Arduino VGA, The Old Fashioned Way
Making a microcontroller speak to a VGA monitor has been a consistent project in our sphere for years, doing the job for which an IBM PC of yore required a plug-in ISA card. Couldn’t a microcontroller talk to a VGA card too? Of course it can, and [0xmarcin] is here to show how it can be done with an Arduino Mega.
The project builds on the work of another similar one which couldn’t be made to work, as the Trident card used couldn’t be driven in 8-bit ISA mode. The web of PC backwards compatibility saves the day though, because many 16-bit ISA cards also supported the original 8-bit slots from the earliest PCs. The Arduino is fast enough to keep up with the ISA bus, but the card also needs the PC’s clock line to operate, and it only supports three modes: 80 × 25 16-colour text, 320 × 200 256-colour graphics, and 640 × 480 16-colour graphics.
Looking at this project, it serves as a reminder of the march of technology. Perhaps fifteen years or more ago we’d have been able to lay our hands on any number of ISA cards to try it for ourselves, but now, eight years after we called the end of the standard, we’d be hard pressed to find one even at our hackerspace. Perhaps your best bet if you want one is a piece of over-the-top emulation.
Uncle Sam Wants You to Recover Energy Materials from Wastewater
The U.S. Department of Energy’s (DOE) Advanced Research Projects Agency-Energy (ARPA-E) was founded to support moonshot projects in the realm of energy, with a portfolio that ranges from the edge of current capabilities to some pretty far out stuff. We’re not sure exactly where their newest “Notice of Funding Opportunity (NOFO)” falls, but they’re looking for critical materials from the wastewater treatment process. [via CleanTechnica]
As a refresher, critical materials are those things that are bottlenecks in a supply chain that you don’t want to be sourcing from unfriendly regions. For the electrification of transportation and industrial processes required to lower carbon emissions, lithium, cobalt, and other rare earth elements are pretty high on the list.
ARPA-E also has an interest in ammonia-based products which is particularly interesting as industrial fertilizers can wreak havoc on natural ecosystems when they become run off instead of making it into the soil. As any farmer knows, inputs cost money, so finding an economical way to recover those products from wastewater would be a win-win. “For all categories, the final recovered products will need to include at least two targeted high energy-value materials, have greater than 90% recovery efficiency, and be commercially viable in the U.S. market.” If that sounds like the sort of thing you’d like to try hacking on, consider filling out an Applicant Profile.
If you’re curious about where we’re getting some of these materials from right now, check out our series on Mining and Refining, including the lithium and cobalt ARPA-E wants more of.
It’s Like LightScribe, But For Floppies!
Back when CD-Rs were the thing, there were CD burner drives which would etch images in the unoccupied areas of a CD-R. These so-called LightScribe drives were a novelty of which most users soon tired, but they’re what’s brought to our mind by [dbalsom]’s project. It’s called PNG2disk, and it does the same job as LightScribe, but for floppies. There’s one snag though; the images are encoded in magnetic flux and thus invisible to the naked eye. Instead, they can be enjoyed through a disk copying program that shows a sector map.
The linked GitHub repository has an example, and goes in depth through the various options it supports, and how to view images in several disk analysis programs. This program creates fully readable disks, and can even leave space for a filesystem. We have to admit to being curious as to whether such an image could be made physically visible using, for example, ferrofluid, but we’d be the first to admit to not being magnetic flux experts.
PNG2disk is part of the Fluxfox project, a library for working with floppy disk images. Meanwhile LightScribe may have gone the way of the dodo, but if you have one you could try making your own supercaps.
DK 9x10 - Enough with privacy
In the newspapers and the media it’s all privacy here and privacy there. The trouble is that today’s problem is not privacy, it’s the protection of personal data. The GDPR does not protect privacy, it protects personal data. Privacy is making sure that unauthorized people do not access our data. Personal data protection is making sure that even authorized people cannot exceed very strict limits in what they do with our data.
spreaker.com/episode/dk-9x10-f…
Saving a Samsung TV From the Dreaded Boot Loop
[eigma] had a difficult problem. After pulling a TV out of the trash and bringing it home, it turned out it was suffering from a troubling boot loop issue that basically made it useless. As so many of us do, they decided to fix it…which ended up being a far bigger task than initially expected.
The TV in question was a Samsung UN40H5003AF. Powering it up would net a red standby light which would stay on for about eight seconds. Then it would flicker off, come back on, and repeat the cycle. So far, so bad. Investigation began with the usual—checking the power supplies and investigating the basics. No easy wins were found. A debug UART provided precious little information, and schematics proved hard to come by.
Eventually, though, investigation dialed in on a 4 MB SPI flash chip on the board. Dumping the chip revealed the firmware onboard was damaged and corrupt. Upon further tinkering, [eigma] figured that most of the dump looked valid. On a hunch, suspecting that maybe just a single bit was wrong, they came up with a crazy plan: use a script to brute-force flipping every single bit until the firmware’s CRC check came back valid. It took eighteen hours, but the script found a valid solution. Lo and behold, burning the fixed firmware to the TV brought it back to life.
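The bit-flip search described above, written out as an added example; this is not [eigma]’s script, and it assumes a layout the article does not state: a payload followed by a 4-byte little-endian CRC-32 trailer, using the standard zlib polynomial (the TV’s real checksum scheme is not given). The first function is the brute force from the article, which recomputes the full CRC for every candidate and is why the original run took hours. The second exploits the fact that a CRC is linear over GF(2): the effect of flipping any single bit on the final register depends only on the bit’s position, so a single backward pass propagating eight candidate differences finds the position whose effect equals the syndrome. A third function also tries the 32 bits of the trailer itself, a case the payload-only search would never find.

```python
import zlib

# Reflected CRC-32 polynomial, the same CRC that zlib.crc32 implements.
# Assumption for this example: the image uses this CRC and stores it as a
# little-endian trailer after the payload. The article does not say which
# checksum the TV firmware actually uses.
POLY = 0xEDB88320
TRAILER_LEN = 4


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def split_image(image: bytes):
    """Assumed layout: payload || CRC-32(payload) as 4 little-endian bytes."""
    return image[:-TRAILER_LEN], int.from_bytes(image[-TRAILER_LEN:], "little")


def brute_force_fix(payload: bytes, expected: int):
    """The method from the article: flip every bit in turn and recompute the
    whole CRC. Cost is 8 * len(payload) full CRC passes over the image."""
    buf = bytearray(payload)
    for i in range(len(buf)):
        for b in range(8):
            buf[i] ^= 1 << b
            if crc32(buf) == expected:
                return i, b
            buf[i] ^= 1 << b
    return None


def _propagate(delta: int) -> int:
    """How a difference in the CRC register evolves across one more input
    byte. The table lookup is linear over GF(2), so the actual data bytes
    cancel out and only the difference has to be tracked."""
    return TABLE[delta & 0xFF] ^ (delta >> 8)


def linear_fix(payload: bytes, expected: int):
    """CRC-32 is linear: CRC(m ^ e) == CRC(m) ^ D(e), where D(e) depends only
    on the position of the flipped bit e. Walk the image backwards, carrying
    the eight possible single-bit differences, until one equals the syndrome
    crc(payload) ^ expected. One pass instead of 8 * n full CRC passes."""
    syndrome = crc32(payload) ^ expected
    if syndrome == 0:
        return None  # CRC already matches; nothing to repair
    # deltas[b]: register difference caused by flipping bit b of the byte
    # currently being visited, before that byte goes through the table.
    deltas = [1 << b for b in range(8)]
    for i in range(len(payload) - 1, -1, -1):
        deltas = [_propagate(d) for d in deltas]
        for b, d in enumerate(deltas):
            if d == syndrome:
                return i, b
    return None


def repair_image(image: bytes):
    """Returns (fixed_image, location). location is ("payload", i, b),
    ("crc", k) when the trailer itself carries the bad bit, or None."""
    payload, expected = split_image(image)
    hit = linear_fix(payload, expected)
    if hit is not None:
        i, b = hit
        fixed = bytearray(image)
        fixed[i] ^= 1 << b
        return bytes(fixed), ("payload", i, b)
    # The bad bit may sit in the checksum field itself; a payload-only
    # search never finds that, so try those 32 bits too.
    actual = crc32(payload)
    for k in range(32):
        if actual == expected ^ (1 << k):
            fixed = bytearray(image)
            fixed[len(payload) + k // 8] ^= 1 << (k % 8)
            return bytes(fixed), ("crc", k)
    return image, None


if __name__ == "__main__":
    # Constructed sample image, not a real firmware dump.
    payload = bytes(range(256)) * 16
    good = payload + crc32(payload).to_bytes(4, "little")
    damaged = bytearray(good)
    damaged[1234] ^= 1 << 5  # simulate one flipped bit
    fixed, where = repair_image(bytes(damaged))
    print(where, fixed == good)
```

The linear search is sound because a CRC with a fixed initial value and final XOR still has the property that the difference between two register states evolves independently of the data; both the init and the xorout cancel when you subtract. It only ever reports a single-bit fix, which is all that was needed here; a multi-bit corruption would need a different approach.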
It feels weird for a single bit flip to kill an entire TV, but this kind of failure isn’t unheard of. We’ve seen other dedicated hackers perform similar restorations previously. If you’re out there valiantly rescuing e-waste with these techniques, do tell us your story, won’t you?
Thanks for Hacking
It’s that time of year again, when the turkey roasts and we think of the important things that we’re thankful for. Here at Hackaday, we’re simply thankful for all of you out there. The readers who make Hackaday worth writing for, and the hackers out there who give us something to write about.
It’s no exaggeration to say that we have one of the most bizarrely creative communities out there, and we’re thankful to still be chronicling all of the inventive madness, all of the engineering feats, and all of the projects that succeed and those that fail. It’s truly a pleasure, day in and day out, to read and to write about.
So thank you all for being Hackaday, for sticking with us through our 20th year now, and for continuing to share your hacks and sending in the tips when you see one that you’d like us to share. Keep on hacking, and we can’t wait to see what you’re up to in 2025.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
The Many Reasons For Putting Microphones in Rainforests
If a tree falls in a forest with nobody around, does it make a noise? In the case of the rainforests equipped with the Rainforest Connection’s Guardian system, someone will most assuredly hear it.
Rainforest Connection’s Guardian system up close, with microphone visible. (Credit: RFCx)
Originally created by the people behind the US nonprofit Rainforest Connection (RFCx) using upcycled smartphones to detect the sounds of illegal logging, their project now has grown into something much larger, keeping not only tabs on sounds of illegal activity, but also performing bioacoustic monitoring for scientific purposes.
Currently active in ten countries, the so-called Guardian Platform no longer features smartphones, but custom hardware inside an IP66 weatherproof enclosure and a whole range of communication options, ranging from cellular bands to satellite communications. The petal-shaped solar panels provide the module with up to 30 watts of power, and double as a shield to help protect it from the elements.
Not only is the real-time microphone data incredibly useful for rangers trying to stop illegal logging, it also gives researchers access to countless hours of audio data, which will require detailed, automated analysis. Even better, the audio data is available to the general public as well, via their Android & iOS apps (bottom of page), just in case you wanted to hear what that sneaky wildlife in the jungle of Peru is up to right now.
Building a Miniature Rainbow Sand Table
Sand is coarse and rough and irritating, and it gets everywhere. But it can also be beautiful: drag a small ball through it in a controlled manner and you can make some really pretty patterns. That’s precisely what this compact build from [Printerforge] does.
The build relies on an ESP32 as the brains of the operation. It employs small 28BYJ-48 motors to run the motion platform. These were chosen as they operate on 5 V, simplifying the build by allowing everything to run off a single power supply. Along with a bunch of 3D printed parts, the motors are assembled into a motion system with linear rods and belts in a CoreXY layout, chosen for speed and precision. It’s charged with moving a small magnet to drag a ball bearing through the sand, drawing patterns under the command of G-code generated with the Sandify tool.
We’ve seen some great sand table builds over the years. Some use polar coordinate systems, while others repurpose bits of 3D printers. If you’ve got a creative new way of doing it, don’t hesitate to let us know!
Modernizing an Apple iPod, or: a Modern-Day Ship of Theseus
Back in the day, the Apple iPod was the personal music player (PMP) to get, if only because everyone and their dog had one. These days most people just use their smartphone as a PMP, but what if you were to take, say, a 5th generation iPod and modernize it? That was the basic idea that [Zac Builds] picked up and ran with, with the results shown in the video he made about it.
The 5th gen iPod was the first one capable of playing video, and was released in October 2005. Video playback is handled by a Broadcom BCM2722, and the player shipped with a 30 or 60 GB HDD. The first thing [Zac] tosses is the old (3.7 V, 650 mAh) battery, which appears to already be a replacement for the original, followed by the 60 GB 1.8″ HDD. Next to go is the 2.5″ 320×240 QVGA screen, which is replaced by a compatible modern LCD. The case is swapped for a transparent one, along with a transparent touch wheel, and the HDD’s place is taken by a 256 GB SD card in an iFlash Solo SD card adapter for iPods.
Next up was the installation of more off-the-shelf mods, such as a ‘taptic mod’ which adds a rumble motor, and replacing the iPod’s 30-pin connector with a USB-C connector, which required some fiddly soldering and desoldering. After this a Bluetooth audio transmitter was added, and extreme PCB mods were performed with a cut-off wheel to make everything fit with a custom midframe and rear case.
Ultimately, the parts left of the original iPod were most of the mainboard and some flex cable, which raises the question of whether it might not have been faster and easier to start off with designing a custom PCB. Perhaps the true value is in the modding journey and not the destination?
Thanks to [Keith Olson] for the tip.
youtube.com/embed/0SerEuqAlAA?…
Hacking Trees to Bring Back the American Chestnut
“Chestnuts Roasting on an Open Fire” is playing on the radio now in the Northern Hemisphere, which raises the question, “What happened to the American chestnut?” Would you be surprised to hear there’s a group dedicated to bringing it back from “functional extinction?” [via Inhabitat]
Between logging and the introduction of chestnut blight, the once prevalent American chestnut became increasingly uncommon throughout its traditional range in the Appalachians. While many trees in the southern range were killed by Phytophthora root rot (PRR), the chestnut blight leaves roots intact, so many chestnuts have been surviving by growing back from the roots only to succumb to the blight and be reborn again. Now, scientists are using a combination of techniques to develop blight-resistant trees from this remaining population.
The American Chestnut Foundation recognizes you can’t improve what you can’t measure and uses a combination of “small stem assays (SSAs) performed on potted seedlings, improved phenotype scoring methods for field-grown trees, and the use of genomic prediction models for scoring resistance based on genotype.” This allows them to more rapidly screen varieties for blight resistance to further their efforts. One approach is based on conventional plant breeding techniques and has been crossing blight and PRR-resistant Chinese chestnuts with the American type. PRR resistance has been found to be less genetically complicated, so progress has been faster on resistance to that particular problem.
Research is also ongoing on transgenic solutions to both the blight and PRR. Initial experiments using a wheat gene had mixed results, but researchers hope to develop a version that can be expressed under more nuanced conditions, such as when a tree is more susceptible to infection. This could prevent or reduce some of the negative effects of the transgenic hack, like increased tree mortality and the metabolic cost of always producing the oxalate oxidase enzyme that interferes with the blight toxin.
If we’re tinkering with genomes anyway, maybe boosting the American chestnut’s photosynthetic efficiency isn’t out of the question? If you’re more interested in making insulin or combating mosquito-borne diseases, there’s a biohack for that too.
Swapping Batteries Has Never Looked This Cool
We don’t know much more than what we see with [Kounotori_DIY]’s battery loader design (video embedded below) but it just looks so cool we had to share. Watch it in action, it’ll explain itself.
Before 3D printers made it onto hobbyist workbenches, prototyping something like this would have been much more work.
[Kounotori_DIY] uses a small plastic linear guide as an interface for an 18650 battery holder and as you can see, it’s pretty slick. A little cylindrical container slides out of the assembly, allowing a spent cell to drop out. Loading a freshly charged cell consists of just popping a new one into the cylinder, then snapping it closed. The electrical connection is made by two springy metal tabs on either end that fit into guides in the cylindrical holder.
It’s just a prototype right now, and [Kounotori_DIY] admits that the assembly is still a bit big and there’s no solid retention — a good bump will pop the battery out — but we think this is onto something. We can’t help but imagine how swapping batteries in such style with a nice solid click would go very nicely on a cyberdeck build.
It’s not every day that someone tries to re-imagine a battery holder, let alone with such style. Any ideas how it could be improved? Have your own ideas about reimagining how batteries are handled? Let us know in the comments!
hackaday.com/wp-content/upload…
Simple Pen Plotter Rolls On The Table
Pen plotters are popular builds amongst DIY CNC enthusiasts. They’re a great way to learn the fundamentals of motion control and make something useful along the way. In that vein, [Maker101] has created a neat barebones plotter for tabletop use.
The basic design relies on familiar components. It uses a pair of MGN15 linear rails as the basis of the motion platform, along with NEMA 17 stepper motors to run the X and Y axes. These are assembled with the aid of 3D-printed parts that bring the whole frame together, along with a pen lifter operated with a hobby servo.
The neat thing about the design is that the barebones machine is designed to sit upon an existing tabletop. This eliminates the need to integrate a large flat work surface into the plotter itself. Instead, the X axis just runs along whatever surface you place it on, rolling on a small wheel. It’s likely not ideal for accuracy or performance; we could see the machine itself skating around if run too fast. For a lightweight barebones plotter, though, it works well enough.
If you dig building plotters, you might like to step up to something more laser-y in future. Video after the break.
youtube.com/embed/JngVMtJxDCo?…
Building a Generator That Runs Off Hose Power
[Paul Junkin] bought a curious product off the Internet. It was supposed to generate electricity when hooked up to a running hose. Only, it didn’t do a very good job. His solution was straightforward—he built his own hose-powered generator that actually worked.
The design uses a turbine hooked up to a small motor acting as a generator. To maximize the transfer of energy from the stream of water to the blades of the turbine, the hose is hooked up to a convergent nozzle. [Paul] does a great job explaining the simple physics at play, as well as the iterative design process he used to get to the final product. He calculates the best-case power available from his hose at around 50 watts, so for his turbine to collect 22 watts is a win, and it’s good enough to charge a phone or run some LED lighting.
Of course, this isn’t a practical generator if you have to pay for the water, and there are other solutions that will get you less wet. Still, credit where it’s due—this thing does make power when you hook it up to a hose. We’ve seen some slightly less ridiculous concepts in this space before, though.
youtube.com/embed/ITiFiauNOXQ?…
Hackaday Podcast Episode 298: Forbidden USB-C, a Laser Glow-o-Scope, and the Epoch Super Cassette Vision
This week’s Hackaday podcast has a European feel, as Elliot Williams is joined by Jenny List for a look at the week’s happenings in the world of cool hardware hacks. Starting with the week’s news, those Redbox vending machines continue to capture the attention of hackers everywhere, and in the race to snag one before they’re carted off for recycling, someone has provided the missing hardware manual in the form of a wiki. Europeans can only look on wistfully. Then there’s the curious case of life on the asteroid sample: despite the best efforts of modern science, those pesky Earth bacteria managed to breach all the anti-contamination measures. Anyone who’s had a batch of homebrew go bad feels their pain.
The week provided plenty of hacks, with the team being wowed by [Bitluni]’s CRT-like laser projector, then the many ingenious ways to 3D-print a hinge, and perhaps one of the most unforgiving environments in the home for a piece of robotics. Meanwhile our appetite for cool stuff was sated by an entire family of Japanese games consoles we’d never heard of, and the little voltage reference whose data sheet also had an audio amplifier circuit. Finishing up, our colleague Arya has many unorthodox uses for a USB-C cable, and we have a frank exchange of views about Linux audio.
Give it a listen below and check out all the links, and by all means, give us a roasting in the comments!
Where to Follow Hackaday Podcast
html5-player.libsyn.com/embed/…
Episode 298 Show Notes:
News:
- Life Found On Ryugu Asteroid Sample, But It Looks Very Familiar
- There’s Now A Wiki For Hacking Redbox Machines
What’s that Sound?
- Last week’s sound was Eurosignal, an old pager protocol on FM radio. Congrats [Niklas]!
Interesting Hacks of the Week:
- Would An Indexing Feature Benefit Your Next Hinge Design?
- The Japanese Console You Maybe Haven’t Heard Of
- A Laser With Mirrors Makes A CRT-like Display
- Flyback, Done Right
- DIY Pipe Inspector Goes Where No Bot Has Gone Before
- Programmable Zener Is Really An IC
- [Ken Shirriff] Explains The TL431
- Ode To The TL431, And A LiFePO4 Battery Charger
Quick Hacks:
- Elliot’s Picks:
- Homebrew Phosphorescence Detector Looks For The Glow In Everyday Objects
- Your Undocumented Project May Also Baffle People Someday
- E-Ink Screen Combined With Analog Dial Is Epic Win
- Jenny’s Picks:
- Getting Started In Laser Cutting
- Even Apple Get Their Parts Wrong Sometimes
- OLED Screen Mounting, Without The Pain
Can’t-Miss Articles:
- USB-C For Hackers: Reusing Cables
- Linux Fu: Audio Network Pipes
- PipeWire, The Newest Audio Kid On The Linux Block
hackaday.com/2024/11/29/hackad…
DK 9x09 - Quo usque tandem
Two little news items that will have you swearing a blue streak: META and its “less personalized” ads, and the church with the digital Jesus; and a third one to blow your fuses: Anthropic is paying someone to look after “AI welfare”.
Is it still possible to live in these times and stay sane? And at what point is it legitimate to smash everything and retreat to make eggplant parmigiana?
spreaker.com/episode/dk-9x09-q…
Fully Submerge This Modernized pH Sensor
There’s a school of thought that says you shouldn’t mess around with a solution that’s already working, but that’s never seemed to stop anyone in this community. When [Skye] was looking at the current state of connected pH meters they realized there was incredible room for improvement.
Called the Nectar Monitor, this pH meter is a more modern take on what is currently offered in this space. Open source and based on the ESP32, it’s accessible to most people with a soldering iron, fits into a standard project box, and includes other modern features like USB and WiFi connectivity. It can even measure conductivity and temperature. But the main improvement here is that unlike other monitors that can only be submerged temporarily, this one is designed to be under water for long time periods thanks to a specially designed probe and electrical isolation.
This design makes it an appealing choice for people with aquariums, hydroponic farms, or any other situation where constant monitoring of pH is extremely important to maintaining a balanced system. We’ve seen some unique takes on hydroponics before especially, including this build that moves the plants instead of the nutrient solution and this fully automated indoor garden.
Low-Profile Travel Keyboard Is Mostly 3D Printed
If you’ve got a nice mechanical keyboard, typing on anything else can often become an unpleasant experience. Unfortunately, full-sized versions are bulky and not ideal when you’re travelling or for certain portable applications. [Applepie1928] decided to create a small travel keyboard to solve these problems.
Meet the Micro Planck. It’s a simple ortholinear mechanical keyboard in a decidedly compact form factor—measuring just 23 cm wide, 9.5 cm tall, and 2 cm deep. You could probably stuff it in your pocket if you wear baggy jeans. Oh, and if you don’t know what ortholinear means, it just means that the keys are in a straight grid instead of staggered. Kind of like those “keyboards” at the bowling alley.
The build relies on Gateron KS-33 switches installed on a custom PCB, with a ATmega32U4 microcontroller running the popular open source QMK firmware. The keyboard has a USB-C port because it’s 2024, and all the components are wrapped up in a neat 3D printed shell.
Overall, it’s a tasteful design that packs in a lot of functionality. It’s also neat to see a mechanical design used which offers more tactile feedback than the rubber dome designs more typical at this scale. Meanwhile, if you’re cooking up your own nifty keyboard designs, don’t hesitate to let us know what you’re up to!
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024. Mobile statistics
The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
In Q3 2024:
- Kaspersky solutions successfully blocked more than 652 million cyberattacks originating from various online resources.
- Web Anti-Virus detected 109 million unique links.
- File Anti-Virus blocked more than 23 million malicious and potentially unwanted objects.
- More than 90,000 users experienced ransomware attacks.
- Nearly 18% of all victims published on ransomware gangs’ data leak sites (DLSs) had been hit by RansomHub.
- More than 297,000 users experienced miner attacks.
Ransomware
Quarterly trends and highlights
Progress in law enforcement
In August, Spanish police arrested a cybercriminal who founded Ransom Cartel in 2021 and ran a malvertising campaign. According to the UK’s National Crime Agency (NCA), the same individual was also behind the infamous Reveton ransomware Trojan, spread from 2012 to 2014. Reveton was among the most notorious PC screen lockers; this type of cyberextortion predates the Trojans that encrypt the victim’s files.
Two other cybercriminals, arrested earlier and suspected of spreading LockBit, pleaded guilty. Between 2020 and 2023, one of them was an active cyberextortionist who attacked organizations in several countries, causing at least $1.9 million in damage. The other, according to the source, had caused damage estimated at roughly $500,000.
Vulnerability exploitation attacks
Ransomware gangs continue to exploit software vulnerabilities, mostly to gain a foothold in networks and to escalate their privileges once inside.
- In September, Akira operators attacked SonicWall devices running SonicOS by exploiting CVE-2024-40766, a vulnerability in the operating system that had been patched in August.
- Akira and Black Basta launched ransomware attacks on VMware ESXi hosts by exploiting CVE-2024-37085, a vulnerability in the hypervisor that allowed privilege escalation.
High-profile incidents
Dark Angels, which operates a DLS known as “Dunghill Leak”, extracted what was probably the largest ransom payment on record: $75 million. The researchers who reported the incident did not name the organization that paid. Before that, the highest known ransom was $40 million, received by Phoenix ransomware operators from CNA Financial in 2021.
The most prolific groups
The statistics on the most prolific ransomware gangs draw on the number of victims added by attackers to their DLSs during the period under review. The third quarter’s most prolific ransomware gang was RansomHub, which accounted for 17.75% of all victims.
The group’s victims according to its DLS as a percentage of all groups’ published victims during the period under review (download)
Number of new modifications
In Q3 2024, we detected three new ransomware families and 2,109 new variants, half the number discovered in the previous reporting period.
New ransomware modifications, Q3 2023 — Q3 2024 (download)
Number of users attacked by ransomware Trojans
Despite the decrease in new variants, the number of users encountering ransomware has increased compared to the second quarter. Kaspersky security solutions successfully defended 90,423 individual users from ransomware attacks from July through September 2024.
Unique users attacked by ransomware Trojans, Q3 2024 (download)
Geography of attacked users
TOP 10 countries attacked by ransomware Trojans
# | Country/territory* | %**
1 | Israel | 1.08
2 | China | 0.95
3 | Libya | 0.68
4 | South Korea | 0.66
5 | Bangladesh | 0.50
6 | Pakistan | 0.48
7 | Angola | 0.46
8 | Tajikistan | 0.41
9 | Rwanda | 0.40
10 | Mozambique | 0.38
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
TOP 10 most common families of ransomware Trojans
# | Name | Verdict | Share of attacked users*
1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 23.77%
2 | WannaCry | Trojan-Ransom.Win32.Wanna | 8.58%
3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.25%
4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.70%
5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 4.25%
6 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 3.47%
7 | LockBit | Trojan-Ransom.Win32.Lockbit | 3.21%
8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.18%
9 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 2.97%
10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.50%
* Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of all users attacked by ransomware Trojans.
Miners
Number of new modifications
In Q3 2024, Kaspersky solutions detected 15,472 new miner variants, half as many as in Q2.
New miner modifications, Q3 2024 (download)
Users attacked by miners
We observed a 12% decline in miner-related attacks during the third quarter. Kaspersky solutions worldwide detected this type of malware on 297,485 unique user devices.
Unique users attacked by miners, Q3 2024 (download)
Geography of miner attacks
TOP 10 countries attacked by miners
# | Country/territory* | %**
1 | Venezuela | 1.73
2 | Tajikistan | 1.63
3 | Kazakhstan | 1.34
4 | Ethiopia | 1.30
5 | Uzbekistan | 1.20
6 | Belarus | 1.20
7 | Kyrgyzstan | 1.16
8 | Panama | 1.10
9 | Bolivia | 0.92
10 | Sri Lanka | 0.87
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
Attacks on macOS
Password stealers were the third quarter’s most noteworthy findings associated with attacks on macOS users. Security researchers discovered two new subscription-based stealers, Banshee Stealer and Cthulhu Stealer, which were being distributed via Telegram channels and dark web forums. Both bore a strong similarity to the previously known AMOS Trojan, but were written in C++ and Go, respectively. Furthermore, an independent security researcher released an analysis of a new version of BeaverTail, another information stealer designed to exfiltrate data from web browsers and cryptocurrency wallets; this malware is also capable of installing a backdoor on compromised systems.
In addition to the new stealers, the third quarter saw the discovery of a new macOS backdoor. HZ Rat is the macOS-compatible version of a similarly named Windows backdoor. It targets the users of the Chinese messaging services WeChat and DingTalk.
TOP 20 threats to macOS
Unique users* who encountered the threat as a percentage of all users of Kaspersky security solutions for macOS who were attacked (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Adware and other potentially unwanted applications were as usual the most widespread threats for macOS. For example, AdWare.OSX.Angent.ap (9%) adds advertising links as browser bookmarks without the user’s knowledge.
Additionally, a variety of malicious applications were among the most active threats. These included MalChat (5.08%), a modified Telegram client that stole user data, and Amos, a stealer often bundled with cracked software.
Geography of threats to macOS
TOP 10 countries and territories by share of attacked users
Country/territory | Q2 2024* | Q3 2024*
Mainland China | 0.47% | 1.47%
Hong Kong | 0.97% | 1.36%
Spain | 1.14% | 1.21%
France | 0.93% | 1.16%
Germany | 0.59% | 0.95%
Mexico | 1.09% | 0.75%
Brazil | 0.57% | 0.61%
India | 0.70% | 0.46%
Russian Federation | 0.33% | 0.37%
Japan | 0.22% | 0.36%
* Unique users who encountered threats targeting macOS as a percentage of all unique users of Kaspersky products in the country/territory.
There was a noticeable increase in the percentage of users who encountered macOS threats in mainland China (1.47%) and Hong Kong (1.36%). The metric also increased in Spain (1.21%), France (1.16%), Germany (0.95%), Brazil (0.61%), Russia (0.37%), and Japan (0.36%). Conversely, India (0.46%) and Mexico (0.75%) both experienced a slight decrease. Both the United Kingdom and Italy fell out of the TOP 10 most vulnerable countries.
IoT threat statistics
The distribution of devices that targeted Kaspersky honeypots across protocols went through only minor shifts in Q3 2024. Following a decline in the previous quarter, Telnet attacks witnessed a slight uptick, while SSH-based attacks decreased.
Attacked services by number of unique attacking device IP addresses, Q2 — Q3 2024 (download)
When analyzing the distribution of attacks across different protocols, we observed a slight increase in the share of Telnet, which accounted for 98.69% of all attacks.
Distribution of attackers’ sessions in Kaspersky honeypots, Q2 — Q3 2024 (download)
TOP 10 threats downloaded to IoT devices:
Share of each threat uploaded to an infected device as a result of a successful attack in the total number of uploaded threats (download)
Attacks on IoT honeypots
There was a slight decrease in the percentage of SSH attacks originating in mainland China (22.72%), the United States (11.31%), Singapore (5.97%) and South Korea (4.28%). The freed percentage was distributed across other countries and territories.
| Country/territory | Q2 2024 | Q3 2024 |
|---|---|---|
| Mainland China | 23.37% | 22.72% |
| United States | 12.26% | 11.31% |
| Singapore | 6.95% | 5.97% |
| India | 5.24% | 5.52% |
| Germany | 4.13% | 4.67% |
| South Korea | 6.84% | 4.28% |
| Australia | 2.71% | 3.53% |
| Hong Kong | 3.10% | 3.23% |
| Brazil | 2.73% | 3.17% |
| Indonesia | 1.91% | 2.77% |
The percentage of Telnet attacks originating in India (32.17%) increased, surpassing other countries and territories.
| Country/territory | Q2 2024 | Q3 2024 |
|---|---|---|
| India | 22.68% | 32.17% |
| Mainland China | 30.24% | 28.34% |
| Tanzania | 0.01% | 5.01% |
| Brazil | 4.48% | 2.84% |
| Russian Federation | 3.85% | 2.83% |
| South Korea | 2.46% | 2.63% |
| Taiwan | 2.64% | 2.42% |
| United States | 2.66% | 2.34% |
| Japan | 3.64% | 2.21% |
| Thailand | 2.37% | 1.35% |
Attacks via web resources
The statistics in this section are based on data provided by Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals set up malicious pages on purpose. User-generated content platforms, such as forums, and compromised legitimate websites are both susceptible to malware infection.
Countries that serve as sources of web-based attacks: the TOP 10
The following statistics show the geographic distribution of sources of online attacks on user computers that were blocked by Kaspersky products. These attacks included web pages redirecting to exploits, websites hosting exploits and other malware, botnet command and control centers, and so on. Any unique host could be the source of one or more web-based attacks.
To determine the geographical origin of web-based attacks, we mapped the domain names to the domain IP addresses and determined the geographical location of the IP address (GEOIP).
In Q3 2024, Kaspersky solutions blocked 652,004,741 attacks from online resources located around the world. A total of 109,240,722 unique URLs triggered a Web Anti-Virus detection.
Geographical distribution of web-based attack sources, Q3 2024 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online malware infection faced by users in various countries and territories, for each country or territory, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations do not include Web Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.
| | Country/territory* | %** |
|---|---|---|
| 1 | Qatar | 11.95 |
| 2 | Peru | 11.86 |
| 3 | Morocco | 11.56 |
| 4 | Algeria | 11.52 |
| 5 | Tunisia | 11.24 |
| 6 | Greece | 11.11 |
| 7 | Ecuador | 10.95 |
| 8 | Bolivia | 10.90 |
| 9 | Serbia | 10.82 |
| 10 | Bahrain | 10.75 |
| 11 | Sri Lanka | 10.62 |
| 12 | Slovakia | 10.58 |
| 13 | Bosnia and Herzegovina | 10.29 |
| 14 | Botswana | 10.01 |
| 15 | Egypt | 9.93 |
| 16 | North Macedonia | 9.91 |
| 17 | Libya | 9.87 |
| 18 | Jordan | 9.85 |
| 19 | Thailand | 9.67 |
| 20 | UAE | 9.62 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 7.46% of internet users’ computers worldwide were subjected to at least one Malware-category web attack.
Local threats
Statistics on local infections of user computers are an important indicator. Objects detected as local are those that infiltrated a computer through file or removable media infection or were initially introduced to the computer in a non-obvious form, for example as programs included in complex installers, encrypted files, and so on.
Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the OAS (on-access scan) and ODS (on-demand scan) modules, provided with the consent of users of Kaspersky products. The data includes detections of malicious programs located on user computers or on removable media connected to those computers, such as flash drives, camera memory cards, phones or external hard drives.
In Q3 2024, Kaspersky File Anti-Virus detected 23,196,497 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories worldwide.
These rankings only include attacks by malicious objects that belong in the Malware category. Our calculations exclude File Anti-Virus detections of potentially dangerous or unwanted applications, such as RiskTool or adware.
| | Country/territory* | %** |
|---|---|---|
| 1 | Turkmenia | 46.00 |
| 2 | Afghanistan | 38.98 |
| 3 | Yemen | 38.43 |
| 4 | Tajikistan | 34.56 |
| 5 | Cuba | 33.55 |
| 6 | Syria | 32.56 |
| 7 | Uzbekistan | 30.45 |
| 8 | Niger | 27.80 |
| 9 | Burkina Faso | 27.55 |
| 10 | Burundi | 27.27 |
| 11 | Bangladesh | 27.24 |
| 12 | South Sudan | 26.90 |
| 13 | Tanzania | 26.53 |
| 14 | Cameroon | 26.35 |
| 15 | Benin | 25.80 |
| 16 | Vietnam | 25.52 |
| 17 | Iraq | 25.15 |
| 18 | Mali | 24.82 |
| 19 | Belarus | 24.81 |
| 20 | Angola | 24.67 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers Malware local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
Overall, 13.53% of user computers globally faced at least one Malware-type local threat during Q3.
IT threat evolution in Q3 2024. Mobile statistics
Quarterly figures
According to Kaspersky Security Network, in Q3 2024:
- As many as 6.7 million attacks involving malware, adware or potentially unwanted mobile apps were prevented.
- Adware was the most common mobile threat, accounting for 36% of all detected threats.
- More than 222,000 malicious and potentially unwanted installation packages were detected, of which:
  - 17,822 were associated with mobile banking Trojans.
  - 1,576 packages were mobile ransomware Trojans.
Quarterly highlights
Mobile attacks involving malware, adware or potentially unwanted apps dropped by 13% in Q3, to a total of 6,686,375. The figure is still above the early 2023 level.
Attacks on users of Kaspersky mobile solutions, Q1 2023 — Q3 2024 (download)
We attribute this drop to the ongoing decline in the activity of adware, primarily stealthware belonging to the AdWare.AndroidOS.HiddenAd family.
Meanwhile, threat actors had not abandoned their attempts to spread their creations through official app marketplaces. For instance, in the third quarter, we discovered the xHelper Trojan inside the Open Browser app on Google Play.
xHelper acts as a stealthy downloader, installing various apps on the device unbeknownst to the user. These downloaders can introduce both ads and malware onto your phone.
We also discovered many apps infected with the Necro Trojan, both in the Google Play store and outside of it. Necro is a multi-component Trojan with an extensive feature set. It can perform any action on a compromised device: from ad display and malware downloads to automatic subscriptions.
Mobile threat statistics
The number of detected Android malware and potentially unwanted app samples also decreased in the third quarter to 222,444.
Detected malicious and potentially unwanted installation packages, Q3 2023 — Q3 2024 (download)
Adware (36.28%) and riskware classified as RiskTool (23.90%) continued to dominate the landscape of installed software packages. The share of RiskTool decreased markedly from Q2. Conversely, there was a minor uptick in the proportion of detected adware.
Detected mobile apps by type, Q2* — Q3 2024 (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Compared to the previous quarter, there was a significant decrease in the number of installation packages for the BrowserAd and MobiDash adware. At the same time, there was an increase in the number of unique HiddenAd apps. The spike in new RiskTool.AndroidOS.Fakapp files, seen in the previous quarter, subsided, causing a decline in the overall RiskTool category.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 — Q3 2024 (download)
*The sum may exceed 100% if the same users encountered multiple attack types.
Although the number of installation packages for AdWare.AndroidOS.HiddenAd increased, the overall number of attacks by this malware decreased, as mentioned above, and this was reflected in its incidence on actual devices. Put simply, while cybercriminals released a variety of unique samples, they were unsuccessful in infecting a large number of users.
Top 20 mobile malware programs
Note that the malware rankings below exclude riskware and potentially unwanted apps, such as adware and RiskTool.
| Verdict | %* in Q2 2024 | %* in Q3 2024 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|
| DangerousObject.Multi.Generic. | 11.44 | 9.79 | -1.65 | 0 |
| Trojan.AndroidOS.Triada.ga | 6.66 | 9.18 | +2.52 | +1 |
| Trojan.AndroidOS.Fakemoney.v | 6.60 | 9.12 | +2.52 | +1 |
| Trojan.AndroidOS.Boogr.gsh | 6.01 | 5.22 | -0.79 | +1 |
| Trojan.AndroidOS.Triada.gs | 0.00 | 5.05 | +5.05 | |
| Trojan-Banker.AndroidOS.Mamont.bc | 0.14 | 4.89 | +4.75 | +180 |
| Trojan-Downloader.AndroidOS.Dwphon.a | 2.71 | 4.74 | +2.02 | +1 |
| DangerousObject.AndroidOS.GenericML. | 7.56 | 4.45 | -3.11 | -6 |
| Trojan.AndroidOS.Fakemoney.bw | 1.17 | 4.27 | +3.10 | +15 |
| Trojan.AndroidOS.Triada.gm | 5.16 | 3.89 | -1.27 | -3 |
| Trojan-Spy.AndroidOS.SpyNote.bv | 1.26 | 3.68 | +2.43 | +10 |
| Trojan-Spy.AndroidOS.SpyNote.bz | 1.97 | 2.98 | +1.01 | -1 |
| Trojan-Downloader.AndroidOS.Agent.mm | 1.29 | 2.67 | +1.38 | +7 |
| Trojan-Spy.AndroidOS.SpyNote.cc | 1.18 | 2.45 | +1.27 | +9 |
| Trojan.AndroidOS.Triada.gn | 2.23 | 2.44 | +0.20 | -5 |
| Trojan.AndroidOS.Generic. | 2.59 | 2.31 | -0.27 | -7 |
| Trojan-Dropper.Linux.Agent.gen | 0.90 | 1.54 | +0.64 | +13 |
| Trojan-Downloader.AndroidOS.Necro.f | 0.00 | 1.33 | +1.33 | |
| Trojan.AndroidOS.Triada.fd | 5.89 | 1.30 | -4.60 | -13 |
| Trojan-Spy.AndroidOS.SpyNote.ck | 0.00 | 1.25 | +1.25 | |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The list of the most prevalent malware did not see any significant changes compared to the previous quarter. The generalized cloud verdict of DangerousObject.Multi.Generic took its usual top spot, followed by WhatsApp mods with embedded Triada modules, the Fakemoney phishing app which tricked users into providing their personal data by promising easy earnings, the Mamont banking Trojan, and the Dwphon pre-installed malware.
Region-specific malware
This section describes malware types that mostly focused on specific countries.
| Verdict | Country* | %** |
|---|---|---|
| Trojan-Banker.AndroidOS.BrowBot.q | Turkey | 98.80 |
| Trojan-Banker.AndroidOS.Coper.c | Turkey | 97.99 |
| Trojan-Banker.AndroidOS.Coper.a | Turkey | 97.70 |
| HackTool.AndroidOS.FakePay.c | Brazil | 97.36 |
| Trojan-Spy.AndroidOS.SmsThief.ya | India | 97.33 |
| Trojan-Banker.AndroidOS.UdangaSteal.f | Indonesia | 96.75 |
| Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 96.71 |
| Trojan-Banker.AndroidOS.Agent.ox | India | 95.85 |
| Trojan-Banker.AndroidOS.Agent.pp | India | 95.50 |
| Trojan-Banker.AndroidOS.Rewardsteal.n | India | 95.31 |
| Trojan-Banker.AndroidOS.UdangaSteal.k | India | 95.17 |
| Backdoor.AndroidOS.Tambir.d | Turkey | 95.14 |
| Trojan-Spy.AndroidOS.SmsThief.fs | Turkey | 95.10 |
| Backdoor.AndroidOS.Tambir.a | Turkey | 94.93 |
| Trojan-Spy.AndroidOS.SmsThief.wk | India | 94.87 |
| Trojan-Spy.AndroidOS.SmsThief.xy | India | 94.59 |
| Trojan-Banker.AndroidOS.Rewardsteal.gm | India | 94.55 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 94.32 |
| Trojan-Dropper.AndroidOS.Hqwar.bf | Turkey | 94.31 |
| Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 94.28 |
| Trojan-Banker.AndroidOS.Coper.d | Turkey | 94.17 |
* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.
The list of malware types that targeted specific countries was updated with new samples: SmsThief.fs, which attacked Turkish users, and SmsThief.ya and SmsThief.xy, which were both being spread in India. The first one was associated with an ongoing Coper banker campaign in Turkey, while the other two were SMS spies masquerading as government or banking apps.
In addition, the list includes familiar malware that continued to operate in certain countries: the Tambir backdoor and the BrowBot and Hqwar Trojans in Turkey, FakePay in Brazil, members of the UdangaSteal family in Indonesia and India, and others.
Mobile banking Trojans
The third quarter saw detected mobile banking Trojans installation packages reach a total of 17,822.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2023 — Q3 2024 (download)
The majority of the installation packages belonged to the Mamont family, which also dominated real-life cyberattacks.
Top 10 mobile bankers
| Verdict | %* in Q2 2024 | %* in Q3 2024 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|
| Trojan-Banker.AndroidOS.Mamont.bc | 1.47 | 35.29 | +33.82 | +21 |
| Trojan-Banker.AndroidOS.Coper.c | 0.00 | 6.61 | +6.61 | |
| Trojan-Banker.AndroidOS.Agent.rj | 0.00 | 5.53 | +5.53 | |
| Trojan-Banker.AndroidOS.GodFather.m | 6.41 | 5.40 | -1.01 | 0 |
| Trojan-Banker.AndroidOS.Faketoken.z | 5.17 | 4.67 | -0.50 | 0 |
| Trojan-Banker.AndroidOS.Mamont.aj | 0.39 | 4.44 | +4.06 | +33 |
| Trojan-Banker.AndroidOS.Svpeng.aj | 3.74 | 3.84 | +0.10 | +3 |
| Trojan-Banker.AndroidOS.Coper.a | 2.35 | 3.22 | +0.86 | +7 |
| Trojan-Banker.AndroidOS.Mamont.aq | 14.13 | 2.93 | -11.20 | -8 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | 10.10 | 2.87 | -7.23 | -8 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.
IT threat evolution Q3 2024
Targeted attacks
New APT threat actor targets Russian government entities
In May 2024, we discovered a new APT targeting Russian government organizations. CloudSorcerer is a sophisticated cyber-espionage tool used for stealth monitoring, data collection and exfiltration via Microsoft, Yandex and Dropbox cloud infrastructures. The malware utilizes cloud resources for its C2 (command and control) servers, which it accesses via APIs using authentication tokens. CloudSorcerer also employs GitHub as its initial C2 server. CloudSorcerer functions as separate modules – for communication and data collection – depending on the process it is running in, but executes from a single executable. It leverages Microsoft COM object interfaces to perform its malicious operations.
While the modus operandi of the threat actor is reminiscent of the CloudWizard APT that we reported on in 2023, the malware code is completely different. Consequently, we believe CloudSorcerer is a new threat actor that has emulated a similar approach to interacting with public cloud services.
Two months later, in July 2024, CloudSorcerer launched further attacks against Russian government organizations and IT companies. The campaign, which we dubbed EastWind, used phishing emails with malicious shortcuts attached to deliver malware to target computers. The malware, which received commands via the Dropbox cloud service, was used to download additional payloads.
One of these was an implant called GrewApacha, used by APT31 since at least 2021. The other was an updated version of the backdoor used by CloudSorcerer in its earlier attacks. This one uses LiveJournal and Quora profiles as initial C2 servers.
The latest attacks also use a previously unknown implant with classic backdoor functionality called PlugY. This malware, which is loaded via the CloudSorcerer backdoor, has an extensive command set and is capable of supporting three different protocols for communicating with the C2. The code is similar to that of the DRBControl (aka Clambling) backdoor, which has been attributed to APT27 by several companies.
BlindEagle adds side-loading to its arsenal
In August, we reported a new campaign by BlindEagle, a threat actor that has been targeting government, finance, energy, oil and gas and other sectors in Latin America since at least 2018. The campaign aligns with the TTPs (Tactics, Techniques and Procedures) and artifacts used by BlindEagle, although the attackers have introduced one new technique to their toolset – DLL side-loading.
The attack starts with phishing emails purporting to be a court order or summons from an institution in Colombia’s judicial system. The email contains a link in the body of the message that is also contained in the attached file, which appears to be a PDF or Word document. Victims are tricked into clicking the link to retrieve documents related to the lawsuit.
These documents are in fact password-protected ZIP or other archives. The archive files contain a clean executable file responsible for initiating the infection process through side-loading, alongside various malicious files used in the attack chain. One of these files carries an embedded loader named HijackLoader, which decrypts and loads the final payload. The final payload is a version of AsyncRAT, one of the Remote Access Trojans (RATs) used by BlindEagle in previous campaigns.
You can read more details about this campaign and the TTPs employed by this threat actor in general here.
Tropic Trooper spies on government entities in the Middle East
The threat actor Tropic Trooper, active since 2011, has historically targeted government, healthcare, transportation and high-tech sectors in Taiwan, the Philippines and Hong Kong. In June 2023, Tropic Trooper initiated a series of persistent campaigns targeting a government body in the Middle East.
We were alerted to the infection in June of this year when our telemetry indicated recurring alerts for a new China Chopper web shell variant discovered on a public web server. China Chopper is widely used by Chinese-speaking actors. The server was hosting a CMS (Content Management System) called Umbraco, an open source CMS platform for publishing content, written in C#. The observed web shell component was compiled as a .NET module of the Umbraco CMS.
Malicious module found inside Umbraco CMS on the compromised server
In the course of our subsequent investigation, we looked for other suspicious detections on this public server and identified several malware sets. These include post-exploitation tools that we have assessed with medium confidence to be related to this intrusion. We also identified new DLL search-order hijacking implants that are loaded from a legitimate vulnerable executable as it lacks the full path specification to the DLL it needs. This attack chain attempted to load the Crowdoor loader, named partly after the SparrowDoor backdoor described by ESET. During the attack, the security agent blocked the first Crowdoor loader, prompting the attackers to switch to a new, previously unreported variant with almost the same impact.
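The BlindEagle and Tropic Trooper cases above both hinge on a legitimate executable loading a DLL from its own directory. The following hunting script is an added example, not code from the report or from Kaspersky; it assumes a Windows host with PowerShell 5 or later and applies only a heuristic (a module whose name matches a DLL shipped in System32 but which was loaded from a non-system path), so every hit still needs manual review.

```powershell
# Added example (not from the Securelist report): hunt for loaded DLLs that
# carry the name of a Windows system DLL but live outside the system
# directories, the classic side-loading / search-order hijacking signature.
# Legitimate software occasionally ships private copies of system DLLs, so
# treat hits as leads to verify (signature, vendor, install path), not verdicts.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

# Build the set of DLL names that Windows itself provides (case-insensitive).
$systemDllSet = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -Path $systemDirs[0] -Filter '*.dll' -File |
    ForEach-Object { [void]$systemDllSet.Add($_.Name) }

function Test-InSystemDir {
    param([string]$Path)
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-SideLoadCandidate {
    # Emits one record per (process, module) pair that matches the heuristic.
    foreach ($proc in Get-Process) {
        # Modules of protected, elevated or cross-bitness processes may be
        # inaccessible; skip those quietly instead of aborting the whole sweep.
        $modules = try { $proc.Modules } catch { $null }
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $name = [System.IO.Path]::GetFileName($m.FileName)
            if ($systemDllSet.Contains($name) -and -not (Test-InSystemDir $m.FileName)) {
                # An unsigned or invalidly signed copy of a "system" DLL is the
                # strongest signal; a valid vendor signature is usually benign.
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                [pscustomobject]@{
                    Process    = $proc.ProcessName
                    PID        = $proc.Id
                    Module     = $name
                    LoadedFrom = $m.FileName
                    Signature  = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

Get-SideLoadCandidate | Sort-Object Signature, Process | Format-Table -AutoSize -Wrap
```

Run it from an elevated session to see modules of other users' processes; a DLL that is missing from System32 altogether (the pure search-order case) is not covered by this name-based check.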
We attribute this activity with high confidence to the Chinese-speaking threat actor known as Tropic Trooper. Our findings show an overlap in the techniques reported in recent Tropic Trooper campaigns. The samples we found also demonstrate a high degree of overlap with samples previously attributed to Tropic Trooper.
The significance of this intrusion is that it involved a Chinese-speaking actor targeting a CMS platform that published studies on human rights in the Middle East, with a particular focus on the situation surrounding the Israel-Hamas conflict. Our analysis revealed that the entire system was the sole target during the attack, suggesting a deliberate focus on this specific content.
From 12 to 21: connections between Twelve and BlackJack groups
In the spring of 2024, posts containing the personal data of real individuals began appearing on the -=TWELVE=- Telegram channel. The channel was soon blocked for violating Telegram’s terms of service, and the group remained inactive for several months. However, during our investigation of an attack in late June, we discovered techniques identical to Twelve’s and the use of C2 servers associated with this threat actor.
The Twelve group was established in April 2023 in the context of the Russian-Ukrainian conflict and has been attacking Russian government organizations ever since. The threat actor specializes in encrypting and then deleting its targets’ data, which suggests that the group’s primary objective is to cause as much damage as possible. Twelve also exfiltrates sensitive information from targeted systems and posts it on the group’s Telegram channel.
Interestingly, Twelve shares infrastructure, utilities and TTPs (Tactics, Techniques and Procedures) with the DARKSTAR ransomware group (formerly known as Shadow or COMET). This indicates that the two may belong to the same syndicate or activity cluster. At the same time, while Twelve’s actions are clearly hacktivist in nature, DARKSTAR adheres to the classic double extortion pattern. This variation in objectives within the syndicate highlights the complexity and diversity of modern cyberthreats.
In our September report on Twelve, we used the Unified Kill Chain methodology to analyze the group’s activities.
We also discovered overlapping TTPs with BlackJack, another hacktivist group that emerged in late 2023. This group’s stated aim, according to its Telegram channel, is to find vulnerabilities in the networks of Russian organizations and government institutions. The threat actor has claimed responsibility for more than a dozen attacks, and our telemetry also contains information about other undisclosed attacks where indicators point to BlackJack’s involvement.
The group uses only freely available and open source software. This includes the use of the ngrok utility for tunneling, Radmin, AnyDesk and PuTTY for remote access, the Shamoon wiper and a leaked version of the LockBit ransomware. This confirms that this is a hacktivist group that lacks the resources typical of large APT threat actors.
Other malware
How “professional” ransomware groups boost the business of cybercriminals
Cybercriminals who want to get into the ransomware business don’t necessarily need to develop the software themselves. They can find a leaked ransomware variant online, buy ransomware on the dark web, or become an affiliate. In recent months, we have published several private reports detailing exactly this.
In April, IxMetro was hit by an attack by a still-new ransomware group dubbed “SEXi”, which focuses primarily on ESXi. In each of the cases we investigated, the targeted organizations were running unsupported versions of ESXi. This group deploys either LockBit or Babuk ransomware, depending on the platform – Windows or Linux, respectively.
In the majority of cases, the attackers leave a note containing an email address or URL for a leak site. In the case we looked at, the note included a user ID associated with the Session messaging app. The ID belonged to the attackers and was used across a number of different ransomware attacks on a variety of victims. This indicates a lack of professionalism and suggests that the attackers did not have a TOR leak site.
Key Group (aka keygroup777) has utilized no fewer than eight different ransomware families in its relatively short history (since April 2022):
Use of leaked ransomware builders by Key Group
Over the approximately two-year period that the group has been active, it has made minor adjustments to its TTPs with each new ransomware variant. For example, the persistence mechanism was consistently implemented via the registry, though the specific technique differed by family. In most cases, autorun was used, but we’ve also seen them using the startup folder. While Russian-speaking groups typically operate outside Russia, this is not the case with Key Group. Like SEXi’s, Key Group’s operations are not particularly professional. For example, the primary C2 channel is a GitHub repository, which makes the group easier to track, and communication is conducted over Telegram, as opposed to a dedicated server on the TOR network.
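The Key Group persistence described above (registry autorun, occasionally the Startup folder) is cheap to audit on a suspect host. The script below is an added example, not the report's or Kaspersky's code; it assumes PowerShell 5 or later and that "autorun via the registry" refers to the standard Run and RunOnce keys, which is my reading of the report rather than something it states. It lists each entry and flags targets in user-writable directories, script files, and targets that no longer exist.

```powershell
# Added example (not from the Securelist report): audit the autorun locations
# a ransomware operator with Key Group's habits would use. Registry Run/RunOnce
# keys are assumed to be what the report calls "autorun".

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Directories an unprivileged user (and therefore malware running as that user)
# can write to; an autorun entry pointing here deserves a second look.
$userWritable = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
    (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-TargetPath {
    # Extract the program path from a command line such as
    #   "C:\Users\x\AppData\Roaming\tool.exe" --silent
    # Unquoted paths containing spaces are ambiguous; the first token is taken.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousAutorun {
    # Returns the list of reasons an entry is worth reviewing (empty = none).
    param([string]$Target)
    $reasons = @()
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'target missing' }
    foreach ($dir in $userWritable) {
        if ($dir -and $expanded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "user-writable path ($dir)"
            break
        }
    }
    if ($expanded -match '\.(vbs|js|bat|cmd|ps1|hta)$') { $reasons += 'script target' }
    return $reasons
}

$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # registry provider metadata
        $target = Get-TargetPath ([string]$p.Value)
        $entries += [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = [string]$p.Value
            Flags    = (Test-SuspiciousAutorun $target) -join '; '
        }
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {
            # Resolve shortcuts to the program they actually launch.
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($f.FullName).TargetPath
        }
        $entries += [pscustomobject]@{
            Location = $dir; Name = $f.Name; Command = $target
            Flags    = (Test-SuspiciousAutorun $target) -join '; '
        }
    }
}

# Flagged entries first.
$entries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```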
Mallox is a relatively new ransomware variant that first came to light in 2021 and kicked off an affiliate program in 2022. It’s unclear how the authors obtained the source code: perhaps they wrote it from scratch, used a published or leaked version, or – as they claim – purchased it. Although it started as a private group running its own campaigns, it launched an affiliate program shortly after its inception. It is noteworthy that the group only engages with Russian-speaking affiliates and does not do business with novices. Affiliates are explicitly instructed to target organizations with a minimum revenue of $10 million and to avoid hospitals and educational institutions. Mallox uses affiliate IDs, making it possible to track affiliate activity over time. In 2023, there were 16 active partners. In 2024, only eight of the original affiliates were still active, with no newcomers. Other than that, Mallox has all the typical Big Game Hunting attributes that other groups have, such as a leak site and a server hosted on TOR.
You can read more about the above threats here. You can also read our full report on Mallox ransomware here. To learn more about our crimeware reporting service, contact us at crimewareintel@kaspersky.com.
HZ Rat backdoor for macOS
In June, we discovered a macOS version of the HZ Rat backdoor. The backdoor was being used to target users of the enterprise messenger DingTalk and the social networking and messaging platform WeChat. Although we do not know the original distribution point for the malware, we were able to locate an installation package for one of the backdoor samples – a file named OpenVPNConnect.pkg.
OpenVPNConnect.pkg on VirusTotal
The samples we discovered almost exactly replicate the functionality of the Windows version of the backdoor with the exception of the payload, which is received in the form of shell scripts from the attackers’ server. We noticed that some versions of the backdoor utilize local IP addresses to connect to the C2, leading us to believe the threat might be targeted. This also suggests that the attackers intend to use the backdoor for lateral movement through the target network.
The data collected about the targets’ companies and contact information could be used to spy on people of interest and lay the groundwork for future attacks. During the course of our investigation, we did not encounter the use of two of the backdoor’s commands (write file to disk and send file to server), so the full scope of the attacker’s intentions remains unclear.
Hacktivist group Head Mare targets Russia and Belarus
Since the start of the Russo-Ukrainian conflict, numerous hacktivist groups have emerged whose main goal is to cause damage to organizations on the opposing side of the conflict. One such group is Head Mare, which targets organizations in Russia and Belarus.
While such hacktivist groups tend to use similar TTPs, Head Mare uses more up-to-date methods to gain initial access. For example, the attackers leveraged a recently discovered vulnerability in WinRAR (CVE-2023-38831) that allowed them to execute arbitrary code on a compromised system via a specially crafted archive. This approach allows the group to more effectively deliver and disguise the malicious payload.
As is the case with most hacktivist groups, Head Mare maintains a public account on the X social network, which it uses to post information about some of its victims.
Head Mare has targeted a variety of industries, including government, energy, transportation, manufacturing and entertainment. The group mainly uses publicly available software, which is typical of hacktivist groups. However, Head Mare’s toolkit also includes custom malware, PhantomDL and PhantomCore, delivered via phishing emails. In addition to its primary goal of causing damage to targeted organizations, Head Mare also deploys LockBit and Babuk ransomware, which demand a ransom for restoring encrypted data.
Loki: a new private agent for the popular Mythic framework
In July, we discovered a previously unknown backdoor called Loki, which was used in a series of targeted attacks against Russian companies in various industries, including engineering and healthcare. From our analysis and information gleaned from open sources, we determined that Loki is a private version of an agent for the open source Mythic framework. This has its origins in an open source framework for post-exploitation of compromised macOS systems, called Apfell. Two years later, several developers joined the project, the framework became cross-platform and was renamed Mythic. Mythic allows the use of agents in any language, for any platform, with the required functionality. Around two dozen agents have been published in the official Mythic repository, including Loki.
The Loki agent we discovered is a Mythic-compatible version of the agent for another framework, Havoc. The Loki modification inherited several techniques from Havoc to make it more difficult to analyze the agent, such as encrypting its memory image, indirectly calling system API functions, searching for API functions by hash and more. However, unlike the agent for Havoc, Loki was split into a loader and a DLL, where the main functionality of the malware is implemented.
Based on our telemetry, and the filenames of infected files, we believe that in several cases Loki was distributed via email, with unsuspecting victims launching the file themselves. More than a dozen companies have encountered this threat, although we believe the number of potential victims may be higher.
There is currently not enough data to attribute Loki to any known group. Rather than using standard email templates to distribute the agent, we think it’s likely that the attackers are approaching each target individually. We have also not found any unique tools on the infected machines that could help with attribution. The attackers seem to prefer using only publicly available traffic tunneling utilities such as gTunnel and ngrok, and the goReflect tool to modify them.
Tusk: unravelling a complex infostealer campaign
The Kaspersky Global Emergency Response Team (GERT) recently identified a complex campaign consisting of several sub-campaigns orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, with slight modifications to names and branding, and using multiple social media accounts to enhance their credibility.
All the active sub-campaigns host the initial downloader on Dropbox. This downloader is responsible for delivering additional malware samples to the target’s machine, mostly infostealers (Danabot and StealC) and clippers (which monitor clipboard data). Additionally, the threat actors employ phishing tactics to entice individuals into revealing further sensitive information, such as credentials, which can then be sold on the dark web or used to gain unauthorized access to gaming accounts and cryptocurrency wallets, resulting in direct financial loss.
We identified three active sub-campaigns and 16 inactive sub-campaigns related to this activity, which we dubbed “Tusk”. In the three active sub-campaigns we analyzed, the threat actor uses the word “Mammoth” (a slang word used by Russian-speaking threat actors to refer to victims) in log messages of initial downloaders. Analysis of the inactive sub-campaigns suggests that they are either old campaigns or campaigns that haven’t started yet.
Our report includes our analysis of the three most recently active sub-campaigns – TidyMe, RuneOnlineWorld and Voico.
These campaigns underscore the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims. By capitalizing on user trust in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately reap financial gain.
The use of social engineering techniques such as phishing, coupled with multi-stage malware delivery mechanisms, demonstrates the advanced capabilities of the threat actors involved. Their use of platforms like Dropbox to host initial downloaders, along with the deployment of infostealer and clipper malware, suggests a coordinated effort to evade detection and maximize the impact of their operations.
The similarities between different sub-campaigns and the shared infrastructure across them indicate a well-organized operation, potentially linked to a single actor or group with specific financial motives.
The discovery of 16 inactive sub-campaigns further illustrates the dynamic and adaptable nature of the threat actor’s operations.
You can read our report here.
SambaSpy
In May, we discovered a campaign exclusively targeting victims in Italy, which is quite unusual, as cybercriminals typically broaden their range of targets to maximize their profits. However, in this campaign, the attackers check at various stages of the infection chain to ensure that only people in Italy are infected.
The final payload of the infection is a new RAT (Remote Access Trojan) called SambaSpy, a full-featured RAT developed in Java and obfuscated using the Zelix KlassMaster protector. The malware includes an extensive list of functions, including file system management, process management, keylogging, screen grabbing and webcam control.
The attackers lure their targets with phishing emails disguised as messages from a real estate agency. If the target clicks the link in the message, they are redirected to a malicious website that checks the system language and browser. If the potential victim’s system is set to Italian and they open the link in Edge, Firefox or Chrome, they receive a malicious PDF file that infects their device with either a dropper or a downloader. The difference between the two is minimal: the dropper installs the Trojan immediately, while the downloader first downloads the necessary components from the attackers’ servers. Those who don’t meet these criteria are redirected to the website of an Italian cloud-based solution for storing and managing digital invoices.
While we don’t yet know which cybercriminal group is behind this sophisticated attack, circumstantial evidence indicates that the attackers speak Brazilian Portuguese. We also know that they’re already expanding their operations to Spain and Brazil, as evidenced by malicious domains used by the same group in other detected campaigns.
securelist.com/malware-report-…
GPS Enabled Pumpkin Spice Sprayer Knows When It’s PSL Season
Pumpkin spice, also known as allspice with better marketing, has found its way into a seemingly endless amount of products over the years. It goes beyond the obvious foodstuffs of pies and cakes, because there are plenty of candles, deodorants, and air fresheners ready to add a little more spice to your world. One such autumnal smell enthusiast, YouTube user [J-Knows], sought to automate the delivery mechanism with his 3D printed pumpkin spice aerosol sprayer.
The sprayer device uses an Arduino to rotate a small 3D printed arm that depresses the button on an air freshener cap. This design came as a result of multiple attempts to create a clip that would securely attach to a standard canister. When problems arose with the clip slipping out of place after the motor rotated, a pinch of sticky tack ended up being just the solution. With the proper amount of adhesion, the automated sprayer could now “pollute” any space it is in, as [J-Knows] described.
What took this project to another level is the addition of an Adafruit GPS module. It was coded to respond when it was within one mile of a Starbucks — arguably the organization responsible for the pumpkin spice craze. For some the company’s pumpkin spice latte (PSL) is synonymous with all things fall, and marks the beginning of the season when it is brought back to the coffee menu. Though not being a regular coffee drinker himself, [J-Knows] fully committed to the bit by taking his creation on a test trip to his local Starbucks for a PSL. Judging by the amount of pumpkin spice aerosol solution that ended up on his car dash, he is going to be smelling it into the next year.
Ultra-Wide Gaming Handheld Channels The Nintendo DS
“The Nintendo DS isn’t wide enough!” said nobody, ever. Most players found Nintendo’s form factor to be perfectly acceptable for gaming on the go, after all. Still, that doesn’t mean a handheld gaming rig with a more… cinematic aspect ratio couldn’t be fun! [Marcin Plaza] built just that, with great results.
The initial plan was to build a Steam Deck-like device, but using laptop trackpads instead of joysticks. [Marcin] had a broken Lenovo Yoga 730-13 to use as the basis for the build. That caused the plan to diverge, as the only screen [Marcin] could find that was easily compatible with the laptop’s eDP interface was an ultrawide unit. From there, a clamshell enclosure was designed specifically to rehouse all the key components from the Lenovo laptop. The top half of the clamshell would hold the screen, while the base would feature a small custom keyboard, some buttons, and the aforementioned trackpad. This thing reminds us of the Nintendo DS for multiple reasons. It’s not just the clamshell design—it’s the fact it has a touch control on the lower deck, albeit without a screen.
It’s an original concept for a handheld gaming device, and it makes us wish there were more games built for the ultrawide aspect ratio. This is one project that has us browsing the usual websites to see just what other oddball screens are out there… round screens in a makeup compact clamshell, anyone? Video after the break.
US Is Getting Its First Onshore Wave Power Plant
Renewables let you have a more diverse set of energy inputs so you aren’t putting all your generation eggs in one basket. One type of renewable that doesn’t see a lot of love, despite 80% of the world’s population living within 100 km (~60 mi) of a coastline, is harnessing the energy of the tides. [via Electrek]
“The U.S. Department of Energy’s National Renewable Energy Laboratory estimates that wave energy has the potential to generate over 1,400 terawatt-hours per year,” so while this initial project won’t be huge, the overall possible power generation from tidal power is nothing to sneeze at. Known more for its role in shipping fossil fuels, the Port of Los Angeles will host the new wave power pilot being built by Eco Wave Power and Shell. Eco Wave’s system uses floaters to drive pistons that compress hydraulic fluid and turn a generator before the decompressed fluid is returned to the pistons in a nice, tidy loop.
Eco Wave plans to finish construction by early 2025 and already has the power conversion unit onsite at the Port of Los Angeles. While the press release is mum on the planned install capacity, Eco Wave claims they will soon have 404.7 MW of installed capacity through several different pilot projects around the world.
We covered another Swiss company trying to harness tidal power with underwater kites, and if wave power isn’t your thing but you still like mixing water and electricity, why not try offshore wind or a floating solar farm? Just make sure to keep the noise down!
UFO 50 Inspired LX System Looks Straight Out of a Video Game
They simply don’t make them like they used to, and in the case of this retro LX system build, they only make what never existed in the first place. Earlier this year the long-awaited video game UFO 50 released to widespread critical acclaim. The conceit of the game is an interactive anthology of a faux 1980s game console constructed by a large group of actual indie game developers. Leave it to [Luke], who admitted to UFO 50 taking over his life, to bring the LX system from the digital screen to the real world.
Each piece of the LX System case was printed on a multi-color filament capable Bambu Labs P1S. Dual XLR jacks wired up as USB serve as controller ports, and the controller itself is a repurposed NES style USB controller fitted with a new housing printed with the same filament as the case. Both the prominent front mounted power and “sys” buttons are functional; the latter actually switches to a new game within UFO 50. The brains of this project is a mini Windows PC hooked up to a 9 inch 720p LCD screen, which is plenty of resolution for the pixelated look of the games. As impressive as replicating the whole case look is, it’s really brought together by the addition of a 3.5 inch floppy drive. It could be an interesting way to back up save files, provided they fit within 1.44 MB.
In addition to sharing the completed LX System, [Luke] has also made the print files available online along with a list of project materials used. It would be neat to see an alternate color scheme or remix for this working prototype of a console that never actually existed. In the meantime, there are plenty more games to play and discover in UFO 50…there’s 50 of them after all.
via Time Extension
Minichord Wants To Help You Find Rad Chord Progressions
If you’re good at music theory, you can probably find all the chords and progressions you need just by using your fingers and a suitable instrument. For a lot of musicians, though, remembering huge banks of chords can be difficult, and experimenting with combinations can quickly become tedious and tiring. Enter the minichord, a tiny version of the Omnichord synth designed by [Benjamin] that offers to help out by putting all the chords you need a mere button press away.
The minichord is based around the Teensy 4.0, a capable microcontroller platform if ever there was one. It’s paired with a bunch of tactile buttons which are used to tell the Teensy which chord you desire to play. Various combinations of buttons can be used to play more advanced chords, too. There are potentiometers on board as well for volume control, as well as a touch pad for “strumming” arpeggios and other fine control tasks. An online interface allows modifying the presets onboard, too.
[Benjamin] hopes to get the minichord into production; it’s currently in a Seeedstudio competition that could see that happen, based on likes on the project video. The minichord isn’t the only player in this space, of course. The Orchard synth has been making similar waves this week. We’ve seen [Benjamin’s] work before, too. Video after the break.
Goodbye Virus! Scientists Create NanoGripper, the DNA NanoRobot That “Captures” Them
Scientists at the University of Illinois have developed a nanorobot, NanoGripper, built from a single DNA molecule. This miniature structure resembles a hand with four flexible fingers able to capture viruses, including COVID-19, and prevent them from entering cells. The device can be used for diagnosis, for blocking infections and for delivering drugs to target cells.
DNA became the basis of the design thanks to its strength, flexibility and programmability. The nanorobot uses special DNA aptamers that recognize molecular targets, such as the coronavirus spike protein.
Once the target is detected, the fingers fold to lock onto the virus. The device can be attached to surfaces or complex systems for biomedical applications, including diagnostics and therapy.
To detect COVID-19, NanoGripper was integrated with a photonic crystal, which made it possible to develop a rapid test comparable in accuracy to PCR methods. The test takes about 30 minutes and is highly sensitive thanks to the nanorobot’s ability to capture individual viral particles. When a virus is detected in the system, a fluorescent signal is triggered that allows the particles to be counted.
In addition, NanoGripper can block viruses at the stage of their interaction with cells. In laboratory experiments, the nanorobots wrapped their arms around the viruses, preventing them from binding to cell receptors. This opens up the prospect of developing antiviral agents, such as a nasal spray, that could prevent infection by respiratory viruses.
The device is also being considered for other medical applications, such as fighting cancer. The nanorobot can be programmed to recognize specific tumour markers and deliver drugs directly to the affected cells. Further optimization of the design and testing of the technology for a wide range of biomedical applications is planned.
The article Goodbye Virus! Scientists Create NanoGripper, the DNA NanoRobot That “Captures” Them originally appeared on il blog della sicurezza informatica.
Restore Credentials: Android’s New Feature for Switching Phones Without Stress!
Google has introduced a new feature called Restore Credentials. It is meant to help users securely and quickly restore access to third-party applications after moving to a new Android device.
How Restore Credentials works
The feature is part of the Credential Manager API and is designed to eliminate the need for users to re-enter credentials for each application. “With Restore Credentials, apps can easily connect users to their accounts on a new device after restoring apps and data from a previous device,” Google says.
According to the company, this process happens automatically in the background while the user restores applications and data from the old device. It uses a so-called restore key, which is in fact a FIDO2-compliant public key. The restore key is transferred using Android’s built-in backup and restore process.
So when a user signs in to an app that supports this feature, the restore key is stored in Credential Manager (locally on the device and encrypted).
Using the restore key
Optionally, the encrypted restore key can be stored in the cloud if cloud backup is configured. Of course, restore keys can also be transferred manually, directly from one device to another.
As a result, when switching to a new device and restoring applications, the restore keys are requested during the process. These let you sign in to your accounts automatically without re-entering credentials.
“If the currently signed-in user is trusted, you can generate a restore key at any time after they have authenticated to your app,” Google instructs app developers. “For example, immediately after sign-in or during a routine check for an existing restore key.”
It is also recommended to delete the restore key immediately after the user signs out, to avoid a loop in which the user intentionally signs out and is automatically signed back in.
Methods for transferring the restore key between the old and new device: cloud backup or direct device-to-device connection
It should be noted that Apple has long implemented similar functionality in iOS, which uses the kSecAttrAccessible attribute to control app access to certain credentials stored in the iCloud keychain.
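As an added illustration of the lifecycle described above (this is not Google’s sample code), the Kotlin sketch below creates the restore key after a trusted login, consumes it on a freshly restored device, and clears it on sign-out. It assumes androidx.credentials 1.5.0 or later, which introduced the restore-credential request types, and a hypothetical `AuthApi` interface standing in for the app’s own WebAuthn-capable server endpoints.

```kotlin
// Added example, not Google's code: Restore Credentials lifecycle with the
// androidx.credentials Credential Manager API (assumed: androidx.credentials
// 1.5.0 or later). AuthApi and its endpoints are hypothetical placeholders.
import android.content.Context
import androidx.credentials.ClearCredentialStateRequest
import androidx.credentials.CreateRestoreCredentialRequest
import androidx.credentials.CreateRestoreCredentialResponse
import androidx.credentials.CredentialManager
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetRestoreCredentialOption
import androidx.credentials.RestoreCredential
import androidx.credentials.exceptions.NoCredentialException

// Hypothetical server interface; a real app backs these with its own
// WebAuthn-style endpoints (creation options, registration, assertion check).
interface AuthApi {
    suspend fun fetchRestoreKeyCreationOptions(userId: String): String
    suspend fun registerRestoreKey(userId: String, registrationResponseJson: String)
    suspend fun fetchRestoreKeyRequestOptions(): String
    suspend fun verifyRestoreAssertion(assertionJson: String): Boolean
}

class RestoreCredentialFlow(private val context: Context, private val api: AuthApi) {
    private val credentialManager = CredentialManager.create(context)

    // 1. Only after the user has authenticated (the "trusted user" condition
    //    in Google's guidance): create the restore key. The request JSON is
    //    WebAuthn-style PublicKeyCredentialCreationOptions from the server, so
    //    the server can later verify assertions made with this key.
    suspend fun createRestoreKeyAfterLogin(userId: String) {
        val creationOptionsJson = api.fetchRestoreKeyCreationOptions(userId)
        val response = credentialManager.createCredential(
            context,
            CreateRestoreCredentialRequest(requestJson = creationOptionsJson)
        ) as CreateRestoreCredentialResponse
        // The registration response carries the FIDO2 public key; the server
        // stores it against the account. The private half stays on-device,
        // encrypted, and travels only via Android backup/restore.
        api.registerRestoreKey(userId, response.responseJson)
    }

    // 2. On a restored device, ask Credential Manager for the restore key that
    //    came across with the app's backup and sign in silently. Returns false
    //    when no key is present (first install, or key cleared on sign-out).
    suspend fun signInWithRestoreKey(): Boolean {
        val requestOptionsJson = api.fetchRestoreKeyRequestOptions()
        val result = try {
            credentialManager.getCredential(
                context,
                GetCredentialRequest(listOf(GetRestoreCredentialOption(requestOptionsJson)))
            )
        } catch (e: NoCredentialException) {
            return false
        }
        val credential = result.credential as? RestoreCredential ?: return false
        // The assertion is verified server-side like any FIDO2 assertion; only
        // a valid signature over the server's challenge yields a session.
        return api.verifyRestoreAssertion(credential.authenticationResponseJson)
    }

    // 3. On explicit sign-out, clear the restore key so the device does not
    //    silently sign the user back in (the loop the article warns about).
    suspend fun clearRestoreKeyOnLogout() {
        credentialManager.clearCredentialState(
            ClearCredentialStateRequest(ClearCredentialStateRequest.TYPE_CLEAR_RESTORE_CREDENTIAL)
        )
    }
}
```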
The article Restore Credentials: Android’s New Feature for Switching Phones Without Stress! originally appeared on il blog della sicurezza informatica.
Digital Security Festival 2024: the experience of the present at the service of the future
The 2024 edition of the Digital Security Festival brought the stories of many experiences with the common denominator of cyber security across the whole of Italy’s North-East, speaking to citizens, entrepreneurs and professionals about how technology is, or rather must be, always at the service of people. Hence the theme “Human-centric by nature”, which characterized 10 in-person meetings and 4 online ones.
Marco Cozzi, President of the Digital Security Festival 2024, made himself available for an interview after the Festival ended, giving us his feedback and, above all, a preview of the near future.
How did the sixth edition of the Digital Security Festival go?
It was an extraordinary edition, which exceeded every expectation. From 18 October to 8 November, the Festival engaged an incredibly wide audience, with over 1,000 participants at the in-person and online events. We had 10 in-person stops, touching the Provinces of Udine, Trieste, Treviso, Padua and Vicenza, plus four online events, with the participation of more than 50 speakers, including national and international experts. It was exciting to see students, entrepreneurs and citizens join us to discuss crucial topics such as digital security and artificial intelligence.
What were the most significant moments of this edition?
One of the most moving moments was certainly the announcement by the Hon. Walter Rizzetto of the approval of the law that will introduce workplace safety into schools, made in front of hundreds of students in Udine. The announcement of the Festival’s collaboration with the Italian Olympiad in Informatics was also exciting. Every meeting was unique: in Trieste we addressed the importance of European regulations such as NIS2, while in Padua we discussed the future impacts of artificial intelligence and quantum computing. The closing in Vicenza, in a historic venue, offered a special experience, with talks by speakers of the highest calibre.
Marco Cozzi and the Hon. Walter Rizzetto
What was the main theme of this edition?
The theme “Human-centric by nature” was the common thread. We wanted to put the role of the human being at the centre of technological evolution, drawing inspiration from Isaac Asimov’s first law of robotics. Technology must be a means to improve people’s lives, not an end in itself. This approach stimulated deep reflection, focusing on the importance of ethics and of the balance between technological progress and human needs.
How important was the contribution of the board and the Festival’s partners?
Fundamental. I want to thank our board, made up of Gabriele Gobbo, Sonia Gastaldi, Luigi Gregori and Davide Bazzan, for their commitment and passion. Each member made an essential contribution to making the Festival what it is today: a point of reference for the culture of digital security. In addition, the support of our partners and sponsors was decisive for the success and sustainability of the event.
Marco Cozzi, President of the Digital Security Festival
What are the next goals for the Digital Security Festival?
The future is exciting. With the transformation into a Social Promotion Association (APS), we can expand our activities, reach all of Italy and think about going abroad too. We have also laid the groundwork to study a protocol with the Council for Gender Equality, aimed at countering the gender gap in STEM fields. Our goal is to continue spreading digital culture and strengthening the link between technology, ethics and humanity, creating a safer and more inclusive digital ecosystem for everyone.
We are only at the beginning of a journey that aims to unite technology and humanity in a responsible and sustainable way.
The article Digital Security Festival 2024: the experience of the present at the service of the future originally appeared on il blog della sicurezza informatica.
Chocolate-Coating Machine Mk. 2: the Merry-Go-Round
This holiday season, [Chaz] wanted to continue his family’s tradition of enrobing a little bit of everything in dark chocolate, and built an improved, rotating chocolate-coating machine.
You may remember last year’s offering, aka the conveyor belt version. Although that one worked, too much chocolate was ultimately lost to the surface of the kitchen table. [Chaz] once again started with a standard chocolate fountain and bought a round wire rack that fits the circumference of the bowl at the bottom. He snipped a hole in the center large enough to accommodate the business part of the fountain and printed a collar with holes that he cleverly zip-tied to the rack.
[Chaz] also printed a large gear to go around the bowl, a small gear to attach to a six RPM motor, a motor mount for the bowl, and an air blade attachment for a portable Ryobi fan. The air blade worked quite well, doing the double duty of distributing the chocolate and thinning out the coating. Plus, it gives things a neat rumpled look on the top.
Want to make some special chocolates this year, but don’t want to build an enrober? Get yourself a diffraction grating and make some rainbow goodies with melted chocolate.
The Japanese Console You Maybe Haven’t Heard Of
The games consoles which came out of Japan in the 1980s are the stuff of legend, with the offerings from Nintendo and Sega weaving themselves into global popular culture. Most of us can recite a list of the main players in the market, but how many of us would have Epoch and their Super Cassette Vision on that list? [Nicole Express] is here with a look at this forgotten machine which tried so hard and yet missed the target when competing with the NES or Master System.
Before the arrival of the Sega and Nintendo cartridge based systems, one of the better known Japanese consoles was the Epoch Cassette Vision. This was something of a hybrid between single-game TV games and an Atari 2600 style computing device for games, in that it used pre-programmed microcontrollers in its cartridges rather than the ROMs of the 2600. For the late-70s gamer this was still hot stuff, but by 1983 as the Master System and NES hove into view it was definitely past its best. Epoch’s response for 1984 was the Super Cassette Vision, a much more conventional 8-bit console with on the face of it some respectable graphics and sound hardware.
The article looks at the console’s capabilities in detail, highlighting the multi-colored sprites and smooth sprite movement, but also the tilemap limitations and the somewhat awful sound chip shared with handheld games and sounding very much like it. Coupled with its inferior controllers and TV game style aesthetic, it’s not difficult to see why it would be the last console from this manufacturer.
If forgotten consoles are your thing, have a read about the Fairchild Channel F, the machine that gave us console cartridges.
Operation Serengeti in Africa: 1,000 criminal hackers arrested and $193 million in damage!
African law enforcement agencies have announced Operation Serengeti, during which more than 1,000 people suspected of involvement in cybercrime were arrested. The total financial damage caused is estimated at $193 million.
The operation was coordinated by Interpol and Afripol and was carried out between 2 September and 31 October 2024. Serengeti reportedly “targeted mainly criminals associated with ransomware, BEC (business email compromise) attacks, digital extortion and online fraud”.
134,089 malicious infrastructures taken down
In total, authorities in 19 African countries arrested 1,006 suspects and took down 134,089 malicious infrastructures and networks, based on operational intelligence provided to them by cybersecurity partners such as Cybercrime Atlas, Fortinet, Group-IB, Kaspersky Lab, Team Cymru, Trend Micro and Uppsala Security.
Investigators found that the suspects and their infrastructure were linked to at least 35,224 identified victims, who lost approximately $193 million to various hacking attacks and fraud. During Operation Serengeti, victims managed to recover about $44 million.
A vast operation covering all of Africa
Law enforcement agencies in specific regions report that the following actions are the result of Serengeti.
- Kenya: a credit card fraud case involving losses of $8.6 million was solved. The funds were stolen using fraudulent scripts and redirected via the SWIFT system to companies in the United Arab Emirates, Nigeria and China. About two dozen arrests were made.
- Senegal: a Ponzi scheme was uncovered involving 1,811 victims who lost about six million dollars. More than 900 SIM cards, $11,000 in cash, phones, laptops and victims’ identity cards were seized. Eight people were arrested (including five Chinese nationals).
- Nigeria: a man was arrested for running an online investment scam and earning $300,000 through false cryptocurrency promises.
- Cameroon: a network marketing scam involving victims from seven countries was exposed. The victims had been promised a job, but in the end were held captive and forced to recruit other people in order to be released. The group collected at least $150,000 in membership fees.
- Angola: the activities of an international group running a virtual casino in Luanda were disrupted. Hundreds of people were deceived with promises of winnings in exchange for attracting new members. 150 arrests were made, and 200 computers and more than 100 mobile phones were seized.
Algeria, Benin, Côte d’Ivoire, the DRC, Gabon, Ghana, Mauritius, Mozambique, Rwanda, South Africa, Tanzania, Tunisia, Zambia and Zimbabwe also took part in Operation Serengeti.
The article Operation Serengeti in Africa: 1,000 criminal hackers arrested and $193 million in damage! originally appeared on il blog della sicurezza informatica.
APT trends report Q3 2024
Kaspersky’s Global Research and Analysis Team (GReAT) has been releasing quarterly summaries of advanced persistent threat (APT) activity for over seven years now. Based on our threat intelligence research, these summaries offer a representative overview of what we’ve published and discussed in more detail in our private APT reports. They are intended to highlight the significant events and findings that we think are important for people to know about. This is our latest roundup, covering activity we observed during Q3 2024.
If you’d like to learn more about our intelligence reports or request more information about a specific report, please contact intelreports@kaspersky.com.
The most remarkable findings
In the second half of 2022, a wave of attacks from an unknown threat actor targeted victims with a new type of attack framework that we dubbed P8. The campaign targeted Vietnamese victims, mostly from the financial sector, with some from the real estate sector. Later, in 2023, Elastic Lab published a report about an OceanLotus APT (aka APT32) attack that leveraged a new set of malicious tools called Spectral Viper. Although the campaigns are the same, we cannot conclusively attribute P8 to OceanLotus.
The P8 framework includes a loader and multiple plugins. Except for the first-stage loader and the PipeShell plugin, all plugins are downloaded from the C2 and then loaded into memory, leaving no trace on disk. After a thorough analysis of the framework and its modules, we believe P8 was developed based on the open source project C2Implant, which is a red teaming C2 framework. However, P8 contains many built-in functions and redesigns of the communication protocol and encryption algorithm, making it a well-designed and powerful espionage platform. Based on the implemented supported commands, we suspect the goal is to implement another Cobalt Strike-like post-exploitation platform. Methods to gain persistence on affected systems are not built in and depend on commands received from the C2.
Unfortunately, we were unable to obtain any bait files or initial infection vectors. Based on limited telemetry, we believe with medium to low confidence that some of the initial infections were spear-phishing emails. Notably, these attacks use an obsolete version of the Kaspersky Removal Tool to side-load the P8 beacon. We also observed SMB and printer driver vulnerabilities being used to move laterally through the network.
We published a follow-up report on P8 that describes the plugins used in the attacks. Each time the system restarts, or as required by the operation, P8 downloads additional plugins from the C2 or loads them from disk into memory. So far, we have collected 12 plugins or modules that are used to support the operation by adding functionality for lateral movement, exfiltration, file management, credential stealing, taking screenshots or custom loading capabilities. In particular, two plugins are used to upload files of interest; one plugin is used for small files, while a second is used to upload large files to another server, presumably to reduce the network load on the C2.
We subsequently detected new attacks from this threat actor. While carrying out these attacks, the actor changed its TTPs from those outlined in our previous reports. For example, new persistence mechanisms were detected and we found that the loading mechanism of the final payload, the P8 beacon, also changed. In terms of victimology, there was little change. Most of the infections were still at financial institutions in Vietnam, with one victim active in the manufacturing industry. The infection vector has still not been found, nor have we been able to link these attacks to OceanLotus (APT32).
Earlier in 2024, a secure USB drive was found to be compromised and malicious code was injected into the access management software installed on the USB drive. The secure USB drive was developed by a government entity in Southeast Asia to securely store and transfer files between machines in sensitive environments. The access management software facilitates access to the encrypted partition of the drive. A Trojanized version of the software module was found to be used in these attacks. The malicious code injected into it is designed to steal sensitive files saved on the secure partition of the drive, while also acting as a USB worm and spreading the infection to USB drives of the same type.
Last year we investigated attacks against another different type of secure USB drive. Similarly, the attacks were delivered via a Trojanized USB management software called UTetris. We are tracking the threat actor behind the UTetris software attack as TetrisPhantom. In addition to the Trojanized UTetris software, TetrisPhantom uses a number of other malicious tools that have been in use for a few years. TetrisPhantom is still active and new samples of its tools have recently been detected.
While both the tactic of targeting a secure USB drive by compromising the software module installed on the drive and the victim profile in the recent attacks are similar to TetrisPhantom attacks, the malicious code implanted in the drive bears little similarity to the code injected into the utetris.exe program.
Our report provided an initial analysis of the Trojanized USB management program.
Chinese-speaking activity
In July 2021, we detected a campaign called ExCone targeting government entities in Russia. The attackers leveraged the VLC media player to deploy the FourteenHi backdoor after exploiting MS Exchange vulnerabilities. We also found Cobalt Strike beacons and several traces tying this actor to the ShadowPad malware and UNC2643 activity, which is in turn associated with the HAFNIUM threat actor.
Later that year, we discovered a new set of activities. This time the victimology changed: victims were also found in Europe, Central Asia and Southeast Asia. We also found new samples that we linked to Microcin, a Trojan used exclusively by SixLittleMonkeys. Shortly after, another campaign called DexCone was discovered, with similar TTPs to the ExCone campaign. Several new backdoors such as Pangolin and Iguania were discovered, both of which have similarities to FourteenHi.
Then, in 2022, we discovered another campaign by the same threat actor targeting Russia, with a special interest in government institutions, using spear-phishing emails as an infection vector and deploying an updated version of the Pangolin Trojan.
After that, we did not observe any new activity related to this actor until mid-July 2024. In this most recent campaign, the actor uses spear-phishing emails, embedding a JavaScript loader as the initial infection vector. The JavaScript loader loads yet another loader from a ZIP file, which in turn downloads a BMP image containing shellcode and an embedded PE file, which is the final payload. This is a new backdoor with limited functionality, reading and writing to files and injecting code into the msiexec.exe process. In this campaign, the actor decided to attack Russian educational institutions instead of government entities as it had previously.
The Scieron backdoor, a tool commonly used in cyber-espionage campaigns by the Scarab group, was detected in a new campaign. This campaign introduces novel decoders and loaders that use machine-specific information to decode and decrypt the Scieron backdoor and run it in memory. The campaign has specifically targeted a government entity in an African country and a telecoms provider in Central Asia. Notably, the infections within the telecoms provider have been traced back to 2022.
More recently, in June 2024, an updated infection chain was identified, with an updated set of decoders and loaders designed to run the Scieron backdoor and make it persistent. Our private report also provides a detailed description of the attackers’ post-compromise activities.
Europe
Awaken Likho is an APT campaign, active since at least July 2021, primarily targeting government organizations and contractors. To date, we have detected more than 120 targets in Russia, but there are also targets in other countries and territories such as India, China, Vietnam, Taiwan, Turkey, Slovakia, the Philippines, Australia, Switzerland and the Czech Republic, among others. Based on our findings, we would like to highlight two specific features of this campaign: all attacks are well prepared, and the hackers rely on the use of the legitimate remote administration tool UltraVNC. While this approach is rather simplistic, the attackers have been using this technique successfully for years.
We discovered a new Awaken Likho campaign that emerged in May 2024, in which the threat actor adjusted its TTPs slightly. The threat actor cleaned up its Golang SFX-based archives by removing unused files and also switched to executing AutoIT scripts after file extraction. UltraVNC remained the final payload, but in this campaign it was made to look like a OneDrive update utility. The targeting remained the same as in the earlier campaign – mainly government organizations and their contractors located in Russia.
Awaken Likho then adjusted its TTPs again, in a campaign uncovered in June 2024 that is still ongoing. The threat actor continued to favor the use of AutoIT scripts and also began using protectors such as Themida to protect its samples. While most of the samples we found still deployed the UltraVNC module, the attackers changed the final payload from UltraVNC to MeshAgent in several samples. Unlike previous campaigns, we did not observe the Golang SFX droppers this time. The nature of the threat actor, leveraging open source and free tools, allows it to quickly change its arsenal during active campaigns.
Epeius is a commercial spyware tool developed by an Italian company that claims to provide intelligence solutions to law enforcement agencies and governments. In recent years, the malware attracted the attention of the community due to the publication of two articles. The first, published in 2021 by Motherboard and Citizen Lab, shared the first evidence and indicators related to the software. The second, an article published in 2024 by the Google Threat Analysis Group, described the business model of various companies that provide commercial surveillance solutions. Knowledge of this threat is sparse and the Epeius malware has never been publicly described in detail. Our own threat hunting efforts to obtain related samples started in 2021, and last year we discovered a DEX file that we attribute with medium to high confidence to Epeius. Our private report describes what we know about Epeius and provides a technical description of its main Android component.
Middle East
In September 2023, our colleagues at ESET published a report on a newly discovered and sophisticated backdoor used by the FruityArmor threat actor, which they named DeadGlyph. The same month, we released an APT report detailing the ShadowWhisperer and NightmareLoader tools used in conjunction with the DeadGlyph malware. More recently, we identified what appears to be the latest version of the native DeadGlyph Executor backdoor module, with changes to both its architecture and workflow components.
MuddyWater is an APT actor that surfaced in 2017 and has traditionally targeted countries in the Middle East, Europe and the USA. The actor typically uses multi-stage PowerShell execution in its attacks, probably to obfuscate the attacks, evade defenses and hinder analysis.
Recently we uncovered VBS/DLL-based implants used in intrusions by the MuddyWater APT group that are still active today. The implants were found at multiple government and telecoms entities in Egypt, Kazakhstan, Kuwait, Morocco, Oman, Syria and the UAE. The threat actor achieves persistence through scheduled tasks that execute a malicious VBS file with the wscript.exe utility.
The TTPs and infrastructure we analyzed for the current intrusions are similar to previously reported intrusions by the MuddyWater APT group.
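The persistence described above (a scheduled task that runs a VBS file through wscript.exe) is easy to hunt for in exported task definitions. The following Python script is an added example and is not code from the report or from the MuddyWater toolset: it parses Task Scheduler XML of the kind `schtasks /query /tn <name> /xml` prints (and that is stored under C:\Windows\System32\Tasks), and flags any Exec action whose command is a Windows script host. The three task definitions, the task names and the script path are constructed for the demonstration.

```python
"""Flag exported Windows scheduled tasks that launch a script host.

Added example, not code from the report above. Parses Task Scheduler XML and
reports tasks whose Exec action runs wscript.exe or cscript.exe on a script
file, the persistence pattern described above. The three task definitions
below are constructed for the demo.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# a script path in the arguments, either quoted (may contain spaces) or bare
SCRIPT_RE = re.compile(
    r'"([^"]+?\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))\b', re.I)
# directories an unprivileged user can write to; a script there is a stronger signal
USER_WRITABLE = ("\\users\\public", "\\appdata\\", "\\programdata\\", "\\temp\\")

SAMPLE_TASKS = {  # constructed: task name -> XML as exported (declaration omitted)
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>""",
    r"\OneDriveStandaloneUpdater": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\OneDrive\OneDriveStandaloneUpdater.exe</Command></Exec>
  </Actions>
</Task>""",
    r"\WindowsUpdateCheck": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\wscript.exe</Command>
      <Arguments>//B //NoLogo "C:\Users\Public\Libraries\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def script_host_actions(task_name, xml_text):
    """Return one finding per Exec action of this task that runs a script host."""
    # Real exports start with an XML declaration claiming UTF-16. Once the file has
    # been decoded to str (read it with encoding="utf-16"), ElementTree refuses that
    # declaration, so drop it before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        if ntpath.basename(command.strip('"')).lower() not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_RE.search(args)
        script = (m.group(1) or m.group(2)) if m else ""
        findings.append({
            "task": task_name,
            "command": command,
            "script": script,
            "user_writable": any(d in script.lower() for d in USER_WRITABLE),
            "logon_trigger": root.find(".//t:Triggers/t:LogonTrigger", NS) is not None,
        })
    return findings


def scan_tasks(tasks):
    """tasks: mapping of task name -> XML text. Returns every finding."""
    out = []
    for name, xml_text in tasks.items():
        out.extend(script_host_actions(name, xml_text))
    return out


if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS):
        flags = [k for k in ("user_writable", "logon_trigger") if f[k]]
        print(f"{f['task']}: {f['command']} -> {f['script'] or '?'} {flags}")
```

Only the constructed `\WindowsUpdateCheck` task is reported: its command is wscript.exe, the script sits under a user-writable path and it fires at logon. The defrag and OneDrive tasks are ignored even though they also run executables, which is the point of keying on the script host rather than on "unknown task names". On a real host, feed the function the decoded contents of every file under the Tasks directory.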
Southeast Asia and Korean Peninsula
Gh0st RAT, an open source RAT created about 15 years ago, is used by various groups, including state-sponsored actors. One of them is Dragon Breath (aka APT-Q-27 and Golden Eye Dog), first discussed in 2020 in connection with a watering hole campaign aimed at tricking users into installing a Trojanized version of Telegram. By 2022, the group was still using Trojanized Telegram applications as an infection vector, but had changed the final payload to Gh0st RAT.
A year later, Sophos published a blog post describing the latest change in the group’s TTPs, which included double side-loading DLLs. Since then, the Gh0st RAT payload has remained the same, but the attackers have again slightly adjusted their TTPs. DLL side-loading was abandoned and replaced by leveraging a logical flaw in a version of the TrueUpdate application, while more recently the group began to run the malware via a Python-based infection chain executed by the installer package.
Historically, Dragon Breath has targeted the online gaming and gambling industry. Given the nature of the infection vector, we’re not yet able to determine the target audience for this campaign. The attack begins by tricking users into downloading a malicious MSI installer. Once the installer is started, the malware is installed alongside the legitimate application. We believe the victim is prompted to download and launch it from a fake site while searching for a Chinese version of the legitimate TrueUpdate MSI installer.
Bitter APT has been active for over a decade. Since late 2023, this threat actor has used and continues to use CHM (compiled HTML) files, LNK shortcuts and DOC files as the first stage of infection. These files carry malicious scripts to connect to a remote server and download the next stage of the attacks, and appear to be used as attachments to spear-phishing emails. The payloads delivered via these malicious scripts represent new samples of backdoor modules described in previous private reports. However, in several cases, the final payloads can only be downloaded by pre-selected system configurations authorized by the threat actor after the initial reconnaissance phase. In a recent report, we discussed the workflow of the initial LNK, DOC and CHM files, their progress through the next stages of the attack, as well as the updates to the final backdoor modules and corresponding infrastructure.
Tropic Trooper (aka KeyBoy and Pirate Panda) is an APT group operating since 2011. The group’s targets have traditionally been in government, as well as the healthcare, transportation and high-tech industries located in Taiwan, the Philippines, and Hong Kong. Our most recent investigation revealed a persistent campaign against a government entity in Egypt that began in June 2023 and continued through 2024.
We noticed the infection in June 2024, when our telemetry showed recurring alerts for a new China Chopper web shell variant (China Chopper is used by many Chinese-speaking actors) found on a public web server. The server hosted a Content Management System (CMS) called Umbraco, an open source CMS platform for publishing content written in C#. The observed web shell component was compiled as a .NET module of Umbraco CMS.
During our subsequent investigation, we looked for other suspicious detections on this public server and identified several related malware sets. These include post-exploitation tools that we believe with medium confidence are related and being used as part of this intrusion.
We also identified new DLL search-order hijacking implants that are loaded by a legitimate, vulnerable executable because it loads a required DLL by name rather than by full path, so a malicious DLL placed alongside it takes precedence. This attack chain attempted to load the Crowdoor loader, named after the SparrowDoor backdoor described by ESET. During the attack, the security agent blocked the first Crowdoor loader, which prompted the attackers to switch to a new, as yet unreported variant with largely the same behavior.
We investigated the attribution of this activity to the Chinese-language threat actor known as Tropic Trooper. Our findings show an overlap in capabilities reported in recent Tropic Trooper campaigns. The samples we found also show a high degree of overlap with samples previously attributed to Tropic Trooper.
PhantomNet is a RAT first described by ESET in late 2020. In 2021, we released our analysis of the PhantomNet malware, which at the time was being used in attacks against the Vietnamese government sector. Our report discussed in detail the plugins we found and the commands it supported.
We rediscovered PhantomNet during a recent investigation into a cyberattack on the Brazilian education and government sectors that occurred in April. This time we were able to recover several scripts, commands executed by the attackers, and the PhantomNet builder tool. The threat actor has changed the persistence mechanism so that the payload is now stored in an encrypted manner in the Windows registry and with an associated loader to retrieve the payload from the registry. There are also some changes to the victimology. Previously, PhantomNet infections were found in Asia, but now the infections have been found in many regions around the world and affect a wide variety of industries.
We discussed these findings in our private report, filling in the gaps from our previous report.
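The persistence change described above (an encrypted payload stored in the registry and a small loader that reads it back) leaves an artifact that can be hunted for without knowing the key or value names: an unusually large REG_BINARY value whose bytes look uniformly random. The following Python script is an added example, not code from the report or from PhantomNet: it parses the .reg text format written by `reg export` and regedit, and scores every hex-encoded value by Shannon entropy. The export below is constructed; the `Contoso\Settings` key and the value names are placeholders, and the "payload" is deterministic pseudo-random filler rather than real malware.

```python
"""Hunt a registry export for large, high-entropy binary values.

Added example, not code from the report above. Parses the .reg format
written by `reg export`/regedit and scores hex: values by Shannon entropy.
The export is constructed; keys and values are placeholders.
"""
import hashlib
import math
import re

HEX_VALUE = re.compile(
    r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=hex(?:\([0-9a-f]+\))?:(?P<data>.*)$', re.I)


def parse_reg_export(text):
    """Yield (key, value_name, bytes) for each hex-encoded value in a .reg file.

    Read real exports with encoding="utf-16" (they start with a BOM).
    Continuation lines end in a backslash, exactly as regedit writes them.
    """
    lines = text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")  # a leading '-' means "delete this key"
        else:
            m = HEX_VALUE.match(line)
            if m:
                data = m.group("data").strip()
                while data.endswith("\\") and i + 1 < len(lines):
                    i += 1
                    data = data[:-1] + lines[i].strip()
                raw = bytes(int(h, 16) for h in data.split(",") if h.strip())
                yield key, m.group("name") or "(Default)", raw
        i += 1


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def find_payload_candidates(text, min_size=1024, min_entropy=7.0):
    """Values at least min_size bytes long whose bytes look encrypted or compressed."""
    hits = []
    for key, name, raw in parse_reg_export(text):
        ent = shannon_entropy(raw)
        if len(raw) >= min_size and ent >= min_entropy:
            hits.append((key, name, len(raw), round(ent, 3)))
    return hits


# --- constructed sample export ---------------------------------------------
def pseudo_random_blob(n):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"demo-%d" % i).digest()
        i += 1
    return bytes(out[:n])


def to_reg_hex(data, width=25):
    """Encode bytes the way regedit does: hex:aa,bb,... with backslash wrapping."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex:" + ",\\\n  ".join(rows)


SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    "",
    r"[HKEY_CURRENT_USER\Software\Contoso\Settings]",   # placeholder key
    '"Config"=hex:01,00,00,00,02,00,00,00',              # small, ordinary
    '"Padding"=' + to_reg_hex(bytes(2048)),              # large but zero entropy
    '"Cache"=' + to_reg_hex(pseudo_random_blob(4096)),   # the candidate
])

if __name__ == "__main__":
    for key, name, size, ent in find_payload_candidates(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {size} bytes, entropy {ent}")
```

Only the 4 KB `Cache` value is reported: `Config` is too small and `Padding`, although large, has zero entropy. Size and entropy together are the filter, because either alone produces noise (icon caches and certificate blobs are large, short random salts are high-entropy). Tune `min_size` to the smallest payload you care about and review hits against the loader that reads them, since a legitimate application can also store compressed data in the registry.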
We have observed that the Kimsuky group uses a strategy of registering malware as a service for reliable persistence. The so-called ServiceChanger malware drops a malicious DLL file and registers a service disguised as a legitimate service. In the case we analyzed, ServiceChanger installed the TOGREASE malware, which is an evolved version of GREASE that adds the ability to toggle RDP activation when necessary by the operator; and in another instance, it was observed installing the XMRig miner.
In addition, this year’s updated version of the GREASE malware creates backdoor accounts named “Guest” and “IIS_USER” for use over RDP connections. It borrows code from the publicly available UACME project to bypass UAC and execute commands with escalated privileges. Unusually, the resources section of the GREASE malware includes a Zoom Opener installer vulnerable to DLL hijacking, which we have not observed Kimsuky use. It is possible, however, that they will create malware that exploits this vulnerability in the future.
The updated GREASE malware is thought to be connected to the RandomQuery malware also used by Kimsuky, as it communicates with the C2 in a similar manner. The similarity and the overlap between the TOGREASE and GREASE malware used by the Kimsuky group suggests that this group is behind the malware.
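The Kimsuky chain above combines two events that are individually noisy but telling together: a service registered under a legitimate-looking name, followed shortly by creation of an RDP-capable account named “Guest” or “IIS_USER”. The following Python script is an added example, not code from the report or from the ServiceChanger/GREASE malware: it correlates those two signals over log records. The records are constructed to resemble Windows System event 7045 (new service installed) and Security events 4720 (account created), 4722 (account enabled) and 4732 (member added to a local group) after a SIEM or log parser has reduced them to dicts; the hostnames, image paths and timestamps are invented, the field names are simplified (a real 4732 carries the member as a SID), and the service baseline is an illustrative sketch, not a full list.

```python
"""Correlate suspicious service installs with backdoor-account events.

Added example, not code from the report above. Records are constructed to
look like Windows events 7045, 4720, 4722 and 4732 after parsing to dicts;
hosts, paths, times and the service baseline are illustrative only.
"""
from datetime import datetime, timedelta

BACKDOOR_ACCOUNTS = {"guest", "iis_user"}      # names reported above
RDP_USERS_SID = "S-1-5-32-555"                 # BUILTIN\Remote Desktop Users
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Where a few real Windows services normally run from. Build the real baseline
# from a known-good image; these two entries are only a sketch.
EXPECTED_IMAGE = {
    "wuauserv": r"%systemroot%\system32\svchost.exe -k netsvcs -p",
    "schedule": r"%systemroot%\system32\svchost.exe -k netsvcs -p",
}

EVENTS = [  # constructed records, simplified field names
    {"host": "WS01", "time": "2024-09-10T08:01:12", "id": 7045,
     "ServiceName": "WpnUserService_3ab2c",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k UnistackSvcGroup"},
    {"host": "WS01", "time": "2024-09-10T14:22:05", "id": 7045,
     "ServiceName": "wuauserv", "ImagePath": r"C:\ProgramData\Intel\wuauserv.exe"},
    {"host": "WS01", "time": "2024-09-10T14:23:40", "id": 4720, "TargetUserName": "IIS_USER"},
    {"host": "WS01", "time": "2024-09-10T14:23:41", "id": 4732,
     "MemberName": "IIS_USER", "TargetSid": "S-1-5-32-555"},
    {"host": "WS01", "time": "2024-09-10T14:24:00", "id": 4722, "TargetUserName": "Guest"},
    {"host": "WS02", "time": "2024-09-11T09:00:00", "id": 4720, "TargetUserName": "jdoe"},
]


def service_reasons(ev):
    """Why a 7045 record looks like a malicious service registration (empty if benign)."""
    name, path = ev["ServiceName"].lower(), ev["ImagePath"].lower()
    reasons = []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("image path in user-writable directory")
    expected = EXPECTED_IMAGE.get(name)
    if expected and path != expected:
        reasons.append(f"name of built-in service {name!r} but unexpected image path")
    return reasons


def account_reason(ev):
    """Why a 4720/4722/4732 record looks like backdoor-account setup (None if not)."""
    user = (ev.get("TargetUserName") or ev.get("MemberName") or "").lower()
    if user not in BACKDOOR_ACCOUNTS:
        return None
    if ev["id"] == 4720:
        return f"account {user!r} created"
    if ev["id"] == 4722:
        return f"account {user!r} enabled"
    if ev["id"] == 4732 and ev.get("TargetSid") == RDP_USERS_SID:
        return f"account {user!r} added to Remote Desktop Users"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """One finding per suspicious service; backdoor-account events on the same host
    within `window` after it raise the severity. Unmatched account events are
    reported on their own at medium severity."""
    def ts(ev):
        return datetime.fromisoformat(ev["time"])

    services = [(ev, service_reasons(ev)) for ev in events if ev["id"] == 7045]
    accounts = [(ev, account_reason(ev)) for ev in events if ev["id"] in (4720, 4722, 4732)]
    accounts = [(ev, r) for ev, r in accounts if r]
    used, findings = set(), []
    for sev, reasons in services:
        if not reasons:
            continue
        related = [(i, r) for i, (aev, r) in enumerate(accounts)
                   if aev["host"] == sev["host"]
                   and timedelta(0) <= ts(aev) - ts(sev) <= window]
        used.update(i for i, _ in related)
        findings.append({"host": sev["host"], "service": sev["ServiceName"],
                         "reasons": reasons + [r for _, r in related],
                         "severity": "high" if related else "medium"})
    for i, (aev, r) in enumerate(accounts):
        if i not in used:
            findings.append({"host": aev["host"], "service": None,
                             "reasons": [r], "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f['severity']}] {f['host']} service={f['service']}: "
              + "; ".join(f["reasons"]))
```

On the constructed data the lookalike `wuauserv` service on WS01 is flagged for two reasons (user-writable image path, name of a built-in service with a different image) and is escalated to high because the IIS_USER and Guest events follow it within the window; the benign per-user notification service and the ordinary `jdoe` account creation on WS02 produce nothing. The RDP toggling that TOGREASE adds is not visible in these events; it shows up as a change to `fDenyTSConnections` and needs registry auditing or a configuration baseline to catch.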
Hacktivism
In the course of our research on hacktivist groups targeting organizations based in Russia, we have identified similarities among several of these groups. This suggests either that these clusters of activity share at least a subset of the same individuals, or that the groups are working closely together in their attacks. Our report details the tools, malware, and procedures of the BlackJack group and links it to the previously known group Twelve. In addition, further examination of its preferred wiper and ransomware tools uncovered samples that cannot be definitively attributed to either group.
Other interesting discoveries
In June, we identified an active campaign called “PassiveNeuron”, targeting government entities in Latin America and East Asia using previously unknown malware. The servers were compromised before security products were installed, and the method of infection is still unknown. The implants used in this operation were dubbed “Neursite” and “NeuralExecutor”. They do not share any code similarities with known malware, so attribution to a known threat actor is not possible at this time. The campaign shows a high level of sophistication, with the threat actor using compromised internal servers as an intermediate C2 infrastructure. The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet. A plugin-based approach provides dynamic adaptation to the attacker’s needs.
In mid-April, we discovered a suspicious domain which, upon further investigation, revealed two backdoors written in Golang. During analysis, another backdoor was discovered that was used earlier in the attack timeline and protected using VMProtect. As well as the backdoors, an unknown keylogger and the use of the SOCAT tool were observed in this attack. The campaign exhibits a few peculiarities. First, the Golang backdoor uses Google Translate services as a proxy to communicate with the C2. Second, the threat actor tries to imitate Kaspersky software in terms of file names and names of scheduled tasks. Third, we found only one infection, targeting a telecoms research center in India. We were unable to attribute this campaign to any known threat actor based on code similarity or TTPs.
In early April, we decided to take a closer look at the Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege vulnerability (CVE-2023-36033), which was previously discovered as a zero-day and exploited in the wild. While searching for samples related to this exploit and attacks using it, we found a document of note that was uploaded to a multi-scanner service on April 1, 2024. This document had a rather descriptive file name, indicating that it contained information about a vulnerability in the Windows operating system. Inside the document we found a brief description of a Windows Desktop Window Manager vulnerability and how it could be exploited to gain system privileges.
The exploitation process described in the document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033. However, the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing critical details about how to actually trigger the vulnerability, there was a high probability that the vulnerability described was made up or was present in code that could not be accessed or controlled by the attackers. The subsequent investigation revealed a zero-day vulnerability that can be used to escalate privileges. After reporting the findings to Microsoft, the vulnerability was designated CVE-2024-30051 and a patch was released as part of Patch Tuesday on May 14, 2024.
After closely monitoring our statistics for related exploits and attacks, it became clear that there were several exploits for this zero-day vulnerability. Our discoveries showed that it was being used in conjunction with QakBot and other malware such as NewBot, leading us to believe that multiple threat actors have access to it. While previous findings of in-the-wild exploitation of CVE-2024-30051 showed financial motivation, it is possible that it could be leveraged in future APT activity.
An updated set of intrusions, possibly related to the Deathstalker cyber-mercenary group, employs an updated DarkMe VB6 OCX/DLL implant and stealthier TTPs, such as a more sophisticated infection chain.
In the intrusions we reported previously, the threat actor typically delivered the initial dropper through instant messaging (IM) apps such as Skype. In more recent intrusions, the actor typically delivered the initial dropper through Telegram. We assess with medium confidence that the threat actor delivered the initial droppers via Telegram channels related to e-trading and fintech news.
Apart from the delivery method, the attackers also increased their level of OPSEC and post-compromise cleanup by deleting post-exploitation files, tools, and registry keys after the operators achieve their objectives. Such actions, in turn, make the infection harder to detect and complicate post-compromise investigation.
Final thoughts
While some threat actors’ TTPs remain consistent over time, such as a heavy reliance on social engineering as a means of gaining entry into a target organization or compromising an individual’s device, others have updated their toolsets and expanded the scope of their activities. Our regular quarterly reviews are designed to highlight the most significant developments related to APT groups.
Here are the key trends we observed in Q3 2024:
- This quarter, we saw threat actors broaden their targeting, both in terms of verticals and geography.
- The purpose of most APT activity is cyber-espionage, although hacktivist attacks remain a feature of the threat landscape this quarter, mirroring areas of real-world conflict.
- Even more open source tools have been employed by APT threat actors, mostly to manage network connectivity with C2s.
- We continue to see threat actors using LOTL (Living off the Land) techniques in their campaigns.
As always, we would like to point out that our reports are the product of our visibility into the threat landscape. However, it is important to remember that while we strive for continuous improvement, there is always the possibility that other sophisticated attacks may fly under our radar.
Disclaimer: When we refer to APT groups as Russian-speaking, Chinese-speaking, etc., we are referring to various artifacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) that contain words in those languages, based on information we have obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relationship, but rather indicates the languages used by the developers behind these APT artifacts.
Homebrew Phosphorescence Detector Looks for the Glow in Everyday Objects
Spoiler alert: almond butter isn’t phosphorescent. But powdered milk is, at least to the limit of detection of this homebrew phosphorescence detector.
Why spend a bunch of time and money on such a thing? The obvious answer is “Why not?”, but more specifically, when [lcamtuf]’s son took a shine (lol) to making phosphorescent compounds, it just seemed natural for dad to tag along in his own way. The basic concept of the detector is to build a light-tight test chamber that can be periodically and briefly flooded with UV light, charging up the putatively phosphorescent compounds within. A high-speed photodiode is then used to detect the afterglow, which can be quantified and displayed.
The analog end of the circuit was the far fussier end of the design, with a high-speed transimpedance amplifier to convert the photodiode’s tiny current into a usable voltage. Another scaling amp and a low-pass filter boosts and cleans up the signal for a 14-bit ADC. [lcamtuf] went to great lengths to make the front end as low-noise as possible, including ferrite beads and short leads to prevent picking up RF interference. The digital side has an AVR microcontroller that talks to the ADC and runs an LCD panel, plus switches the 340 nm LEDs on and off rapidly via a low gate capacitance MOSFET.
Unfortunately, not many things found randomly around the average home are all that phosphorescent. We’re not sure what [lcamtuf] tried other than the aforementioned foodstuffs, but we’d have thought something like table salt would do the trick, at least the iodized stuff. But no matter, the lessons learned along the way were worth the trip.
Even Apple Get Their Parts Wrong Sometimes
There can be few among those of us who produce printed circuit boards, who have not at some point placed a component the wrong way round, or with the wrong footprint. Usually this can be rectified with a bit of rework and a fresh board spin, but just occasionally these mishaps make it into the wild undetected. It seems nobody is immune, as [Doug Brown] is here to tell us with a tale of an Apple product with a misplaced capacitor.
The LC series of Macs came out through the early 1990s, and their pizza-box style cases could be found slowly turning yellow in universities and schools throughout that decade. Among them, there was a persistent rumor that the LC III had a misplaced capacitor, so when he received an unmodified original machine he took a look. The investigation is quite simple, but revealing: there are three power supply rails, and one of the capacitors does have a significant leak.
The explanation is simple enough, the designer had placed a capacitor on each rail, with its negative side to the ground plane, but one of the rails delivers -5 volts. Thus the capacitor is the wrong way round, and must have failed pretty early in the lifetime of each LCIII. We’re curious then since so many of them went through their lives without the component being replaced, how the circuit remained functional. We’re guessing that there were enough other capacitors in the -5 volt line to provide enough smoothing.
The most sophisticated zero-day attack of 2024 discovered: RomCom and the invisible backdoor
In recent weeks the threat landscape has been shaken by the emergence of attacks that chain two zero-day vulnerabilities, CVE-2024-9680 and CVE-2024-49039, affecting Firefox and Windows respectively. They were used in a targeted campaign run by the group behind the RomCom backdoor. The operation shows growing sophistication in attack methods and a dangerous speed in exploiting vulnerabilities.
The vulnerabilities and the attack mechanism
CVE-2024-9680, a use-after-free in Firefox’s animation timelines, allows malicious code to run inside the browser without any interaction from the victim. Exploitation in the wild has been confirmed, and the flaw carries a severity score of 9.8 out of 10, underlining how critical it is.
The second vulnerability, CVE-2024-49039, is a privilege-escalation flaw in Windows. Chained with the Firefox zero-day, it lets the attackers break out of the browser sandbox and gain full access to the victim’s device.
The compromise chain, discovered by ESET’s Damien Schaeffer, starts with a malicious website that redirects visitors to a server hosting a zero-click exploit. No user interaction is needed: once triggered, the exploit downloads and installs the RomCom backdoor, an advanced implant that lets the attackers run remote commands, collect sensitive information and download additional modules to extend the malware’s capabilities.
The campaign, active between October and November 2024, mainly hit users in Europe and North America, in particular in the government, energy and healthcare sectors. The choice of these strategic sectors underlines RomCom’s interest in sensitive data and in sabotage operations.
Map of potential victims, as reported by ESET.
RomCom: the group behind the attacks
RomCom (also known as Tropical Scorpius or UNC2596) is a Russia-aligned group involved in numerous cybercrime and espionage campaigns. As early as 2023 it exploited a zero-day through Microsoft Word, demonstrating its ability to adapt to new vulnerabilities. In 2024 RomCom expanded its activity, hitting critical sectors in Ukraine, Europe and the United States, confirming that it has stepped up its efforts to steal strategic data and damage critical infrastructure.
Patch timeliness
A timely response to the vulnerabilities was crucial in mitigating the impact of this campaign. Mozilla, for instance, reacted exceptionally fast: within 48 hours of ESET’s report it shipped updates for Firefox and Thunderbird that protect users against CVE-2024-9680. Microsoft followed quickly, releasing the patch for CVE-2024-49039 on 12 November and closing an important entry point used by the attackers. These rapid interventions show how effective collaboration between security researchers and technology vendors can contain threats before they spread more widely.
Recommendations
- Immediate updates: promptly applying patches for browsers and operating systems is essential to protect devices from vulnerabilities like those exploited in this campaign.
- Continuous monitoring: deploying advanced detection tooling to identify lateral movement and malicious commands is crucial so that attackers cannot operate unnoticed.
- Staff awareness: training employees on the risks posed by fake websites and zero-click vulnerabilities can make the difference in preventing attacks.
Conclusion
The RomCom campaign highlights the growing sophistication of state-aligned groups, which make ever more frequent use of zero-day vulnerabilities to carry out targeted and damaging attacks. The combination of flaws in Firefox and Windows showed how exploits can bypass traditional protections and strike without any interaction from the victim. The speed with which Mozilla and Microsoft shipped their patches, however, underlines the importance of a fast, coordinated response to limit the damage. This case is a reminder of the urgency of keeping systems up to date, actively monitoring threats and investing in security, because the risks not only evolve but strike with unprecedented speed.
The article “The most sophisticated zero-day attack of 2024 discovered: RomCom and the invisible backdoor” originally appeared on Il blog della sicurezza informatica.
DIY Pipe Inspector Goes Where No Bot Has Gone Before
If you think your job sucks, be grateful you’re not this homebrew sewer inspection robot.
Before anyone gets upset, yes we know what [Stargate System] built here isn’t a robot at all; it’s more of a remotely operated vehicle. That doesn’t take away from the fact that this is a very cool build, especially since it has to work in one of the least hospitable and most unpleasant environments possible. The backstory of this project is that the sewer on a 50-year-old house kept backing up, and efforts to clear it only temporarily solved the problem. The cast iron lateral line was reconfigured at some point in its history to include a 120-degree bend, which left a blind spot for the camera used by a sewer inspection service. What’s worse, the bend was close to the joint where a line that once gave the gutters and foundation drains access to the sewer tied in.
To better visualize the problem, [Stargate] turned to his experience building bots to whip up something for the job. The bot had to be able to fit into the pipe and short enough to make the turn, plus it needed to be — erm, waterproof. It also needed to carry a camera and a light, and to be powered and controlled from the other end of the line. Most of the body of the bot, including the hull and the driving gear, was 3D printed from ABS, which allowed the seams to be sealed with acetone later. The drive tracks were only added after the original wheels didn’t perform well in testing. Controlling the gear motors and camera was up to a Raspberry Pi Zero, chosen mostly due to space constraints. An Ethernet shield provided connectivity to the surface over a Cat5 cable, and a homebrew PoE system provided power.
As interesting as the construction details were, the real treat is the down-hole footage. It’s not too graphic, but the blockage is pretty gnarly. We also greatly appreciated the field-expedient chain flail [Stargate] whipped up to bust up the big chunks of yuck and get the pipe back in shape. He did a little bit of robo-spelunking, too, as you do.
And no, this isn’t the only sewer bot we’ve ever featured.
Would an Indexing Feature Benefit Your Next Hinge Design?
[Angus] of Maker’s Muse has a video with a roundup of different 3D-printable hinge designs, and he points out that a great thing about 3D printing objects is that adding printable features to them is essentially free.
These hinges have an indexing feature that allows them to lock into place, no additional parts needed.
A great example of this is his experimental print-in-place butt hinge with indexing feature, which is a hinge that can lock without adding any additional parts. The whole video is worth a watch, but he shows off the experimental design at the 7:47 mark. The hinge can swing normally but when positioned just right, the squared-off pin within slots into a tapered track, locking the part in place.
Inspired by a handheld shopping basket with a lockable handle, [Angus] worked out a design of his own and demonstrates it with a small GoPro tripod whose legs can fold and lock in place. He admits it’s a demonstration of the concept more than a genuinely useful tripod, but it does show what’s possible with some careful design. Being entirely 3D printed in a single piece and requiring no additional hardware is awfully nice.
3D printing is very well-suited to this sort of thing, and it’s worth playing to a printer’s strengths to do for pennies what one would otherwise need dollars to accomplish.
Want some tips on designing things in a way that takes full advantage of what a 3D printer can achieve? Check out printing enclosures at an angle with minimal supports, leveraging the living hinge to print complex shapes flat (and fold them up for assembly), or even printing a one-piece hinge that can actually withstand a serious load. All of those are full of tips, so keep them in mind the next time you design a part.
Bologna FC in RansomHub’s Crosshairs: Group Claims 200 GB of Data!
Ransomware gangs hit beloved football clubs too. Bologna FC, one of Serie A’s historic clubs, has been named as the victim of a ransomware attack allegedly carried out by the RansomHub group.
This attack highlights how cybercriminals do not spare even the world of sport, using the exfiltration of sensitive data as leverage to extort money. According to reports, 200 GB of confidential data were allegedly stolen, including corporate documents, market strategies and personal information of fans, players and staff.
At present we cannot confirm the veracity of the news, since the organisation has not yet released any official press statement about the incident on its website. This article should therefore be treated as an ‘intelligence source’.
RansomHub and the RaaS model
RansomHub operates under the Ransomware-as-a-Service (RaaS) model, a structure that allows affiliates to launch attacks using tools supplied by the core group. This scheme is not limited to locking data through encryption: it relies on exfiltrating information and then threatening to publish it in order to increase pressure on victims.
In the case of Bologna FC, the group allegedly stated that the club lacks adequate security measures, using the GDPR as a further instrument of coercion. The fines the European regulation provides for failing to protect data can reach 10 million euros or 2% of turnover, a factor that could push victims to consider paying the ransom.
Stolen data
RansomHub claims to have stolen a vast quantity of information, including:
- Sponsorship contracts with financial details.
- The club’s corporate and commercial strategies.
- Personal data of players, fans and employees.
- Complete medical records of the players.
- Information on transfers and young talent.
- Passport scans and bank details, including those of head coach Vincenzo Italiano.
Some screenshots of these documents have reportedly already been published on the dark web, demonstrating the authenticity of the theft and intensifying the pressure on Bologna FC.
Conclusion
If confirmed, the attack on Bologna FC is a warning sign for all organisations, sporting and otherwise. The combination of advanced technology and pressure tactics is turning ransomware into one of the most insidious threats of our time. After an attack like this, the world of sport can no longer ignore the growing cyber threat. It is crucial to adopt security strategies that include constant monitoring, the deployment of advanced technologies and a culture of cybersecurity shared by everyone in the organisation. Only in this way can the next club to be hit avoid seeing its data, and its reputation, put at risk.
As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be glad to publish such information in a dedicated article giving prominence to the issue.
RHC will monitor the evolution of the matter so as to publish further news on the blog, should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.
The article Bologna FC in RansomHub’s Crosshairs: Group Claims 200 GB of Data! originates from il blog della sicurezza informatica.
Global-Scale Hacker Attack: Oracle and Public Health in the Crosshairs
A malicious actor has published two posts on a dark web forum claiming to have obtained unauthorised access to Oracle’s cloud platform and to the servers of a major global healthcare company.
The cybercriminal’s claims raise significant concerns about the security of critical infrastructure and the protection of personal data worldwide.
At present we cannot confirm the authenticity of the news, since the organisation has not yet published an official statement about the incident on its website. The information reported comes from public sources accessible on underground sites and should therefore be interpreted as an intelligence source, not as definitive confirmation.
First Post: Sale of Oracle Cloud API Access
In the first post, the cybercriminal claimed to have compromised access to Oracle’s cloud platform, offering it for sale to the highest bidder for 100,000 dollars in crypto.
Oracle, a global giant in enterprise software and cloud solutions, is a pillar of the world’s technology. The compromise of exclusive API access to its platform could have devastating repercussions, potentially opening the door to large-scale exploitation of customer companies and entire digital ecosystems.
Second Post: Global Health Data Exposed
In the second post, the malicious actor raised the stakes further, claiming to have breached the servers of a major global healthcare company by exploiting Oracle infrastructure. According to the report, the attack allegedly led to access to, and the sale of, sensitive data on millions of citizens around the world. The compromised information reportedly includes:
- Personally identifying data
- Telephone numbers
- Full names
- Email addresses
- Additional sensitive details
The actor also claims to have full control over the cloud servers and applications used by the healthcare company, putting the stolen data up for sale for 15,000 dollars and accepting cryptocurrencies such as Bitcoin, Ethereum or Litecoin.
To contact the criminal directly, a Tox address was even provided, signalling an intent to negotiate or sell information without leaving traces, through anonymous and encrypted channels.
The potential consequences of these breaches, if confirmed, are extremely serious. The personal data of millions of people could end up in the wrong hands, fuelling financial fraud, identity theft and other criminal activity. Furthermore, the sale of API access to Oracle’s cloud platform could give other malicious actors the ability to carry out attacks on an even larger scale, harming enterprise customers and critical infrastructure.
Faced with these threats, it is imperative to act quickly and decisively. Some key measures include:
- Monitor dark web forums: Track activity linked to these claims to detect developments and imminent risks.
- Verify the authenticity of the claims: Work with security experts to identify the vulnerabilities and immediately limit their impact.
- Protect customers and end users: Communicate transparently and offer support to those who may have been affected.
- Carry out in-depth audits: Strengthen the security of Oracle systems and of business partners through rigorous checks and updates.
This malicious actor’s claims are not just a warning sign but a genuine call to action. Oracle and the companies involved must react urgently, adopting preventive and corrective measures to protect their systems and their users’ privacy.
As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be glad to publish such information in a dedicated article giving prominence to the issue.
RHC will monitor the evolution of the matter so as to publish further news on the blog, should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.
The article Global-Scale Hacker Attack: Oracle and Public Health in the Crosshairs originates from il blog della sicurezza informatica.
FLOSS Weekly Episode 811: Elixir & Nerves – Real Embedded Linux
This week, Jonathan Bennett and Lars Wikman chat about Elixir and Nerves — a modern language that’s a take on Erlang, and an embedded Linux approach for running Elixir code on devices.
- underjord.io/feed/
- elixir-lang.org/
- nerves-project.org/
- Introducing Elixir and the ecosystem from Oredev 2023
- Introducing Nerves from Oredev 2024 (just released)
- The Soul of Erlang & Elixir, by Sasa Juric
Subscribe to catch the show live, and come to Hackaday for the rest of the story!
Did you know you can watch the live recording of the show right on our YouTube channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License