Whether with noodles, spice or all other things nice, it’s hard to go wrong with chicken soup. From ambitious projects to midweek saviours, these recipes will restore the soul

• Get our weekend culture and lifestyle email

(Pictured above)

Whether you’re looking for all-over SPF protection for the family or a UV hair product, Sali Hughes selects her sunscreen winners – and the best of the rest

We are bad at engaging with sun protection unless there’s a heatwave, or we’re venturing on holiday – and the gunky, greasy, spot-causing and staining sunscreens of yore, which stained clothes and couldn’t be shifted, are partly to blame.

The most important aspect of suncare is that people use it. The elegance of a modern sunscreen formula, the texture on fingertips and the comfort on skin, the smell, the packaging, the price, the finish and its ability to play nicely with other skincare and makeup products – these are, in my view, often the difference between someone’s decision to protect themselves or not. What follows are 50 user-friendly sunscreens I’ve enjoyed trying in recent years, all of which have proved popular with those to whom I’ve recommended them and none of which make sun protection a bind. I would gladly use any of them on my own family.

West Indies all-rounder’s T20 World Cup final heroics left him feeling listless but joy of playing eventually returned

“Will 2016 be the sole focus of the piece?” comes the text back. That’s after a couple of friendly nudges and even more days of SMS silence. Carlos Brathwaite doesn’t really want to talk about his T20 World Cup-winning exploits at Kolkata in 2016. Three more pixellated dots unfurl on the phone screen … here we go. That drawing board is getting a revisit any second now. “Sorry, I don’t just want to regurgitate the same story.”

Fair enough. With the latest T20 World Cup reaching the business end in the Caribbean, the footage of a 27-year-old Brathwaite peppering the Eden Gardens stands with four consecutive sixes in the final over while the bowler – a body-buckled Ben Stokes – looks on in pained disbelief, will do the rounds once more.

Defending champions trounced semi-final opponents in 2022 but face a revitalised team with form and focus

Ben Duckett was a bit cheeky when he suggested India’s Test team had been inspired by Bazball earlier in the year. But in the second semi-final of the men’s T20 World Cup on Thursday, at Providence Stadium, Guyana, England’s white-ballers meet a side they influenced – or at least jolted into life – two years ago.

Much like the rollercoaster this time around, England had scraped their way into the knockouts in 2022 before delivering a thumping 10-wicket victory over India in Adelaide. “We were unbelievable with the bat,” said Moeen Ali as the defending champions jetted off to Georgetown on Tuesday, recalling the day Jos Buttler and Alex Hales vaporised a target of 169 with a staggering four overs to spare.

• Gulbadin appeared to suffer injury at crucial moment
• Rashid: ‘it’s not brought a massive difference in the game’

The Afghanistan all-rounder Gulbadin Naib has found himself at the centre of controversy following his side’s historic progress to a T20 World Cup semi-final after commentators accused him of faking – or at least exaggerating – an injury during the dramatic rain-affected match.

Gulbadin and his teammates needed to overcome Bangladesh in St Vincent to secure their spot and a final-four clash with South Africa at Australia’s expense – but their narrow eight-run victory, via the Duckworth-Lewis-Stern method, has come under scrutiny following the incident when Gulbadin indicated he had cramp.

The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free.       Thank you. The CISO2CISO Advisors Team.

La entrada AWS Cloud Security Checklist se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Enlarge / Michael Jackson in concert, 1986. Sony Music owns a large portion of publishing rights to Jackson's music. (credit: Getty Images)

Universal Music Group, Sony Music, and Warner Records have sued AI music-synthesis companies Udio and Suno for allegedly committing mass copyright infringement by using recordings owned by the labels to train music-generating AI models, reports Reuters. Udio and Suno can generate novel song recordings based on text-based descriptions of music (i.e., "a dubstep song about Linus Torvalds").

The lawsuits, filed in federal courts in New York and Massachusetts, claim that the AI companies' use of copyrighted material to train their systems could lead to AI-generated music that directly competes with and potentially devalues the work of human artists.

Like other generative AI models, both Udio and Suno (which we covered separately in April) rely on a broad selection of existing human-created artworks that teach a neural network the relationship between words in a written prompt and styles of music. The record labels correctly note that these companies have been deliberately vague about the sources of their training data.

