In late July 2024, we detected a series of ongoing targeted cyberattacks on dozens of computers at Russian government organizations and IT companies. The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, in particular tools used by the APT31 group and an updated CloudSorcerer backdoor. We dubbed this campaign EastWind.

Below are the most interesting facts about the implants used in this campaign:

• The malware downloaded by the attackers from Dropbox has been used by APT31 since at least 2021. We named it GrewApacha.
• The attackers updated the The CloudSorcerer backdoor (described by us in early July 2024) ) after we published our blogpost. It currently uses LiveJournal (a social network popular in Russia) and Quora profiles as initial C2 servers.
• The attacks additionally deploy a previously unknown implant with a classic backdoor functionality, which we dubbed PlugY. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It supports three different protocols for communicating with C2, and what’s more, its code resembles that of the DRBControl backdoor (aka Clambling), which several companies attribute to the APT27 group.

Technical information

As mentioned above, the attackers used spear phishing to gain an initial foothold into the organizations. They sent malicious emails with attached RAR archives to target organizational email addresses. These archives had the following names:

• инициативная группа из Черниговского района Приморского края.rar (translates as advocacy group from Chernigov district of Primorsky Krai.rar)
• вх.rar

They contained the following files:

• .con folder, which contained:
  
  • 1.docx, a legitimate decoy document
  • desktop.exe, a legitimate file
  • VERSION.dll, a malicious file

  
  

• A malicious shortcut with a name similar to that of the archive.

When clicked on, the shortcut executed the following command:
C:\Windows\System32\cmd.exe /c .con\1.docx & echo F | move .con\doc %public%\Downloads\desktop.exe & move .con\docs %public%\Downloads\VERSION.dll & start /b %public%\Downloads\desktop.exe && exit
This command opens the document contained in the archive, copies the files desktop.exe and VERSION.dll to the C:\Users\Public\Downloads folder, and then launches the desktop.exe file.

Note the use of a similar infection method in an attack on a US organization that involved use of the CloudSorcerer backdoor, reported by Proofpoint in July 2024:

Contents of the malicious archive used in the attack on a US organization

VERSION.dll – a backdoor that uses Dropbox

The attackers use classic DLL sideloading to load the malicious library VERSION.dll into the desktop.exe process:

This library is a backdoor packed using the VMProtect tool. When started, it attempts to contact Dropbox using a hardcoded authentication token. Once connected to the Dropbox cloud, the backdoor reads commands to be executed from the file <computer name>/a.psd contained in the storage. The backdoor supports a total of five commands, named as follows:

• DIR
• EXEC
• SLEEP
• UPLOAD
• DOWNLOAD

The results of running these commands are uploaded to the file <computer name>/b.psd that is stored in the cloud..

GrewApacha: a RAT used by APT31 since 2021

The threat actors used the above backdoor to collect information about infected computers and install additional malware on them. On one of these computers, we observed the download of the following files to the directory C:\ProgramData\USOShared\Logs\User:

• msedgeupdate.exe, a legitimate executable file signed by Microsoft
• msedgeupdate.dll, a malicious library
• wd, a file with an encrypted payload

When the attackers launched msedgeupdate.exe, the malicious library msedgeupdate.dll was loaded into its process by means of DLL sideloading:

While this set of three files resembles the “sideloading triad” that is typical of attacks involving PlugXanalysis of these files revealed that the malware inside them is a RAT of the APT31 group, already described in 2021 and 2023. We dubbed this RAT ‘GrewApacha’.

The behavior of the loader (msedgeupdate.dll) hasn’t changed since the 2023 post was published. As before, it decrypts the payload stored on the drive using the XOR key 13 18 4F 29 0F, and loads it into the dllhost.exe process.

While the GrewApacha loader has not changed since last year, there have been minor differences introduced to the RAT itself. Specifically, the new version now uses two C2 servers instead of one. Through network communications, the cybercriminals first retrieve a webpage with a profile bio on GitHub. This profile contains a string encoded with the Base64 algorithm:

Profile of a user created by the attackers on GitHub

The malware first decodes the string extracted from the GitHub profile, then decrypts it using a single-byte XOR algorithm with the key 0x09, thereby obtaining the address of the main C2 server (for the screenshot above – update.studiokaspersky[.]com).

New version of the CloudSorcerer backdoor

Besides launching the GrewApacha Trojan described above, we found that the attackers also downloaded the CloudSorcerer backdoor onto infected computers. To do that, they downloaded and launched a tool named GetKey.exe that is packed with the VMProtect obfuscator.

The utility receives a four-byte number (the value of the GetTickCount() function at runtime), encrypts it using the CryptProtectData function, and then outputs the number with its ciphertext. The screenshot below shows the code of the tool’s main function:

The attackers used the tool output on their side as a unique key to encrypt the payload file. By handling the encryption with the CryptProtect function, the attackers made it possible to decrypt the payload only on the infected machine.

