Friendica Social Network

🇺🇦 🇷🇺 A unit from #Ukraine's Special Operations Forces, in cooperation with the resistance movement Chornaya Iskra (Black Spark), has carried out a special operation that resulted in the striking of two Russian vessels transporting weapons and military equipment.

pravda.com.ua/eng/news/2025/12…

Ukrainian special forces and underground resistance movement hit two Russian vessels in Caspian Sea

A unit from Ukraine's Special Operations Forces, in cooperation with the resistance movement Chornaya Iskra (Black Spark), has carried out a special operation that resulted in the striking of two Russian vessels transporting weapons and military equi…

^{VALENTYNA ROMANENKO (Ukrainska Pravda)}

#ukraine

Russia-Ukraine Daily News

2 mesi fa • •

Russia-Ukraine Daily News
2 mesi fa • •

🇷🇺🛢️📉 Russian state oil and gas revenue is likely to almost halve in December compared with a year ago to 410 billion roubles ($5.17 billion) as a result of lower crude prices and a stronger rouble, Reuters calculations showed on Friday.

reuters.com/business/energy/ru…

#russia

kravietz 🦇

2 mesi fa • •

kravietz 🦇
2 mesi fa • •

#Italy #renewables

Italy awarded more than 1.1 gigawatts of capacity to 88 projects in its first auction exclusively for solar projects built without equipment manufactured in #China, setting an average price of 66.38 euros per megawatt hour.
The tariff is 17% higher than the average price for a renewable auction earlier this year that had no restrictions on equipment origin, according to data from Italy’s electricity services agency (GSE).

Also, this is also a great case study for all the “#CBAM will kill EU industry” horror stories…

reuters.com/sustainability/boa…

#italy #china #renewables

stefania maurizi

2 mesi fa • •

stefania maurizi
2 mesi fa • •

personalmente, non ricordo di aver mai visto in tempi recenti un attacco sguaiato e imbarazzante agli #studenti italiani come quello di ieri della ministra #AnnaMariaBernini:

ilfattoquotidiano.it/2025/12/1…

“Siete sempre dei poveri comunisti”, la ministra Bernini contro gli studenti di Medicina che la…

I democratici parlano di comportamento “grave e sconcertante” per chi ricopre un ruolo istituzionale, mentre i Cinque Stelle denunciano “l’uso di slogan d’altri tempi per eludere le criticità” e accusano il governo di smantellare l’università pubblic…

^{Redazione Cronaca (Il Fatto Quotidiano)}

#studenti #annamariabernini

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

🇺🇦 Ukraine’s Special Operations Forces, in coordination with the insurgent group “Black Spark,” conducted a targeted operation in the Caspian Sea, striking two Russian vessels, Kompozitor Rakhmaninov and Askar-Saridja, allegedly used for military logistics. Rebel intel enabled the precision strike.

stefania maurizi

2 mesi fa • •

stefania maurizi
2 mesi fa • •

totalmente condivisibile l'editoriale di #MarcoTravaglio su famiglia #Berlusconi, #FI e ministro #Tajani

Da leggere:

ilfattoquotidiano.it/in-edicol…

Taja’, nun ce lassà

Leggi su Il Fatto Quotidiano l'articolo in edicola "Taja’, nun ce lassà" pubblicato il 12 Dicembre 2025 a firma di Marco Travaglio

^{Marco Travaglio (Il Fatto Quotidiano)}

#Berlusconi #marcotravaglio #tajani #fi

воля

2 mesi fa • •

воля
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

The AFU has successfully blocked Russian forces in Kupyansk and cleared the entire northwest outskirts of the city following a sustained operation. After establishing a blocking line, Ukrainian units quickly secured Radkivka and Kindrashivka and brought Holubivka under fire control before clearing Mirne and the northwest approaches to Kupyansk, Deepstate confirms. We were also already quite positive. but a bit more conservative on the outcome, but this now seems to be confirmed.

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

Членство Украины в Евросоюзе неизбежно, заявила комиссар ЕС по вопросам расширения

воля

2 mesi fa • •

воля
2 mesi fa • •

"Два лиходії, одна мета": німецький Spiegel присвятив обкладинку "альянсу" Путіна і Трампа

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

ЗСУ ліквідували ще 1400 окупантів.

воля

2 mesi fa • •

воля
2 mesi fa • •

у Ярославлі, ймовірно, горить НПЗ.

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

воля

2 mesi fa • •

воля
2 mesi fa • •

Anja Wachsmuth 🇺🇦 🇮🇱

2 mesi fa • •

Anja Wachsmuth 🇺🇦 🇮🇱
2 mesi fa • •

Die Wölfin

Bis nächsten Sonntag.

Winkende Hände.

Bis nächsten Sonntag.

Winkende Hände im Schnee.

Schneeflöckchen

Sarah schlägt den Kragen hoch

Schneeflöckchen

Und macht sich auf den Weg nach Hause.

Mehr hier:

medium.com/@anwa_57537/die-w%C…

#berlin #winter #kurzgeschichte #gedicht #gedichte #lyrik #poesie

#berlin #poesie #Winter #gedicht #lyrik #Kurzgeschichte #gedichte

Unknown parent

Anja Wachsmuth 🇺🇦 🇮🇱

Unknown parent • 2 mesi fa • •

Enthält ja einen Wintersong: Schneeflöckchen, Weißröckchen wann kommst du geschneit... Alles schon gelesen? Geht auf Medium weiter. Ist zu lang für Mastodon.

Questa voce è stata modificata (2 mesi fa)

Kristie

2 mesi fa • •

Kristie
2 mesi fa • •

As I have been fully focused on the book, I’ve let photography fade a little into the background, but it was my first great love and I can’t wait to get back to it.

Here’s is a 35mm film image that captures some of the magic in the Tomnah’a polytunnels.

#Photography #FilmPhotography #35mm #Scotland #FilmIsNotDead #BelieveInFilm #Flowers

A 35mm film photograph of pale pink roses in bloom, growing in neat rows in a garden. The rose bushes are dense with flowers and buds, their dark green leaves contrasting with the soft pink petals. Behind them, tall, airy plants with delicate yellow-green seed heads and slender stems rise against a hazy blue sky. Thin garden wires and posts are visible, giving the scene a cultivated but gentle, almost dreamlike quality typical of film photography.

#photography #scotland #flowers #believeinfilm #filmphotography #35mm #filmisnotdead

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

UK Defense Minister Al Carns warns: “The shadow of war is knocking on Europe’s door.” At the launch of the new Military Intelligence Service, Carns stressed NATO must prepare for wars of necessity, not choice. Intelligence threats, mainly from Russia, Iran, and China, have surged 50% over the past year.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Exactly as expected: the Presidential Office clarified Podolyak was discussing theoretical models, not finalized decisions. French media misinterpreted his words. Territorial questions, as Zelensky affirmed, are resolved only at the highest political level, or by the Ukrainian people.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Analysis of the Yaroslavl refinery UAV strike footage confirms: Ukraine likely hit the AVT‑4 primary crude distillation unit, key to initial oil processing. The nearby VT‑6 vacuum unit was damaged earlier this year.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Russian Presidential aide Yuri Ushakov stated that Moscow has not yet seen the revised U.S. peace plan for Ukraine following Washington's consultations with Kyiv and European partners.

He emphasized that Russia may strongly oppose elements of the updated version, suggesting that the revisions could be unfavorable to Moscow.

Informa Pirata

2 mesi fa da Bleah • •

Informa Pirata
2 mesi fa da Bleah • •

VERSO LA SEMPLIFICAZIONE DI PRIVACY, CYBERSECURITY E INTELLIGENZA ARTIFICIALE

Per vedere altri post come questo, segui la comunità @Informatica (Italy e non Italy 😁)

Se a breve va in porto il cosiddetto “Omnibus Digitale”, smetteranno di lamentarsi tutti quelli che negli ultimi trent’anni non hanno digerito gli adempimenti in materia di riservatezza dei dati e più

@Informatica (Italy e non Italy)

Eugene McParland 🇺🇦

2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

President #Zelenskyy visited Kupiansk, praising soldiers for gains against russia.

He stressed battlefield success strengthens Ukraine’s diplomatic position, thanking troops: 'Glory to #Ukraine!'

#ukraine #zelenskyy

reshared this

DOXA 🏳️‍🌈🏳️‍⚧️

2 mesi fa • •

DOXA 🏳️‍🌈🏳️‍⚧️
2 mesi fa • •

Осторожно, новости!

Sensitive content

Please open Telegram to view this post

VIEW IN TELEGRAM

В Ингушетии запретили показ фильма о депортации 1944 года

Министерство культурыИнгушетии запретило проведение премьерного показа художественного фильма «Письмо» режиссера Амура Амерханова, посвященного возвращению ингуше:к на родину после сталинской депортации 1944 года. Об этом сообщила источни:ца местного издания Фортанга.

Режиссер фильма ранее получила широкое признание благодаря фильму на ингушском языке «Сайти — сын Зоули», ставшему лауреатом шестнадцати российских и международных кинофестивалей.

Что известно?

▪️ «Письмо» было снято при поддержке Министерства культуры Российской Федерации: проект Ингушской национальной киностудии получил федеральный грант, а работа над картиной завершилась в 2021 году.

▪️ Несмотря на фактический запрет в самой республике, фильм уже показали в Петербурге, Татарстане, Саха и Казахстане. Кроме того, лента была отобрана для участия в международных фестивалях, например на фестивале фильмов о правах человека Karama в Иордании.

▪️ Как отмечают источни:цы издания «Фортанга», попытки дискредитировать картину предпринимались еще на этапе ее создания. Ряд телеграм-каналов, связанных с силовыми структурами и региональными властями, критиковал фильм за трактовку роли советского государства в депортации ингуше:к и чечен:ок.

Что думают местные журналист:ки?

▪️ Отвечая на вопросы DOXA, журналистка из Ингушетии подчеркнула, что

«попытки как-то заставить людей забыть про 23 февраля довольно давно начались. Ещё при предыдущем главе Ингушетии Юнус-Беке Евкурове были ситуации, когда его администрация пыталась объединить в один день и День защитника Отечества, и память о депортации».

▪️ Журналистка вспоминает, что подобные шаги вызывали живую и жесткую реакцию общества:

«Евкурова освистывали, когда он пришел выступать и начал свою речь с упоминания Дня защитника Отечества. Но со временем все стало только хуже, особенно после начала войны в Украине».

▪️ По словам журналистки, давление всё чаще принимает институциональные формы:

«Я готовила материал, и ингушская учительница рассказала мне, что в школы пришла разнарядка: на 23 февраля нужно говорить о подвигах ингушей на СВО».

Что известно о депортации 500 тысяч ингуше:к и чечен:ок при Сталине и как власти стирают память об этих событиях — читайте на сайте DOXA

Подписаться | Поддержать нашу работу | Написать нам

В Ингушетии власти запретили показ фильма о депортации 1944 года - DOXA
Министерство культуры Республики Ингушетия запретило премьерный показ фильма «Письмо» Амура Амерханова о возвращении ингуше:к после депортации 1944 года

src: t.me/doxajournal/44818

В Ингушетии власти запретили показ фильма о депортации 1944 года

^DOXA

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Eugene McParland 🇺🇦

2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

European Commission President Ursula Von der Leyen tells Trump Europe isn’t weak, stresses need for a just, lasting peace in #Ukraine with real security guarantees, warns russian threat extends beyond #Ukraine.

politico.com/news/magazine/202…

#ukraine

reshared this

Duckbilled Plattypus.

