons and LED lights, or other fun tech for decorations to amuse kids. It’s a highly commercialised festival of pretend horrors which our society is content to wallow in, but beyond the plastic ghosts and skeletons there’s both a history and a subculture of the supernatural and the paranormal which has its own technological quirks. We’re strictly in the realm of the science here at Hackaday so we’re not going to take you ghost hunting, but there’s still an interesting journey to be made through it all.
Today: Fun For Kids. Back Then: Serious Business
Halloween as we know it has its roots in All Hallows Eve, or the day before the remembrance festivals of All Saint’s Day and All Soul’s Day in European Christianity. Though it has adopted a Christian dressing, its many trappings are thought to have their origin in pagan traditions such as for those of us where this is being written, the Gaelic Samhain (pronounced something like “sow-ain”). The boundary between living and dead was thought to be particularly porous at this time of year, hence all the ghosts and other trappings of the season you’ll see today.
Growing up in a small English village as I did, is to be surrounded by the remnants of ancient belief. They survive from an earlier time hundreds of years ago when they were seen as very real indeed, as playground rhymes at the village school or hushed superstitions such as that it would be bad luck to walk around the churchyard in an anticlockwise manner.
As a small child they formed part of the thrills and mild terrors of discovering the world around me, but of course decades later when it was my job to mow the grass and trim the overhanging branches in the same churchyard it mattered little which direction I piloted the Billy Goat. I was definitely surrounded by the mortal remains of a millennium’s worth of my neighbours, but I never had any feeling that they were anything but at peace.
Some Unexplained Phenomena Are Just That
So as you might expect, nothing has persuaded me to believe in ghosts. I can and have walked through an ancient churchyard at night as I grew up next to it, and never had so much as a creepy feeling. I do however believe in unexplained phenomena, but before you throw a book at your computer I mean it in the exact terms given: observable phenomena we know occur, but can’t immediately explain.
To illustrate, a good example of a believable unexplained phenomenon was those moving rocks in an American desert; they moved but nobody could explain how they did it. It’s now thought to be due to the formation of ice underneath them in certain meteorological circumstances, so that’s one that’s no longer unexplained.
As another slightly less cut-and-dried example there are enough credible reports of marsh lights to believe that they could exist, but the best explanation we have, of spontaneous combustion of high concentrations of organic decomposition products, remains for now a theory. I hope one day a scientist researching fenland ecosystems captures one on their instruments by chance, and we can at last confirm or deny it.
The trouble is with unexplained phenomena, that there are folks who would prefer to explain them in their own way because that’s what they want to believe. “I want to believe” is the slogan from the X Files TV show for exactly that reason.
People who want a marsh light or the sounds made by an old house as it settles under thermal contraction at night to be made by a ghost, are going to look for ghosts, and will clutch at anything which helps them “prove” their theories. In this they have naturally enlisted the help of technology, and thus there are all manner of gizmos taken into cemeteries or decaying mansions in the service of the paranormal. And of course in this we have the chance for some fun searching the web for electronic devices.
All The Fun Of Scam Devices
In researching this it’s been fascinating to see a progression of paranormal detection equipment over the decades, following the technological trends of the day. From early 20th century kits that resembled those used by detectives, to remote film cameras like the underwater Kodak Instamatic from a 1970s Nessie hunt we featured earlier this year, to modern multispectral imaging devices, with so much equipment thrown at the problem you’d expect at least one of them to have found something!
I’ve found that these instruments can be broadly divided into two camps: “normal” devices pressed into ghost-hunting service such as thermal cameras or audio recorders, and “special” instruments produced for the purpose. The results from either source may be digitally processed to “reveal” information, much in the manner of the famous “dead salmon paper“, which used an MRI of a dead fish to make a sarcastic comment about some research methodologies.
I’ve even discovered that I may have inadvertently reviewed one a few years ago, a super-cheap electric field meter touted as helping prevent some medical conditions, which I found to be mostly useful for detecting cables in my walls. Surprisingly I found it to be well engineered and in principle doing what it was supposed to for such an instrument, but completely uncalibrated and fitted with an alarm that denounced the mildest of fields as lethal. At least it was a lot cheaper than an e-meter.
Tomorrow night, there will be those who put on vampire costumes to be shepherded around their neighbourhoods in search of candy, and somewhere in the quiet country churchyard of an Oxfordshire village, something will stir. Is it a spectre, taking advantage of their yearly opportunity for a sojourn in the land of the living? No, it’s a solitary fox, hoping to find some prey under the moonlight in the undergrowth dividing the churchyard from a neighbouring field.
Wherever you are, may your Halloween be a quiet and only moderately scary one.
Header: Godstone, Surrey: Gravestone with skull and bones by Dr Neil Clifton, CC BY-SA 2.0.