Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default JMX endpoint is only bound locally.

We recommend users to:
 - Upgrade to a non-vulnerable Apache James version

 - Run Apache James isolated from other processes (docker - dedicated virtual machine)
 - If possible turn off JMX



1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-51518

**Apache James server: Privilege escalation via JMX pre-authentication deserialization**

Moderate severity GitHub Reviewed Published Feb 27, 2024 to the GitHub Advisory Database • Updated Feb 27, 2024

**Package**

maven org.apache.james:james-server (Maven)

**Affected versions**

<= 3.7.4

\>= 3.8.0, < 3.8.1

**Patched versions**

3.7.5

3.8.1

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.  
Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation.  
Note that by default JMX endpoint is only bound locally.

We recommend users to:  
 - Upgrade to a non-vulnerable Apache James version

 - Run Apache James isolated from other processes (docker - dedicated virtual machine)  
 - If possible turn off JMX

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-51518
*   https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or

Published to the GitHub Advisory Database

Feb 27, 2024

Last updated

Feb 27, 2024

GHSA-px7w-c9gw-7gj3: Apache James server: Privilege escalation via JMX pre-authentication deserialization

This week on the Lock and Code podcast, we speak with Joseph Cox about how an OnlyFake-generated fake ID fooled a cryptocurrency exchange.

_This week on the Lock and Code podcast…_

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a _photo_ of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a _photo_ of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.

The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an _image_.

Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out _images_ of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.

When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.

In short, it did.

By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the AI claims and limitations of OnlyFake, what’s in store for the future of the site— which went dark after Cox’s report—and what other types of fraud are now dangerously within reach for countless threat actors.

> Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.
> 
> Joseph Cox, 404 Media co-founder

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How to make a fake ID online, with Joseph Cox: Lock and Code S05E05 

Gentoo Linux Security Advisory 202402-32 - A vulnerability has been discovered in btrbk which can lead to remote code execution. Versions greater than or equal to 0.31.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: btrbk: Remote Code Execution  
     Date: February 26, 2024  
     Bugs: #806962  
       ID: 202402-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in btrbk which can lead to remote  
code execution.

Background  
==========

btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs  
specific capabilities to create atomic snapshots and transfer them  
incrementally to your backup locations.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
app-backup/btrbk  < 0.31.2      >= 0.31.2

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

Specialy crafted commands may be executed without being propely checked.  
Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh  
in authorized_keys.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All btrbk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"

References  
==========

[ 1 ] CVE-2021-38173  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38173

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-32

Gentoo Linux Security Advisory 202402-31 - A vulnerability has been discovered in GNU Aspell which leads to a heap buffer overflow. Versions greater than or equal to 0.60.8-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-31  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GNU Aspell: Heap Buffer Overflow  
     Date: February 26, 2024  
     Bugs: #803113  
       ID: 202402-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GNU Aspell which leads to a heap  
buffer overflow.

Background  
==========

GNU Aspell is a popular spell-checker. Dictionaries are available for  
many languages.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-text/aspell  < 0.60.8-r3   >= 0.60.8-r3

Description  
===========

Multiple vulnerabilities have been discovered in GNU Aspell. Please  
review the CVE identifiers referenced below for details.

Impact  
======

GNU Aspell has a heap-based buffer overflow in  
acommon::ObjStack::dup_top (called from acommon::StringMap::add and  
acommon::Config::lookup_list)

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All aspell users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/aspell-0.60.8-r3"

References  
==========

[ 1 ] CVE-2019-25051  
      https://nvd.nist.gov/vuln/detail/CVE-2019-25051

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-31

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-31

Gentoo Linux Security Advisory 202402-30 - A vulnerability has been found in Glances which may lead to arbitrary code execution. Versions greater than or equal to 3.1.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Glances: Arbitrary Code Execution  
     Date: February 26, 2024  
     Bugs: #791565  
       ID: 202402-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Glances which may lead to arbitrary  
code execution.