After running the tool, the attackers downloaded the following files to the infected machine:

• The renamed legitimate application dbgsrv.exe (example name: WinDRMs.exe), signed by Microsoft
• The malicious library dll
• A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.

As in the above case of GrewApacha, this set resembles the “sideloading triad” used in attacks involving PlugX.

IIn most cases, the attackers uploaded files inside a subdirectory of C:\ProgramData, such as C:\ProgramData\Microsoft\DRM. Afterwards, they used the task scheduler to configure the renamed dbgsrv.exe application to launch at OS startup. This involved the schtasks utility (usage example:
schtasks /create /RL HIGHEST /F /tn \Microsoft\Windows\DRM\DRMserver /tr "C:\ProgramData\Microsoft\DRM\WinDRMs.exe -t run" /sc onstart /RU SYSTEM").
Upon startup of the renamed application, the malicious dbgeng.dll library is loaded into its process, again using DLL sideloading.

This library was programmed to read the previously mentioned .ini file, which contains:

• The ciphertext of a four-byte number generated and encrypted by the GetKey.exe utility
• A PE file compressed with the LZNT1 algorithm and XOR-encrypted using the four-byte number as a key.

Accordingly, the library proceeded to decrypt the four-byte number using the CryptUnprotectData function, use it to decrypt the .ini file, and then load the decrypted file into the memory of the current process.

Analysis of the decrypted .ini files revealed them to be updated versions of the CloudSorcerer backdoor. After we publicly described this backdoor in early July 2024, the attackers modified it: the new version of CloudSorcerer uses profile pages on the Russian-language social network LiveJournal and the Q&A site Quora as the initial C2 servers:

As with past versions of CloudSorcerer, the profile bios contain an encrypted authentication token for interaction with the cloud service.

PlugY: an implant that overlaps with APT27 tools

Having analyzed the behavior of the newly found CloudSorcerer samples, we found that the attackers used it to download a previously unknown implant. This implant connects to the C2 server by one of three methods:

• TCP protocol
• UDP protocol
• Named pipes

The set of commands this implant can handle is quite extensive, and implemented commands range from manipulating files and executing shell commands to logging keystrokes and monitoring the screen or the clipboard.

Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it. This backdoor was described in 2020 by Trend Micro and Talent-Jump Technologies. Later, Security Joes and Profero linked it to the APT27 group. The backdoor also has similarities to PlugX.

Our comparison of samples of the PlugY implant (MD5 example: faf1f7a32e3f7b08017a9150dccf511d) and the DRBControl backdoor (MD5: 67cfecf2d777f3a3ff1a09752f06a7f5) revealed that these two samples have the exact same architecture. Additionally, many commands in them are implemented almost identically, as evidenced by the screenshots below:

Command code for retrieving information about connected disks in the DRBControl backdoor (left) and the implant (right)

Command code for retrieving information about the active window in the DRBControl backdoor (left) and the implant (right)

Command code for taking screenshots in the DRBControl backdoor (left) and the implant (right)

Thus, the code previously observed in attacks by APT27 was likely used in developing the implant.

While analyzing the PlugY implant we also noticed that it uses a unique malicious library to communicate with the C2 server via UDP. We found the very same library in the DRBControl backdoor, as well as several samples of the PlugX backdoor, which is popular among Chinese-speaking groups. Apart from DRBControl and PlugX, this library has not been detected in any other malware.

Screenshot of the library communicating with the C2 server via UDP

Tips for attack detection

The implants identified during the attack significantly differ from each other. As such, it’s necessary to use a separate set of IoCs for each malware used in any compromise.

The backdoor that uses Dropbox and is delivered via email can be found by looking for relatively large DLL files (> 5 MB) located in the directory C:\Users\Public. Regular access to the Dropbox cloud in network traffic can serve as an additional indicator of this backdoor’s operation.

The GrewApacha Trojan can be detected by searching for an unsigned file named msedgeupdate.dll in the file system. This file also reaches several megabytes in size.
The PlugY implant that is delivered using the CloudSorcerer backdoor launches a process named msiexec.exe for each user signed to the OS, and also creates named pipes with the name template \.\PIPE\Y. The presence of these two indicators in the system is strong evidence of an infection.

Conclusion

In attacks on government organizations, threat actors often use toolkits that implement a wide variety of techniques and tactics. In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic. For instance, the attackers behind the EastWind campaign, for instance, used popular network services (GitHub, Dropbox, Quora, LiveJournal and Yandex.Disk) as C2 servers.

Notably, the EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31. This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To successfully counter such collaborations, we closely monitor the techniques and tactics of APT groups operating around the world.

securelist.com/eastwind-apt-ca…

Sometimes a paper in a scientific journal pops up that makes you do a triple-take, case in point being a recent paper by [Aren Boyaci] and [Arindam Banerjee] in Physical Review E titled “Transition to plastic regime for Rayleigh-Taylor instability in soft solids”. The title doesn’t quite do their methodology justice — as the paper describes zipping a container filled with mayonnaise along a figure-eight track to look at the surface transitions. With the paper paywalled and no preprint available, we have to mostly rely the Lehigh University press releases pertaining to the original 2019 paper and this follow-up 2024 one.