Read 6 remaining paragraphs | Comments

For the first time since news broke about a ransomware attack on Change Healthcare, the company has released details about the data stolen during the attack.

First, a quick refresher: On February 21, 2024, Change Healthcare experienced serious system outages due to a cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on. The ransomware group ALPHV claimed responsibility for the attack.

But shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the FBI had seized control over the group’s website. Then a new ransomware group, RansomHub, listed the organization as a victim on its dark web leak site, saying it possessed 4 TB of “highly selective data,” relating to “all Change Health clients that have sensitive data being processed by the company.”

In April, parent company UnitedHealth Group released an update, saying:

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

Now, Change Healthcare has detailed the types of medical and patient data that was stolen. Although Change cannot provide exact details for every individual, the exposed information may include:

• Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
• Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
• Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
• Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
• Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

Change Healthcare says it will send written letters—as long as it has a person’s address and they haven’t opted out of notifications—once it has concluded the data review.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Decoding IntelBroker’s Claims of Lindex Group Data Breach

IntelBroker Hacking Spree

TCE Cyberwatch: A Weekly Round Up

CISA Issues Urgent Advisories to Patch Critical Flaws in Industrial Control Systems

Microsoft Vows Security Overhaul After U.S. Report

Over 300 Fake Paris 2024 Sites Target Olympic Ticket Buyers

Tesla's $45 Billion Payout: Court Battle Looms Over Coercion Claims

MFA Failure Exposes Millions: Medibank Fined for Massive Data Breach

META Stealer Ups the Ante: Encrypted Builds, Custom Stubs in v5.0 Update

Handala Hacker Group Claims Responsibility for Zerto Cyberattack

The Implication of Cyberattack on Zerto

Rajneesh Garg Extensive Background

Way Forward

Argument Injection for PHP on Windows

This week includes modules that target file traversal and arbitrary file read vulnerabilities for software such as Apache, SolarWinds and Check Point, with the highlight being a module for the recent PHP vulnerability submitted by sfewer-r7. This module exploits an argument injection vulnerability, resulting in remote code execution and a Meterpreter shell running in the context of the Administrator user.
Note, that this attack requires the target to be running a Japanese or Chinese locale, as the attack targets Windows’s character replacement behavior for certain code pages when calling Win32 API functions.
A default configuration of XAMPP is vulnerable. This attack is unauthenticated and the server must expose PHP in CGI mode, not FastCGI. More information on this exploit can be found on AttackerKB.

New module content (4)

Check Point Security Gateway Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19221 contributed by remmons-r7
Path: gather/checkpoint_gateway_fileread_cve_2024_24919
AttackerKB reference: CVE-2024-24919

Description: This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.

SolarWinds Serv-U Unauthenticated Arbitrary File Read

Authors: Hussein Daher and sfewer-r7
Type: Auxiliary
Pull request: #19255 contributed by sfewer-r7
Path: gather/solarwinds_servu_fileread_cve_2024_28995
AttackerKB reference: CVE-2024-28995

Description: This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.

Apache OFBiz Forgot Password Directory Traversal

Authors: Mr-xn and jheysel-r7
Type: Exploit
Pull request: #19249 contributed by jheysel-r7
Path: multi/http/apache_ofbiz_forgot_password_directory_traversal
AttackerKB reference: CVE-2024-32113

Description: This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.

PHP CGI Argument Injection Remote Code Execution

Authors: Orange Tsai, sfewer-r7, and watchTowr
Type: Exploit
Pull request: #19247 contributed by sfewer-r7
Path: windows/http/php_cgi_arg_injection_rce_cve_2024_4577
AttackerKB reference: CVE-2024-4577

Description: Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.

Enhancements and features (2)

• #18829 from cdelafuente-r7 - Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes situations where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes.
• #19229 from softScheck - The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application to steal the necessary session tokens in order to exploit. With this enhancement the module will now create a session if one doesn't exist. Also it adds datastore options to change the hash format to be compatible with older versions as well an option to attempt to set ssh root login to true before attempting to establish a root ssh session.