2 mesi fa • •

Duckbilled Plattypus.
2 mesi fa • •

I dreamed about cats last night. I didn't know them. They liked cat treats. I gave them treats.The tiny orange kitten was a heroic blanket thief, he dragged large blankets off to wherever one does. The only slightly larger grey striped tabby took over our cat's heated bed. We were all perplexed but not alarmed, because they were...cats.🐈

in reply to Duckbilled Plattypus.

MadeInDex 📰🌎

in reply to Duckbilled Plattypus. • 2 mesi fa • •

what a... treat ;)

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Trump e la guerra alle leggi AI statali: standard federale o deregulation mascherata?

@Informatica (Italy e non Italy 😁)
Trump annuncia un ordine esecutivo per limitare le leggi statali sull'IA, promettendo uno standard federale che non esiste. Stati come Florida e Minnesota si oppongono. Ecco che c’è da sapere, tra criticità costituzionali e sospetti di

@Informatica (Italy e non Italy)

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Cisco fuga i dubbi sui vantaggi dell’autenticazione passwordless

@Informatica (Italy e non Italy 😁)
Cisco fa il punto sulla situazione e promuove a pieni voti l’autenticazione passwordless. Quali sono gli argomenti a favore e cosa è opportuno sapere per prendere una decisione consapevole, tenendo conto anche delle criticità
L'articolo Cisco fuga i dubbi sui vantaggi dell’autenticazione passwordless proviene da Cyber

@Informatica (Italy e non Italy)

MadeInDex 📰🌎

2 mesi fa • •

MadeInDex 📰🌎
2 mesi fa • •

📰 It's ironic when somebody starts selling the solution to a problem they were a major part of creating:

👁️ "World, the biometric ID verification project co-founded by Sam Altman...
in a world roiled by AI-generated digital fakery, it hopes to create digital “proof of human” tools that can help separate the humans from the bots."¹

¹ techcrunch.com/2025/12/11/worl…

#AI #News #Artificialintelligence #ChatGPT #Privacy #Fake #tech #it #technology #startup #samaltman #world #blockchain #article #ki #bot

World launches its 'super app,' including crypto pay and encrypted chat features | TechCrunch

Tools for Humanity, the company behind the app, is seeking to expand its "real human network."

^{Lucas Ropek (TechCrunch)}

#ai #privacy #it #technology #world #samAltman #News #tech #artificialintelligence #chatgpt #bot #blockchain #ki #startup #fake #article

in reply to MadeInDex 📰🌎

fedops 💙💛

in reply to MadeInDex 📰🌎 • 2 mesi fa • •

cuts out the middle men in the circular scam^Hbusiness model that is "ai".

in reply to MadeInDex 📰🌎

Boozy McTypo

in reply to MadeInDex 📰🌎 • 2 mesi fa • •

See Britain's justification for their digital ID scheme for another example

The Human Capybara

2 mesi fa • •

The Human Capybara
2 mesi fa • •

I finally cut the cord.

Now it's just internet and me and my bill went from $220 down to $95.
I rather use my money for donations to #PBS

#pbs

in reply to The Human Capybara

Hypolite Petovan

in reply to The Human Capybara • 2 mesi fa • •

@The Human Capybara We pay $45/month for Verizon fiOS in the city 🫣

@The Human Capybara

monumental-movement-records

2 mesi fa • •

monumental-movement-records
2 mesi fa • •

The Inorganic Heartbeat of German Techno
podbean.com/ew/pb-hud3r-19ebaa…

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

NanoRemote: il malware che trasforma il cloud in un centro di comando e controllo

Un nuovo trojan multifunzionale per Windows chiamato NANOREMOTE utilizza un servizio di archiviazione file su cloud come centro di comando, rendendo la minaccia più difficile da rilevare e offrendo agli aggressori un canale persistente per rubare dati e fornire download aggiuntivi.

La minaccia è stata segnalata da Elastic Security Labs, che ha confrontato il malware con il già noto impianto FINALDRAFT, noto anche come Squidoor, che si basa su Microsoft Graph per comunicare con gli operatori.

Entrambi gli strumenti sono associati al cluster REF7707, segnalato come CL-STA-0049, Earth Alux e Jewelbug, e attribuiti ad

... mostra di più

NanoRemote: il malware che trasforma il cloud in un centro di comando e controllo

Entrambi gli strumenti sono associati al cluster REF7707, segnalato come CL-STA-0049, Earth Alux e Jewelbug, e attribuiti ad attività di spionaggio cinese contro agenzie governative, appaltatori della difesa, società di telecomunicazioni, istituti scolastici e organizzazioni aeronautiche nel Sud-est asiatico e in Sud America.

Secondo Symantec, questo gruppo sta conducendo campagne segrete a lungo termine almeno dal 2023, tra cui un’infiltrazione durata cinque mesi in un’azienda IT in Russia. Il metodo esatto dell’infiltrazione iniziale di NANOREMOTE non è ancora stato determinato. La catena di attacco documentata utilizza il downloader WMLOADER, mascherato da componente di gestione degli arresti anomali dell’antivirus Bitdefender “BDReinit.exe“. Questo modulo decrittografa lo shellcode e lancia il payload principale: il trojan stesso.

NANOREMOTE è scritto in C++ e può raccogliere informazioni di sistema, eseguire comandi e file e trasferire dati tra il dispositivo infetto e l’infrastruttura dell’operatore tramite Google Drive . È inoltre configurato per comunicare tramite HTTP con un indirizzo IP hardcoded e non instradabile, attraverso il quale riceve attività e invia risultati. Gli scambi vengono effettuati tramite richieste POST con dati JSON, compressi tramite Zlib e crittografati in modalità AES-CBC con una chiave a 16 byte. Le richieste utilizzano un singolo percorso, “/api/client”, e la stringa di identificazione del client, “NanoRemote/1.0”.

Le principali funzionalità del Trojan sono implementate tramite un set di 22 gestori di comandi. Questi gestori gli consentono di raccogliere e trasmettere informazioni sull’host, gestire file e directory, svuotare la cache, avviare file eseguibili PE già presenti sul disco, terminare la propria operazione e caricare e scaricare file sul cloud, con la possibilità di mettere in coda, mettere in pausa, riprendere o annullare i trasferimenti.

Elastic Security Labs ha anche scoperto l’artefatto “wmsetup.log”, caricato su VirusTotal dalle Filippine il 3 ottobre 2025 e decifrato con successo dal modulo WMLOADER utilizzando la stessa chiave di crittografia.

Conteneva un impianto FINALDRAFT, a indicare uno sviluppo comune. Secondo il ricercatore principale Daniel Stepanic, l’identico loader e l’approccio unificato alla protezione del traffico sono ulteriori indicazioni di una base di codice e di un processo di build unificati per FINALDRAFT e NANOREMOTE, progettati per gestire payload diversi.

L'articolo NanoRemote: il malware che trasforma il cloud in un centro di comando e controllo proviene da Red Hot Cyber.

Lou Plummer 💖

2 mesi fa • •

Lou Plummer 💖
2 mesi fa • •

Here is 2025 in a nutshell

A screenshot of a tweet by Rev. Nenê PhD (@NeneHilarious). It reads: “You may be deciding between insulin and groceries while the CEOs decide between Paris or Barcelona, but at least that one trans girl in your state can’t play badminton anymore,” followed by a thumbs-up emoji.

Max - Poliverso 🇪🇺🇮🇹

2 mesi fa • •

(43.7697955 11.2556404)

Max - Poliverso 🇪🇺🇮🇹
2 mesi fa — (43.7697955 11.2556404) • •

Firenze oggi.

#FIOM
#CGIL
#ScioperoGenerale

#cgil #scioperogenerale #fiom

Team KeePassXC

2 mesi fa • •

Team KeePassXC
2 mesi fa • •

Earlier this year, the German BSI together with the Consumer Advice Centre NRW performed a review of 10 popular password managers. What can we say? We're happy to be one of only few to receive a very positive review without major security concerns. 🥳 We're also mentioned explicitly for being particularly privacy-friendly.

The full report (in German) can be found at bsi.bund.de/SharedDocs/Downloa… and verbraucherzentrale.nrw/wissen…

Passwortmanager im Test: IT-Sicherheit und Datenschutz im Fokus

Im Rahmen einer Kooperation zwischen der Verbraucherzentrale Nordrhein-Westfalen e. V. (VZ NRW) und dem BSI wurde im ersten Halbjahr 2025 untersucht, wie sicher und datenschutzkonform ausgewählte Passwortmanager sind.

^{Bundesamt für Sicherheit in der Informationstechnik}

in reply to Team KeePassXC

Hypolite Petovan

in reply to Team KeePassXC • 2 mesi fa • •

@Team KeePassXC Was the review done before you started accepting AI-generated code pull requests?

@Team KeePassXC

monumental-movement-records

2 mesi fa • •

monumental-movement-records
2 mesi fa • •

Experimental Folk and Psych Folk are based on acoustic instruments, ・Dissonance ・Drone ・Storytelling/reading ・Ethnic musical elements ・Electronic sounds and tape operations It is a genre that has expanded the framework of folk music by incorporating such things as folk music.

monumental-movement.jp/en/colu…

[Column] What is Experimental Folk / Psych Folk?: The intersection of acoustic and experimental music

What is Experimental Folk / Psych Folk?

^mmr

Gabriele Marcosanti

2 mesi fa • •

Gabriele Marcosanti
2 mesi fa • •

- "Chiudi gli occhi ed esprimi un desiderio."
- "Fatto."
- "Ha funzionato?"
<Apre gli occhi> "No. Ci siete ancora tutti."

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Eugene McParland 🇺🇦

2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

A new mural has appeared on the grounds of Okhmatdyt Children's Hospital, symbolizing the protection of Ukrainian children during wartime.

It was created by Ukrainian artist Andrii Yermolenko, the author of many well-known social projects.

The central image is a boy with an IV drip and a cat with an umbrella, protecting the child from the threat of missiles.

This image has special significance for Okhmatdyt, as the hospital survived a rocket attack in July 2024.

reshared this

Eugene McParland 🇺🇦

2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

Ukraine’s Unmanned Systems Forces (SBS) say they destroyed russian infantry numbers equivalent to two battalions in just two days in Donetsk Oblast

The figures were reported by SBS commander Robert “Madyar” Brovdi in public posts on social media.

euromaidanpress.com/2025/12/12…

reshared this

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Redhotcyber

2 mesi fa • •

Redhotcyber
2 mesi fa • •

Ogni giorno parliamo di progresso, tecnologia e futuro. Ma sapete chi è il signore sulla destra?

