By Owais Sultan
Web3 infrastructure leader COTI is excited to announce a significant community rewards initiative, with the platform airdropping up…
This is a post from HackRead.com Read the original post: COTI Announces Upcoming V2 Airdrop Campaign Worth +10M USD

COTI V2 is thrilled to announce a massive 40 million token Airdrop Campaign

Web3 infrastructure leader COTI is excited to announce a significant community rewards initiative, with the platform airdropping up to 40 million COTI V2 tokens, currently worth approximately $10 million, to its Native and ERC-20 $COTI holders. The need for COTI V2 as a confidentiality layer on Ethereum has resulted in a large, vocal community of supporters, and the platform is thrilled to reward that critical support.

The COTI V2 Airdrop Campaign will begin on Monday, March 25th, 2024. The planned distribution of the COTI V2 tokens will take place in Q4 2024, shortly after the COTI V2 TGE.  All Treasury participants will automatically be included in the airdrop of 40 million tokens, whether they are holding Native or ERC-20 $COTI.

Note, that this airdrop is in addition to all APY rewards for token holders. Users simply need to have a deposit in the Treasury to participate, but those who have made deposits before February 28th 2024 will receive an additional bonus as a show of the COTI team’s gratitude for their early support.

The Airdrop rewards will be determined for each member through a combination of each deposit’s current APY, the other deposit settings including multiplier and locking period, and the amount of time and activity spent in the Treasury itself.

****COTI V2 Ecosystem and Treasury****

COTI has quickly become a major Web3 infrastructure developer, building the lightest and fastest confidentiality layer for the Ethereum ecosystem. The key to this data protection breakthrough is a cryptographic protocol that is derived from Garbled Circuits, allowing for the privacy of on-chain data.  This layer is secured by Ethereum’s L1, which creates the most comprehensive data privacy solution that maintains full compliance. 

This breakthrough is nothing less than the key to unlocking brand new use cases for the Web3 economy, allowing confidentiality while utilizing all the data integrity and trustless benefits of blockchain.  Web3 companies will soon build applications for decentralized identification, DeFi, private auctions, data broker analysis (while protecting data privacy), and even Artificial Intelligence applications.

****QUOTE ABOUT THE AIRDROP HERE****

The COTI Treasury was launched in 2022 to provide a reward structure for those wishing to deposit $COTI and earn APY in the form of $COTI and $gCOTI.  As an indication of the COTI community’s overwhelming support, members have deposited over 500 million $COTI into the Treasury. 

In addition, to support, depositors have also been drawn to the Treasury by the strength of its rewards, allowing a member to customize their desired potential APY by setting the amount to deposit, a multiplier, a lock period, and an APY boost. The team plans to extend rewards even further by offering longer lock periods of 180, 270, and 360 days starting 25 March.

This campaign is also notable because, for the first time, the community’s $COTI ERC-20 token holders without VIPER wallets can also participate in Treasury rewards, both APY and the Airdrop Campaign. 

For those who don’t have a deposit in the Treasury yet, there is still time to visit Treasury.coti.io, connect a VIPER or Metamask Wallet, and set up a deposit by selecting the amount, multiplier, lock period, and APY boost (tutorial). Those with deposits already set up in the Treasury do not need to take further action, but do have the option to extend the locking period of their deposit to earn additional rewards.

The COTI V2 Airdrop Campaign is another successful step in COTI’s roadmap toward a thriving community of developers and users who are passionate about building an ever-improving Web3 ecosystem. 

With COTI’s compliant confidentiality layer, entire new industries within Web3 can be unlocked, which will continue COTI, Ethereum, and the rest of Web3 toward mass adoption across the globe. The airdrop is a very heartfelt thank you to the community that joins in COTI’s vision, rewarding both new and long-standing members for their continued support.

****About COTI****

COTI is the fastest and lightest confidentiality layer on Ethereum. Powered by the breakthrough cryptographic protocol Garbled Circuits and secured by Ethereum, COTI introduces the most advanced and compliant solution for data protection on the public blockchain.

Paving the way for the next wave of Web3 innovation and adoption, COTI unlocks a whole new world of use cases, including confidential transactions, Artificial Intelligence, DeFi, decentralized identification, and more.

COTI Announces Upcoming V2 Airdrop Campaign Worth +10M USD

Plus: The operator of a dark-web cryptocurrency “mixing” service is found guilty, and a US senator reveals that popular safes contain secret backdoors.

How do you know the internet has a deepfake porn problem? Just look at copyright takedown requests. WIRED found this week that Google is receiving thousands of Digital Millennium Copyright Act complaints for deepfake nudes, most of which are published by just a handful of websites. Experts say the deluge of DMCA takedown requests is evidence that Google should delist the offending sites from search. In Texas, meanwhile, a federal court upheld the state’s age-verification requirements for porn sites, which could lead to even more lawsuits.

In a win for privacy advocates, Airbnb announced on Monday that it will ban the use of indoor security cameras at short-term rental properties around the world. The ban extends to outdoor areas where there is a “greater expectation of privacy,” such as saunas or outdoor showers. The company has long banned the use of hidden cameras and required hosts to tell guests where it has security cameras installed. Hosts who violate the security cam ban could have their properties removed from Airbnb.

Cryptocurrency firm Binance’s troubles have gone from bad to downright scary. Two of the company's executives—Tigran Gambaryan, a former financial crimes investigator for the IRS, and UK-based government affairs specialist Nadeem Anjarwalla, have been held for weeks by Nigeria’s government amid its broader crackdown on cryptocurrency. Neither man has been charged with any crime, and their families are asking the US and UK governments for help securing their release.

In case you’re wondering: No, the US government isn’t hiding evidence of aliens, according to a new Pentagon report. But it sure seems to be hiding _something_, raising more questions about what’s out there if that thing isn’t UFOs. Elsewhere in the world of government secrets, the US House Intelligence Committee chair recently held a closed-door meeting in which he urged lawmakers to block privacy reforms to a major US surveillance program by citing how it could be used to surveil US-based protesters, further raising civil liberties concerns. Congress’ efforts to renew that program, known as Section 702, remain ongoing.

Donald Trump this week earned enough delegates in the 2024 Republican primary to officially win the party’s nomination. If Trump does win another term in the White House, experts fear he could use a slate of “emergency powers” to carry out an authoritarian agenda—and there’s little the other branches of government could do to stop him.