Rayleigh-Taylor instability (RTI) is an instability of an interface between two fluids of different densities when the less dense fluid acts up on the more dense fluid. An example of this is water suspended above oil, as well as the expanding mushroom cloud during a explosion or eruption. It also plays a major role in plasma physics, especially as it pertains to nuclear fusion. In the case of inertial confinement fusion (ICF) the rapidly laser-heated pellet of deuterium-tritium fuel will expand, with the boundary interface with the expanding D-T fuel subject to RTI, negatively affecting the ignition efficiency and fusion rate. A simulation of this can be found in a January 2024 research paper by [Y. Y. Lei] et al.

As a fairly chaotic process, RTI is hard to simulate, making a physical model a more ideal research subject. Mayonnaise is definitely among the whackiest ideas here, with other researchers like [Samar Alqatari] et al. as published in Science Advances opting to use a Hele-Shaw cell with dyed glycerol-water mixtures for a less messy and mechanically convoluted experimental contraption.

What’s notable here is that the Lehigh University studies were funded by the Lawrence Livermore National Laboratory (LLNL), which explains the focus on ICF, as the National Ignition Facility (NIF) is based there.

This also makes the breathless hype about ‘mayo enabling fusion power’ somewhat silly, as ICF is even less likely to lead to net power production, far behind even Z-pinch fusion. That said, a better understanding of RTI is always welcome, even if one has to question the practical benefit of studying it in a container of mayonnaise.

Following the recent US court ruling on Google’s market dominance, Washington may be aligning more closely with the Brussels approach to tech competition regulation, hinting at possible enforcement measures.

euractiv.com/section/competiti…

“Le erbacce devono essere estirpate dalla radice altrimenti non faranno altro che rispuntare da un’altra parte“, questo è il cybercrime.

La prima metà del 2024 ha visto un costante aumento dell’attività dei gruppi di estorsione, nonostante gli sforzi significativi delle forze dell’ordine per reprimerli.

Secondo Unit 42, il numero di nuovi post di compromissione dei dati ha raggiunto 1.762, ovvero una media di 294 post al mese. Questo dato conferma che il livello di minaccia dei ransomware rimane elevato, nonostante le operazioni riuscite che non producono specifiche pubblicazioni

Si distinguono in particolare 6 gruppi, che rappresentano oltre la metà di tutti gli incidenti registrati. Sebbene gruppi BlackCat e LockBit abbiano ridotto la loro attività a causa dell’intervento delle forze dell’ordine, nuovi autori di minacce hanno preso il loro posto.

Tra questi spiccano RansomHub e DragonForce.
Confronto dei 6 principali gruppi di ransomware per (tutto il 2023 e la prima metà del 2024)
I settori più colpiti dagli attacchi sono stati il ​​manifatturiero, la sanità e l’edilizia. Il settore manifatturiero è risultato essere il più vulnerabile, con il 16,4% di tutti gli attacchi, confermando l’importanza del settore per il ransomware.

Anche il settore sanitario, pur essendo altamente suscettibile alle interruzioni, ha subito attacchi significativi, con il 9,6% di tutti gli incidenti segnalati. Al terzo posto si colloca invece il settore edile con il 9,4%
Settori colpiti dal ransomware nella prima metà del 2024
Gli Stati Uniti si sono rivelati il ​​Paese con il maggior numero di vittime di ransomware: il 52% di tutti gli incidenti. Tra i primi dieci paesi più colpiti figurano anche Canada, Regno Unito, Germania, Italia, Francia, Spagna, Brasile, Australia e Belgio.
Paesi in cui le organizzazioni sono state colpite dal ransomware nella prima metà del 2014
Gli analisti sottolineano che il motivo principale dell’aumento dell’attività ransomware nel 2024 è stato il rapido sfruttamento delle vulnerabilità recentemente identificate.

I criminali informatici sfruttano attivamente le opportunità per infiltrarsi nelle reti delle vittime, aumentare i privilegi e spostarsi lateralmente all’interno dei sistemi compromessi.

Nella prima metà del 2024 le forze dell’ordine hanno condotto con successo una serie di operazioni che hanno portato all’arresto di figure chiave e al sequestro delle infrastrutture di alcuni dei gruppi più noti. Tuttavia, nonostante questi sforzi, le minacce continuano ad evolversi.

Nuove fazioni stanno riempiendo il vuoto creato dalla chiusura dei player più anziani, evidenziando la necessità di un monitoraggio e un aggiornamento continui delle misure di difesa.

L'articolo 6 Gruppi Criminali sono i responsabili del 50% degli Attacchi Ransomware proviene da il blog della sicurezza informatica.