Scopri di più su Claude Shannon nell'articolo di Carlo Denza: redhotcyber.com/post/shannon-p…

#redhotcyber #storia #informatica #it #web #ai #hacking #privacy #cybersecurity #Innovazione #Tecnologia #StoriaDellaTecnologia #Riconoscimento #Pionieri #Innovazione #Informatica #PionieriDigitali

Shannon: Padre della crittografia e fondatore dell’era dell’informazione

Chi ha come mission, occuparsi di sicurezza informatica e quindi anche di crittografia, deve necessariamente passare attraverso le figure di due giganti dello scorso secolo. Parliamo di: Alan Turing e Claude Elwood Shannon.

^{Carlo Denza (Red Hot Cyber)}

#ai #privacy #redhotcyber #it #hacking #cybersecurity #storia #web #informatica #tecnologia #innovazione #storiadellatecnologia #riconoscimento #pionieri #pionieridigitali

nilocram

2 mesi fa • •

nilocram
2 mesi fa • •

12 dicembre Una valigia piena di foto e documenti per ricordare la strage di piazza Fontana a Milano il 12 dicembre 1969 Installazione creata dall'ANPI di Cinisello Balsamo

#12dicembre1969 #PiazzaFontana #ANPI #antifascismo #CiniselloBalsamo #storia #memoria #Milano

@scuola
@wikimediaitalia
@Puntopanto
@lindasartini
@RFancio
@johannesBuckler

Un pannelo che raccoglie foto e documenti per ricordare la strage di piazza Fontana del 12 dicembre1969 in piazaa del Salto a Cinisello Balsamo

#anpi #storia #memoria #antifascismo #milano #Piazzafontana #cinisellobalsamo #12dicembre1969 @Scuola - Gruppo Forum @Wikimedia Italia @RFanciola @Linda Sartini @Johannes Buckler @Puntopanto

securityaffairs

2 mesi fa • •

securityaffairs
2 mesi fa • •

Elastic detects stealthy #NANOREMOTE #malware using #Google #Drive as C2
securityaffairs.com/185613/mal…
#securityaffairs #hacking

Elastic detects stealthy NANOREMOTE malware using Google Drive as C2

Elastic found a new Windows backdoor, NANOREMOTE, similar to FINALDRAFT/REF7707, using the Google Drive API for C2.

^{Pierluigi Paganini (Security Affairs)}

#hacking #malware #google #drive #securityaffairs #nanoremote

Gabriele Marcosanti

2 mesi fa • •

Gabriele Marcosanti
2 mesi fa • •

Penso che questa cosa che gli alberi danno ossigeno proprio a tutti debba essere messa in discussione.

Andrea Bettini

2 mesi fa • •

Andrea Bettini
2 mesi fa • •

Si avvicina il picco delle Geminidi, le stelle cadenti di Dicembre. Culmine fra domani e dopodomani
sorvegliatispaziali.inaf.it/no…

Notti di meteore - dicembre 2025 | Sorvegliati Spaziali

Pronti a puntare gli occhi al cielo? Ecco gli sciami di meteore principali del mese con indicazioni della loro visibilità e qualche curiosità. Il principale ...

^{Daria (Sorvegliati Spaziali)}

Michael 🇺🇦

2 mesi fa • •

Michael 🇺🇦
2 mesi fa • •

Ein passendes Zitat zu den "hocheffiziente Verbrennern":

Jetzt können wir hocheffiziente Verbrenner versuchen, weiter zu entwickeln und zu verkaufen, ähnlich wie wir im Moment natürlich auch hocheffiziente Faxgeräte verkaufen könnten. Aber das hilft der Wettbewerbsfähigkeit natürlich nicht.

EU: Aus vom Verbrenner-Aus wird Autoindustrie nicht retten

^{Deutschlandfunk Nova}

Questa voce è stata modificata (2 mesi fa)

like this

in reply to Michael 🇺🇦

Susanne Lilith

in reply to Michael 🇺🇦 • 2 mesi fa • •

Und der Staat, also wir, darf nachher die Autoindustrie retten, deren Verluste zahlen ebenso wie Geld geben für neue Forschungen. Weil die selber ja keinen Cent besitzen.

in reply to Michael 🇺🇦

Elias Schwerdtfeger

in reply to Michael 🇺🇦 • 2 mesi fa • •

Immer, wenn ich »hocheffiziente Verbrenner« lese, muss ich unwillkürlich an diesen Hochleistungsgeldverbrenner Jens Spahn (CDU) denken, der gerade den Fraktionsvorsitz der C-Parteien innehat.

(Dass der nicht wegen Untreue in einem besonders schweren Fall vor Gericht steht! So schade, dass der Knast nur für Schwarzfahrer gedacht ist.)

M-J-Revenge ✮☮★━NOK 4 U 2━★☮✮ likes this.

Redhotcyber

2 mesi fa • •

Redhotcyber
2 mesi fa • •

NanoRemote: il malware che trasforma il cloud in un centro di comando e controllo

📌 Link all'articolo : redhotcyber.com/post/nanoremot…

#redhotcyber #news #cybersecurity #hacking #malware #trojan #nanoremote #ref7707 #spionaggiocinese

NanoRemote: il malware che trasforma il cloud in un centro di comando e controllo

Scopri il nuovo Trojan NANOREMOTE per Windows, che utilizza un servizio cloud come centro di comando nascosto per rubare dati e fornire download aggiuntivi.

^{Redazione RHC (Red Hot Cyber)}

#redhotcyber #hacking #cybersecurity #malware #News #Trojan #nanoremote #ref7707 #spionaggiocinese

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Following the digital trail: what happens to data stolen in a phishing attack

Introduction

A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a commodity and enters the shadow market conveyor belt.

In this article, we trace the path of the stolen data, starting from its collection through various tools – such as Telegram bots and advanced administration panels – to the sale of that data and its subsequent reuse in new attacks. We examine how a once leaked username and password become part of a massive digital dossier and why cybercriminals can leverage even old leaks for targeted attacks, sometimes years after the initial data breach.

Data harvesting mechanisms in phishing at

... mostra di più

Following the digital trail: what happens to data stolen in a phishing attack

Introduction

Data harvesting mechanisms in phishing attacks

Before we trace the subsequent fate of the stolen data, we need to understand exactly how it leaves the phishing page and reaches the cybercriminals.

By analyzing real-world phishing pages, we have identified the most common methods for data transmission:

Send to an email address.
Send to a Telegram bot.
Upload to an administration panel.

It also bears mentioning that attackers may use legitimate services for data harvesting to make their server harder to detect. Examples include online form services like Google Forms, Microsoft Forms, etc. Stolen data repositories can also be set up on GitHub, Discord servers, and other websites. For the purposes of this analysis, however, we will focus on the primary methods of data harvesting.

Email

Data entered into an HTML form on a phishing page is sent to the cybercriminal’s server via a PHP script, which then forwards it to an email address controlled by the attacker. However, this method is becoming less common due to several limitations of email services, such as delivery delays, the risk of the hosting provider blocking the sending server, and the inconvenience of processing large volumes of data.

As an example, let’s look at a phishing kit targeting DHL users.

Phishing kit contents

The index.php file contains the phishing form designed to harvest user data – in this case, an email address and a password.

Phishing form imitating the DHL website

The data that the victim enters into this form is then sent via a script in the next.php file to the email address specified within the mail.php file.

Contents of the PHP scripts

Telegram bots

Unlike the previous method, the script used to send stolen data specifies a Telegram API URL with a bot token and the corresponding Chat ID, rather than an email address. In some cases, the link is hard-coded directly into the phishing HTML form. Attackers create a detailed message template that is sent to the bot after a successful attack. Here is what this looks like in the code:

Code snippet for data submission

Compared to sending data via email, using Telegram bots provides phishers with enhanced functionality, which is why they are increasingly adopting this method. Data arrives in the bot in real time, with instant notification to the operator. Attackers often use disposable bots, which are harder to track and block. Furthermore, their performance does not depend on the quality of phishing page hosting.

Automated administration panels

More sophisticated cybercriminals use specialized software, including commercial frameworks like BulletProofLink and Caffeine, often as a Platform as a Service (PaaS). These frameworks provide a web interface (dashboard) for managing phishing campaigns.

Data harvested from all phishing pages controlled by the attacker is fed into a unified database that can be viewed and managed through their account.

Sending data to the administration panel

These admin panels are used for analyzing and processing victim data. The features of a specific panel depend on the available customization options, but most dashboards typically have the following capabilities:

Sorting of real-time statistics: the ability to view the number of successful attacks by time and country, along with data filtering options
Automatic verification: some systems can automatically check the validity of the stolen data like credit cards and login credentials
Data export: the ability to download the data in various formats for future use or sale

Example of an administration panel

Admin panels are a vital tool for organized cybercriminals.

One campaign often employs several of these data harvesting methods simultaneously.

Sending stolen data to both an email address and a Telegram bot

The data cybercriminals want

The data harvested during a phishing attack varies in value and purpose. In the hands of cybercriminals, it becomes a method of profit and a tool for complex, multi-stage attacks.

Stolen data can be divided into the following categories, based on its intended purpose:

Immediate monetization: the direct sale of large volumes of raw data or the immediate withdrawal of funds from a victim’s bank account or online wallet.
- Banking details: card number, expiration date, cardholder name, and CVV/CVC.
- Access to online banking accounts and digital wallets: logins, passwords, and one-time 2FA codes.
- Accounts with linked banking details: logins and passwords for accounts that contain bank card details, such as online stores, subscription services, or payment systems like Apple Pay or Google Pay.
Subsequent attacks for further monetization: using the stolen data to conduct new attacks and generate further profit.
- Credentials for various online accounts: logins and passwords. Importantly, email addresses or phone numbers, which are often used as logins, can hold value for attackers even without the accompanying passwords.
- Phone numbers, used for phone scams, including attempts to obtain 2FA codes, and for phishing via messaging apps.
- Personal data: full name, date of birth, and address, abused in social engineering attacks
Targeted attacks, blackmail, identity theft, and deepfakes.
- Biometric data: voice and facial projections.
- Scans and numbers of personal documents: passports, driver’s licenses, social security cards, and taxpayer IDs.
- Selfies with documents, used for online loan applications and identity verification.
- Corporate accounts, used for targeted attacks on businesses.

We analyzed phishing and scam attacks conducted from January through September 2025 to determine which data was most frequently targeted by cybercriminals. We found that 88.5% of attacks aimed to steal credentials for various online accounts, 9.5% targeted personal data (name, address, and date of birth), and 2% focused on stealing bank card details.

Distribution of attacks by target data type, January–September 2025 (download)

Selling data on dark web markets

Except for real-time attacks or those aimed at immediate monetization, stolen data is typically not used instantly. Let’s take a closer look at the route it takes.

Sale of data dumps
Data is consolidated and put up for sale on dark web markets in the form of dumps: archives that contain millions of records obtained from various phishing attacks and data breaches. A dump can be offered for as little as $50. The primary buyers are often not active scammers but rather dark market analysts, the next link in the supply chain.
Sorting and verification
Dark market analysts filter the data by type (email accounts, phone numbers, banking details, etc.) and then run automated scripts to verify it. This checks validity and reuse potential, for example, whether a Facebook login and password can be used to sign in to Steam or Gmail. Data stolen from one service several years ago can still be relevant for another service today because people tend to use identical passwords across multiple websites. Verified accounts with an active login and password command a higher price at the point of sale.
Analysts also focus on combining user data from different attacks. Thus, an old password from a compromised social media site, a login and password from a phishing form mimicking an e-government portal, and a phone number left on a scam site can all be compiled into a single digital dossier on a specific user.