Bugs fixed (4)

• #19176 from Fufu-btw - This adds the x86 and x64 architectures to the exploit/windows/http/dnn_cookie_deserialization_rce module's target metadata.
• #19253 from aaronjfeingold - This fixes an incorrect CVE reference in the exploit/unix/http/zivif_ipcheck_exec module.
• #19256 from adfoster-r7 - Fix warnings in acceptance tests.
• #19261 from zeroSteiner - Fixed powershell_base64 encoder to execute encoded strings correctly.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.13...6.4.14
• Full diff 6.4.13...6.4.14

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Source: www.databreachtoday.com – Author: 1 Blockchain & Cryptocurrency , Next-Generation Technologies & Secure Development Also: UwU Lend’s Hacks, Terraform Labs’ Dissolution, Gemini’s Settlement Rashmi Ramesh (rashmiramesh_) • June 20, 2024     Image: Shutterstock Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, CertiK researchers allegedly stole money from […]

La entrada Cryptohack Roundup: Kraken, CertiK Feud Over Zero-Day, $3M – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here. 

Earlier this week, the US surgeon general, also known as the “nation’s doctor,” authored an article making the case that health warnings should accompany social media. The goal: to protect teenagers from its harmful effects. “Adolescents who spend more than three hours a day on social media face double the risk of anxiety and depression symptoms,” Vivek Murthy wrote in a piece published in the New York Times. “Additionally, nearly half of adolescents say social media makes them feel worse about their bodies.”

His concern instinctively resonates with me. I’m in my late 30s, and even I can end up feeling a lot worse about myself after a brief stint on Instagram. I have two young daughters, and I worry about how I’ll respond when they reach adolescence and start asking for access to whatever social media site their peers are using. My children already have a fascination with cell phones; the eldest, who is almost six, will often come into my bedroom at the crack of dawn, find my husband’s phone, and somehow figure out how to blast “Happy Xmas (War Is Over)” at full volume.

But I also know that the relationship between this technology and health isn’t black and white. Social media can affect users in different ways—often positively. So let’s take a closer look at the concerns, the evidence behind them, and how best to tackle them.

Murthy’s concerns aren’t new, of course. In fact, almost any time we are introduced to a new technology, some will warn of its potential dangers. Innovations like the printing press, radio, and television all had their critics back in the day. In 2009, the Daily Mail linked Facebook use to cancer.

More recently, concerns about social media have centered on young people. There’s a lot going on in our teenage years as our brains undergo maturation, our hormones shift, and we explore new ways to form relationships with others. We’re thought to be more vulnerable to mental-health disorders during this period too. Around half of such disorders are thought to develop by the age of 14, and suicide is the fourth-leading cause of death in people aged between 15 and 19, according to the World Health Organization. Many have claimed that social media only makes things worse.

Reports have variously cited cyberbullying, exposure to violent or harmful content, and the promotion of unrealistic body standards, for example, as potential key triggers of low mood and disorders like anxiety and depression. There have also been several high-profile cases of self-harm and suicide with links to social media use, often involving online bullying and abuse. Just this week, the suicide of an 18-year-old in Kerala, India, was linked to cyberbullying. And children have died after taking part in dangerous online challenges made viral on social media, whether from inhaling toxic substances, consuming ultra-spicy tortilla chips, or choking themselves.

Murthy’s new article follows an advisory on social media and youth mental health published by his office in 2023. The 25-page document, which lays out some of known benefits and harms of social media use as well as the “unknowns,” was intended to raise awareness of social media as a health issue. The problem is that things are not entirely clear cut.

“The evidence is currently quite limited,” says Ruth Plackett, a researcher at University College London who studies the impact of social media on mental health in young people. A lot of the research on social media and mental health is correlational. It doesn’t show that social media use causes mental health disorders, Plackett says.

The surgeon general’s advisory cites some of these correlational studies. It also points to survey-based studies, including one looking at mental well-being among college students after the rollout of Facebook in the mid-2000s. But even if you accept the authors’ conclusion that Facebook had a negative impact on the students’ mental health, it doesn’t mean that other social media platforms will have the same effect on other young people. Even Facebook, and the way we use it, has changed a lot in the last 20 years.

Other studies have found that social media has no effect on mental health. In a study published last year, Plackett and her colleagues surveyed 3,228 children in the UK to see how their social media use and mental well-being changed over time. The children were first surveyed when they were aged between 12 and 13, and again when they were 14 to 15 years old.