Finally, reporters at _Der Spiegel_, Recorder, _The_ _Washington Post_, and WIRED collaborated on an investigation into a global network of violent predators who use major platforms like Discord, Telegram, and even Roblox to target children and extort them into committing horrific acts of abuse—or worse.

And that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Insurance companies have long offered discounts to drivers who'll carry GPS devices or download smartphone apps that track their driving habits. But when wary drivers refuse, insurers find other ways of monitoring their driving. Data brokers like LexisNexus are buying people's car data directly from manufacturers, such as General Motors, which are making a killing by selling it off. This data is then used to create “risk” scores for individual drivers, which insurance providers use to set premiums. The businesses claim the data-sharing is consensual, but most drivers have no idea what's happening. Drivers whose risk scores are shared with insurance providers often see their monthly insurance payments skyrocket.

**The Bitcoin Fog Case Ends in a Guilty Verdict**

The operator of a darknet cryptocurrency “mixing” service called Bitcoin Fog faces a maximum of 20 years in prison after his conviction this week by a federal jury in Washington, DC. Roman Sterlingov, 35, ran Bitcoin Fog between 2011 and 2021, moving roughly $400 million worth of currency, much of which, prosecutors say, was tied to narcotics, identity theft, and cybercrime. Sterlingov had denied founding Bitcoin Fog in interviews with WIRED; however, the US Justice Department countered that claim in court with blockchain analysis and a trial of financial paperwork.

**Popular Safes Contain Secret Backdoors**

Two commercial safe makers have been called out for installing backdoors in their safes, according to a letter by Ron Wyden, a US senator from Oregon. The reset codes are one reason the Department of Defense has banned the safes from being used inside the US government. Knowledge of the codes, which Wyden says leaves consumers vulnerable to criminals and spies, was made public through a letter he wrote to the National Counterintelligence and Security Center. In it, he asks the agency to issue an alert, warning Americans about the risks posed by the safes.

Automakers Are Telling Your Insurance Company How You Really Drive

For months, US lawmakers have examined every side of a historic surveillance debate. With the introduction of the SAFE Act, all that’s left to do now is vote.

A bill introduced by senators Dick Durbin and Mike Lee to reauthorize the Section 702 surveillance program is the fifth introduced in the US Congress this winter. The authority is threatening to expire in a month, disrupting a global wiretapping program said to inform a third of articles in the President’s Daily Briefing—a morning “tour d’horizon” of US spies’ top concerns.

But the stakes aren't exactly so clear. With or without Congress, the Biden administration is seeking court approval to extend the 702 program into 2025. From the moment US representative Mike Johnson assumed the House speakership, he’s been unable to orchestrate a vote on the program. Outgunned most recently by Mike Turner, the chairman of the House Intelligence Committee, Johnson was forced to kill a vote after a month of negotiations.

This, even though Congress can essentially agree on one thing if nothing else: that the 702 program is vital to the national defense and that it can’t be allowed to expire. Johnson has, once again, vowed to hold a vote on the matter, this time after Easter. And historically, this is where things have begun to fall apart.

The biggest hurdle to reauthorizing the program is a dispute between lawmakers over whether the government should get search warrants before looking up Americans using 702, a massive wiretap database full of millions of email, voice, and text conversations intercepted by spies.

The Durbin-Lee bill contains tweaks designed, its authors say, to meet the Biden administration halfway. While all the legislation up to this point has wrestled over the title of “reform bill,” Durbin’s has set its sights on an idea far more defensible: The Security and Freedom Enhancement (SAFE) Act, he says, is a “bill of compromise.”

Unlike other reform bills, the SAFE Act would _not_ require the FBI to obtain a warrant to find out if the 702 database contains an American’s communications. Only if the search produces results would investigators need a warrant, and only if they wanted to read what the messages say.

Without going to court, investigators could learn whether the communications they’re after exist, whether the person they’re looking at communicated with any foreigners under US surveillance, and when exactly those conversations took place. As it’s generally trivial for law enforcement to obtain these kinds of records anyway, this is a compromise that doesn’t serve up a major loss for lawmakers on the side of reform.

The tweak will add to the difficulty the FBI is having convincing lawmakers that warrants will hinder investigations or destroy the program altogether. “This narrow warrant requirement is carefully crafted to ensure that it is feasible to implement,” Durbin says, “and sufficiently flexible to accommodate legitimate security needs.”

“There is little doubt that Section 702 is a valuable national security tool,” adds Durbin, but the program sweeps up “massive amounts of Americans’ communications.”

“Even after implementing compliance measures, the FBI still conducted more than 200,000 warrantless searches of Americans’ communications in just one year—more than 500 warrantless searches per day,” he says.

The SAFE Act contains the same menu of emergency exceptions that members of the House Judiciary Committee offered up in previously introduced legislation. The exceptions would allow the FBI to ignore the warrant requirements during emergencies, such as people faced with imminent harm or death. The bureau can search the database at will using “known threat signatures” linked to cybercrimes as well, a carve-out designed to help the FBI dodge legal red tape while mitigating harm from malicious software.

While the possibility looms that the Foreign Intelligence Surveillance Court (FISC) will approve the Biden administration’s request, extending the 702 program into 2025 on its own, it's an outcome that all sides seem eager to avoid—improvising a way to prolong a hotly debated surveillance program being a bad look for nearly everyone involved.

One of the program’s core tenets, according to a “fact sheet” distributed by the Office of the Director of National Intelligence (ODNI) this year, reflects the bargain it strikes between the government and the public: US spies are to receive an “invaluable source of intelligence on foreigners located outside the US.” Americans get in return “robust civil liberties and privacy safeguards, overseen by all three branches of government.”

If Congress had meant, in 2018, to reauthorize the 702 program for seven years rather than six, its members wouldn’t have found out last week. Allowing the program to carry on without a mandate from Congress—with nothing but a green light from a secret court—is a legacy of dysfunction that most members aren’t eager to carry, and one that the intelligence community may also come to resent, as people start to question the integrity of its oversight.

“Although the legislation does not include every reform we have called for, it is a thoughtful compromise that would meaningfully restore privacy in the United States,” says Sean Vitka, policy director at Demand Progress, a digital rights nonprofit.

“An overwhelming number of Americans from across the political spectrum want Congress to seize this once-in-a-generation moment and get this done.”

Sinking Section 702 Wiretap Program Offered One Last Lifeboat

Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.