Remember when dead batteries were something you’d just toss in the trash? Those days are long gone, thankfully, and rechargeable battery packs have put powerful cordless tools in the palms of our hands. But when those battery packs go bad, replacing them becomes an expensive proposition. And that’s a great excuse to pop a pack open and see what’s happening inside.

The battery pack in question found its way to [Don]’s bench by blinking some error codes and refusing to charge. Popping it open, he found a surprisingly packed PCB on top of the lithium cells, presumably the battery management system judging by the part numbers on some of the chips. There are a lot of test points along with some tempting headers, including one that gave up some serial data when the battery’s test button was pressed. The data isn’t encrypted, but it is somewhat cryptic, and didn’t give [Don] much help. Moving on to the test points, [Don] was able to measure the voltage of each battery in the series string. He also identified test pads that disable individual cells, at least judging by the serial output, which could be diagnostically interesting. [Don]’s reverse engineering work is now focused on the charge controller chip, which he’s looking at through its I2C port. He seems to have done quite a bit of work capturing output and trying to square it with the chip’s datasheet, but he’s having trouble decoding it.

This would be a great place for the Hackaday community to pitch in so he can perhaps get this battery unbricked. We have to admit feeling a wee bit responsible for this, since [Don] reports that it was our article on reverse engineering a cheap security camera that inspired him to dig into this, so we’d love to get him some help.

Nonostante lo scetticismo di alcuni analisti, l’intelligenza artificiale generativa comincia a portare benefici concreti alle imprese. Questa conclusione può essere tratta sulla base dei risultati di uno studio condotto dal Gruppo Nazionale di Ricerca commissionato da Google Cloud.

L’indagine ha coinvolto 2.508 dirigenti senior di varie aziende. I risultati hanno mostrato che il 61% degli intervistati ha già implementato strumenti di intelligenza artificiale generativa nei propri processi produttivi. Tra questi, l’86% ha notato una crescita dei ricavi superiore al 6%.

L’intelligenza artificiale generativa ha ottenuto risultati particolarmente impressionanti nel campo dell’aumento della produttività del lavoro. Il 43% degli intervistati ha riferito che l’intelligenza artificiale ha avuto un impatto significativo sulla produttività dei dipendenti. Quasi la metà stimava che la produttività fosse più che raddoppiata.

L’intelligenza artificiale generativa ha anche aiutato le aziende a espandere le proprie attività. Il 39% dei dirigenti intervistati ha notato un impatto positivo della tecnologia sulla crescita aziendale. Di questi, il 77% ritiene di essere riuscito a migliorare il processo di acquisizione di nuovi clienti.

Migliorare l’esperienza dell’utente è un’altra area in cui l’intelligenza artificiale generativa ha preso il sopravvento. Il 37% degli intervistati ha notato cambiamenti significativi in ​​questo ambito. L’85% di loro ha riscontrato un aumento del coinvolgimento degli utenti: un aumento del traffico, delle percentuali di clic e del tempo trascorso sul sito. Inoltre, l’80% ha notato un aumento della soddisfazione del cliente.

Anche la sicurezza non è stata lasciata incustodita, con l’intelligenza artificiale generativa che mostra risultati promettenti anche in questo settore. Il 56% dei dirigenti ha confermato che la tecnologia ha contribuito a rafforzare la sicurezza delle proprie organizzazioni. La maggior parte di loro (82%) ha notato che è diventato più facile individuare le minacce e il 71% ha segnalato una riduzione dei tempi per risolvere i problemi.

Tuttavia, vale la pena notare che i dati di questo studio differiscono significativamente dalle statistiche dell’US Census Bureau. Secondo l’Ufficio di presidenza, solo il 5,4% delle aziende statunitensi ha utilizzato l’intelligenza artificiale da febbraio. Anche nel settore dell’informazione, dove il tasso di adozione è più elevato, ha raggiunto solo il 18%.

Tuttavia, un sondaggio del National Research Group mostra un crescente interesse delle imprese per l’intelligenza artificiale generativa. Il 47% degli intervistati prevede di utilizzare le tecnologie intelligenti per sviluppare nuovi prodotti e servizi. E il 49% intende sfruttare i vantaggi delle reti neurali per aumentare i profitti.

Le grandi aziende tecnologiche stanno promuovendo attivamente l’intelligenza artificiale generativa, cercando di convincere i clienti del suo valore. Ad esempio, il CEO di Amazon Andy Jesse ha affermato che il loro assistente AI per lavorare con il codice chiamato “Q” ha permesso all’azienda di risparmiare 260 milioni di dollari. Tuttavia, questo importo rappresenta meno dell’1% dei guadagni di Amazon per l’anno fiscale 2023.

L'articolo AI Generativa e Business Oggi: Cosa stanno facendo le Aziende? I Numeri del Report di Google Cloud proviene da il blog della sicurezza informatica.

Un team internazionale di ricercatori dell’Università di Tohoku, dell’Università Nazionale di Singapore e dell’Università di Messina in Italia hanno sviluppato un metodo innovativo per convertire l’energia delle onde elettromagnetiche in corrente continua.