Background  
==========

Glances is an open-source system cross-platform monitoring tool. It  
allows real-time monitoring of various aspects of your system such as  
CPU, memory, disk, network usage etc.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
sys-process/glances  < 3.1.7       >= 3.1.7

Description  
===========

A vulnerability in XML parsing may lead to a variety of XML attacks.

Impact  
======

A vulnerability in XML parsing may lead to a variety of XML attacks.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Glances users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-30

Backdoor.Win32.AutoSpy.10 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AutoSpy.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands avail are "info tick" which returns system information, "kill" [file] etc.Family: AutoSpyType: PE32MD5: b012704cad2bae6edbd23135394b9127Vuln ID: MVID-2024-0671Disclosure: 02/24/2024Exploit/PoC:C:\sec>nc64.exe x.x.x.x 1008startapp "c:\Windows\System32\mspaint.exe"Application started...startapp "c:\Windows\System32\calc.exe"Application started...msgbox hateMessagebox shown...info tickProduct Name       :Product ID         :Product Type       :User Organization  :User Name          :System Root        :Version            :Version Number     :Sub Version Number :Computer Name      : DESKTOP-2C4IJHOTime Zone          : @tzres.dll,-112Network Logon      :beep BeepBeep send...hangup victimDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AutoSpy.10 MVID-2024-0671 Remote Command Execution

Republicans who run elections are split over whether to keep working with the Cybersecurity and Infrastructure Security Agency to fight hackers, online falsehoods, and polling-place threats.

The meeting between top US election officials and their cybersecurity partners from the federal government almost went off without a hitch. Then Mac Warner spoke up.

Warner, West Virginia’s Republican secretary of state, didn’t have a mundane logistical question for the government representatives, who were speaking at the winter meeting of the National Association of Secretaries of State in Washington, DC, on February 8. Instead, Warner lambasted the officials for what he said was their agencies’ scheme to suppress the truth about US president Joe Biden’s son Hunter during the 2020 election and then cover their tracks.

“When we have our own federal agencies lying to the American people, that’s the most insidious thing that we can do in elections,” Warner told the officials from the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), who watched him impassively from the stage. “You all need to clean up your own houses.”

Neither of the officials responded to Warner, and the NASS meeting—a semiannual confab for the nation’s election administrators that deals with everything from mail-in voting to cyber threats—quickly moved on to other business. But Warner, who attended an election-denier rally after Biden’s 2020 victory and is now running for governor on a far-right platform, isn’t a fringe voice in the GOP. His impassioned speech reflected a growing right-wing backlash to the election security work of agencies like CISA and the FBI—one that now threatens the partnership that the federal government has been painstakingly building with state leaders over the eight years since Russia interfered in the 2016 election.

CISA plays a critical role in helping states run secure elections, but its work alerting social media companies to misinformation has earned it special contempt from conservatives. While most GOP secretaries of state are holding their fire about CISA’s efforts to combat online lies, Democrats and nonpartisan experts worry that that could change in the coming years. With national Republicans increasingly turning against CISA—investigating its activities and voting to slash its budget—the agency’s partnerships with GOP leaders in the states are more vulnerable than ever before.

“The hard and necessary work of securing our elections should not be a partisan issue,” says US representative Chris Deluzio, a Pennsylvania Democrat and former cyber policy scholar. “So I am very concerned that some Republican secretaries of state might undermine that work just to serve their selfish partisan interests.”

Stumbling Into Controversy

The federal program that earned Warner’s wrath began as a response to the rampant mis- and disinformation that has spread online since the 2016 election.

Determined to avoid another contest marred by viral false claims about voting processes, CISA in 2018 began coordinating conversations with social media companies and other federal agencies about the best ways to counter dangerous and destabilizing lies. During the 2020 election, through a process known as “switchboarding,” CISA alerted social media firms to complaints from state and local election officials about online misinformation, such as posts advertising incorrect voting times and locations.

It was in this spirit that FBI officials met with Twitter and Facebook executives in the lead-up to Election Day 2020 and advised them to be wary of Russian disinformation operations involving fake documents. That warning later led both companies to suppress posts about a controversial _New York Post_ story about the contents of a laptop belonging to Hunter Biden.