Friday, March 15, 2024 10:00

In ancient Greek mythos, the mighty Hercules faced a seemingly insurmountable challenge when he encountered the Lernaean Hydra. This fearsome serpent had a terrifying ability: For every head that Hercules severed, two more would spring forth, creating a never-ending cycle of regrowth and renewal. 

Much like the Hydra, modern ransomware gangs present society with a daunting task. When law enforcement manages to take one adversary or low-level member off the streets, the victory is often short-lived. In the hidden depths of these criminal organizations, the heads — or leaders — remain shrouded in shadow, orchestrating their operations often with impunity. 

And so, as one member falls, two more may rise to take their place, perpetuating an enduring saga of illicit activity that are the challenges of our time: the ransomware ecosystem. A landscape where affiliates tend to move from ransomware group to ransomware group, following the money, bringing their skills and tools with them to conduct new attacks.

In this blog, we’ll explore the recent law enforcement takedown of LockBit, a group who previously held the title of the number one most deployed ransomware variant for two years running. Just seven days after the takedown, LockBit claimed to resume their operations.

**The History of LockBit**

LockBit emerged around 2019. Since then, it has continually evolved and innovated to update their ransomware and build their RaaS program.

For the past two years, LockBit ransomware operations accounted for over 25 percent of the total number of posts made to data leak sites. CISA’s assessment is also that LockBit has been the most deployed ransomware variant in recent years.

As we wrote in the 2023 Talos Year in Review report, posts made to the group’s data leak site ebbed and flowed from September 2022 to August 2023. Detections of LockBit activity appear to spike in March, partially coinciding with LockBit’s deployment against vulnerable instances of the printer management software PaperCut, where it has remained consistently high**.**

💡

In 2020, Talos researchers made contact with a self-described LockBit operator. Over several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Confirmed theories included LockBit having a profit-sharing requirement that the affiliate has to meet for the first four or five ransoms. This also used to be the case for Maze. Also, keeping your word to the victim is an important part of LockBit’s business model. Read the interview in full __here__.

**The Collaboration Trend**

For the past two years, Talos researchers have written about a growing ransomware trend, wherein actors are increasingly collaborating with each other and sharing tools and infrastructure (aka the affiliate model).

For example, Talos recently reported on how the GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. The two groups have started a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker, providing various options for their affiliates.

We are seeing more diversified groups employing multiple encryption programs, as well as less sophisticated actors “standing on the shoulders” of giants by using leaked ransomware code. Some players are exiting the game altogether, but not before selling their source code to the highest bidder. This is posing significant challenges to the security community, especially when it comes to attributing attacks.

In the case of LockBit, this was also a group that operated as a RaaS model. They recruited affiliates by offering them shares of profits and encouraging them to conduct ransomware attacks using LockBit’s tools and infrastructure. These affiliates were often unconnected, and as a result, there were many variations in the attacks that used LockBit ransomware.

Notably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023 offering to recruit ALPHV (BlackCat) and NoEscape ransomware affiliates and any of the ALPHV developers, after the Federal Bureau of Investigation (FBI)’s announcement of a disruption campaign against the ALPHV ransomware operation.

**Operation Cronos**

The NCA, working closely with the FBI and supported by international partners from nine other countries, covertly investigated LockBit as part of a dedicated taskforce called Operation Cronos. 

On Feb. 20, 2024, after infiltrating the group’s network, the NCA took control of LockBit’s primary administration environment. This environment enabled affiliates to build and carry out ransomware attacks, as well as host the group’s public-facing leak site on the dark web, which was used to threaten the publication of data stolen from victims. 

The technical infiltration and disruption were only the beginning of a series of actions against LockBit and their affiliates. In wider actions coordinated by Europol, at least three LockBit affiliates were arrested in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group have been frozen.

**The Return**

Seven days after the operation, messages and leak information was published on a new LockBit page. Here are screenshots of their leak site taken daily from Feb. 27 – March 4, with a huge increase of cards on March 3.

The site lists both pre- and post-takedown victims, suggesting LockBit may not have lost access to their entire dataset or infrastructure. 

Of particular interest is the fbi.gov card in the lower right corner that links to a lengthy writeup (in English and Russian), stating what LockBit thinks happened during the operation. They talk about lessons learned, speculations and discredit the law enforcement agencies. Talos believes the operation was carried out by the NCA, not the FBI, as LockBit stated.

**A recurring theme**

While LockBit is currently dominating the headlines, we’ve seen similar stories before following takedown attempts. For example, the commodity trojan Trickbot had its infrastructure dismantled in February 2022.

However, Talos telemetry picked up Trickbot activity throughout 2023, as covered in our Year in Review.

**Still open for business**

Talos has intelligence that Lockbit is still accepting affiliates into their program. 

Does this mean that law enforcement operations are pointless? Far from it. Takedown attempts such as Operation Cronos severely disrupt their operations, and forces ransomware operators to change their attacks. The operation against LockBit doesn’t appear to have inflicted the final blow against the ransomware group, but it has wounded them. 

We also know that law enforcement was able to obtain troves of intelligence through their operation. That intelligence will only serve to be useful in further disruptions, undermining Lockbit's growth. Therefore, if you put Lockbit into a market perspective, they appear to be quite exposed. 

Crucially, as with the case of LockBit, decryption tools can be released so that victims of ransomware can gain access to their systems again. In January Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.

Therefore, it’s important not to view this operation as a “one and done” effort. Sustained, targeted approaches from law enforcement and the defender community can and do have a significant impact. For example, following the FBI’s actions against BlackCat/ALPHV, the group reportedly denied an affiliate a $22 million ransomware payment before subsequently going out of business in early March, as Brian Krebs wrote about on his website a few days ago.

Azim Khodjibaev from Talos’ threat interdiction and intelligence organization team discusses the ebs and flows of ransomware groups after a takedown in the episode of Talos Takes below. This episode was recorded in 2022 after a separate law enforcement operation to disrupt LockBit.

**The lucrative affiliate model**

One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time. In underground forums, we are seeing increased advertisements by RaaS groups showcasing their affiliate programs and offering profit shares. They can offer large profits, as threat actors can conduct multiple campaigns using the encryption programs that are offered or distributed. 

In the case of the GhostSec group, they have a business model that offers affilates three different options: a paid version, a free version and a version that allows actors who don’t want to become a member ransomware gang but would like to publish victim data on their leak site.