Plackett expected to find that social media use would harm the young participants. But when she conducted the second round of questionnaires, she found that was not the case. “Time spent on social media was not related to mental-health outcomes two years later,” she tells me.

Other research has found that social media use can be beneficial to young people, especially those from minority groups. It can help some avoid loneliness, strengthen relationships with their peers, and find a safe space to express their identities, says Plackett. Social media isn’t only for socializing, either. Today, young people use these platforms for news, entertainment, school, and even (in the case of influencers) business.

“It’s such a mixed bag of evidence,” says Plackett. “I’d say it’s hard to draw much of a conclusion at the minute.”

In his article, Murthy calls for a warning label to be applied to social media platforms, stating that “social media is associated with significant mental-health harms for adolescents.”

But while Murthy draws comparisons to the effectiveness of warning labels on tobacco products, bingeing on social media doesn’t have the same health risks as chain-smoking cigarettes. We have plenty of strong evidence linking smoking to a range of diseases, including gum disease, emphysema, and lung cancer, among others. We know that smoking can shorten a person’s life expectancy. We can’t make any such claims about social media, no matter what was written in that Daily Mail article.

Health warnings aren’t the only way to prevent any potential harms associated with social media use, as Murthy himself acknowledges. Tech companies could go further in reducing or eliminating violent and harmful content, for a start. And digital literacy education could help inform children and their caregivers how to alter the settings on various social media platforms to better control the content children see, and teach them how to assess the content that does make it to their screens.

I like the sound of these measures. They might even help me put an end to the early-morning Christmas songs. 

Now read the rest of The Checkup

Read more from MIT Technology Review’s archive:

Bills designed to make the internet safer for children have been popping up across the US. But individual states take different approaches, leaving the resulting picture a mess, as Tate Ryan-Mosley explored.

Dozens of US states sued Meta, the parent company of Facebook, last October. As Tate wrote at the time, the states claimed that the company knowingly harmed young users, misled them about safety features and harmful content, and violated laws on children’s privacy.  

China has been implementing increasingly tight controls over how children use the internet. In August last year, the country’s cyberspace administrator issued detailed guidelines that include, for example, a rule to limit use of smart devices to 40 minutes a day for children under the age of eight. And even that use should be limited to content about “elementary education, hobbies and interests, and liberal arts education.” My colleague Zeyi Yang had the story in a previous edition of his weekly newsletter, China Report.

Last year, TikTok set a 60-minute-per-day limit for users under the age of 18. But the Chinese domestic version of the app, Douyin, has even tighter controls, as Zeyi wrote last March.

One way that social media can benefit young people is by allowing them to express their identities in a safe space. Filters that superficially alter a person’s appearance to make it more feminine or masculine can help trans people play with gender expression, as Elizabeth Anne Brown wrote in 2022. She quoted Josie, a trans woman in her early 30s. “The Snapchat girl filter was the final straw in dropping a decade’s worth of repression,” Josie said. “[I] saw something that looked more ‘me’ than anything in a mirror, and I couldn’t go back.”

From around the web

Could gentle shock waves help regenerate heart tissue? A trial of what’s being dubbed a “space hairdryer” suggests the treatment could help people recover from bypass surgery. (BBC)

“We don’t know what’s going on with this virus coming out of China right now.” Anthony Fauci gives his insider account of the first three months of the covid-19 pandemic. (The Atlantic)

Microplastics are everywhere. It was only a matter of time before scientists found them in men’s penises. (The Guardian)

Is the singularity nearer? Ray Kurzweil believes so. He also thinks medical nanobots will allow us to live beyond 120. (Wired)

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The subjects of that piece are threatening to sue KrebsOnSecurity for defamation unless the story is retracted. Meanwhile, their attorney has admitted that the person Radaris named as the CEO from its inception is a fabricated identity.

Radaris is just one cog in a sprawling network of people-search properties online that sell highly detailed background reports on U.S. consumers and businesses. Those reports typically include the subject’s current and previous addresses, partial Social Security numbers, any known licenses, email addresses and phone numbers, as well as the same information for any of their immediate relatives.