Silicon Valley’s response to the Hunter Biden laptop story outraged conservatives, who began accusing tech companies and their federal partners of conspiring to censor speech in an effort to rig the election. In subsequent investigations, CISA found itself squarely in the crosshairs. The agency had already earned the ire of former president Donald Trump and his allies for reassuring the public about the integrity of the 2020 election, but the new controversy practically made it a pariah on the right.

In June 2023, a House Judiciary Committee report blasted CISA as “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” A few months later, a federal appeals court partially affirmed a district judge’s ruling that placed limits on CISA’s ability to communicate with tech companies, finding that the agency’s work to fight disinformation “likely violated the First Amendment.”

Stunned by the intense backlash, CISA stopped working with social media platforms to combat mis- and disinformation. The FBI, too, scaled back its interactions with those companies, halting briefings about foreign interference activities. “The symbiotic relationship between the government and the social media companies has definitely been fractured,” a US official told NBC News.

CISA has staunchly avoided acknowledging the reality that its reputation has been damaged.

“CISA’s election security mission is stronger than ever,” says Cait Conley, a senior adviser to director Jen Easterly who oversees the agency’s election work. “We remain engaged with election officials in all 50 states and will continue to conduct all of our work in an apolitical and nonpartisan manner.”

A GOP Split

As the controversies have eroded CISA’s bipartisan brand, Republicans who run elections have split into two camps over whether to keep working with the agency to fight hackers, online falsehoods, and polling-place threats.

West Virginia’s Warner is the indisputable flag-bearer of the anti-CISA camp. “I’ve pulled away from them,” he tells WIRED at the NASS conference, a few hours after venting his frustrations to the federal officials. “I’m not attending their briefings, because I haven’t found anything useful out of them.”

Warner says he’s proud of the “tremendous advances” that federal and state officials have made together on election security since 2016, but he warns that CISA and the FBI will continue losing conservatives’ trust until they investigate their roles in the controversies of 2020. “I’ve brought this to the attention of CISA officials,” he says, “and there’s no effort there to do this.”

Warner argues that CISA’s warnings about foreign disinformation, AI-powered deep fakes, and death threats to election officials are “distractions from the real threat to American democracy” posed by censorship.

It remains unclear how many of Warner’s colleagues agree with him. But when WIRED surveyed the other 23 Republican secretaries who oversee elections in their states, several of them said they would continue working with CISA.

“The agency has been beneficial to our office by providing information and resources as it pertains to cybersecurity,” says JoDonn Chaney, a spokesperson for Missouri’s Jay Ashcroft.

South Dakota’s Monae Johnson says her office “has a good relationship with its CISA partners and plans to maintain the partnership.”

But others who praised CISA’s support also sounded notes of caution.

Idaho’s Phil McGrane says CISA is doing “critical work … to protect us from foreign cyber threats.” But he also tells WIRED that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a public-private collaboration group that he helps oversee, “is actively reviewing past efforts regarding mis/disinformation” to determine “what aligns best” with CISA’s mission.

Mississippi’s Michael Watson says that “statements following the 2020 election and some internal confidence issues we’ve since had to navigate have caused concern.” As federal and state officials gear up for this year’s elections, he adds, “my hope is CISA will act as a nonpartisan organization and stick to the facts.”

CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.”

Free Help at Risk

CISA’s defenders say the agency does critical work to help underfunded state and local officials confront cyber and physical threats to election systems.

The agency’s career civil servants and political leaders “have been outstanding” during both the Trump and Biden administrations, says Minnesota secretary of state Steve Simon, a Democrat.

Others specifically praised CISA’s coordination with tech companies to fight misinformation, arguing that officials only highlighted false claims and never ordered companies to delete posts.

“They’re just making folks aware of threats,” says Arizona’s Democratic secretary of state, Adrian Fontes. The real “bad actors,” he says, are the people who “want the election denialists and the rumor-mongers to run amok and just spread out whatever lies they want.”