We are also seeing multiple groups working together, sharing their malicious tooling with each other, then falling out, and then building trust back up with each other, adding to the difficulty in attributing attacks. Here are Talos’ Nick Biasini and Matt Olney talking about the impact of leaked ransomware code, where Matt describes the situation as “The Real Housewives of Eastern Europe:”

Fundamentally, ransomware continues to be hugely profitable and widespread. In the last quarter, the Talos Incident Response team responded to ransomware incidents involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time, and there was a 17% rise in ransomware incidents in this quarter.

In the end, Operation Cronos may have disrupted LockBit’s operations temporarily with valuable assets gained, a weaker market position for the group, and a few affiliates are now sitting in jail. However, the Hyrdra’s roots run deeper, and this is why we may continue to see LockBit activity throughout the course of the year.

**Where to go from here**

Like Hercules who outwitted the Hydra with a blend of strength and strategy, our law enforcement’s relentless efforts are essential and commendable. It’s going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs. Arrests at the top will be a key part of this. In the case of LockBit, it appears as though the leaders of the group have evaded arrest on this occasion.  

At the very same time the people of Lerna (or us, the private defenders), need to pay attention to the entire threat landscape. We can’t rely on just Hercules to take them down. Just like we can’t be sure there is just a single Hydra.

Read more about the recent ransomware operations Talos Incident Responders engaged in.

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

By Waqas
New INTERPOL Financial Fraud assessment reveals how cybercrime is being fueled by the abuse of AI and other technologies.
This is a post from HackRead.com Read the original post: AI-Powered Scams, Human Trafficking Fuel Global Cybercrime Surge: INTERPOL

AI tech fuels surge in financial fraud and cybercrime, warns INTERPOL. Sophisticated scams and human trafficking rings exploit cryptocurrency and social engineering to steal billions. Urgent global action is needed to combat this growing threat.

In its latest assessment of global cybercrime and financial fraud, INTERPOL has rung the alarm on the rapidly increasing threat posed by growing sophisticated criminal operations leveraging technology.

The report reveals a difficult-to-face reality: the **emergence of Artificial Intelligence (AI)**, large language models, cryptocurrencies, and service-based fraud models like phishing and ransomware are empowering a surge in fraudulent activities worldwide.

Advanced technologies have enabled organized crime groups to carry out professional and complex fraud campaigns with minimal technical expertise and cost previously required. The emergence of malicious AI-powered chatbots like **WormGPT and FraudGPT** are a few such examples.

Notably, the report highlights the expansion of human trafficking networks involved in call center operations, particularly in executing hybrid scams such as ‘**pig-butchering**‘ schemes, which blend elements of romance and investment frauds while exploiting cryptocurrencies.

Secretary General of INTERPOL, Jürgen Stock, expressed serious concern over the epidemic of financial fraud, emphasizing the devastating impact on individuals, businesses, and even governments. He emphasised the urgent need for coordinated action to close existing loopholes, enhance information-sharing mechanisms, and encourage a global response to combat this threat.

Key findings from the report highlight the pervasive nature of financial fraud, with prevalent trends including investment fraud, advance payment fraud, **romance fraud**, and business email compromise. Furthermore, financial fraud typically involves networks of co-offenders, varying from highly organized to loosely affiliated groups.

To address the growing menace of financial fraud, the report advocates for the establishment of multi-stakeholder Public-Private Partnerships to trace and recover lost funds.

Notably, since the launch of INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) mechanism in 2022, over USD 500 million in criminal proceeds have been intercepted, primarily originating from cyber-enabled fraud.

Regional trends **outlined in the report** shed light on the evolving nature of financial fraud across continents:

**Africa:** Business Email Compromise (**BEC**) remains prevalent, with emerging trends in ‘pig butchering’ fraud. West African criminal syndicates are expanding transnationally, exhibiting expertise in various forms of online financial fraud.

**Americas:** Fraud types include impersonation, romance, tech support, advance payment, and telecom fraud. **Human trafficking-driven fraud** is on the rise, with syndicates exploiting victims coerced into committing financial crimes.

**Asia:** ‘**Pig butchering**‘ fraud schemes have proliferated, alongside telecommunication frauds where perpetrators impersonate officials to deceive victims. Criminal organizations in Asia are adopting business-like structures to facilitate fraudulent activities.

**Europe:** Online investment frauds and **phishing schemes are escalating**, targeting selected individuals and exploiting mobile phone apps. Criminal networks involved exhibit sophisticated modi operandi, often combining multiple fraud types.

In response to the news, we reached out to **Oliver Spence**, CEO of Cybaverse who emphasised the importance of employee training, of not ignoring the threats and tackling them before it is too late.

“This news from Interpol should not be taken lightly by organisations and clearly, financially motivated cybercrime is on the rise, and generative AI tools are heightening the problem while lowering the technical barrier of entry into cybercrime._”_

“To counter the threat, employees need to be trained about AI-generated phishing scams and taught to question emails, even when they seem realistic. Organisations must bolster this with email security solutions that can detect malicious code embedded into emails, so they can be stopped before reaching user inboxes,_”_ he advised.

As financial fraud continues to evolve and increase globally, the INTERPOL report goes on to highlight the urgent need for collaborative efforts to stem this growing epidemic and protect vulnerable individuals and entities from exploitation.

1.  INTERPOL Dismantles ’16shop’ Phishing-as-a-Service Platform
2.  Interpol Nets $300M, Arrests 3,500 in Major Cyber Crime Bust
3.  US government seizes classified advertising website Backpage
4.  Utilizing Programmatic Advertising to Locate Abducted Children
5.  Operation Narsil – INTERPOL Busts Decade-Old Child Abuse Network

AI-Powered Scams, Human Trafficking Fuel Global Cybercrime Surge: INTERPOL

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

The data privacy company **Onerep.com** bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

A testimonial on onerep.com.

Customer case studies published on onerep.com state that it struck a deal to offer the service to employees of **Permanente Medicine**, which represents the doctors within the health insurance giant **Kaiser Permanente**. Onerep also says it has made inroads among police departments in the United States.

But a review of Onerep’s domain registration records and that of its founder reveal a different side to this company. Onerep.com says its founder and CEO is **Dimitri Shelest** from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address **dmitrcox2@gmail.com**.

A search in the data breach tracking service Constella Intelligence for the name Dimitri Shelest brings up the email address **dimitri.shelest@onerep.com**. Constella also finds that Dimitri Shelest from Belarus used the email address **d.sh@nuwber.com**, and the Belarus phone number **+375-292-702786**.