La nostra vita quotidiana è piena di onde elettromagnetiche. Gli edifici sono letteralmente pieni di segnali Wi-Fi , connessioni Bluetooth tra telefoni e cuffie wireless, laptop e stampanti. I router wireless emettono energia sotto forma di radiazione di radiofrequenza, che consente la trasmissione dei dati a vari dispositivi.

Gli scienziati hanno proposto di utilizzare l’energia in radiofrequenza in eccesso nell’ambiente per alimentare piccoli gadget. Questo approccio può ridurre significativamente la dipendenza dalle batterie, prolungarne la durata e ridurre l’impatto negativo sull’ambiente. Questa soluzione può essere particolarmente rilevante per le aree remote dove la sostituzione frequente delle batterie è difficile.

In un articolo pubblicato sulla rivista Nature Electronics, i ricercatori spiegano in dettaglio come sono riusciti a migliorare il raddrizzatore tradizionale, aumentando l’efficienza della conversione dell’energia. Un raddrizzatore converte la corrente alternata, in corrente continua, che scorre in una direzione. Questo processo viene eseguito utilizzando vari componenti, principalmente diodi e condensatori.

Le tecnologie esistenti, come il diodo Schottky, hanno avuto difficoltà a convertire l’energia in modo efficiente. Gli scienziati sono riusciti a superare questi problemi sviluppando un raddrizzatore di spin compatto su scala nanometrica (SR). Il dispositivo è in grado di convertire segnali RF wireless ambientali inferiori a -20 dBm in tensione CC.

La sorgente del segnale deve trovarsi nelle immediate vicinanze del dispositivo elettronico. Tuttavia, i ricercatori stanno lavorando attivamente per migliorare la tecnologia. Forse in futuro verrà integrata un’antenna sul chip per migliorare l’efficienza e la compattezza.

Inoltre, gli scienziati stanno sviluppando connessioni serie-parallele per ottimizzare l’impedenza in grandi schiere di raddrizzatori di spin. Per raggiungere questo obiettivo, i progettisti utilizzano interconnessioni su chip per connettere i singoli SR.

Secondo i ricercatori, la tecnologia dei raddrizzatori di spin può essere facilmente integrata nei moduli di raccolta di energia per alimentare dispositivi elettronici e sensori.

Lo studio della tecnologia apre la strada alla creazione di una soluzione energetica autosufficiente e pulita che può aiutare ad affrontare le sfide del futuro.

L'articolo Il tuo Smartphone domani verrà caricato tramite il Wi-Fi proviene da il blog della sicurezza informatica.

Before LCD and LED screens were ubiquitous, there was a time when the cathode ray tube (CRT) was essentially the only game in town. Even into the early 2000s, CRTs were everywhere and continuously getting upgrades, with the last consumer displays even having a semi-flat option. Their size and weight was still a major problem, though, but for a long time they were cutting edge. Wanting to go back to this time with their original Game Boy, [James Channel] went about replacing their Game Boy screen with a CRT.

The CRT itself is salvaged from an old video conferencing system and while it’s never been used before, it wasn’t recently made. To get the proper video inputs for this old display, the Game Boy needed to be converted to LCD first, as some of these modules have video output that can be fed to other displays. Providing the display with power was another challenge, requiring a separate boost converter to get 12V from the Game Boy’s 6V supply. After getting everything wired up a few adjustments needed to be made, and with that the CRT is up and running.

Unfortunately, there was a major speed bump in this process when [James Channel]’s method of automatically switching the display to the CRT let the magic smoke out of the Game Boy’s processor. But he was able to grab a replacement CPU from a Super Game Boy, hack together a case, and fix the problem with the automatic video switcher. Everything now is in working order for a near-perfect retro display upgrade. If you’d like to do this without harming any original hardware, we’ve seen a similar build based on the ESP32 instead.

youtube.com/embed/irHI_2WdQXc?…

Thanks to [Lurch] for the tip!

One of the most sought after substances in the Universe is water – especially in its liquid form – as its presence on a planet makes the presence of life (as we know it) significantly more likely. While there are potentially oceans worth of liquid water on e.g. Jupiter’s moon Europa, for now Mars is significantly easier to explore as evidenced by the many probes which we got onto its surface so far. One of these was the InSight probe, which was capable of a unique feat: looking inside the planet’s crust with its seismometer to perform geophysical measurements. These measurements have now led to the fascinating prospect that liquid water may in fact exist on Mars right now, according to a paper published by [Vashan Wright] and colleagues in PNAS (with easy-read BBC coverage).

InSight’s mission lasted from November 2018 to December 2022 by which time too much dust had collected on its solar panels and communication was lost. During those active years it had used its seismometer (SEIS) to use the vibrations from natural marsquakes and similar to map the internals of the planet. Based on rock physics models and the data gathered by InSight, there is a distinct possibility that significant liquid water may exist in Mars’ mid-crust, meaning at a depth of about 11.5 to 20 km. Most tantalizing here is perhaps that at these depths, enough liquid water may exist today than may have filled Mars’ past oceans.