If Republican officials begin disengaging from CISA, their states will lose critical security protections and resources. CISA sponsors the EI-ISAC, which shares information about threats and best practices for thwarting them; provides free services like scanning election offices’ networks for vulnerabilities, monitoring those networks for intrusions and reviewing local governments’ contingency plans; and convenes exercises to test election officials’ responses to crises.

“For GOP election officials to back away from \[CISA\] would be like a medical patient refusing to accept free wellness assessments, check-ups, and optional prescriptions from one of the world’s greatest medical centers,” says Eddie Perez, a former director for civic integrity at Twitter and a board member at the OSET Institute, a nonprofit group advocating for improved election technology.

Worse, some CISA projects will become less effective as they lose participants. The EI-ISAC’s information-sharing initiative is only as valuable as the information that state and federal agencies submit to it.

Even if most states stick with CISA, it would only take a few holdouts to create systemic risk. “America's election security posture is only as strong as its weakest jurisdiction,” says David Levine, the senior elections integrity fellow at the German Marshall Fund’s Alliance for Securing Democracy.

Cautious Optimism Despite ‘Strain’

Election security experts and Democratic officials express cautious optimism that there won’t be a GOP exodus from CISA this year.

“I have faith Republican secretaries of state will continue to prioritize their voters and collaborate with CISA to ensure a secure 2024 election,” says Mississippi representative Bennie Thompson, the top Democrat on the House Homeland Security Committee.

Lawrence Norden, the senior director of the Brennan Center for Justice’s Elections and Government Program, notes that some of CISA’s new regional election security advisers “have worked in recent years as or for Republican officeholders,” giving them credibility with GOP leaders.

According to Minnesota’s Simon, “the vast majority of secretaries find these partnerships valuable.”

Still, Warner says some secretaries quietly support his pushback against CISA and other aspects of the Biden administration’s election security strategy. “There \[is a\] meeting of the minds by some of the secretaries, especially on the right, with some of these similar concerns,” he says, even if “they’re not as outspoken as I am.”

That shared skepticism of CISA means that, even after Warner leaves office next year, the agency will remain on precarious footing with some of its Republican partners. For now, CISA’s allies are left hoping that the agency’s time-tested bonds will prove stronger than pressures from conservative activists.

“You can have strain in some areas of a relationship and still have a strong relationship,” says Arizona’s Fontes. “That’s what being a grown-up is about. And I think most of us are doing that pretty well.”

How a Right-Wing Controversy Could Sabotage US Election Security

By cyberwire
Brea, California, February 26th, 2024, Cyberwire – The current large surge in cyber threats has left many organizations…
This is a post from HackRead.com Read the original post: ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

**Brea, California, February 26th, 2024, Cyberwire** – The current large surge in cyber threats has left many organizations grappling for security so ThreatHunter.ai is taking decisive action. Recognizing the critical juncture at which the digital world stands, ThreatHunter.ai is now offering its cutting-edge cybersecurity services free of charge to all organizations for 30 days, irrespective of their current cybersecurity measures. 

James McMurry, Founder of ThreatHunter.ai, reflects on the situation’s urgency: “In the past 48 hours alone, we have stopped hundreds of actual attacks and performed mitigations for our customers. Yet, the frequency and sophistication of these attacks are escalating at an alarming rate. Our mission is clear: to extend our protective reach to every organization in need, ensuring that the digital frontier is safe for all.”

Drawing on recent events and the resilient nature of cyber threats, as highlighted in an insightful piece on the LockBit ransomware saga, it’s evident that the cybersecurity landscape is more volatile than ever. The LockBit group’s audacity in bouncing back after a significant takedown operation underlines the persistent and evolving threat posed by cybercriminals. 

ThreatHunter.ai, with its elite team of threat hunters, engineers, and cybersecurity experts, employs the ARGOS platform to provide real-time threat detection and mitigation. Our AI and ML-driven technologies have been pivotal in safeguarding organizations from the ever-evolving tactics of cyber adversaries.