Nuwber.com is a people search service whose employees all appear to be from Belarus, and it is one of dozens of people-search companies that Onerep claims to target with its data-removal service. Onerep.com’s website disavows any relationship to Nuwber.com, stating quite clearly, “Please note that OneRep is not associated with Nuwber.com.”

However, there is an abundance of evidence suggesting Mr. Shelest is in fact the founder of Nuwber. Constella found that Minsk telephone number (375-292-702786) has been used multiple times in connection with the email address **dmitrcox@gmail.com**. Recall that Onerep.com’s domain registration records in 2018 list the email address dmitrcox2@gmail.com.

It appears Mr. Shelest sought to reinvent his online identity in 2015 by adding a “2” to his email address. The Belarus phone number tied to Nuwber.com shows up in the domain records for **askmachine.org**, and DomainTools says this domain is tied to both dmitrcox@gmail.com and dmitrcox2@gmail.com.

Onerep.com CEO and founder Dimitri Shelest, as pictured on the “about” page of onerep.com.

A search in DomainTools for the email address dmitrcox@gmail.com shows it is associated with the registration of at least 179 domain names, including dozens of mostly now-defunct people-search companies targeting citizens of Argentina, Brazil, Canada, Denmark, France, Germany, Hong Kong, Israel, Italy, Japan, Latvia and Mexico, among others.

Those include **nuwber.fr**, a site registered in 2016 which was identical to the homepage of Nuwber.com at the time. DomainTools shows the same email and Belarus phone number are in historic registration records for nuwber.at, nuwber.ch, and nuwber.dk (all domains linked here are to their cached copies at archive.org, where available).

Nuwber.com, circa 2015. Image: Archive.org.

Historic WHOIS records for onerep.com show it was registered for many years to a resident of Sioux Falls, SD for a completely unrelated site. But around Sept. 2015 the domain switched from the registrar GoDaddy.com to eNom, and the registration records were hidden behind privacy protection services. DomainTools indicates around this time onerep.com started using domain name servers from DNS provider constellix.com. Likewise, Nuwber.com first appeared in late 2015, was also registered through eNom, and also started using constellix.com for DNS at nearly the same time.

Listed on LinkedIn as a former product manager at OneRep.com between 2015 and 2018 is **Dimitri Bukuyazau**, who says their hometown is Warsaw, Poland. While this LinkedIn profile (linkedin.com/in/**dzmitry**bukuyazau) does not mention Nuwber, a search on this name in Google turns up a 2017 blog post from privacyduck.com, which laid out a number of reasons to support a conclusion that OneRep and Nuwber.com were the same company.

“Any people search profiles containing your Personally Identifiable Information that were on Nuwber.com were also mirrored identically on OneRep.com, down to the relatives’ names and address histories,” Privacyduck.com wrote. The post continued:

> “Both sites offered the same immediate opt-out process. Both sites had the same generic contact and support structure. They were – and remain – the same company (even PissedConsumer.com advocates this fact: https://nuwber.pissedconsumer.com/nuwber-and-onerep-20160707878520.html).”
> 
> “Things changed in early 2016 when OneRep.com began offering privacy removal services right alongside their own open displays of your personal information. At this point when you found yourself on Nuwber.com OR OneRep.com, you would be provided with the option of opting-out your data on their site for free – but also be highly encouraged to pay them to remove it from a slew of other sites (and part of that payment was removing you from their own site, Nuwber.com, as a benefit of their service).”

Reached via LinkedIn, Mr. Bukuyazau declined to answer questions, such as whether he ever worked at Nuwber.com. However, Constella Intelligence finds two interesting email addresses for employees at nuwber.com: d.bu@nuwber.com, and d.bu+figure-eight.com@nuwber.com, which was registered under the name “**Dzmitry**.”

PrivacyDuck’s claims about how onerep.com appeared and behaved in the early days are not readily verifiable because the domain onerep.com has been completely excluded from the Wayback Machine at archive.org. The Wayback Machine will honor such requests if they come directly from the owner of the domain in question.

Still, Mr. Shelest’s name, phone number and email also appear in the domain registration records for a truly dizzying number of country-specific people-search services, including **pplcrwlr.in**, pplcrwlr.fr, pplcrwlr.dk, pplcrwlr.jp, **peeepl.br.com**, **peeepl.in**, peeepl.it and peeepl.co.uk.

The same details appear in the WHOIS registration records for the now-defunct people-search sites waatpp.de, waatp1.fr, azersab.com, and ahavoila.com, a people-search service for French citizens.

The German people-search site waatp.de.

A search on the email address dmitrcox@gmail.com suggests Mr. Shelest was previously involved in rather aggressive email marketing campaigns. In 2010, an anonymous source leaked to KrebsOnSecurity the financial and organizational records of **Spamit**, which at the time was easily the largest Russian-language pharmacy spam affiliate program in the world.

Spamit paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. Mr. Shelest’s email address stood out because immediately after the Spamit database was leaked, KrebsOnSecurity searched all of the Spamit affiliate email addresses to determine if any of them corresponded to social media accounts at **Facebook.com** (at the time, Facebook allowed users to search profiles by email address).

That mapping, which was done mainly by generous graduate students at my alma mater **George Mason University**, revealed that dmitrcox@gmail.com was used by a Spamit affiliate, albeit not a very profitable one. That same Facebook profile for Mr. Shelest is still active, and it says he is married and living in Minsk (last update: 2021).

The Italian people-search website peeepl.it.

Scrolling down Mr. Shelest’s Facebook page to posts made more than ten years ago show him liking the Facebook profile pages for a large number of other people-search sites, including findita.com, findmedo.com, folkscan.com, huntize.com, ifindy.com, jupery.com, look2man.com, lookerun.com, manyp.com, peepull.com, perserch.com, persuer.com, pervent.com, piplenter.com, piplfind.com, piplscan.com, popopke.com, pplsorce.com, qimeo.com, scoutu2.com, search64.com, searchay.com, seekmi.com, selfabc.com, socsee.com, srching.com, toolooks.com, upearch.com, webmeek.com, and many country-code variations of viadin.ca (e.g. viadin.hk, viadin.com and viadin.de).

The people-search website popopke.com.

Domaintools.com finds that all of the domains mentioned in the last paragraph were registered to the email address dmitrcox@gmail.com.

Mr. Shelest has not responded to multiple requests for comment. KrebsOnSecurity also sought comment from onerep.com, which likewise has not responded to inquiries about its founder’s many apparent conflicts of interest. In any event, these practices would seem to contradict the goal Onerep has stated on its site: “We believe that no one should compromise personal online security and get a profit from it.”

