www.secnews.physaphae.fr: RSS 2.0 feed. This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. Feed generated 2025-05-10T20:45:23+00:00.

Reversemode - Blog de reverser: Spain's blackout: Cyber or Not? An unbiased technical analysis

Introduction. Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn't alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.

As we can see from the following graph from Red Eléctrica Española (the transmission system operator responsible for managing the Spanish electricity system), at 12:35pm 15 GW of generation suddenly went 'missing'. As the prime minister would explain during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system".

The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis. However, there is specific information suggesting that a potential cyber attack could be behind this.
For example: https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html. The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack: https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html. Meanwhile, top European figures such as the European Council p

Published: 2025-04-29T11:04:11+00:00 | Source: https://www.reversemode.com/2025/04/spains-blackout-cyber-or-not-unbiased.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8669358

Reversemode - Blog de reverser: Cyber-Physical Analysis of Weapons of Mass Destruction Detection Systems: Part 1 - DARPA's SIGMA

Index: 1. Introduction; 2. Practical Gamma Spectroscopy for Security Researchers; 3. SIGMA Network; 4. Conclusions.

Disclaimer. To avoid any misunderstandings, I want to clarify that all the information in this post is based on open-source intelligence, publicly available documents, and reverse engineering. I have not attempted to compromise or replicate any potential attacks on internet-facing SIGMA systems. Instead, I conducted a simple, non-invasive reconnaissance phase, which involved accessing public websites, reviewing their source code, and examining generic endpoints to gather general information, such as system versions. A month before publishing this post, I gave a heads-up about it to those who needed to be informed.

Introduction. This is the first part of a series on the cyber-physical analysis of weapons of mass destruction detection systems, focusing on technologies like CBRN networks and nuclear safeguards.
These posts will cover how these systems integrate physical methods with cyber capabilities to counter potential threats. By analyzing both the hardware and software components, I aim to highlight the challenges and advancements in ensuring these systems function effectively in real-world scenarios, as well as some of the vulnerabilities, exploits, and security-related issues discovered during the research. Above all, the goal is to contribute to a better understanding of these systems and encourage critical thinking, especially in these challenging times.

Thirty years ago, the Japanese apocalyptic cult 'Aum Shinrikyo' managed to fabricate sarin gas in-house and released it in multiple trains during rush hour on the Tokyo subway system. The deadly nerve agent killed 14 people, injured over 1000, and caused severe health issues for thousands more. Initial reports only mentioned 'an explosion in the subway', causing the first 30 police officers who arrived at the scene to overlook the possibility of a chemical attack. As a result, they were exposed to and harmed by the sarin gas, which also delayed their ability to provide a timely and proper response to the other victims.

Could a similar event happen today in a modern city? Probably yes, but at least in theory, it would be orders of magnitude harder for the perpetrators to achieve their goals.
Even if they succeeded, the immediate aftermath (essentially the ability to mitigate the consequences) would be, or is expected to be, managed much more effectively, due to technological progress in countering Chemical, Biological, Radiological,

Published: 2025-04-01T16:18:36+00:00 | Source: https://www.reversemode.com/2025/04/cyber-physical-analysis-of-weapons-of.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8659628

Reversemode - Blog de reverser: The Cyber Dimension of the Zaporizhzhia NPP Occupation

The war that began with Russia's full-scale invasion of Ukraine has led to a series of unprecedented nuclear-related situations. During the first 48 hours, Chernobyl, a symbol of the deep-seated fear of nuclear disaster, especially within Europe, was taken by Russian troops. This was accompanied by reports of radiation spikes, various plots involving dirty bombs and nuclear materials, and Russian soldiers allegedly killed by acute radiation syndrome. In the end, all of it was proven to be as fictitious as the reported radiation levels.

We should view these mutual accusations between Ukraine and Russia as part of the information war, which likely didn't come as a complete surprise to those in the know. For instance, in an insightful piece Politico published documenting the 'first-ever oral history of how top U.S. and Western officials saw the warning signs of a European land war', John Kirby stated the following:

Without time to recover from the shock caused by the events in the Chernobyl Exclusion Zone, just a few days later, Russia attacked and eventually occupied Europe's largest nuclear power plant: Zaporizhzhia. Four weeks later, Russian forces withdrew from Chernobyl, but they did not withdraw from Zaporizhzhia NPP, which remains occupied to this day. With a new administration taking over the U.S.
government, likely to have a significant influence on the conditions and terms for ending this armed conflict (if it ends at all), now seems like the right moment to address a gap in the existing coverage of the Zaporizhzhia NPP occupation: its cyber dimension.

Ukraine: From Non-Proliferation to the Modernization of Its Nuclear Power Plants. After the Soviet Union's collapse in 1991, Ukraine agreed to give up its nuclear weapons under the Budapest Memorandum (1994), in exchange for security assurances from Russia, the U.S., and the UK. Some might argue that this move has not aged well,

Published: 2025-01-22T14:43:46+00:00 | Source: https://www.reversemode.com/2025/01/the-cyber-dimension-of-zaporizhzhia-npp.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654591

Reversemode - Blog de reverser: Addressing the Exploitation of Radiation Fear: A Self-Assessment Guide to Counter Disinformation

"Anatomy of a Nuclear Scare", an article that covers this issue. This trend does not come as a surprise, as radioactivity is one of those few things that can collectively trigger significant levels of societal anxiety and an emotional, rather than rational, response, which is often disproportionate to the actual physical risks it poses. This radiation fear has been shaped over the years by a mix of cultural, historical, and media-driven narratives. In recent years, increasing geopolitical instability, the ever-growing influence of social media, the return of magical thinking, and the precariousness and discrediting of traditional sources of information have resulted in a constant flow of misinformation.
It's no coincidence that successful campaigns can be executed with limited resources, compared to traditional manipulation activities, and still have the potential to go viral, maximizing ROI. Despite the fact that these campaigns explicitly exploited, or leveraged, publicly available online resources providing real-time radiation levels, in most cases the actions were simplistic and carried out without the need for specialized 'cyber' skills or expertise. So far, the only exception to this trend can be found in Chernobyl's post-invasion radiation spikes from 2022.

I see no reason to believe that we won't see similar campaigns in the near future. I also acknowledge that this topic is not everyone's cup of tea. You may not have the time or interest to go through detailed technical explanations of radioactivity from both physics and cybersecurity perspectives. However, for those who are really interested in that kind of in-depth reading, I've published comprehensive research papers on this topic. So, I thought it might be useful to put together this publication, which is merely intended to serve as an 'emergency guide' to quickly grasp a set of simple yet sound principles that hopefully can help everyone, regardless of their background, to approach radioactivity-related reports with a critical eye. Armed with these fundamentals of radiation monitoring, we'll learn how to quickly discern between stories that make sense and those that don't hold water.

An Emergency Guide to Understanding Radioactivity and Radiation Monitoring. Let's say that you want to build a simple cabin on a small plot of land you have in the woods. The foundations should be stable enough to ensure the structure does not collapse right after you finish it. However, you have an unusual constraint: the only material you can use is balloons. Common sense suggests that, although balloons are not the ideal material, the best way to use them would be to keep them completely deflated.
Anything built using inflated balloons will not last long; it depends on the quality of the material the balloon is made of, but everybody acknowl

Published: 2025-01-08T18:35:29+00:00 | Source: https://www.reversemode.com/2025/01/addressing-exploitation-of-radiation.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654592

Reversemode - Blog de reverser: A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors

Chernobyl research, I was surprised to discover that a plethora of brand-new (2nd generation) components were available on eBay. Framatome's Teleperm XS (TXS) is a digital Instrumentation & Control platform designed specifically for use in safety systems in nuclear power plants, as a replacement for or an enhancement of their analog counterparts. It is one of the most widely used digital safety I&C platforms, supporting the main line of defense (Reactor Protection System, Engineered Safety Features Actuation System) in dozens of nuclear reactors worldwide, including in Europe, the United States, Russia and China. Obviously, this was a good opportunity to take a close look at a modern digital safety platform, so I bought some TXS modules from around the world. That was the starting point of the research I am releasing today: "A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors".
Published: 2024-10-01T12:10:41+00:00 | Source: https://www.reversemode.com/2024/10/a-practical-analysis-of-cyber-physical.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654593

Reversemode - Blog de reverser: Ukraine's nuclear regulator confirms Chernobyl's post-invasion radiation spikes had an 'abnormal origin'.

Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication'. Kim Zetter also wrote an investigative piece. The research materials are publicly available.

As I casually discovered a few days ago, around the date I received the acceptance notification from BlackHat, the paper 'Preliminary assessment of the radiological consequences of the hostile military occupation of the Chornobyl Exclusion Zone' was submitted to the 'Journal of Radiological Protection'. This paper would eventually be approved and then published in September. So it seems that both investigations were being performed in parallel, but unfortunately our paths never crossed. There is also a significant detail: this investigation doesn't come from a random guy like me, but from official entities.
The authors of this paper belong to an international mission led by the "State Nuclear Regulatory Inspectorate of Ukraine" (SNRIU) and its technical support organization, the "Scientific and Technical Centre for Nuclear and Radiation Safety", with funds from Norway's nuclear authority (DSA). This international group of experts carried out a comprehensive radiation survey over different areas (at risk to their lives due to the mines left behind by the Russian occupation forces), including the Chernobyl Exclusion Zone, and specifically in those spots where some of the radiation monitoring devices (GammaTRACER) reported radiation spikes during the beginning of the Russian invasion. The outcome of the survey is that they didn't find any trace of contamination; the radiation levels were basically the same

Published: 2024-06-05T14:00:23+00:00 | Source: https://www.reversemode.com/2024/06/ukraines-nuclear-regulator-confirms.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654594

Reversemode - Blog de reverser: Finding vulnerabilities in Swiss Post's e-voting system: part 3

Finding vulnerabilities in Swiss Post's future e-voting system - Part 1". That was the first of a series of blog posts covering that system. During these two years I've been periodically assessing the security posture of this e-voting solution, as part of their Bug Bounty program, which I personally recommend. Since the first time I reviewed their codebase a lot of things have changed, for good, as many areas have been dramatically improved. To be honest, from a security perspective the codebase back then was kind of a mess.

When the first Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community. As a result, some significant issues were uncovered, so eventually Swiss Post decided to suspend the deployment of the system.
That first version had been developed by Scytl, a Spanish company specializing in electronic voting systems. After that fiasco, Swiss Post changed their approach, acquiring the source code from Scytl and moving to a transparent, open-source focused, in-house development process, which is where they are now.

I've already expressed my thoughts about e-voting, which is a thorny issue for many in the security community. Obviously, bearing in mind what is at stake, all kinds of concerns are expected, understandable, and actually needed. That said, I think that it is also our responsibility, as security people, to properly raise legitimate concerns while keeping a technically accurate position. For me, this means properly understanding the scope, extent and context of both the e-voting solution and the threats it may face. This can be achieved by carefully studying the 'Protocol of the Swiss Post Voting System' document, which includes their threat model. The trust assumptions are a key concept for understanding Swiss Post's e-voting system.

Published: 2024-01-28T15:16:46+00:00 | Source: https://www.reversemode.com/2024/01/finding-vulnerabilities-in-swiss-posts.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654595

Reversemode - Blog de reverser: What Really Happened in Chernobyl During the Beginning of the Russian Invasion?

BlackHat USA 2023. It is intended to ease the indexing and dissemination of the information collected during this research. In a few days, I'll be in Brussels presenting this research. The original paper (PDF) can be downloaded here.

Additional references:
https://www.wired.com/story/chernobyl-radiation-spike-mystery/ (Kim Zetter)
https://www.zetter-zeroday.com/p/radiation-spikes-at-chernobyl-a-mystery (Kim Zetter)
https://medium.com/war-notes/chornobyl-3-92216d21b223 (Olegh Bondarenko)

INDEX: Foreword; Executive summary; Introduction; 1.
Physical (1986, Resuspension, Transport, Humidity, Traffic); 2. Cyber

Published: 2024-01-15T16:59:43+00:00 | Source: https://www.reversemode.com/2024/01/what-really-happened-in-chernobyl.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654596

Reversemode - Blog de reverser: "Seeing Through the Invisible" - research materials

Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication

After many months of intense research, I'm finally releasing the paper that contains full technical details and collected evidence. I presented this research at BlackHat USA 2023 a few days ago. Kim Zetter published on

Published: 2024-01-15T16:59:25+00:00 | Source: https://www.reversemode.com/2023/08/seeing-through-invisible-research.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654599
Reversemode - Blog de reverser: Some thoughts on e-Voting vulnerabilities.

Published: 2023-10-20T17:13:53+00:00 | Source: https://www.reversemode.com/2023/10/some-thoughts-on-e-voting.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654597

Reversemode - Blog de reverser: Reversing 'France Identité': the new French digital ID.

France Identité', the new French digital ID. The bug bounty program itself was disappointing to me, so I'd say that it likely wasn't worth my efforts, although I've been rewarded with some bounties for the reports. On the other hand, the scope was very interesting, so for me the technical part eventually made up for the negative aspects.

It was a pure black-box approach against the preproduction version. I received a 'specimen' French ID card (carte d'identité), which obviously did not correspond to any actual citizen. However, I didn't get a PIN, so I couldn't fully cover all the functionalities implemented in the 'France Identité' system. Now let's see what I found.

Introduction. A relatively common approach to designing cost-effective, user-friendly, chip-to-cloud solutions is to leverage the communication capabilities of the user's mobile phone.
As a result, instead of endowing the smart device (e.g., a digital ID card) with all the required electronics and software that would enable it to autonomously transmit and receive data from the internet, the product is developed to use a short-range communication stack such as Bluetooth/NFC (something any modern mobile phone supports by default), and then an app on the phone creates a communication channel with the backend, thus acting as a bridge between both worlds.

Published: 2023-10-08T11:35:58+00:00 | Source: https://www.reversemode.com/2023/10/reversing-france-identite-new-french.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654598

Reversemode - Blog de reverser: Losing control over Schneider's EcoStruxure Control Expert

EcoStruxure Control Expert. CVE-2023-27976, CVSS v3.1 base score 8.8 | High | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This is mainly a design issue in the Service Oriented Device Bus (SE.SODB.HOST.EXE). This component is a fundamental part of the Control Expert architecture, supporting its 'topology' functionality, which allows interfacing with different kinds of industrial devices, including safety controllers. 'SE.SODB.HOST.EXE' exposes a specific set of web services, built on a

Published: 2023-04-11T16:14:08+00:00 | Source: https://www.reversemode.com/2023/04/losing-control-over-schneiders.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654600

Reversemode - Blog de reverser: Beware of Java's String.getBytes

In previous posts, I have already described some bugs in Swiss Post's e-voting system.
While reading their crypto-primitives specification, which, among other things, describes Swiss Post's hashing algorithm, I noticed something potentially interesting. Basically, there are 4 different types that are supported: byte arrays, strings, integers and vectors. Before being hashed, strings are converted to a byte array via the 'stringToByteArray' algorithm. However, comparing 'stringToByteArray' and 'byteArrayToString', we can find a significant difference: invalid UTF-8 sequences are only considered in the latter. Let's see how this was implemented in the code. File: crypto-primitive-master/src/main/java/ch/post/it/evoting/cryptoprimitive/internal/utils/conversioninternal.java

Published: 2023-03-31T20:35:32+00:00 | Source: https://www.reversemode.com/2023/03/beware-of-javas-stringgetbytes.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654601

Reversemode - Blog de reverser: Finding vulnerabilities in Swiss Post's future e-voting system - Part 1

"Swiss Post Offers up to €230,000 for Critical Vulnerabilities in e-Voting System" while catching up with the security news. The headline certainly caught my attention, as it looked like an outlier from the regular bug bounty programs or well-known exploit contests, not only for the announced rewards but mainly because of the target.
So essentially Swiss Post, the national postal service of Switzerland, was opening to the general public a bug bounty program, using the YesWeHack platform, intended to uncover vulnerabilities in its future e-voting system. The first part of this blog post series will detail the approach used to analyze the Swiss Post e-voting system, as well as the first round of vulnerabilities that I reported during September/October '21.

Index: Introduction; Approach; Attack Surface; Vulnerabilities: 1. Insecure USB file handling during 'importOperation'; 2. Insecure 'ReturnCodeGenerationInput' signature generation allows vote manipulation; 3. Lack of consistency check allows an adversary to forge the verificationCardId in SecureLog entries; 4. Improper parsing of the request body when validating signatures for secure requests.

Introduction. E-voting systems immediately raise concerns in a significant part of the security community. Not in vain: we are talking about systems that should be considered critical infrastructure, as they are intended to support a democratic election process. Therefore, this kind of system should provide the same guarantees regarding confidentiality, integrity and availability that current (let's oversimplify and say 'analog') election processes provide. However, security people usually don't trust computers, and every day we see examples that certainly do not help change your mind on this aspect. That said, we implicitly trust the outcome of safety-critical computer operations happening every day in our lives: from the state estimator that guarantees we have a stable power grid, to the train control systems providing a safe commute, or the avionics systems that keep you alive while flying. It doesn't mean those systems can't be hacked, but supposedly they are being supported to keep up with the attacks they may face, while still successfully performing the tasks modern societies rely on.
I know, it's not a perfect scenario, but it is what it is. Although e-voting may not be suitable for every country, Switzerland has a long tradition of referendums, and they have actually been using e-voting for many years. However, when the Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community. As a result, some significant issues were uncovered, so eventually Swiss Post decided to suspend the deployment of the system. The first version had been developed by

Published: 2023-02-14T14:58:31+00:00 | Source: https://www.reversemode.com/2022/01/finding-vulnerabilities-in-swiss-posts.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654608

Reversemode - Blog de reverser: Finding vulnerabilities in Swiss Post's future e-voting system - Part 2

Part I of this series of blog posts on vulnerabilities in Swiss Post's future e-voting system. That publication comprehensively explains the context, methodology and attack surface for the Swiss Post e-voting system, so it is highly recommended to go through it before reading this post, if you're really interested in getting the whole picture.

This second round of bugs (reported during December '21 and January '22) includes multiple cryptographic vulnerabilities and a deserialization issue. For me, the most interesting issue is '#YWH-PGM2323-65', not only because it would have prevented ballot boxes from being decrypted during the tally phase, but also due to the potential design weaknesses that I'm coming across as a result of its analysis.
Let's briefly discuss the reported issues before going into detail:

ID | Title | Reward (€) | Attack Surface Areas* | CVSS
#YWH-PGM2323-53 | Multiple unchecked length values during SafeStreamDeserialization may crash Control Components | 3500 | 3 & 4 |

Published: 2023-02-14T12:57:29+00:00 | Source: https://www.reversemode.com/2022/05/finding-vulnerabilities-in-swiss-posts.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654604

Reversemode - Blog de reverser: SATCOM terminals under attack in Europe: a plausible analysis.

information on this incident, which initially matches the proposed scenario. You can find the update at the bottom of this post.

February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several European countries: Germany, Ukraine, Greece, Hungary, Poland... Germany's Enercon moved forward and acknowledged that approximately 5800 of its wind turbines, presumably those remotely operated via a SATCOM link in central Europe, had lost contact with their SCADA server. In the affected countries, a significant part of the customers of Eutelsat's domestic broadband service were also unable to access the Internet. From the very beginning, Eutelsat and its parent company Viasat stated that the issue was being investigated as a cyberattack. Since then, details have been scarcely provided, but a few days ago I came across a really interesting video in the following tweet. In the video, Commander General Michel Friedling confirms that the incident originated from a cyberattack.
However, he also provides a key detail that has the potential to turn a boring DDoS scenario, as some initially pointed out, into something much more interesting: "the terminals have been damaged, made inoperable and probably cannot be repaired". Based on the information publicly available and my experience researching SATCOM terminals, I'll try to present a plausible explanation for such a destructive attack.

Introduction. Please note that this is merely a speculative exercise, although backed by realistic technical reasoning... anyway, probably I'm totally wrong. Back in 2014 and then in 2018 I presented at BlackHat USA two different papers mainly focused on evaluating the security posture of multiple SATCOM terminals, uncovering a plethora of vulnerabilities and real-world scenarios across different sectors. Within these papers the reader can find an introduction to the SATCOM architecture, threat scenarios and some technical terms that will be used during this blog post.

2014 - A Wake-Up Call for SATCOM Security

Published: 2023-02-10T11:06:16+00:00 | Source: https://www.reversemode.com/2022/03/satcom-terminals-under-attack-in-europe.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654607

Reversemode - Blog de reverser: I'll have a Gamma Frappuccino, please.

Hundreds of Nuclear Radiation Monitors Were Allegedly Hacked by Former Repairmen". Basically, it seems that more than a year ago two disgruntled employees sabotaged 300+ radiation monitoring devices, which were part of a nation-wide civil radiation monitoring network (RAR) in Spain. On top of that, they were apparently using the free WiFi of a Starbucks to carry out their activities.
Obviously, not being the sharpest tools in the box, they were eventually caught. In this story there is a boring part, which is everything related to these guys and their motivations, and a slightly more interesting part, which is the underlying technology behind Radiation Monitoring Networks (RMN). In 2017 I presented at BlackHat USA 'Go Nuclear: Breaking Radiation Monitoring Devices', so I thought it could be interesting to write a brief post to provide some context.

The NeverEnding Story. As in most 'disgruntled employee' attacks, the initial motivation behind the sabotage seems to be a 'poorly assessed' reaction to a troubled employment relationship. According to the information publicly released by the police, the attacks started in March 2021. Coincidentally, by using the public procurement portal of the Spanish State, we can find that, in 2020, a public contract to support and maintain the RAR network was announced, as the one valid at that time was about to expire in Feb 2021. Anyway, if you're interested in the technology, public procurement documents always provide a lot of information when you are researching nation-wide systems. As expected, it is possible to find some interesting bits of information about the RAR network, including its topology, devices, deployments... The radiation monitoring devices are provided by Envinet. Indra seems to have developed some Data Acquisition Units as well as the Control System.

Published: 2022-08-03T12:05:12+00:00 | Source: https://www.reversemode.com/2022/08/ill-have-gamma-frappuccino-please.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8654602

Reversemode - Blog de reverser: De-Anonymization attacks against Proton services

YesWeHack invited me to take part in a private bug bounty program organized by bodke Suisse on behalf of Proton AG.
The scope of the program was quite interesting and heterogeneous, as it covered most of the applications and services offered by Proton, such as ProtonMail and ProtonVPN. As a result, several technologies and codebases were in scope, ranging from TypeScript, in the open-source part of ProtonMail, to .NET / Swift, used by the ProtonVPN apps for Windows and macOS respectively.

Original post: https://www.reversemode.com/2022/06/de-anonymization-attacks-against-proton.html (feed date 2022-06-08)

Reversemode - The guy with rudimentary tools who hyped things

research that describes in detail the reverse engineering methodology and vulnerabilities found in a DAL-A, safety-critical, certified avionics component: Collins' Pro Line Fusion - AFD-3700, a LynxOS-178 based system deployed in both commercial and military aircraft. At the time of writing this I don't know exactly what will happen after the disclosure. However, this time, I certainly know what will not happen. I understand this statement does sound a little bit cryptic, so you should keep reading to understand the context: where this situation is coming from and why this point has been reached.

Right, the title is probably more suited to a cheap sequel of Stieg Larsson's "Millennium" trilogy than to the usual technical contents I publish over here, so for the fans of that saga I would kindly ask you to forgive the liberty of giving myself that license. You'll understand the title afterwards.

This post contains traces of a 'plot' spanning several years now. As a compulsive fiction reader I didn't want to miss this opportunity to follow a dramatic structure, thus having a little bit of fun out of a situation that, for me, has been everything but fun.
That said, I've learnt a lot along the way, which is probably the only thing that paid off.

In this story there are no evil or good characters; I guess it's just people doing their job the best they can. Obviously there has to be some kind of conflict, which emerges from the fact that the nature of their jobs, although theoretically pursuing the same objectives, usually makes them clash. There is also an escalation of the action over the years, some plot twists included, until reaching a high-tension moment that determines how the conflict will be resolved. The resolution is yet to be written... As one would have expected, I'll write this story from my perspective; others may have a different one. Let's start.

Index
1. 2018
2. 2019
3. 2020
4. 2021
5. 2022
6. Paper
7. Personal Statement

2018

During a flight to Copenhagen, aboard a Norwegian Boeing 737, I noticed something weird in the In-Flight WiFi, which was provided by a satellite network. Once at the hotel I found out it was possible to reach, over the internet through a misconfigured SATCOM infrastructure, tens of in-flight aircraft from different airlines. We coordinated

Original post: https://www.reversemode.com/2022/04/the-guy-with-rudimentary-tools-who.html (feed date 2022-04-21)

Reversemode - VIASAT incident: from speculation to technical details.

published a statement providing some technical details about the attack that affected tens of thousands of its SATCOM terminals. Also yesterday, I eventually had access to two Surfbeam2 modems: one was targeted during the attack and the other was in working condition.
Thank you so much to the person who selflessly donated the attacked modem.

I've been closely covering this issue since the beginning, providing a plausible theory based on the information that was available at that time and my experience in this field. Actually, it seems that this theory was pretty close to what really happened.

Fortunately, now we can move from pure speculation into something more tangible, so I dumped the flash memory of both modems (Spansion S29GL256P90TFCR2) and the differences were pretty clear. In the following picture you can see 'attacked1.bin', which belongs to the targeted modem, and 'fw_fixed.bin', coming from the modem in working condition.

A destructive pattern that corrupted the flash memory, rendering the SATCOM modems inoperable, can be observed on the left, confirming what Viasat stated yesterday. After verifying the destructive attack, I'm now statically analyzing the firmware extracted from the 'clean' modem. The firmware version is 3.7.3.10.9, which seems to date back to late 2017.

Besides talking about a 'management network' and 'legitimate management commands', Viasat did not provide any specific details about this. In my previous blog post I introduced the

Original post: https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html (feed date 2022-04-05)
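The comparison described in the Viasat post above (a dump from the attacked modem laid next to a dump from a working one, with the overwritten area standing out) can be done without a hex viewer. The script below is an added example and not code from the original post or from Viasat: it walks two raw images of the same flash part sector by sector, merges consecutive differing sectors into regions, and for each region reports its Shannon entropy and whether the attacked image there is a uniform repeating fill (what a wiper leaves behind) or still high-entropy firmware data. Everything specific in it is an assumption: the 128 KiB comparison granularity, the `WIPE_PATTERN` fill, and the sample images, which are constructed pseudo-random data with one range overwritten, standing in for `attacked1.bin` and `fw_fixed.bin` rather than the real dumps.

```python
"""Sector-by-sector diff of two NOR flash dumps, characterising the differing regions.

Added example, not code from the original post. The sector size and the sample
images are assumptions: the inputs below are constructed pseudo-random data with
one range overwritten by a repeating pattern, standing in for a wiped modem dump.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Comparison granularity. 128 KiB is assumed here as a convenient sector size;
# adjust it to the erase-sector size of the part you actually dumped.
SECTOR = 128 * 1024


@dataclass
class Region:
    start: int             # offset of the first differing sector
    end: int               # offset one past the last differing sector
    entropy: float         # Shannon entropy (bits/byte) of the attacked image over the region
    fill: Optional[bytes]  # shortest repeating pattern if the region is a uniform fill, else None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for compressed/encrypted data, near 0 for a fill."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_fill(data: bytes, max_period: int = 16) -> Optional[bytes]:
    """Return the shortest pattern (period <= max_period) that tiles data exactly, or None."""
    for period in range(1, max_period + 1):
        pat = data[:period]
        reps, rem = divmod(len(data), period)
        if pat * reps + pat[:rem] == data:
            return pat
    return None


def _region(attacked: bytes, start: int, end: int) -> Region:
    chunk = attacked[start:end]
    return Region(start, end, round(shannon_entropy(chunk), 2), detect_fill(chunk))


def diff_dumps(clean: bytes, attacked: bytes, sector: int = SECTOR) -> List[Region]:
    """Walk both images in sector steps and merge consecutive differing sectors into regions."""
    if len(clean) != len(attacked):
        raise ValueError("dump sizes differ; both images must come from the same flash part")
    regions: List[Region] = []
    run_start: Optional[int] = None
    for off in range(0, len(clean), sector):
        same = clean[off:off + sector] == attacked[off:off + sector]
        if not same and run_start is None:
            run_start = off
        elif same and run_start is not None:
            regions.append(_region(attacked, run_start, off))
            run_start = None
    if run_start is not None:
        regions.append(_region(attacked, run_start, len(clean)))
    return regions


# Constructed sample data (not the real attacked1.bin / fw_fixed.bin):
WIPE_PATTERN = b"\xff\xff\xff\xff\xff\xff\xff\xfe"  # hypothetical fill written by the sample wiper
WIPED_FIRST, WIPED_LAST = 2, 4                     # sectors 2..4 of the sample image get overwritten


def build_sample(seed: int = 1, sectors: int = 8):
    """Pseudo-random 'clean' image plus a copy with sectors WIPED_FIRST..WIPED_LAST overwritten."""
    clean = random.Random(seed).randbytes(sectors * SECTOR)
    attacked = bytearray(clean)
    lo, hi = WIPED_FIRST * SECTOR, (WIPED_LAST + 1) * SECTOR
    attacked[lo:hi] = (WIPE_PATTERN * ((hi - lo) // len(WIPE_PATTERN) + 1))[:hi - lo]
    return clean, bytes(attacked)


def run_example() -> List[Region]:
    clean, attacked = build_sample()
    return diff_dumps(clean, attacked)


if __name__ == "__main__":
    for r in run_example():
        kind = f"uniform fill {r.fill.hex()}" if r.fill else "high-entropy data"
        print(f"0x{r.start:08x}-0x{r.end:08x}  entropy={r.entropy}  {kind}")
```

On real dumps, replace `build_sample()` with two `open(path, "rb").read()` calls and set `SECTOR` to the part's erase-sector size. A region that reports a short `fill` and near-zero entropy is overwritten flash; a region that differs but stays near 8 bits/byte is more likely legitimate variation (configuration, logs, a different firmware build) and deserves a closer look before calling it damage.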