“We see the problem getting larger, with cyber threats becoming more sophisticated by the day. Offering our services for free for 30 days is our way of bolstering the defences of organizations across the globe. It’s a call to action for everyone, and to show that ThreatHunter.ai is much more than all the MDRs offering automated alerts, we actually will stop threats, and how our team operates as part of our customers’ cyber team,” McMurry emphasizes.

This initiative is not just about offering a temporary solution; it’s about raising awareness and driving home the point that in the face of rising cyber threats, complacency is not an option.

Organizations interested in taking advantage of ThreatHunter.ai’s complimentary 30-day services are encouraged to reach out immediately. Together, we can turn the tide against the cyber threats that loom large over our connected world.

****About ThreatHunter.ai****

ThreatHunter.ai is at the forefront of cybersecurity, specializing in real-time detection, analysis, and mitigation of cyber threats. Powered by the innovative ARGOS platform, our approach combines advanced AI and ML technologies with the expertise of the industry’s most skilled professionals. We are dedicated to defending the digital infrastructure against the complex landscape of cyber threats, ensuring peace of mind for businesses and governments worldwide.

ThreatHunter.ai, a 100% Service-Disabled Veteran Owned Small Business, is a leading provider of AI-driven threat-hunting solutions. Its advanced machine learning algorithms and expert analysis help organizations detect, identify, and respond to cyber threats. Its solutions are designed to supplement existing security resources and provide a fresh perspective on how to address today’s complex cyber threats.

Don’t miss the opportunity to safeguard your organization with the unparalleled cybersecurity protection offered by ThreatHunter.ai. Visit our website at www.threathunter.ai to explore our unique approach, learn more about our cutting-edge solutions, and discover how we can empower your business to stay ahead of cyber threats.

To speak with our experts or schedule a personalized demo, reach out to our sales team at \[email protected\] or call 714.515.4011. Take action today and ensure the security and resilience of your digital infrastructure.

****Contact****

*   **Lydia Coulter**
*   **Marketing and Media Manager**
*   **ThreatHunter.ai**
*   **7145154011**
*   **\[email protected\]**

ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

A student investigation at the University of Waterloo uncovered a system that scanned countless undergrads without consent.

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent.

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine.

"Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded the alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines—without ever requesting consent.

This frustrated Stanley, who discovered that Canada's privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls' informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview's database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive face recognition data without consent for Invenda clients like Mars remain unclear.

Stanley's report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

Students told CTV News that their confidence in the university's administration was shaken by the controversy. Some students claimed on Reddit that they attempted to cover the vending machine cameras while waiting for the school to respond, using gum or Post-it notes. One student pondered whether “there are other places this technology could be being used” on campus.

Elming was not able to confirm the exact timeline for when the machines would be removed, other than telling Ars it would happen “as soon as possible.” Elming declined Ars' request to clarify if there are other areas of campus collecting face recognition data. She also wouldn't confirm, for any casual snackers on campus, when, if ever, students could expect the vending machines to be replaced with snack dispensers not equipped with surveillance cameras.

Invenda Claims Machines Are GDPR-Compliant

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus.

Adaria Vending Services told MathNEWS that “what’s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers.”

According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are “fully compliant” with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR).

“These machines are fully GDPR compliant and are in use in many facilities across North America,” Adaria's statement said. “At the University of Waterloo, Adaria manages last mile fulfillment services—we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines.”

A Vending Machine Error Revealed Secret Face Recognition Tech

By Waqas
Friend or Foe?
This is a post from HackRead.com Read the original post: Russian Ministry Software Backdoored with North Korean KONNI Malware

Discover the latest cybersecurity revelation: KONNI malware, linked to North Korean cyber operations, targets the Russian Ministry of Foreign Affairs. Learn about the sophisticated tactics and geopolitical implications

German cybersecurity firm DCSO has discovered a malware sample uploaded to VirusTotal in January 2024, believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs (MID). The malware is believed to be **KONNI**, a North Korean nexus tool used since 2014.