The people-search website findmedo.com.

**Max Anderson** is chief growth officer at 360 Privacy, a legitimate privacy company that works to keep its clients’ data off of more than 400 data broker and people-search sites. Anderson said it is concerning to see a direct link between between a data removal service and data broker websites.

“I would consider it unethical to run a company that sells people’s information, and then charge those same people to have their information removed,” Anderson said.

Last week, KrebsOnSecurity published an analysis of the people-search data broker giant **Radaris**, whose consumer profiles are deep enough to rival those of far more guarded data broker resources available to U.S. police departments and other law enforcement personnel.

That story revealed that the co-founders of Radaris are two native Russian brothers who operate multiple Russian-language dating services and affiliate programs. It also appears many of the Radaris founders’ businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

KrebsOnSecurity will continue investigating the history of various consumer data brokers and people-search providers. If any readers have inside knowledge of this industry or key players within it, please consider reaching out to krebsonsecurity at gmail.com.

**Update, March 15, 11:35 a.m. ET:** Many readers have pointed out something that was somehow overlooked amid all this research: The Mozilla Foundation, the company that runs the Firefox Web browser, has launched a data removal service called Mozilla Monitor service that bundles OneRep. That notice says Mozilla Monitor is offered as a free or paid subscription service.

“The free data breach notification service is a partnership with Have I Been Pwned (“HIBP”),” the Mozilla Foundation explains. “The automated data deletion service is a partnership with OneRep to remove personal information published on publicly available online directories and other aggregators of information about individuals (“Data Broker Sites”).”

In a statement shared with KrebsOnSecurity.com, Mozilla said they did assess OneRep’s data removal service to confirm it acts according to privacy principles advocated at Mozilla.

“We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together,” the statement reads. “We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!”

Thursday, March 14, 2024 14:00

Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign.  

After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was some sort of coordinated attack to disrupt Americans’ services that largely power our day-to-day lives. The outage lasted about 11 hours, and after the fact, the company announced they’d give customers a whopping $5 credit to make up for the issue. The Federal Communications Commission also announced last week that it was launching a formal investigation into the outage, requesting more information about the exact cause and how many users were affected.  

About two weeks later, the same kinds of messages and questions to our team came flooding in when Meta experienced an outage across many of its platforms, most notably Facebook, Instagram and Threads. Though this only lasted a few hours, any time Americans can’t access their Instagram feeds, it’s going to make headlines. 

In both cases, consumers immediately wanted to start pointing fingers — Which actor was behind these? Why is there so little information about this outage? Is this China getting revenge for talk of forcing a TikTok sale? What’s the broader conspiracy behind this? The outages also quickly opened the door for some of the world’s chief spreaders of misinformation and fake news to start spreading conspiracy theories. 

The problem is, not every technical issue can or needs to be explained away by a cyber attack. That’s not to undersell the danger that state-sponsored APTs pose currently, or the fact that they \*could\* one day cause a disruption like this. But jumping to that conclusion every time Down Detector pops off is only going to spread fear/FUD and help these outlets for disinformation reach a larger audience.  

It creates a “boy who cried wolf” situation for when a major cyber attack actually does happen, and the average consumer is forced to make an immediate update to some piece of software or hardware. 

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!” conclusion. One is that Hollywood has been “glamorizing” the idea of a major cyber attack or major disruption for years now. Movies and TV shows like Netflix’s “Leave the World Behind” have dramatized what a major cyber attack or internet outage may look like, and how quickly it could lead to the unraveling of civilization. Because of our current doomscrolling culture, the second something even looks like it could be a cyber event, we’re ready to declare the end of our economy and society. 

It’s also sexier when it’s a cyber attack. AT&T says its outage was caused by a technical error that occurred when it was trying to upgrade its network’s capacity, explicitly stating it was not caused by any sort of disruption campaign or cyber attack. Meta simply chalked their outage up to a “technical issue.”  

None of these things make for good headlines. But sometimes, the simplest explanation is the most obvious one — we’ve all pressed a wrong button here or there, and stuff breaks on the internet all the time for all sorts of reasons. But “Users logged out of Instagram after Meta employee hits ‘enter’ too soon” isn’t as eye-catching as “Are Instagram and Facebook down because of a cyber attack?” 

Could these multi-billion-dollar corporations be lying? Sure, but I also find it hard enough to believe that the truth would not have made it out to consumers by now if these outages weren’t simple technical issues, nor would AT&T feel compelled to reimburse customers for something that could be totally out of their control. 

And if you ever get logged out of Facebook or Instagram, maybe you’re just better off being offline for a few hours anyway than immediately assuming Mahershala Ali is going to be knocking on your vacation home’s door in any minute.   

**The one big thing **

We want to keep reminding users to update and upgrade their network infrastructure. Aging devices like switches and routers that are used across the globe are a consistently vulnerable surface for adversaries to gain an initial foothold onto targeted networks. Talos recently highlighted the three most common post-compromise attacks that adversaries carry out after compromising these types of vulnerable devices, including modifying the device’s firmware and downgrading the firmware to remove older patches and open the door to new exploitable vulnerabilities. Nick Biasini from Talos Outreach also spoke about this issue for an article in NetworkWorld.  

**Why do I care? **

As Hazel Burton puts it in the blog post linked above: “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts.” 

**So now what? **

If you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered.   

**Top security headlines of the week **

**Security researchers have found a new vulnerability affecting chips made by nearly all major CPU makers dubbed “GhostRace.”** The vulnerability, identified as CVE-2024-2193, requires an adversary to win a race condition and to have physical or privileged access to the targeted machine. However, it could allow a malicious user to steal potentially sensitive information from memory like passwords and encryption keys. "The vulnerability affects many CPU architectures, including those made by Intel, AMD, Arm and IBM. It also affected some hypervisor vendors and the Linux operating system. AMD released an advisory this week that informed customers that they should follow previous defense guidance for other security flaws like Spectre that have affected CPUs in the past. “Our analysis shows all the other common write-side synchronization primitives in the Linux kernel are ultimately implemented through a conditional branch and are therefore vulnerable to speculative race conditions,” VU Amsterdam said in its blog post disclosing GhostRace. (SecurityWeek, Vrije Universiteit Amsterdam) 