Selling on specialized markets
Stolen data is typically sold on dark web forums and via Telegram. The instant messaging app is often used as a storefront to display prices, buyer reviews, and other details.

Offers of social media data, as displayed in Telegram

The prices of accounts can vary significantly and depend on many factors, such as account age, balance, linked payment methods (bank cards, online wallets), 2FA authentication, and service popularity. Thus, an online store account may be more expensive if it is linked to an email, has 2FA enabled, and has a long history, with a large number of completed orders. For gaming accounts, such as Steam, expensive game purchases are a factor. Online banking data sells at a premium if the victim has a high account balance and the bank itself has a good reputation.

The table below shows prices for various types of accounts found on dark web forums as of 2025*.

Category	Price	Average price
Crypto platforms	$60–$400	$105
Banks	$70–$2000	$350
E-government portals	$15–$2000	$82.5
Social media	$0.4–$279	$3
Messaging apps	$0.065–$150	$2.5
Online stores	$10–$50	$20
Games and gaming platforms	$1–$50	$6
Global internet portals	$0.2–$2	$0.9
Personal documents	$0.5–$125	$15

*Data provided by Kaspersky Digital Footprint Intelligence

High-value target selection and targeted attacks
Cybercriminals take particular interest in valuable targets. These are users who have access to important information: senior executives, accountants, or IT systems administrators.
Let’s break down a possible scenario for a targeted whaling attack. A breach at Company A exposes data associated with a user who was once employed there but now holds an executive position at Company B. The attackers analyze open-source intelligence (OSINT) to determine the user’s current employer (Company B). Next, they craft a sophisticated phishing email to the target, purportedly from the CEO of Company B. To build trust, the email references some facts from the target’s old job – though other scenarios exist too. By disarming the user’s vigilance, cybercriminals gain the ability to compromise Company B for a further attack.
Importantly, these targeted attacks are not limited to the corporate sector. Attackers may also be drawn to an individual with a large bank account balance or someone who possesses important personal documents, such as those required for a microloan application.

Takeaways

The journey of stolen data is like a well-oiled conveyor belt, where every piece of information becomes a commodity with a specific price tag. Today, phishing attacks leverage diverse systems for harvesting and analyzing confidential information. Data flows instantly into Telegram bots and attackers’ administration panels, where it is then sorted, verified, and monetized.

It is crucial to understand that data, once lost, does not simply vanish. It is accumulated, consolidated, and can be used against the victim months or even years later, transforming into a tool for targeted attacks, blackmail, or identity theft. In the modern cyber-environment, caution, the use of unique passwords, multi-factor authentication, and regular monitoring of your digital footprint are no longer just recommendations – they are a necessity.

What to do if you become a victim of phishing

If a bank card you hold has been compromised, call your bank as soon as possible and have the card blocked.
If your credentials have been stolen, immediately change the password for the compromised account and any online services where you may have used the same or a similar password. Set a unique password for every account.
Enable multi-factor authentication in all accounts that support this.
Check the sign-in history for your accounts and terminate any suspicious sessions.
If your messaging service or social media account has been compromised, alert your family and friends about potential fraudulent messages sent in your name.
Use specialized services to check if your data has been found in known data breaches.
Treat any unexpected emails, calls, or offers with extreme vigilance – they may appear credible because attackers are using your compromised data.

securelist.com/what-happens-to…

Gabriele Marcosanti

2 mesi fa • •

Gabriele Marcosanti
2 mesi fa • •

Siete sempre che vi lamentate come delle signorine.
A che cosa pensate serva il contributo di 2€ sui pacchi di valore fino a 150€?
Le vacanze del Ministro del Ritardo mica si pagano da sole! Dai, su!

Catalin Cimpanu

2 mesi fa • •

Catalin Cimpanu
2 mesi fa • •

-EU has a problem attracting and retaining cyber talent
-Coupang CEO resigns following breach
-NoName057 and CARR member charged in the US
-Chrome and Gogs zero-days
-UK sanctions Chinese hacking firms
-Coupang hacker was a cyber employee
-Petco takes down leaky Vetco site
-UK fines LastPass over breach
-Ransomware at HSE Ireland, again
-Russia denies military registry hack
-New PowerShell security feature

Newsletter: news.risky.biz/risky-bulletin-…
Podcast: risky.biz/RBNEWS507/

EU has a problem attracting and retaining cyber talent

In other news: Coupang CEO resigns following breach; NoName057 and CARR member charged in the US; Chrome and Gogs zero-days.

^{Catalin Cimpanu (Risky.Biz)}

informapirata ⁂

2 mesi fa • •

informapirata ⁂
2 mesi fa • •

In view of Trump's third term, it was necessary to replace #Calibri with Times New Roman. It would have been awkward to write "Ill term" instead of "III term."

apnews.com/article/rubio-state…

#calibri

reshared this

in reply to informapirata ⁂

Gianmarco Gargiulo

in reply to informapirata ⁂ • 2 mesi fa • •

Calibri mi è sempre stato sulle palle quando usavo ancora Microsoft Office, troppo stondato...

in reply to Gianmarco Gargiulo

informapirata ⁂

in reply to Gianmarco Gargiulo • 2 mesi fa • •

@gianmarcogg03 suvvia, è un gran bel font. Le stondature sono una trovata geniale per compensano la perdita di eleganza delle "grazie" tipiche dei caratteri con grazie.
E comunque tornare ai caratteri con grazie è assurdo: per prima cosa hanno davvero stufato, poi si leggono oggettivamente meno e poi il Times New Roman fa proprio cagare!

@Gianmarco Gargiulo

in reply to informapirata ⁂

Fabrizio

in reply to informapirata ⁂ • 2 mesi fa • •

@gianmarcogg03 il times è brutto ma le grazie sono utili a leggere lunghi documenti.

Riprendo il discorso che ho fatto altrove sullo stesso argomento, ma lo sintetizzo.
Se si vuole usare un font senza grazie e restare in M$ allora c'è Aptos. Altrimenti l'Aktinson Hyperlegibile, non sarà bellissimo ma è di una leggibilità assurda e non impazzisci a distinguere le l dalle I.

@Gianmarco Gargiulo

informapirata ⁂ reshared this.

Unknown parent

informapirata ⁂

Unknown parent • 2 mesi fa • •

@elettrona Ormai dovrebbe essere chiaro dagli anni '30 che una bella grattata di abilismo dà sempre grandi soddisfazioni ai patrioti!
E poi, in vista del terzo mandato di Trump, era necessario sostituire il Calibri con il Times New Roman: sarebbe stato imbarazzante confondere "Ill term" con "III term".

@Elena Brescacin

informapirata ⁂

2 mesi fa • •

informapirata ⁂
2 mesi fa • •

Benvenuti alla guida per vivere senza DRM

Questa guida elenca tutti i fornitori di supporti digitali che forniscono file privi di #DRM e non richiedono l'uso di software proprietario. I fornitori che offrono supporti o opzioni senza DRM saranno accettati se distinguono tra file privi di DRM e file con DRM.

NB: alcuni fornitori potrebbero promuovere software non libero.

defectivebydesign.org/guide

@informatica

Grazie a @dogzilla per la segnalazione

Guide to DRM-Free Living | Defective by Design

^{www.defectivebydesign.org}

#drm @Informatica (Italy e non Italy) @dogzilla

Questa voce è stata modificata (2 mesi fa)

reshared this

securityaffairs

2 mesi fa • •

securityaffairs
2 mesi fa • •

U.S. #CISA adds an #OSGeo #GeoServer flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com/185604/hac…
#securityaffairs #hacking

U.S. CISA adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog.

^{Pierluigi Paganini (Security Affairs)}

#hacking #cisa #securityaffairs #geoserver #osgeo

Dario$

2 mesi fa • •

Dario$
2 mesi fa • •

Gli Elkann stanno massacrando #Torino e l' #italia. Persone piccole, menefreghiste, egoiste, senza dignità. Si vendono anche il culo, e lo vendono senza avere alcun interesse che non siano i soldi. Gli agnelli hanno fatto grande Torino, gli Elkann la stanno distruggendo.

#italia #Torino

Devol ⁂

2 mesi fa • •

Devol ⁂
2 mesi fa • •

💸 Al Fediverso: se la vostra istanza è gestita da volontari o da un’associazione noprofit, questo è il momento giusto per dare una mano!

Il #Fediverso non vive di pubblicità, non vive di algoritmi tossici: vive delle persone che lo usano

Mentre il web è sempre più invivibile noi qui siamo in un'oasi perché qualcuno paga server, manutenzione, sicurezza, tempo al posto vostro.

👉 Se usate i sevizi devol potete dare una mano direttamente da qui:
it.liberapay.com/devol

Pubblicato su: @fediverso

L'immagine mostra una scena invernale disegnata in uno stile cartone animato. Sulla destra c'è Snoopy con indosso un cappello da Babbo Natale rosso e un completo da Babbo Natale rosso e bianco. Il cane ha la barba bianca ed è in piedi con la mano destra alzata che tiene una campana dorata. Sulla sinistra c'è una sezione di un camino in mattoni rossi. Il terreno sotto è coperto da una superficie ondulata bianca che assomiglia alla neve.

Profilo di devol - Liberapay

Devol è una piattaforma creata da attivisti del software libero e della privacy che fornisce servizi online basati sui principi di libertà, riservatezza, federazione e …

^Liberapay

#fediverso @Fediverso - social federati indipendenti

Questa voce è stata modificata (2 mesi fa)

filippodb ⁂ reshared this.

Stefano Tartarotti

2 mesi fa • •

Stefano Tartarotti
2 mesi fa • •

Il 12 dicembre di 56 anni fa, una bomba esplodeva nella Banca Nazionale Dell'Agricoltura di Piazza Fontana a Milano.
La valigetta, contenente l'ordigno e lasciata sotto a un tavolino, aprì uno squarcio nel pavimento, uccise 17 persone e ne ferì 87.
La strage fu compiuta da terroristi di estrema destra, con sospette complicità e depistaggi di parti deviate dello Stato.
Mandanti ed esecutori sono rimasti impuniti.
#stragedipiazzaFontana #TerrorismoNero #PiazzaFontana #12dicembre1969 #Milano

#milano #Piazzafontana #stragedipiazzafontana #TerrorismoNero #12dicembre1969

informapirata ⁂

2 mesi fa • •

informapirata ⁂
2 mesi fa • •

Il tuo governo di chiede SPID per vedere porno? i siti pubblici USA te lo mettono a disposizione gratuitamente. Ecco la guida definitiva per scovare porno di bassa qualità sui siti della PA statunitense

Decine di siti web governativi e universitari appartenenti a città, paesi ed enti pubblici in tutto il paese ospitano PDF che promuovono app pornografiche basate sull'intelligenza artificiale, siti pornografici e truffe sulle criptovalute.

404media.co/porn-is-being-inje…

@pirati

Porn Is Being Injected Into Government Websites Via Malicious PDFs

Dozens of government websites have fallen victim to a PDF-based SEO scam, while others have been hijacked to sell sex toys.