Since we’re talking about just a single lander with a single instrument in a single location, it would be highly presumptuous to draw strong conclusions, and at these depths we would have no means to access it. Even so, it would offer interesting ideas for future Mars missions, not to mention underground Mars bases.

As battery-to-grid and vehicle-to-home technologies become increasingly mainstream, the potential for repurposing electric vehicle (EV) batteries has grown significantly. No longer just a niche pursuit, using retired EV batteries for home energy storage has become more accessible and appealing, especially as advancements in DIY solutions continue to emerge. Last year, this project by [Dala] showcased how to repurpose Nissan Leaf and Tesla Model 3 battery packs for home energy storage using a LilyGO ESP32, simplifying the process by eliminating the need for battery disassembly.

In the past few months, this project has seen remarkable progress. It now supports over 20 different solar inverter brands and more than 25 EV battery models. The most exciting development, however, is the newly developed method for chaining two EV packs together to create a single large super-battery. This breakthrough enables the combination of, for example, two 100kWh Tesla packs into a massive 200kWh storage system. This new capability offers an accessible and affordable way to build large-scale DIY home powerwalls, providing performance that rivals commercial systems at a fraction of the cost.

With these advancements, the possibilities for creating powerful, cost-effective energy storage solutions have expanded significantly. We do however stress to put safety first at all times.

Hungry for more home powerbanks? We’ve been there before.

youtube.com/embed/skBhH_EwBUE?…

Microsoft Corporation ha riferito che l’Iran sta intensificando i suoi tentativi di interferire nelle prossime elezioni presidenziali americane. Il rapporto, pubblicato il 9 agosto, descrive come gli hacker di stato si stiano preparando a diffondere notizie false e cercando di accedere agli account dei candidati.

Uno degli episodi descritti nel rapporto è un attacco di phishing contro un collaboratore della campagna elettorale di uno dei partiti.

2 mesi fa gli è stata inviata una lettera per conto di un ex consulente il cui account era stato precedentemente compromesso. È stato effettuato anche un tentativo di hackerare l’account di uno degli ex candidati alla presidenza. Microsoft non rivela i nomi degli obiettivi.

In totale, il rapporto menziona le attività di quattro diversi gruppi di hacker, ognuno dei quali opera a modo autonomo. Una campagna di notizie false ha preso di mira entrambi i lati dello scacchiere politico.

Recentemente, uno dei gruppi ha violato le risorse interne della campagna di Trump e ha rubato documenti riservati, incluso un dossier su James David Vance. Inoltre si è verificato un caso di compromissione del conto di un dipendente a livello di governo distrettuale. Secondo gli esperti Microsoft, questo incidente faceva parte di un’operazione più ampia.

Gli analisti di Microsoft notano che la crescente attività degli hacker iraniani riflette la loro tattica caratteristica: iniziare a interferire nelle elezioni più tardi rispetto agli altri attori. Secondo il Microsoft Threat Intelligence Center, gli attacchi informatici dell’Iran sono più mirati a interferire con il processo elettorale stesso piuttosto che a cercare di influenzare le opinioni degli elettori.

Clint Watts, direttore generale del Centro, ha osservato che le azioni degli hacker iraniani possono essere divise in due tipologie. Il primo tipo prevede campagne che mirano a suscitare polemiche e influenzare gli elettori negli stati indecisi con questioni elettorali scottanti. Il secondo tipo di attività si concentra sulla raccolta di informazioni sulle campagne politiche, che possono poi essere utilizzate per affinare le strategie.

Il rapporto menziona che una delle piattaforme di notizie false scoperte da Microsoft si rivolgeva al pubblico liberale e chiamava Donald Trump un “elefante oppioide in un negozio di porcellane”. Un’altra piattaforma, rivolta ai conservatori, si è concentrata sulla riassegnazione di genere e su altre questioni LGBT. Entrambe le piattaforme sono state create da uno dei gruppi iraniani.

Watts ha inoltre sottolineato che un altro gruppo di hacker potrebbe prepararsi ad azioni più estreme. I personaggi politici o le comunità possono dover affrontare minacce e provocazioni. L’obiettivo finale di queste azioni sarà quello di creare caos, minare l’autorità e seminare dubbi sull’integrità delle elezioni.

In precedenza il governo americano aveva già accusato gli iraniani di aver tentato di interferire nelle elezioni. Uno dei più famosi è stato il caso del gruppo di estrema destra Proud Boys: per suo conto gli hacker iraniani hanno inviato lettere agli elettori democratici.

Altri rapporti Microsoft di quest’anno hanno evidenziato anche i tentativi della Cina di utilizzare l’intelligenza artificiale per influenzare le elezioni.

