This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day vulnerability in the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, when their monitoring infrastructure detected it. It’s a cross-site scripting (XSS) exploit, such that when a victim opens a malicious link, the JavaScript running on the malicious page can access a logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attackers’ requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for round two. This is another ransomware campaign run in the as-a-Service pattern — RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMware ESXi virtual machines. A series of IoCs has been published, and the FBI is requesting that any logs, ransom notes, or other evidence possibly related to this campaign be sent to them if possible.

Making Light Of Superconductors

Once upon a time, making a superconductor required extremely cold temperatures. Scientists understood why superconducting materials could move electrons without loss, but the super cold temperatures were a problem. Then in 1986, a high-temperature superconductor was found. High temperature, of course, is a relative term. The new material works when cooled to a frosty temperature, just not a few degrees off of absolute zero like a conventional superconductor. Since then, the race has been on to find a room-temperature superconductor that doesn’t require other exotic conditions, such as extreme pressure. Department of Energy scientists may have found a different path to get there: X-ray light.

The problem is that scientists don’t fully understand why these high-temperature superconductors work. To study the material, YBCO, scientists chill a sample to its superconducting state and then use a magnetic field to disrupt the superconductivity to study the material’s normal state. The new research has shown that a pulse of light can also disrupt the superconductivity, although the resulting state is unstable.

The research shows that charge density waves, which can serve as markers for superconductivity, occur when the samples are exposed to a magnetic field or to high-energy light pulses. While this is a far cry from creating room temperature superconductors, further study of the mechanism that allows light and magnetic fields to cause similar changes in the material could lead to a better understanding of the physics and maybe — one day — room-temperature superconductors.

Want to make your own YBCO? Go for it! Of course, you can already get room-temperature superconductors if you can stand the pressure.

Ask Hackaday: What’s Going On With Mazdas In Seattle?

What hacker doesn’t love a puzzle? We have a doozy for you. According to KUOW — the NPR affiliate in Seattle — they have been getting an unusual complaint. Apparently, if you drive a Mazda made in 2016 and you tune to KUOW, your radio gets stuck on their frequency, 94.9 MHz, and you can’t change it.

According to a post from the radio station, it doesn’t just affect the FM radio. A listener named Smith reported:

“I tried rebooting it because I’ve done that in the past and nothing happened,” Smith said, “I realized I could hear NPR, but I can’t change the station, can’t use the navigation, can’t use the Bluetooth.”


How Can 335 Horses Weigh 63 Pounds?

Koenigsegg, the Swedish car company, has a history of unusual engineering. The latest innovation is an electric motor developed for its Gemera hybrid vehicle. The relatively tiny motor weighs 63 pounds and develops 335 horsepower and 443 lb-ft of torque. Dubbed the Quark, the motor uses both radial and axial flux designs to achieve these impressive numbers.

There is a catch, of course. Like most EV motors, those numbers are not sustainable. The company claims the motor can output peak power for 20 seconds and then drops to 134 horsepower/184 lb-ft of torque. The Gemera can supplement, of course, with its internal combustion engine — a 3 cylinder design.


As Light As Plastic; As Strong As Steel

Chemical engineers at MIT have pulled off something that was once thought impossible. By polymerizing material in two different directions at once, they have created a polymer that is very strong. You can read a pre-print version of the paper over on Arxiv.

Polymers owe many of their useful properties to the fact that they make long chains. Molecules known as monomers join together in strings held together by covalent bonds. Polymer chains may be cross-linked, which changes their properties. It has long been thought that a material with chains running along both the X and Y axes would have desirable properties, but making these reliably is a challenge.

Part of the problem is that it is hard to line up molecules, even large monomers. If one monomer in the chain rotates a bit, it will create a defect in the 2D structure and that defect will grow rapidly as you add more monomers. The new technique is relatively easy to do and is irreversible which is good because reversible chains tend to have undesirable characteristics like low chemical stability. Synthesis does require a few chemicals like melamine, calcium chloride, pyridine, and trimesic acid. Along with N-Methyl-2-pyrrolidone, the mixture eventually forms a gel. The team took pieces of gel and soaked it in ethanol. With some filtering, ultrasonics, centrifuging, and washing with water and acetone, the material was ready for vacuum drying and was made into a powder.

The powder is dissolved in acid and placed on a spinning silicon wafer to form a polymerized nanofilm. Other 2D films have been produced, of course, such as graphene, but polymer films may have a number of applications. In particular, in contrast to conventional polymers, sheets of this material are impermeable to gas and liquid, which could make it very useful as a coating.

According to the MIT press release, the film’s elastic modulus is about four to six times greater than that of bulletproof glass. The amount of force required to break the material is about twice that of steel. It doesn’t sound like this material will be oozing out of our 3D printers anytime soon. But maybe one day you’ll be able to get 2D super-strong resin.

For all their faults, conventional polymers changed the world as we know it. Some polymers occur naturally, and some use natural ingredients, too.

The Weirdest Hack

I was on the FLOSS podcast (for the Episode of the Beast no less!) and we were talking all about Hackaday. One of the hosts, secretly Hackaday’s own Jonathan Bennett in disguise, asked me what the weirdest hack I’d ever seen on Hackaday was. Weird?!?!

I was caught like a deer in headlights. None of our hacks are weird! Or maybe all of them are? I dunno, it certainly depends on your perspective. Is it weird to build a box that makes periodic meowing noises to hide in a friend’s closet? Is it weird to design new and interesting wheels for acrobats to roll themselves around in? Is it weird to want a rainbow-colored USB DIP switch? Is it weird that these are all posts from the last week?

OK, maybe we are a little bit weird. But that’s the way we like it. Keep it weird and wonderful, Hackaday. You’ve got enough normal stuff to do eight hours a day!

This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE

Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support macOS client and server interop. If the module is enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.
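A quick way to triage a server against the two conditions above, as an added example that is not part of the original article or the Samba project: it scans smb.conf text for a `vfs objects` line that loads `fruit` and compares the Samba version against the fixed releases named here. The sample configuration is constructed, and treating branches older than 4.13 as unpatched and newer than 4.15 as patched is an assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
PATCHED = {(4, 13): 17, (4, 14): 12, (4, 15): 5}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
[timemachine]
   path = /srv/tm
   VFS Objects = catia fruit streams_xattr
[public]
   path = /srv/pub
   ; vfs objects = fruit
"""

def fruit_shares(smb_conf_text):
    """Return the sections whose 'vfs objects' setting loads the fruit module."""
    hits, section = [], "global"
    text = re.sub(r"\\\n", "", smb_conf_text)      # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and internal whitespace;
        # "vfs object" is a synonym for "vfs objects".
        name = re.sub(r"\s+", "", key).lower()
        if sep and name in ("vfsobjects", "vfsobject"):
            if "fruit" in re.split(r"[\s,]+", value.strip().lower()):
                hits.append(section)
    return hits

def is_patched(version):
    """True if the version string is at or past the fixed release for its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    major, minor, patch = map(int, m.groups())
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    # Assumption: newer branches carry the fix, older branches do not.
    return (major, minor) > max(PATCHED)

def exposed(version, smb_conf_text):
    """Both conditions from the article: unpatched release and fruit enabled."""
    return not is_patched(version) and bool(fruit_shares(smb_conf_text))
```

A hit in `[global]` applies to every share that does not override the setting, and distribution packages may backport the fix without changing the upstream version number, so confirm against the vendor advisory as well.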

Crypto Down the Wormhole

One notable selling point of cryptocurrencies and Web3 is smart contracts, little computer programs running directly on the blockchain that can move funds around very quickly, without intervention. It’s quickly becoming apparent that the glaring disadvantage is these are computer programs that can move money around very quickly, without intervention. This week there was another example of smart contracts at work, when an attacker stole $326 million worth of Ethereum via the Wormhole bridge. A cryptocurrency bridge is a service that exists as linked smart contracts on two different blockchains. These contracts let you put a currency in on one side, and take it out on the other, effectively transferring currency to a different blockchain. Helping us make sense of what went wrong is [Kelvin Fichter], also known appropriately as [smartcontracts].

When the bridge makes a transfer, tokens are deposited in the smart contract on one blockchain, and a transfer message is produced. This message is like a digital checking account check, which you take to the other side of the bridge to cash. The other end of the bridge verifies the signature on the “check”, and if everything matches, your funds show up. The problem is that on one side of the bridge, the verification routine could be replaced by a dummy routine, by the end user, and the code didn’t catch it.

It’s a hot check scam. The attacker created a spoofed transfer message, provided a bogus verification routine, and the bridge accepted it as genuine. The majority of the money was transferred back across the bridge, where other users’ valid tokens were being held, and the attacker walked away with 90,000 of those ETH tokens.
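The flaw class described above, modelled in a few lines as an added example that is not Wormhole's code: a redeem path that trusts whichever verification routine the caller names, next to one that pins the routine it trusts. The routine ids, the key, and the messages are constructed, and an HMAC stands in for the bridge's real signature scheme.

```python
import hashlib
import hmac

GUARDIAN_KEY = b"constructed-demo-key"   # constructed; stands in for the signers' key
TRUSTED_VERIFIER = "sig-verify"          # hypothetical id of the genuine routine

def sign(message: bytes) -> bytes:
    """Issue the 'check': an HMAC stands in for the bridge's signature."""
    return hmac.new(GUARDIAN_KEY, message, hashlib.sha256).digest()

def genuine_check(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(message), signature)

class Bridge:
    def __init__(self):
        # Routines are looked up by id; in this model anyone may register one.
        self.routines = {TRUSTED_VERIFIER: genuine_check}

    def register(self, routine_id, fn):
        self.routines[routine_id] = fn

    def redeem_unpinned(self, message, signature, routine_id):
        # Flaw: runs whichever routine the caller names and trusts its answer.
        return bool(self.routines[routine_id](message, signature))

    def redeem_pinned(self, message, signature, routine_id):
        # Fix: refuse any routine other than the one the bridge itself trusts.
        if routine_id != TRUSTED_VERIFIER:
            return False
        return self.redeem_unpinned(message, signature, routine_id)

def demo():
    """Run genuine and spoofed transfer messages through both redeem paths."""
    bridge = Bridge()
    bridge.register("always-yes", lambda message, signature: True)  # dummy routine
    real, fake = b"transfer:100", b"transfer:90000"
    bogus_sig = b"\x00" * 32
    return {
        "genuine_pinned": bridge.redeem_pinned(real, sign(real), TRUSTED_VERIFIER),
        "forged_unpinned": bridge.redeem_unpinned(fake, bogus_sig, "always-yes"),
        "forged_pinned": bridge.redeem_pinned(fake, bogus_sig, "always-yes"),
        "bad_sig_pinned": bridge.redeem_pinned(fake, bogus_sig, TRUSTED_VERIFIER),
    }
```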