^{Jason Koebler (404 Media)}

@Pirati Europei

reshared this

Unknown parent

informapirata ⁂

Unknown parent • 2 mesi fa • •

@Gianlu hai ragione, ma in effetti non lo ricordavo nemmeno più 🤣

@Gianlu ⁂ 🇮🇹 🇪🇺

Unknown parent

versodiverso

Unknown parent • 2 mesi fa • •

@Gianlu Per qualche settimana quel sito ha avuto un'utilità 🤣
@informapirata

@informapirata ⁂ @Gianlu ⁂ 🇮🇹 🇪🇺

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Hungarian PM Viktor Orbán denounced the EU’s planned move to extend the freeze on Russian assets without unanimous consent, calling it a breach of EU law and “the end of the rule of law in the European Union.” He warned the move would inflict “irreparable damage” and declared Hungary will resist what he calls a “Brusselian dictatorship.”

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Consider This Pocket Machine For Your iPhone Backups

What if you find yourself as an iPhone owner, desiring a local backup solution — no wireless tech involved, no sending off data to someone else’s server, just an automatic device-to-device file sync? Check out [Giovanni]’s ios-backup-machine project, a small Linux-powered device with an e-ink screen that backs up your iPhone whenever you plug the two together with a USB cable.

The system relies on libimobiledevice, and is written to make simple no-interaction automatic backups work seamlessly. The backup status is displayed on the e-ink screen, and at boot, it shows up owner’s information of your choice, say, a phone number — helpful if the device is ever lost. For preventing data loss, [Giovanni] recommends a small uninterruptible

... mostra di più

Ragnar Bjartur Gudmundsson

2 mesi fa • •

Ragnar Bjartur Gudmundsson
2 mesi fa • •

⚡️ WAR IN UKRAINE & RUSSIA — DEC 12, 2025 (1/2)

■ High casualties for the second day in a row; engagements slightly below average
■ Equipment losses include both an aircraft and armored vehicles (APVs and tanks)
■ Overnight attacks: double-digit, all drones, with a good interception rate; 11 locations still hit (including 3 by debris)
■ ...

📈 See dashboard for full data:
lookerstudio.google.com/s/ow6x…

Dashboard on Russia's war against Ukraine

Looker Studio turns your data into informative dashboards and reports that are easy to read, easy to share, and fully customizable.

^{Looker Studio}

in reply to Ragnar Bjartur Gudmundsson

Ragnar Bjartur Gudmundsson

in reply to Ragnar Bjartur Gudmundsson • 2 mesi fa • •

⚡️ WAR IN UKRAINE & RUSSIA — DEC 12, 2025 (2/2)

...
■ While Russia has made some advances (per Liveuamap), the 30-day average of area gains is down from the previous day
■ Fewer Russian strikes reported, but the strike ratio remains high

📈 See dashboard for full data:
lookerstudio.google.com/s/ow6x…

Dashboard on Russia's war against Ukraine

Looker Studio turns your data into informative dashboards and reports that are easy to read, easy to share, and fully customizable.

^{Looker Studio}

Tendar

2 mesi fa • •

Tendar
2 mesi fa • •

A group of German journalism students investigated the drone sightings over military installations in Western Europe and in one instance tracked it back to three commercial vessels belonging to Russian services. The cargo ships involved are the "Lauga", "HAV Dolphin" and "HAV Snapper". The vessels were caught with drones circling over them and showing most unusual movements.

Full report here:

digitaldigging.org/p/they-dron…

They Droned Back

Young journalists expose Russian-linked vessels circling off the Dutch and German coast

^{Henk van Ess (Digital Digging with Henk van Ess)}

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

🤝 Ukraine will receive around $5 billion worth of military equipment from U.S. stockpiles by the end of the year through the PURL program. This includes air defense systems, ammunition, and critical spare parts. The funding will come from EU allies, Canada, Australia, and New Zealand, said NATO Deputy Sec Gen Radmila Šekerinska.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

At the moment it is clear that an explosion occurred at the Orsk Mechanical Plant, which produces components for Russia’s military-industrial complex. The cause is unknown, but one can guess.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Additional footage from Orsk. Lots of smoke is visible.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Le Monde claims Ukraine is ready to accept a demilitarized zone in Donbas as a major concession. But this is misleading—Kyiv rejects any plan where only its troops withdraw or territory is ceded unilaterally. Ukraine supports a mutual pullback under international oversight, not a one-sided concession.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Slovakia will not take part in plans that only prolong suffering and death, Slovak Prime Minister Robert Fico says.

He announced he will not support any European Council decision that would fund Ukraine’s military costs. Fico has sent a letter to European Council President António Costa opposing the European Commission’s proposals to meet Ukraine’s 2026–2027 financing needs, including using frozen Russian assets.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Reports indicate a mechanical plant is burning in Orsk, Orenburg Oblast, Russia. Local residents reported a loud explosion overnight.‎

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Ukrainian drones struck Russia’s Slavneft-Yanos oil refinery in Yaroslavl overnight, one of the country’s largest, processing over 15M tons of oil annually.

The strike triggered multiple explosions and a major fire. FSB has cordoned off the site, while traffic in Yaroslavl hit a near standstill.

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

🇺🇸 Trump says the US is ready to join a “security agreement” for Ukraine, including providing air support and other forms of assistance. He claimed that both sides were “very close” to a deal, and suggested that Zelensky was resisting, even though his own team supported it. Trump added that “a peace agreement is complicated, like a very tough real estate deal multiplied by a thousand.”

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Russia launched 80 drones overnight on Dec 12, including ~50 Shaheds, from multiple directions in Russia and occupied Crimea. Ukrainian air defenses downed or suppressed 64 UAVs using jets, SAMs, EW, and mobile fire groups. 12 drones struck 8 sites; debris fell in 3 areas

Russia-Ukraine Daily News

2 mesi fa • •

Russia-Ukraine Daily News
2 mesi fa • •

🇺🇦 🇷🇺 #Russia’s Slavneft-YANOS oil refinery in Yaroslavl, one of the country’s five largest, is reportedly on fire after being struck in an overnight drone attack on Dec. 12, officials and local Telegram channels said.

kyivindependent.com/yaroslavl-…

#ukraine

Drone attack reportedly hits one of Russia’s largest oil refineries in Yaroslavl, setting it on fire

Russia’s Slavneft-YANOS oil refinery in Yaroslavl, one of the country’s five largest, is reportedly on fire after being struck in an overnight drone attack on Dec. 12, officials and local Telegram channels said.

^{Sonya Bandouil (The Kyiv Independent)}

#ukraine #russia

NOELREPORTS 🇪🇺 🇺🇦

2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Russian losses per 12/12/25 reported by the Ukrainian General Staff

+1400 men
+2 tanks
+6 ACVs
+16 artillery
+1 aircraft
+253 UAVs
+2 cruise missiles

Ulfh3dnar

2 mesi fa • •

Ulfh3dnar
2 mesi fa • •

Sensitive content

#ukraine #russia #UkraineRussiaWar #war

in reply to Ulfh3dnar

Ulfh3dnar

in reply to Ulfh3dnar • 2 mesi fa • •

Sensitive content

#ukraine #russia #UkraineRussiaWar #war

Ulfh3dnar

2 mesi fa • •

Ulfh3dnar
2 mesi fa • •

Sensitive content

#ukraine #russia #usa #UkraineRussiaWar #donaldtrump

Eugene McParland 🇺🇦

2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

Donald #Trump wants a Europe in chaos - a sure sign for Britain to shore up its democracy

by Polly Toynbee

With the US threatening to support 'patriotic' parties here, we need better defences, starting with tough new rules about political donations

theguardian.com/commentisfree/…

Donald Trump wants a Europe in chaos – a sure sign for Britain to shore up its democracy

With the US threatening to support ‘patriotic’ parties here, we need better defences, starting with tough new rules about political donations, says Guardian columnist Polly Toynbee

^{Polly Toynbee (The Guardian)}

#trump

reshared this

Cybersecurity & cyberwarfare

2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Turn me on, turn me off: Zigbee assessment in industrial environments

We all encounter IoT and home automation in some form or another, from smart speakers to automated sensors that control water pumps. These services appear simple and straightforward to us, but many devices and protocols work together under the hood to deliver them.

One of those protocols is Zigbee. Zigbee is a low-power wireless protocol (based on IEEE 802.15.4) used by many smart devices to talk to each other. It’s common in homes, but is also used in industrial environments where hundreds or thousands of sensors may coordinate to support a process.

There are many guides online about performing security assessments of Zigbee. Most focus on the Zigbee you see in home setups. They often skip the Zigbee used at industrial sites, what I call ‘non-public’ or ‘industrial’ Zigbee.

In this blog, I will take you on a journey through Zigbe

... mostra di più

Turn me on, turn me off: Zigbee assessment in industrial environments

In this blog, I will take you on a journey through Zigbee assessments. I’ll explain the basics of the protocol and map the attack surface likely to be found in deployments. I’ll also walk you through two realistic attack vectors that you might see in facilities, covering the technical details and common problems that show up in assessments. Finally, I will present practical ways to address these problems.

Zigbee introduction

Protocol overview

Zigbee is a wireless communication protocol designed for low-power applications in wireless sensor networks. Based on the IEEE 802.15.4 standard, it was created for short-range and low-power communication. Zigbee supports mesh networking, meaning devices can connect through each other to extend the network range. It operates on the 2.4 GHz frequency band and is widely used in smart homes, industrial automation, energy monitoring, and many other applications.

You may be wondering why there’s a need for Zigbee when Wi-Fi is everywhere? The answer depends on the application. In most home setups, Wi-Fi works well for connecting devices. But imagine you have a battery-powered sensor that isn’t connected to your home’s electricity. If it used Wi-Fi, its battery would drain quickly – maybe in just a few days – because Wi-Fi consumes much more power. In contrast, the Zigbee protocol allows for months or even years of uninterrupted work.

Now imagine an even more extreme case. You need to place sensors in a radiation zone where humans can’t go. You drop the sensors from a helicopter and they need to operate for months without a battery replacement. In this situation, power consumption becomes the top priority. Wi-Fi wouldn’t work, but Zigbee is built exactly for this kind of scenario.

Also, Zigbee has a big advantage if the area is very large, covering thousands of square meters and requiring thousands of sensors: it supports thousands of nodes in a mesh network, while Wi-Fi is usually limited to hundreds at most.

There are lots more ins and outs, but these are the main reasons Zigbee is preferred for large-scale, low-power sensor networks.

Since both Zigbee and IEEE 802.15.4 define wireless communication, many people confuse the two. The difference between them, to put it simply, concerns the layers they support. IEEE 802.15.4 defines the physical (PHY) and media access control (MAC) layers, which basically determine how devices send and receive data over the air. Zigbee (as well as other protocols like Thread, WirelessHART, 6LoWPAN, and MiWi) builds on IEEE 802.15.4 by adding the network and application layers that define how devices form a network and communicate.

Zigbee operates in the 2.4 GHz wireless band, which it shares with Wi-Fi and Bluetooth. The Zigbee band includes 16 channels, each with a 2 MHz bandwidth and a 5 MHz gap between channels.

This shared frequency means Zigbee networks can sometimes face interference from Wi-Fi or Bluetooth devices. However, Zigbee’s low power and adaptive channel selection help minimize these conflicts.