**Health care providers are still reeling from a cyber attack on Change Healthcare**, a subsidiary of the United HealthGroup Inc. insurance provider. First Health Advisory, a digital health risk assurance firm, recently estimated that health care providers are losing an estimated $100 million daily as they still cannot process payments from insurance providers. Change first disclosed the suspected ransomware attack in late February, and on March 5, the U.S. government announced a plan to provide relief payments for providers who are facing financial shortfalls due to the outage. Many doctors' offices and care clinics are facing late rent payments and unpaid invoices. The attack has also limited some patients’ ability to obtain pre-authorization for certain services and surgeries, and others have not been able to refill their prescriptions at hospitals. U.S. Congress is also asking the CEO of United HealthGroup to appear before a committee to answer questions about the hack. (CBS News, Bloomberg) 

**The U.S. has placed formal sanctions against two individuals and five entities associated with the Intellexa Consortium,** responsible for developing and distributing the Predator spyware. Talos has previously reported on Intellexa’s tools, and how their spyware is silently loaded onto targeted devices. This is the first time the Treasury Department has sanctioned a spyware organization and announced it publicly. The sanctions include five vendors who work with Intellexa to sell the spyware, all of whom are spread across Europe. Intellexa itself is based in Greece. Predator and other spyware developed by private parties are often used to target high-risk individuals to track their communication and movement, including politicians, journalists, activists and political dissidents. Under the sanctions, anyone in the U.S. is forbidden from doing business with Intellexa or the associated companies and individuals. The Biden administration has long pushed for additional action against spyware makers, including Israel-based NSO Group, which distributes the Pegasus spyware. (Voice of America, Axios) 

**Can’t get enough Talos? **

*   Threat actors leverage document publishing sites for ongoing credential and session token theft 
*   Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music 
*   Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft 
*   Talos Takes Ep. #175: What's new about GhostSec's ransomware-as-a-service model 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_   

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe   
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a   
**Typical Filename:** nYzVlQyRnQmDcXk   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent

Not everything has to be a massive, global cyber attack

By Waqas
Microsoft's Copilot for Security will be accessible through a pay-as-you-use licensing model.
This is a post from HackRead.com Read the original post: Microsoft is Opening AI-Powered “Copilot for Security” to Public

Microsoft’s innovative security solution, Copilot for Security, will be available to the public from April 1, 2024, marking a significant advancement in the fight against cybercrime.

Microsoft Copilot for Security, initially accessible to select users through an exclusive early access initiative, is an innovative AI-driven tool aimed at fortifying defenders’ capabilities and efficiency in tackling security challenges. The feature is now becoming available to the public, enabling everyone to leverage its benefits.

****What is Microsoft Copilot?****

Copilot is an industry-first **generative AI** solution designed to empower security and IT professionals. It leverages the power of artificial intelligence to analyze vast amounts of data and provide crucial insights, allowing security teams to:

*   **Catch hidden threats:** Copilot’s AI capabilities can uncover subtle anomalies that human analysts might miss, bolstering overall threat detection.
*   **Respond faster:** By automating routine tasks and offering real-time guidance, Copilot streamlines security operations, enabling a quicker response to security incidents.
*   **Boost expertise:** The AI assistant serves as a valuable learning tool, helping security professionals stay up-to-date on the latest threats and best practices.

****Microsoft Copilot for Security: Tailored for the Modern Defender****

This specific feature of Copilot focuses on the unique needs of cybersecurity professionals. It integrates seamlessly with existing security workflows, offering features such as:

*   **Natural language interaction:** Security personnel can interact with Copilot using plain English, asking questions and receiving clear, actionable responses.
*   **Enhanced incident response:** Copilot assists in investigations by analyzing data, suggesting potential causes, and recommending next steps.
*   **Proactive threat hunting:** The AI proactively scans for vulnerabilities and suspicious activity, helping to identify potential threats before they escalate.
*   **Improved posture management:** Copilot continuously monitors an organization’s security posture, providing valuable insights for strengthening defences.

> _“Threat actors are getting more sophisticated. Things happen fast, so we need to be able to respond fast. With the help of Copilot for Security, we can start focusing on automated responses instead of manual responses. It’s a huge gamechanger for us.”_
> 
> Mario Ferket, Chief Information Security Officer, Dow Inc.

****General Availability and Beyond****

Microsoft **announced** the general availability of Copilot for Security on April 1, 2024. This means the solution is now accessible for purchase by any organization seeking to strengthen its cybersecurity efforts.

The future of Copilot appears bright, with Microsoft continuously developing new capabilities. The company emphasizes its commitment to working with security professionals to further refine the solution and ensure it remains a valuable asset in the growing cyber threat landscape.

1.  Microsoft’s new tool detects, reports pedophiles in chats
2.  Kali Linux 2023.4 is Out: Cloud ARM64, Hyper-V, Pi 5, & More!
3.  Microsoft’s Windows File Recovery tool recovers your lost data
4.  Microsoft launches Linux memory forensics tool to detect malware
5.  McAfee’s Mockingbird AI Tool Detects Deepfake with 90% accuracy

Microsoft is Opening AI-Powered “Copilot for Security” to Public

Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214083.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Admin Framework  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23276: Kirin (@Pwnrin)

Airport  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto  
Available for: macOS Monterey  
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5  
ciphertexts without having the private key  
Description: A timing side-channel issue was addressed with improvements  
to constant-time computation in cryptographic functions.  
CVE-2024-23218: Clemens Lang

Dock  
Available for: macOS Monterey  
Impact: An app from a standard user account may be able to escalate  
privilege after admin user login  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous  
researcher

MediaRemote  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal  
Available for: macOS Monterey  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Notes  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23283

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: An injection issue was addressed with improved input  
validation.  
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)  
CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to bypass certain Privacy preferences  
Description: The issue was addressed with improved checks.  
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved file handling.  
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Monterey  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions checks.  
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts  
Available for: macOS Monterey  
Impact: Third-party shortcuts may use a legacy action from Automator to  
send events to apps without user consent  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-23245: an anonymous researcher