L'articolo Microsoft Avverte: L’Iran Intensifica gli Attacchi Hacker contro le Elezioni Presidenziali USA proviene da il blog della sicurezza informatica.

A StreamDeck is effectively a really cool box full of colorful buttons that activate various things on your PC. They’re fun and cool but they’re also something you can build yourself if you’re so inclined. [Jason] did just that for his sim racing setup, and he included some nifty old-school tech as well.

An ESP32 is at the core of the build, listening to button presses and communicating with the PC. However, the build doesn’t actually use regular buttons. Instead, it uses infrared sensors wired up in a matrix. This was an intentional choice, because [Jason] wanted the device to be reconfigurable with different paper card overlays. There are ways to do this with regular buttons too, but it works particularly well with the infrared technique. Plus, each button also gets a Neopixel allowing its color to be changed to suit different button maps.

What’s really neat is that the button maps change instantly when a different overlay card is inserted. [Jason] achieved this with an extra row of infrared sensors to detect punched holes in the bottom of the overlay cards.

Once upon a time, even building your own keyboard was an uphill battle. Today, it’s easier than ever to whip up fun and unique interface devices that suit your own exact needs. That’s a good thing! Video after the break.

youtube.com/embed/CaWsJdYNwyQ?…

Construction kit toys are cited by many adults as sparking great creativity and engineering talent in their youth. LEGO, Meccano, K’NEX, Lincoln Logs—these are all great commercial options. But what about printing your very own construction kit at home? Meet Stemfie.

Fundamentally, Stemfie isn’t that different from any other construction kit you might have seen before. It has various beams and flat plates that are full of holes so they can be assembled together in various ways. It also uses bolts, spacers, and small plastic nuts that can be tightened using a special hand tool. Think of a mixture between LEGO Technic and Meccano and that will get you in the ballpark. It includes neat motion components too, including gears, wheels, and even a large flat spring!

What can you build with it? Well, as every construction kit toy says, you’re only limited by your imagination! However, if your imagination is especially small, you can just use the Stemfie 3D YouTube channel for inspiration. It features everything from a ping pong ball catapult to a rubber-band driven car. Plus, since it’s all 3D printed, you can simply scale up the parts and build even bigger designs. Like a giant catapult that can hurl entire water jugs. Fun!

We’ve seen other projects in this vein before. One of our favorites is [Ivan Miranda]’s giant 3D printed assembly kit that he uses to build big monster toys.

youtube.com/embed/8AIVcwuRmV4?…

youtube.com/embed/FtJwLNqRd8E?…

I want to introduce you to a project of mine – a portable router build, and with its help, show you how you can build a purpose-built device. You might have seen portable routers for sale, but if you’ve been in the hacking spheres long enough, you might notice there are “coverage gaps”, so to speak. The Pi-hole project is a household staple that keeps being product-ized by shady Kickstarter campaigns, a “mobile hotspot” button is a staple in every self-respecting mobile and desktop OS, and “a reset device for the ISP router” is a whole genre of a hacker project. Sort the projects by “All Time” popularity on Hackaday.io, and near the very top, you will see an OpenVPN &Tor router project – it’s there for a reason, and it got into 2014 Hackaday Prize semifinals for a reason, too.

I own a bunch of devices benefitting from both an Internet connection and also point-to-point connections between them. My internet connection comes sometimes from an LTE uplink, sometimes from an Ethernet cable, and sometimes from an open WiFi network with a portal you need to click through before you can even ping anything. If I want to link my pocket devices into my home network for backups and home automation, I can put a VPN client on my laptop, but a VPN client on my phone kills its battery, and the reasonable way would be to VPN the Internet uplink – somehow, that is a feature I’m not supposed to have, and let’s not even talk about DNSSEC! Whenever I tried to use one of those portable LTE+WiFi[+Ethernet] routers and actively use it for a month or two, I’d encounter serious hardware or firmware bugs – which makes sense, they are a niche product that won’t get as much testing as phones.

I’ve come to hate these little boxes with a passion. By [www.digitalpush.net], CC BY 4.0Solving these problems and implementing my desired features is quite motivational for me – it’s not just that I need my devices to work for me, it’s also that every time I tackle a project like this, I push some cool tech boundaries, find out a number of fun things I can share with you all, and I end up creating yet another device I use to significantly improve my life. What’s more, routers are a sea of proprietary hardware coupled to proprietary software, and it shows. The Pi-hole project is about cutting profit margins, and the Tor network, so you won’t see them on a commercial device. Your Huawei portable router’s battery died? Good luck sourcing a replacement. Router randomly shutting down because of overheating? Either do something and lose your warranty, or send it away for repair for weeks with no guarantee of having it fixed, and stars help you if it’s made by Asus.

Feature Plan

I need a router with an always-on WiFi AP, LTE, Ethernet and an optional WiFi station interface. As for software, I need it to run a lightweight VPN client like Wireguard and route my traffic through it, as well as run a bunch of quality-of-life features – from reasonable static IP allocation and DNS configurability, to captive portal auto-clicking and DNSSEC. The best part about building your hardware is that you can pick your batteries and can choose cells as large as you desire, so it shouldn’t be hard to make it last a day, either.