Devices and network

There are three main types of Zigbee devices, each of which plays a different role in the network.

Zigbee coordinator
The coordinator is the brain of the Zigbee network. A Zigbee network is always started by a coordinator and can only contain one coordinator, which has the fixed address 0x0000.
It performs several key tasks:
- Starts and manages the Zigbee network.
- Chooses the Zigbee channel.
- Assigns addresses to other devices.
- Stores network information.
- Chooses the PAN ID: a 2-byte identifier (for example, 0x1234) that uniquely identifies the network.
- Sets the Extended PAN ID: an 8-byte value, often an ASCII name representing the network.
The coordinator can have child devices, which can be either Zigbee routers or Zigbee end devices.
Zigbee router
The router works just like a router in a traditional network: it forwards data between devices, extends the network range and can also accept child devices, which are usually Zigbee end devices.
Routers are crucial for building large mesh networks because they enable communication between distant nodes by passing data through multiple hops.
Zigbee end device
The end device, also referred to as a Zigbee endpoint, is the simplest and most power-efficient type of Zigbee device. It only communicates with its parent, either a coordinator or router, and sleeps most of the time to conserve power. Common examples include sensors, remotes, and buttons.

Zigbee end devices do not accept child devices unless they are configured as both a router and an endpoint simultaneously.

Each of these device types, also known as Zigbee nodes, has two types of address:

Short address: two bytes long, similar to an IP address in a TCP/IP network.
Extended address: eight bytes long, similar to a MAC address.

Both addresses can be used in the MAC and network layers, unlike in TCP/IP, where the MAC address is used only in Layer 2 and the IP address in Layer 3.

Zigbee setup

Zigbee has many attack surfaces, such as protocol fuzzing and low-level radio attacks. In this post, however, I’ll focus on application-level attacks. Our test setup uses two attack vectors and is intentionally small to make the concepts clear.

In our setup, a Zigbee coordinator is connected to a single device that functions as both a Zigbee endpoint and a router. The coordinator also has other interfaces (Ethernet, Bluetooth, Wi-Fi, LTE), while the endpoint has a relay attached that the coordinator can switch on or off over Zigbee. This relay can be triggered by events coming from any interface, for example, a Bluetooth command or an Ethernet message.

Our goal will be to take control of the relay and toggle its state (turn it off and on) using only the Zigbee interface. Because the other interfaces (Ethernet, Bluetooth, Wi-Fi, LTE) are out of scope, the attack must work by hijacking Zigbee communication.

For the purposes of this research, we will attempt to hijack the communication between the endpoint and the coordinator. The two attack vectors we will test are:

Spoofed packet injection: sending forged Zigbee commands made to look like they come from the coordinator to trigger the relay.
Coordinator impersonation (rejoin attack): impersonating the legitimate coordinator to trick the endpoint into joining the attacker-controlled coordinator and controlling it directly.

Spoofed packet injection

In this scenario, we assume the Zigbee network is already up and running and that both the coordinator and endpoint nodes are working normally. The coordinator has additional interfaces, such as Ethernet, and the system uses those interfaces to trigger the relay. For instance, a command comes in over Ethernet and the coordinator sends a Zigbee command to the endpoint to toggle the relay. Our goal is to toggle the relay by injecting simulated legitimate Zigbee packets, using only the Zigbee link.

Sniffing

The first step in any radio assessment is to sniff the wireless traffic so we can learn how the devices talk. For Zigbee, a common and simple tool is the nRF52840 USB dongle by Nordic Semiconductor. With the official nRF Sniffer for 802.15.4 firmware, the dongle can run in promiscuous mode to capture all 802.15.4/Zigbee traffic. Those captures can be opened in Wireshark with the appropriate dissector to inspect the frames.

How do you find the channel that’s in use?

Zigbee runs on one of the 16 channels that we mentioned earlier, so we must set the sniffer to the same channel that the network uses. One practical way to scan the channels is to change the sniffer channel manually in Wireshark and watch for Zigbee traffic. When we see traffic, we know we’ve found the right channel.

After selecting the channel, we will be able to see the communication between the endpoint and the coordinator, though it will most likely be encrypted:

In the “Info” column, we can see that Wireshark only identifies packets as Data or Command without specifying their exact type, and that’s because the traffic is encrypted.

Even when Zigbee payloads are encrypted, the network and MAC headers remain visible. That means we can usually read things like source and destination addresses, PAN ID, short and extended MAC addresses, and frame control fields. The application payload (i.e., the actual command to toggle the relay) is typically encrypted at the Zigbee network/application layer, so we won’t see it in clear text without encryption keys. Nevertheless, we can still learn enough from the headers.

Decryption

Zigbee supports several key types and encryption models. In this post, we’ll keep it simple and look at a case involving only two security-related devices: a Zigbee coordinator and a device that is both an endpoint and a router. That way, we’ll only use a network encryption model, whereas with, say, mesh networks there can be various encryption models in use.

The network encryption model is a common concept. The traffic that we sniffed earlier is typically encrypted using the network key. This key is a symmetric AES-128 key shared by all devices in a Zigbee network. It protects network-layer packets (hop-by-hop) such as routing and broadcast packets. Because every router on the path shares the network key, this encryption method is not considered end-to-end.

Depending on the specific implementation, Zigbee can use two approaches for application payloads:

Network-layer encryption (hop-by-hop): the network key encrypts the Application Support Sublayer (APS) data, the sublayer of the application layer in Zigbee. In this case, each router along the route can decrypt the APS payload. This is not end-to-end encryption, so it is not recommended for transmitting sensitive data.
Link key (end-to-end) encryption: a link key, which is also an AES-128 key, is shared between two devices (for example, the coordinator and an endpoint).

The link key provides end-to-end protection of the APS payload between the two devices.

Because the network key could allow an attacker to read and forge many types of network traffic, it must be random and protected. Exposing the key effectively compromises the entire network.

When a new device joins, the coordinator (Trust Center) delivers the network key using a Transport Key command. That transport packet must be protected by a link key so the network key is not exposed in clear text. The link key authenticates the joining device and protects the key delivery.

The image below shows the transport packet:

There are two common ways link keys are provided:

Pre-installed: the device ships with an installation code or link key already set.
Key establishment: the device runs a key-establishment protocol.

A common historical problem is the global default Trust Center link key, “ZigBeeAlliance09”. It was included in early versions of Zigbee (pre-3.0) to facilitate testing and interoperability. However, many vendors left it enabled on consumer devices, and that has caused major security issues. If an attacker knows this key, they can join devices and read or steal the network key.

Newer versions – Zigbee 3.0 and later – introduced installation codes and procedures to derive unique link keys for each device. An installation code is usually a factory-assigned secret (often encoded on the device label) that the Trust Center uses to derive a unique link key for the device in question. This helps avoid the problems caused by a single hard-coded global key.

Unfortunately, many manufacturers still ignore these best practices. During real assessments, we often encounter devices that use default or hard-coded keys.

How can these keys be obtained?

If an endpoint has already joined the network and communicates with the coordinator using the network key, there are two main options for decrypting traffic:

Guess or brute-force the network key. This is usually impractical because a properly generated network key is a random AES-128 key.
Force the device to rejoin and capture the transport key. If we can make the endpoint leave the network and then rejoin, the coordinator will send the transport key. Capturing that packet can reveal the network key, but the transport key itself is protected by the link key. Therefore, we still need the link key.

To obtain the network and link keys, many approaches can be used:

The well-known default link key, ZigBeeAlliance09. Many legacy devices still use it.
Identify the device manufacturer and search for the default keys used by that vendor. We can find the manufacturer by:
- Checking the device MAC/OUI (the first three bytes of the 64-bit extended address often map to a vendor).
- Physically inspecting the device (label, model, chip markings).
Extract the firmware from the coordinator or device if we have physical access and search for hard-coded keys inside the firmware images.

Once we have the relevant keys, the decryption process is straightforward:

Open the capture in Wireshark.
Go to Edit -> Preferences -> Protocols -> Zigbee.
Add the network key and any link keys in our possession.
Wireshark will then show decrypted APS payloads and higher-level Zigbee packets.

After successful decryption, packet types and readable application commands will be visible, such as Link Status or on/off cluster commands:

Choose your gadget

Now that we can read and potentially decrypt traffic, we need hardware and software to inject packets over the Zigbee link between the coordinator and the endpoint. To keep this practical and simple, I opted for cheap, widely available tools that are easy to set up.

For the hardware, I used the nRF52840 USB dongle, the same device we used for sniffing. It’s inexpensive, easy to find, and supports IEEE 802.15.4/Zigbee, so it can sniff and transmit.

The dongle runs the firmware we can use. A good firmware platform is Zephyr RTOS. Zephyr has an IEEE 802.15.4 radio API that enables the device to receive raw frames, essentially enabling sniffer mode, as well as send raw frames as seen in the snippets below.

Using this API and other components, we created a transceiver implementation written in C, compiled it to firmware, and flashed it to the dongle. The firmware can expose a simple runtime interface, such as a USB serial port, which allows us to control the radio from a laptop.

At runtime, the dongle listens on the serial port (for example, /dev/ttyACM1). Using a script, we can send it raw bytes, which the firmware will pass to the radio API and transmit to the channel. The following is an example of a tiny Python script to open the serial port:

I used the Scapy tool with the 802.15.4/Zigbee extensions to build Zigbee packets. Scapy lets us assemble packets layer-by-layer – MAC → NWK → APS → ZCL – and then convert them to raw bytes to send to the dongle. We will talk about APS and ZCL in more detail later.

Here is an example of how we can use Scapy to craft an APS layer packet:
from scapy.layers.dot15d4 import Dot15d4, Dot15d4FCS, Dot15d4Data, Dot15d4Cmd, Dot15d4Beacon, Dot15d4CmdAssocResp
from scapy.layers.zigbee import ZigbeeNWK, ZigbeeAppDataPayload, ZigbeeSecurityHeader, ZigBeeBeacon, ZigbeeAppCommandPayload

Before sending, the packet must be properly encrypted and signed so the endpoint accepts it. That means applying AES-CCM (AES-128 with MIC) using the network key (or the correct link key) and adhering to Zigbee’s rules for packet encryption and MIC calculation. This is how we implemented the encryption and MIC in Python (using a cryptographic library) after building the Scapy packet. We then sent the final bytes to the dongle.

This is how we implemented the encryption and MIC:

Crafting the packet

Now that we know how to inject packets, the next question is what to inject. To toggle the relay, we simply need to send the same type of command that the coordinator already sends. The easiest way to find that command is to sniff the traffic and read the application payload. However, when we look at captures in Wireshark, we can see many packets under ZCL marked [Malformed Packet].

A “malformed” ZCL packet usually means Wireshark could not fully interpret the packet because the application layer is non-standard or lacks details Wireshark expects. To understand why this happens, let’s look at the Zigbee application layer.

The Zigbee application layer consists of four parts:

Application Support Sublayer (APS): routes messages to the correct profile, endpoint, and cluster, and provides application-level security.
Application Framework (AF): contains the application objects that implement device functionality. These objects reside on endpoints (logical addresses 1–240) and expose clusters (sets of attributes and commands).
Zigbee Cluster Library (ZCL): defines standard clusters and commands so devices can interoperate.
Zigbee Device Object (ZDO): handles device discovery and management (out of scope for this post).