Storage Services  
Available for: macOS Monterey  
Impact: A user may gain access to protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23272: Mickey Jin (@patch1t)

macOS Monterey 12.7.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqccMACgkQX+5d1TXa  
IvoRPw//aOvhmfw+nqXXgAMv5Ptm8/G29gC7vtiS6WVFJsmUEQA5aM5P8KYRT1VP  
UtxDS0ShqKze958tIsiGpOshP7jildMmv52VKLG3HIV8XTTgiSBmO7ODPheGQaaG  
wgUkoZbue7VRSr9UZEm8qbLPdJpCUIbSWJImRbE6k4+Ap1IqRsYVv01gLN9+Ohhw  
tv6ObXbqeKI7EjRcfxqAG/SdehWg2azogMsdrq+wfpaEZG+Fy6B2NPu8AOcKICRQ  
to8JKPWMvtoGjbns5r8OPd9O29z3icsIB8b3qfQZHTc5i/eWi++VoAhLR2lEq8Ts  
hUPbOyf1AU4BeFKCC2MI060lOwK1WE4LRvD/CWv0g02b+yW9lXQ5xTah4+ycYaEp  
vXbxtlp7Da8s0XTDACFVvfMMN7fi3NIBSjwtz6YnqN6cxVnV/re69UYwuT44aJ4s  
UA5NElkhe7NZJ1+QQ5mSws19+PjP7TZpdeaPxxQfr6JN2Mi0a52tCaCmF0gIZHJj  
/HyjQzJHb40w5e4Vqw2r4GxvgZvjmUiW4pvPXgKD+6Ykp+g4lhHldSSFnDakjSy3  
OUM2idhKAHeHdFSm6UEv4ehhJM660DbDRujaZPpVuSKpcqKS79vcjs/gD/EGt/uG  
rhwMQd321+WzaKcGxu0gbAVRMzAtP/yxMEovCU2zFfh3AxbopDg=  
=KbmJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-4

Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Artificial intelligence (AI) has been evolving as one of the top priorities for organizations because of the increasing volume of data being generated from core data centers to the edge. Similarly, the adoption of Kubernetes in the past 10 years has resulted in improved scalability, reliability and business resilience.

While Kubernetes has resulted in immense benefits, operational management and security continue to be challenging. Managing software supply chain integrity, monitoring the security of container images and runtime environments and enforcing compliance policies can be overwhelming.

Organizations frequently experience challenges scaling AI and machine learning (AI/ML) use cases for enterprise-wide adoption. MLOps helps teams provision infrastructure, stage models, manage dependencies, orchestrate model calling and serve AI models in a scalable fashion to accelerate the time-to-value of AI/ML applications for organizations. MLOps has been gaining momentum with Kubernetes adoption for data models similar to how DevOps has been adopted for app development, providing self-healing, auto scalability, automated pipeline and many more capabilities.

An MLOps process constitutes five major steps:

1.  Data acquisition from different sources
2.  Data tuning and data validation
3.  Data model training
4.  Deploying models at scale to enable AI applications
5.  Continuous monitoring and modification of models and AI applications

Red Hat OpenShift AI is built using open source technologies, providing a flexible and scalable MLOps platform with tools to build, deploy and manage AI-enabled applications. It brings together a powerful suite of tools designed to make the process of fine-tuning and serving foundation models more seamless, scalable and efficient, simplifying the end-to-end data science process from model development to deployment.

Red Hat OpenShift Platform Plus serves as a foundation for MLOps, providing a collaborative environment for data scientists, analysts, operations and developers, resulting in a 210% return on investment and 20% improvement in data scientist efficiencies. OpenShift AI and OpenShift Platform Plus provide a more secure open hybrid cloud platform to run data science models, that enables tighter controls across application development, model provenance, governance and runtime threat detection.

Kubernetes misconfigurations are serious threats against containerized AI workloads because cybercriminals can exploit these settings to breach the enterprises (for example, enabling anonymous access with high privileges or getting access to data users aren’t allowed to access). Data model security must be considered early in the MLOps pipeline, and shouldn’t be an afterthought. OpenShift Platform Plus, along with its ecosystem partners, reduces complexity by enforcing security policies and providing a zero trust architecture for running AI models on the platform.

Here are 12 aspects of OpenShift Platform Plus that make this possible:

1.  **Red Hat Enterprise Linux CoreOS**: OpenShift runs on Red Hat Enterprise Linux CoreOS, providing the same rich automated and remote upgrade features of Red Hat Enterprise Linux (RHEL) while enhancing the security and experience for developers, data scientists and operations team.
2.  **Role Based Access Control (RBAC)**: RBAC allows fine-grained control over who has various access levels to the cluster, helping define strict boundaries between different projects and blocking unauthorized resource access.
3.  **Auditing and monitoring**: OpenShift provides the ability to audit and monitor the cluster in a variety of ways, including metrics, alerts, logs, dashboards, etc.
4.  **Context-based access control**: Red Hat Single Sign-On (SSO), included in OpenShift, provides identity federation based on SAML 2.0, OpenID Connect and OAuth 2.0.
5.  **Multifactor authentication**: OpenShift supports multiple identity providers, including active directory, LDAP, OpenID connect, etc.  
6.  **Quotas and limit range**: OpenShift allows you to enforce resource quotas per project to limit the damage from denial of service attacks. The namespace segregation and storage isolation are also enforced.
7.  **Compliance Operator**: This operator allows you to assess the required compliance state of the cluster as well as provide an overview of gaps and ways to remediate them.
8.  **Real-time vulnerability management**: Red Hat Advanced Cluster Security for Kubernetes helps detect and restrict network policy based on application ports and protocols.
9.  **Encryption**: Red Hat OpenShift Data Foundation supports cluster-wide encryption (encryption-at-rest) for all the disks and multicloud Object Gateway operations in the storage cluster.
10.  **Implement version control**: Quay.io helps prevent deploying of images with known vulnerabilities.
11.  **Secrets**: OpenShift provides a mechanism to store sensitive information such as passwords, configuration files and repository credentials to help avoid data poisoning.
12.  **Regularly updated container images**: OpenShift simplifies Day-2 activities and health checks to improve the speed at which vulnerabilities are addressed.

To summarize, Red Hat provides an enterprise-ready open hybrid cloud platform enabling self-service for data scientists and developers to integrate, streamline, automate and simplify the creation of a zero trust architecture for MLOps processes. Please reach out to your account team for more information.

Arun Mamgai has more than 18 years of experience in cloud-native application modernization, cybersecurity, open-source secure supply chain, data privacy, AI/machine learning, and digital transformation while working with Fortune 1000 customers across industries. He is responsible for building strategic relationship with technology leaders and promoting Red Hat OpenShift cloud-native application development platform, cybersecurity, and software supply chain solutions.

Read full bio

Niti comes with 20 years of experience in technology at different levels. From writing ANSI C applications on embedded devices to PHP based web applications to microservices on OpenShift, she has extensive knowledge on ‘how’ and ‘why’ of building applications. 

Read full bio

Tag

#intel