KONNI, first **discovered in 2014**, is associated with the Democratic People’s Republic of Korea (DPRK)-nexus actors like Konni Group and TA406. The malware has unique stealer functionality and remote administration capability. It’s installed in an MSI file, with C2 servers encrypted with AES-CTR, and a CustomAction for detection and payload selection.

In the latest discovery, researchers noted that KONNI’s command set remains unchanged, allowing operators to execute commands, upload/download files, specify sleep intervals, communicate via HTTP, and compress file extensions into .CAB archives.

> #ShortAndMalicious  
> Our researchers recently discovered an installer for the mandatory 🇷🇺Russian tax filling software "Spravki BK" (Справки БК) which was backdoored with #KONNI malware, generally attributed to 🇰🇵North Korean threat actors. 1/5
> 
> — DCSO CyTec (@DCSO\_CyTec) October 17, 2023

Interestingly, the sample **DCSO analyzed** was delivered via a backdoored Russian language software installer, similar to a previously observed KONNI delivery technique. The sample was for a tool called “Statistika KZU”, which is believed to be intended for internal use within the Russian MID. The software is used for relaying annual report files from overseas consular posts to the MID’s Consular Department via a secure channel.

Additionally, two user manuals were found in the backdoored installer, detailing the installation and usage of the “Statistika KZU” program. The first manual explains installing the program on an administrative account, providing minimum software requirements and screenshots.

The second 22-pager manual, “StatRKZU\_Pyкoвoдcтвo,” outlines how to use the software for generating annual report files on KZU consular activities, including templates for calculating registered and detained citizens.

The MID’s software, identified as “GosNIIAS” (a Russian federal research institute primarily involved in aerospace research), was tested offline and found legitimate. Despite no direct correlations between GosNIIAS and Statistika KZU, references to contracts were found, including a procurement order for automated system maintenance and data protection software.

This discovery comes amid increasing geopolitical proximity between Russia and the DPRK, following Russia’s renewed invasion of Ukraine in 2022.

****Russia and North Korea’s Cyber Standoff****

This is not the first time Russia and North Korea have made collective headlines over cybersecurity threats. **In August 2023**, the world witnessed another significant incident when “elite North Korean hackers” affiliated with OpenCarrot and the Lazarus group breached NPO Mashinostroyeniya, a key Russian missile developer. This breach, lasting for at least five months, revealed the alarming capabilities and determination of the attackers.

****Previous Use of KONNI Backdoor****

KONNI has been used in many cyberespionage campaigns targeting Russian agencies. FortiGuard Labs discovered a KONNI malware campaign **in November 2023**, targeting Windows systems through Word documents with malicious macros. Malwarebytes researchers **discovered** a campaign in mid-2021 using Russian language lures concerning Russian-Korean trade and economic issues and a meeting of a Russian-Mongolian intergovernmental commission.

An unknown hacking group **targeted** North Korean organizations using KONNI Malware in 2017. Three campaigns were identified back then- two by Talos Intelligence, a Cisco-owned cybersecurity firm, and the third reported by Cylance security firm.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting, who emphasised that “It is not uncommon for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats.”

Mr. Bambenek highlighted that “The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out and shows that the DPRK did their research here for a particular hook into their victims and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with **NotPetya**.”

“Espionage has a couple of nuances where sometimes you want more sophisticated tools and for some attacks, you want narrow and simpler tools. For espionage, you want long-term persistent infection and sophisticated and interactive tools provide defenders more opportunities for detection. It’s not uncommon to see tools used for espionage that lack some of the obfuscation commonly observed in **cybercrime tools**,” he added.

****RELATED ARTICLES****

1.  **Gone: Russian Central Bank hacked; $31 million stolen**
2.  **2 Russian Industrial Firms Hacked, 112GB of Data Leaked**
3.  **Anonymous Leaks 128 GB of Data from Russian ISP Convex**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data**

Tag

#mac