To make sense of application traffic, we must introduce three concepts:

Profile: a rulebook for how devices should behave for a specific use case. Public (standard) profiles are managed by the Connectivity Standards Alliance (CSA). Vendors can also create private profiles for proprietary features.
Cluster: a set of attributes and commands for a particular function. For example, the On/Off cluster contains On and Off commands and an OnOff attribute that displays the current state.
Endpoint: a logical “port” on the device where a profile and clusters reside. A device can host multiple endpoints for different functions.

Putting all this together, in the standard home automation traffic we see APS pointing to the home automation profile, the On/Off cluster, and a destination endpoint (for example, endpoint 1). In ZCL, the byte 0x00 often means “Off”.

In many industrial setups, vendors use private profiles or custom application frameworks. That’s why Wireshark can’t decode the packets; the AF payload is custom, so the dissector doesn’t know the format.

So how do we find the right bytes to toggle the switch when the application is private? Our strategy has two phases.

Passive phase
Sniff traffic while the system is driven legitimately. For example, trigger the relay from another interface (Ethernet or Bluetooth) and capture the Zigbee packets used to toggle the relay. If we can decrypt the captures, we can extract the application payload that correlates with the on/off action.
Active phaseWith the legitimate payload at hand, we can now turn to creating our own packet. There are two ways to do that. First, we need to replay or duplicate the captured application payload exactly as it is. This works if there are no freshness checks like sequence numbers. Otherwise, we have to reverse-engineer the payload and adjust any counters or fields that prevent replay. For instance, many applications include an application-level counter. If the device ignores packets with a lower application counter, we must locate and increment that counter when we craft our packet.

Another important protective measure is the frame counter inside the Zigbee security header (in the network header security fields). The frame counter prevents replay attacks; the receiver expects the frame counter to increase with each new packet, and will reject packets with a lower or repeated counter.

So, in the active phase, we must:

Sniff the traffic until the coordinator sends a valid packet to the endpoint.
Decrypt the packet, extract the counters and increase them by one.
Build a packet with the correct APS/AF fields (profile, endpoint, cluster).
Include a valid ZCL command or the vendor-specific payload that we identified in the passive phase.
Encrypt and sign the packet with the correct network or link key.
Make sure both the application counter (if used) and the Zigbee frame counter are modified so the packet is accepted.

The whole strategy for this phase will look like this:

If all of the above are handled correctly, we will be able to hijack the Zigbee communication and toggle the relay (turn it off and on) using only the Zigbee link.

Coordinator impersonation (rejoin attack)

The goal of this attack vector is to force the Zigbee endpoint to leave its original coordinator’s network and join our spoofed network so that we can take control of the device. To do this, we must achieve two things:

Force the endpoint to leave the original network.
Spoof the original coordinator and trick the node into joining our fake coordinator.

Force leaving

To better understand how to manipulate endpoint connections, let’s first describe the concept of a beacon frame. Beacon frames are periodic announcements sent by a coordinator and by routers. They advertise the presence of a network and provide join information, such as:

PAN ID and Extended PAN ID
Coordinator address
Stack/profile information
Device capacity (for example, whether the coordinator can accept child devices)

When a device wants to join, it sends a beacon request across Zigbee channels and waits for beacon replies from nearby coordinators/routers. Even if the network is not beacon-enabled for regular synchronization, beacon frames are still used during the join/discovery process, so they are mandatory when a node tries to discover networks.

Note that beacon frames exist at both the Zigbee and IEEE 802.15.4 levels. The MAC layer carries the basic beacon structure that Zigbee then extends with network-specific fields.

Now, we can force the endpoint to leave its network by abusing how Zigbee handles PAN conflicts. If a coordinator sees beacons from another coordinator using the same PAN ID and the same channel, it may trigger a PAN ID conflict resolution. When that happens, the coordinator can instruct its nodes to change PAN ID and rejoin, which causes them to leave and then attempt to join again. That rejoin window gives us an opportunity to advertise a spoofed coordinator and capture the joining node.

In the capture shown below, packet 7 is a beacon generated by our spoofed coordinator using the same PAN ID as the real network. As a result, the endpoint with the address 0xe8fa leaves the network (see packets 14–16).

Choose me

After forcing the endpoint to leave its original network by sending a fake beacon, the next step is to make the endpoint choose our spoofed coordinator. At this point, we assume we already have the necessary keys (network and link keys) and understand how the application behaves.

To impersonate the original coordinator, our spoofed coordinator must reply to any beacon request the endpoint sends. The beacon response must include the same Extended PAN ID (and other fields) that the endpoint expects. If the endpoint deems our beacon acceptable, it may attempt to join us.

I can think of two ways to make the endpoint prefer our coordinator.

Jam the real coordinator
Use a device that reduces the real coordinator’s signal at the endpoint so that it appears weaker, forcing the endpoint to prefer our beacon. This requires extra hardware.
Exploit undefined or vendor-specific behavior
Zigbee stacks sometimes behave slightly differently across vendors. One useful field in a beacon is the Update ID field. It increments when a coordinator changes network configuration.

If two coordinators advertise the same Extended PAN ID but one has a higher Update ID, some stacks will prefer the beacon with the higher Update ID. This is undefined behavior across implementations; it works on some stacks but not on others. In my experience, sometimes it works and sometimes it fails. There are lots of other similar quirks we can try during an assessment.

Even if the endpoint chooses our fake coordinator, the connection may be unstable. One main reason for that is the timing. The endpoint expects ACKs for the frames it sends to the coordinator, as well as fast responses regarding connection initiation packets. If our responder is implemented in Python on a laptop that receives packets, builds responses, and forwards them to a dongle, the round trip will be too slow. The endpoint will not receive timely ACKs or packets and will drop the connection.

In short, we’re not just faking a few packets; we’re trying to reimplement parts of Zigbee and IEEE 802.15.4 that must run quickly and reliably. This is usually too slow for production stacks when done in high-level, interpreted code.

A practical fix is to run a real Zigbee coordinator stack directly on the dongle. For example, the nRF52840 dongle can act as a coordinator if flashed with the right Nordic SDK firmware (see Nordic’s network coordinator sample). That provides the correct timing and ACK behavior needed for a stable connection.

However, that simple solution has one significant disadvantage. In industrial deployments we often run into incompatibilities. In my tests I compared beacons from the real coordinator and the Nordic coordinator firmware. Notable differences were visible in stack profile headers:

The stack profile identifies the network profile type. Common values include 0x00, which is a network-specific (private) profile, and 0x02, which is a Zigbee Pro (public) profile.

If the endpoint expects a network-specific profile (i.e., it uses a private vendor profile) and we provide Zigbee Pro, the endpoint will refuse to join. Devices that only understand private profiles will not join public-profile networks, and vice versa. In my case, I could not change the Nordic firmware to match the proprietary stack profile, so the endpoint refused to join.

Because of this discrepancy, the “flash a coordinator firmware on the dongle” fix was ineffective in that environment. This is why the standard off-the-shelf tools and firmware often fail in industrial cases, forcing us to continue working with and optimizing our custom setup instead.

Back to the roots

In our previous test setup we used a sniffer in promiscuous mode, which receives every frame on the air regardless of destination. Real Zigbee (IEEE 802.15.4) nodes do not work like that. At the MAC/802.15.4 layer, a node filters frames by PAN ID and destination address. A frame is only passed to upper layers if the PAN ID matches and the destination address is the node’s address or a broadcast address.

We can mimic that real behavior on the dongle by running Zephyr RTOS and making the dongle act as a basic 802.15.4 coordinator. In that role, we set a PAN ID and short network address on the dongle so that the radio only accepts frames that match those criteria. This is important because it allows the dongle to handle auto-ACKs and MAC-level timing: the dongle will immediately send ACKs at the MAC level.

With the dongle doing MAC-level work (sending ACKs and PAN filtering), we can implement the Zigbee logic in Python. Scapy helps a lot with packet construction: we can create our own beacons with the headers matching those of the original coordinator, which solves the incompatibility problem. However, we must still implement the higher-level Zigbee state machine in our code, including connection initiation, association, network key handling, APS/AF behavior, and application payload handling. That’s the hardest part.

There is one timing problem that we cannot solve in Python: the very first steps of initiating a connection require immediate packet responses. To handle this issue, we implemented the time-critical parts in C on the dongle firmware. For example, we can statically generate the packets for connection initiation in Python and hard-code them in the firmware. Then, using “if” statements, we can determine how to respond to each packet from the endpoint.

So, we let the dongle (C/Zephyr) handle MAC-level ACKs and the initial association handshake, but let Python build higher-level packets and instruct the dongle what to send next when dealing with the application level. This hybrid model reduces latency and maintains a stable connection. The final architecture looks like this:

Deliver the key

Here’s a quick recap of how joining works: a Zigbee endpoint broadcasts beacon requests across channels, waits for beacon responses, chooses a coordinator, and sends an association request, followed by a data request to identify its short address. The coordinator then sends a transport key packet containing the network key. If the endpoint has the correct link key, it can decrypt the transport key packet and obtain the network key, meaning it has now been authenticated. From that point on, network traffic is encrypted with the network key. The entire process looks like this:

The sticking point is the transport key packet. This packet is protected using the link key, a per-device key shared between the coordinator (Trust Center) and the joining endpoint. Before the link key can be used for encryption, it often needs to be processed (hashed/derived) according to Zigbee’s key derivation rules. Since there is no trivial Python implementation that implements this hashing algorithm, we may need to implement the algorithm ourselves.

I implemented the required key derivation; the code is available on our GitHub.

Now that we’ve managed to obtain the hashed link key and deliver it to the endpoint, we can successfully mimic a coordinator.

The final success

If we follow the steps above, we can get the endpoint to join our spoofed coordinator. Once the endpoint joins, it will often remain associated with our coordinator, even after we power it down (until another event causes it to re-evaluate its connection). From that point on, we can interact with the device at the application layer using Python. Getting access as a coordinator allowed us to switch the relay on and off as intended, but also provided much more functionality and control over the node.

Conclusion

In conclusion, this study demonstrates why private vendor profiles in industrial environments complicate assessments: common tools and frameworks often fail, necessitating the development of custom tools and firmware. We tested a simple two-node scenario, but with multiple nodes the attack surface changes drastically and new attack vectors emerge (for example, attacks against routing protocols).