You also get to pick your own CPU, LTE modem, power management circuits. Thankfully, I have building blocks for most of these, and I’ve discussed them before – let’s talk CPUs first, and next time, go into LTE modem selection.

You might have seen fun boards throughout the last decade – a half-a-GHz CPU, from 64 to 512 MB of external RAM, WiFi and Ethernet interfaces done in hardware, an SPI flash for firmware, a bunch of GPIOs, OpenWRT shipped by default, and no video output interface in sight. You might have bought one for a generic Raspberry Pi grade project, misunderstanding its purpose. It’s a a router CPU board, put into a maker-friendly form-factor – tt will work wonders for routing packets, but it won’t work well for streaming video. I know, because I bought my first board ever with the intention of running mjpg-streamer on it, and as soon as I set it to a reasonable resolution, the CPU went to 100% consumption in a heartbeat.

Perhaps one of the most promising “router CPU” modules to this day. By [Pinguinguy], CC0 1.0There are plenty of boards like this around – the VoCore, the Carambola boards, the BlackSwift boards I keep nostalgically remembering, LinkIt boards, and the Onion Omega modules. Of these, to the best of my knowledge, the Onion Omega 2 is the most up-to-date of them all, so I got one for cheap locally with a breakout – despite their name, they have nothing to do with Tor routing, though I do aim to change that. The Omega-designed breakout is underwhelming in my eyes – they used a powerbank IC to add battery backup functionality, with all the inefficiency and bugs that entails. As you might already know, you literally don’t need to do that.

Still, it ships with OpenWRT, it’s reasonably open, and it’s got everything I need. I started this project in 2018, but thankfully, I picked well – the Onion Omega repositories are active to this day, which means that, to this day, I can resume my project by just reflashing OpenWRT to a newer version; if you don’t do this, you can’t use the repositories meaningfully, which is a large part of the fun!
Want to prototype a project that contains multiple components? Just tape them to a piece of board while you map it out and test things together!
Could you pick something more powerful? Yes, absolutely – a Raspberry Pi would have a beefier CPU for anything I’d want to hack – in fact, many boards today can boast a faster CPU and better peripherals. My hunch, however, is that native WiFi and Ethernet are an important thing to have – I don’t want to go full USB for everything I need, lest I get throttled by the 480 Mbps restriction. Also, I do want to make sure the module I pick is well-suited for the task in aspects I might not even foresee yet, and it just feels right to use a router CPU.

In short, I’m cool with throttling my Internet uplink in some ways, as long as this gives me a bunch of cool features in return; later on, I can do a market review and see if there’s a more suitable board I could integrate, but until then, I see no boards like this. Do you have better CPU board suggestions for a portable router? Drop them in the comments down below.

Choice Outcomes

So, this is what I set out to do – use an Onion Omega as my personal WiFi repeater, for now, without an LTE uplink integrated. I’ve used it as my portable router, in a half-complete configuration, and here’s what I found. First off, the WiFi adapter allows combined STA (station=client) and AP (access point=hotspot) mode – something that might feel like a pretty nifty feature to you, and it did to me. Initially, I thought this would allow me to do WiFi forwarding easily – and it did, but as soon as I leave the house with the router in my backpack and the STA mode goes inactive, things break.
Test setup, creating an access point with an Ethernet uplink. With two 18650 cells, no LTE enabled, it works for about 20 hours.
Here’s a bug – if you expect an always-on AP and an occasionally active STA, your AP will be regularly glitching out, at least on the Onion Omega, and this is a fundamental problem that might translate into other hardware too. This is because, whenever the STA interface is disconnected, it needs to periodically re-scan the network to see if it needs to reconnect to an AP. Your WiFi radio needs to stop and drop what it’s doing, including any ongoing transmissions, and listen to the aether for a while – switching between different channels while at it. This is very noticeable when doing live audio or video streaming; if you do a local file transfer over the AP’s network and the transfer speed is plotted, there will be visible gaps in the transmission speed.

First lesson – scrutinize cool features like the combined STA+AP modes if you’re actually building a network you want to rely on, especially if you don’t see them – you will notice that many devices don’t come with STA+AP simultaneous connection support out of the box. Sharing an antenna for two different purposes at once feels like an error-prone situation, and if you’re having a connectivity problem, you will want to look into that.

Is the hardware support ideal? No. Is this fun so far? Yes, absolutely, and it gives some cool insights into features you might consider worth building your project around. Does this router beat the performance of a Huawei battery-powered router I used to carry in my pocket? Yep, it already has quite a few important features I always wanted to have, like static IP assignments and an Ethernet port I can use for an uplink. Now, it doesn’t have LTE just yet – let’s talk about that in the next article, showing you how to pick an LTE modem, and what can you do to make the process significantly easier for you.