As we saw, a misconfigured Zigbee setup can lead to a complete network compromise. To improve Zigbee security, use the latest specification’s security features, such as using installation codes to derive unique link keys for each device. Also, avoid using hard-coded or default keys. Finally, it is not recommended to use the network key encryption model. Add another layer of security in addition to the network level protection by using end-to-end encryption at the application level.

securelist.com/zigbee-protocol…

gianlucamantoani.blog

2 mesi fa • •

gianlucamantoani.blog
2 mesi fa • •

L’Italia del 12 dicembre

Prima i fatti. Il 12 dicembre è anniversario dela strage di piazza Fontana che fu un attentato terroristico, di matrice neofascista, compiuto nel 1969, nel centro di Milano, all'interno della sede della Banca Nazionale dell'Agricoltura in piazza Fontana e che causò 17 morti e 88 feriti. E fu l'inizio di un trentennio di violenza politica. Gli ultimi versi della canzone di Francesco De Gregori, Viva l'Italia, suonano così:

gianlucamantoani.blog/2025/12/…

Cybersecurity & cyberwarfare

2 mesi fa • •

Cybersecurity & cyberwarfare
2 mesi fa • •

Copia e Incolla e hai perso l’account di Microsoft 365! Arriva ConsentFix e la MFA è a rischio

Un nuovo schema chiamato “ConsentFix” amplia le capacità del già noto attacco social ClickFix e consente di dirottare gli account Microsoft senza password o autenticazione a più fattori. Per farlo, gli aggressori sfruttano un’applicazione Azure CLI legittima e le funzionalità di autenticazione OAuth , trasformando il processo di accesso standard in uno strumento di dirottamento.

... mostra di più

Copia e Incolla e hai perso l’account di Microsoft 365! Arriva ConsentFix e la MFA è a rischio

ClickFix si basa sulla visualizzazione di istruzioni pseudo-sistema all’utente, chiedendogli di eseguire comandi o eseguire diversi passaggi, presumibilmente per correggere un errore o dimostrare la propria identità.

La variante “ConsentFix”, descritta dal team di Push Security, mantiene lo scenario generale dell’inganno, ma invece di installare malware, mira a rubare un codice di autorizzazione OAuth 2.0, che viene poi utilizzato per ottenere un token di accesso all’interfaccia della riga di comando di Azure.

L’attacco inizia con la visita a un sito web legittimo compromesso, ben indicizzato su Google per le query pertinenti. Sulla pagina appare un finto widget Cloudflare Turnstile, che richiede un indirizzo email valido. Lo script degli aggressori confronta l’indirizzo inserito con un elenco predefinito di obiettivi ed esclude bot, analisti e visitatori casuali. Solo alle vittime selezionate viene presentato il passaggio successivo, strutturato come un tipico script ClickFix con passaggi di verifica apparentemente innocui.

Alla vittima viene chiesto di cliccare sul pulsante di accesso, dopodiché il vero dominio Microsoft si apre in una scheda separata. Tuttavia, invece del consueto modulo di accesso, utilizza una pagina di autorizzazione di Azure che genera un codice OAuth specifico per l’interfaccia a riga di comando di Azure. Se l’utente ha effettuato l’accesso a un account Microsoft, è sufficiente selezionarlo; in caso contrario, l’accesso avviene normalmente tramite il modulo autentico.

Dopo l’autorizzazione, il browser viene reindirizzato a localhost e nella barra degli indirizzi viene visualizzato un URL con il codice di autorizzazione dell’interfaccia della riga di comando di Azure associato all’account. Il passaggio finale dell’inganno consiste nell’incollare nuovamente questo indirizzo nella pagina dannosa, come indicato. A questo punto, l’aggressore può scambiare il codice con un token di accesso e gestire l’account tramite l’interfaccia della riga di comando di Azure senza conoscere la password o completare l’autenticazione a più fattori . Durante una sessione attiva, l’accesso non viene effettivamente richiesto. Per ridurre il rischio di divulgazione, lo script viene eseguito una sola volta da ciascun indirizzo IP.

Gli esperti di Push Security consigliano ai team addetti alla sicurezza di monitorare le attività insolite dell’interfaccia della riga di comando di Azure, inclusi gli accessi da indirizzi IP insoliti, e di monitorare l’utilizzo delle autorizzazioni Graph legacy, su cui questo schema si basa per eludere gli strumenti di rilevamento standard.

L'articolo Copia e Incolla e hai perso l’account di Microsoft 365! Arriva ConsentFix e la MFA è a rischio proviene da Red Hot Cyber.

Cybersecurity & cyberwarfare

2 mesi fa • •

Cybersecurity & cyberwarfare
2 mesi fa • •

Aumento di stipendio? Tranquillo, l’unico che riceve i soldi è l’hacker per la tua negligenza

Emerge da un recente studio condotto da Datadog Security Labs un’operazione attualmente in corso, mirata a organizzazioni che utilizzano Microsoft 365 e Okta per l’autenticazione Single Sign-On (SSO). Questa operazione, avvalendosi di tecniche sofisticate, aggira i controlli di sicurezza con l’obiettivo di sottrarre token di sessione.

... mostra di più

Aumento di stipendio? Tranquillo, l’unico che riceve i soldi è l’hacker per la tua negligenza

Mentre le valutazioni delle prestazioni di fine anno stanno per essere comunicate ai dipendenti, questa complessa truffa di phishing ha iniziato a diffondersi, trasformando quello che sembrava un aumento salariale in una minaccia per la sicurezza informatica.

Dall’inizio di dicembre 2025, questa campagna sfrutta senza scrupoli i benefit offerti dalle aziende. I destinatari ignari ricevono messaggi di posta elettronica dissimulati da comunicazioni ufficiali dei reparti risorse umane o di servizi di gestione stipendi, tra cui ADP o Salesforce.

Gli oggetti sono progettati per suscitare urgenza e curiosità immediate, utilizzando frasi come “Azione richiesta: rivedere le informazioni su stipendio e bonus del 2026” o “Riservato: aggiornamento sulla retribuzione”.

Secondo il rapporto , i ricercatori di sicurezza riportano che “gli URL di phishing includono un parametro URL che indica il tenant Okta preso di mira. Inoltra qualsiasi richiesta al dominio .okta.com originale, garantendo che tutte le personalizzazioni alla pagina di autenticazione Okta vengano preservate, rendendo la pagina di phishing più legittima”.

Alcuni attacchi utilizzano allegati PDF crittografati con la password fornita nel corpo dell’e-mail: una tattica classica per aggirare gli scanner di sicurezza della posta elettronica.

La minaccia risulta essere ancora più subdola nel caso in cui la vittima faccia accesso a una pagina di login contraffatta di Microsoft 365. Il codice maligno esamina il traffico del browser in modo occulto. Rilevato che l’utente sta effettuando l’autenticazione tramite Okta, tramite un campo JSON specifico chiamato FederationRedirectUrl, il traffico viene immediatamente intercettato.

Una volta che l’utente inserisce le proprie credenziali, uno script lato client chiamato inject.js entra in funzione. Traccia le sequenze di tasti premuti per acquisire nomi utente e password, ma il suo obiettivo principale è il dirottamento della sessione.

L’infrastruttura alla base di questi attacchi è in rapida evoluzione.

Gli autori delle minacce utilizzano Cloudflare per nascondere i loro siti dannosi ai bot di sicurezza e perfezionano costantemente il loro codice.

L'articolo Aumento di stipendio? Tranquillo, l’unico che riceve i soldi è l’hacker per la tua negligenza proviene da Red Hot Cyber.

Antonella Ferrari

2 mesi fa da Fedilab • •

Antonella Ferrari
2 mesi fa da Fedilab • •

Da piazza Fontana alla stazione di Bologna. La mano fascista dietro alle stragi della strategia della tensione

@Giornalismo e disordine informativo
articolo21.org/2025/12/da-piaz…
Il 1969 è l’anno degli scioperi, dei

@Giornalismo e disordine informativo

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Журнал «Холод»

2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Осторожно, новости!

Sensitive content

Redhotcyber

2 mesi fa • •

Redhotcyber
2 mesi fa • •

CSRA: Perché serve un nuovo modo di percepire ciò che non riusciamo più a controllare

📌 Link all'articolo : redhotcyber.com/post/csra-perc…

#redhotcyber #news #cybersecurity #sicurezzainformatica #datianalysis #soc #gestioneincidenti

CSRA: Perché serve un nuovo modo di percepire ciò che non riusciamo più a controllare

La cybersecurity è un ambiente in continua evoluzione. Scopri il modello CSRA per una nuova consapevolezza nella difesa cyber, grazie alla percezione delle trasformazioni nella rete.

^{Alessandro Rugolo (Red Hot Cyber)}

#redhotcyber #cybersecurity #News #sicurezzainformatica #soc #datianalysis #gestioneincidenti

Questo sito web utilizza cookie tecnici e di sessione. Proseguendo la navigazione su questo sito, accetti l'utilizzo dei cookie.

⇧

воля 2 mesi fa • •

Russia-Ukraine Daily News 2 mesi fa • •

Russia-Ukraine Daily News 2 mesi fa • •

kravietz 🦇 2 mesi fa • •

stefania maurizi 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

stefania maurizi 2 mesi fa • •

воля 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

воля 2 mesi fa • •

Anja Wachsmuth 🇺🇦 🇮🇱 2 mesi fa • •

Kristie 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦 2 mesi fa • •

Informa Pirata 2 mesi fa da Bleah • •

Eugene McParland 🇺🇦 2 mesi fa • •

DOXA 🏳️‍🌈🏳️‍⚧️ 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Eugene McParland 🇺🇦 2 mesi fa • •

Duckbilled Plattypus. 2 mesi fa • •

Cybersecurity & cyberwarfare 2 mesi fa da Open app • •

Cybersecurity & cyberwarfare 2 mesi fa da Open app • •

MadeInDex 📰🌎 2 mesi fa • •

The Human Capybara 2 mesi fa • •

monumental-movement-records 2 mesi fa • •

Cybersecurity & cyberwarfare 2 mesi fa da Open app • •

Lou Plummer 💖 2 mesi fa • •

Max - Poliverso 🇪🇺🇮🇹 2 mesi fa — (43.7697955 11.2556404) • •

Team KeePassXC 2 mesi fa • •

monumental-movement-records 2 mesi fa • •

Gabriele Marcosanti 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Eugene McParland 🇺🇦 2 mesi fa • •

Eugene McParland 🇺🇦 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Журнал «Холод» 2 mesi fa • •

Redhotcyber 2 mesi fa • •

воля
2 mesi fa • •

Russia-Ukraine Daily News
2 mesi fa • •

Russia-Ukraine Daily News
2 mesi fa • •

kravietz 🦇
2 mesi fa • •

stefania maurizi
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

stefania maurizi
2 mesi fa • •

воля
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

воля
2 mesi fa • •

Anja Wachsmuth 🇺🇦 🇮🇱
2 mesi fa • •

Kristie
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

NOELREPORTS 🇪🇺 🇺🇦
2 mesi fa • •

Informa Pirata
2 mesi fa da Bleah • •

Eugene McParland 🇺🇦
2 mesi fa • •

DOXA 🏳️‍🌈🏳️‍⚧️
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

Duckbilled Plattypus.
2 mesi fa • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

MadeInDex 📰🌎
2 mesi fa • •

The Human Capybara
2 mesi fa • •

monumental-movement-records
2 mesi fa • •

Cybersecurity & cyberwarfare
2 mesi fa da Open app • •

Lou Plummer 💖
2 mesi fa • •

Max - Poliverso 🇪🇺🇮🇹
2 mesi fa — (43.7697955 11.2556404) • •

Team KeePassXC
2 mesi fa • •

monumental-movement-records
2 mesi fa • •

Gabriele Marcosanti
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

Eugene McParland 🇺🇦
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Журнал «Холод»
2 mesi fa • •

Redhotcyber
2 mesi fa • •