Radaris has a less-than-stellar reputation when it comes to responding to consumers seeking to have their reports removed from its various people-search services. That poor reputation, combined with indications that the true founders of Radaris have gone to extraordinary lengths to conceal their stewardship of the company, was what prompted KrebsOnSecurity to investigate the origins of Radaris in the first place.

On April 18, KrebsOnSecurity received a certified letter (PDF) from Valentin “Val” Gurvits, an attorney with the Boston Law Group, stating that KrebsOnSecurity would face a withering defamation lawsuit unless the Radaris story was immediately retracted and an apology issued to the two brothers named in the story as co-founders.

That March story worked backwards from the email address used to register radaris.com, and charted an impressive array of data broker companies created over the past 15 years by Massachusetts residents Dmitry and Igor Lubarsky (also sometimes spelled Lybarsky or Lubarski). Dmitry goes by “Dan,” and Igor uses the name “Gary.”

Those businesses included numerous websites marketed to Russian-speaking people who are new to the United States, such as russianamerica.com, newyork.ru, russiancleveland.com, russianla.com, russianmiami.com, etc. Other domains connected to the Lubarskys included Russian-language dating and adult websites, as well as affiliate programs for their international calling card businesses.

A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge.

The story on Radaris noted that the Lubarsky brothers registered most of their businesses using a made-up name — “Gary Norden,” sometimes called Gary Nord or Gary Nard.

Mr. Gurvits’ letter stated emphatically that my reporting was lazy, mean-spirited, and obviously intended to smear the reputation of his clients. By way of example, Mr. Gurvits said the Lubarskys were actually Ukrainian, and that the story painted his clients in a negative light by insinuating that they were somehow associated with Radaris and with vaguely nefarious elements in Russia.

But more to the point, Mr. Gurvits said, neither of his clients were Gary Norden, and neither had ever held any leadership positions at Radaris, nor were they financial beneficiaries of the company in any way.

“Neither of my clients is a founder of Radaris, and neither of my clients is the CEOs of Radaris,” Gurvits wrote. “Additionally, presently and going back at least the past 10 years, neither of my clients are (or were) officers or employees of Radaris. Indeed, neither of them even owns (or ever owned) any equity in Radaris. In intentional disregard of these facts, the Article implies that my clients are personally responsible for Radaris’ actions. Therefore, you intentionally caused all negative allegations in the Article made with respect to Radaris to be imputed against my clients personally.”

Dan Lubarsky’s Facebook page, just prior to the March 8 story about Radaris, said he was from Moscow.

We took Mr. Gurvits’ word on the ethnicity of his clients, and adjusted the story to remove a single mention that they were Russian. We did so even though Dan Lubarsky’s own Facebook page said (until recently) that he was from Moscow, Russia.

KrebsOnSecurity asked Mr. Gurvits to explain precisely which other details in the story were incorrect, and replied that we would be happy to update the story with a correction if they could demonstrate any errors of fact or omission.

We also requested specifics about several aspects of the story, such as the identity of the current Radaris CEO — listed on the Radaris website as “Victor K.” Mr. Gurvits replied that Radaris is and always has been based in Ukraine, and that the company’s true founder “Eugene L” is based there.

While Radaris has claimed to have offices in Massachusetts, Cyprus and Latvia, its website has never mentioned Ukraine. Mr. Gurvits has not responded to requests for more information about the identities of “Eugene L” or “Victor K.”

Gurvits said he had no intention of doing anyone’s reporting for them, and that the Lubarskys were going to sue KrebsOnSecurity for defamation unless the story was retracted in full. KrebsOnSecurity replied that journalists often face challenges to things that they report, but it is more than rare for one who makes a challenge to take umbrage at being asked for supporting information.

On June 13, Mr. Gurvits sent another letter (PDF) that continued to claim KrebsOnSecurity was defaming his clients, only this time Gurvits said his clients would be satisfied if KrebsOnSecurity just removed their names from the story.

“Ultimately, my clients don’t care what you say about any of the websites or corporate entities in your Article, as long as you completely remove my clients’ names from the Article and cooperate with my clients to have copies of the Article where my clients’ names appear removed from the Internet,” Mr. Gurvits wrote.

MEET THE FAKE RADARIS CEO

The June 13 letter explained that the name Gary Norden was a pseudonym invented by the Radaris marketing division, but that neither of the Lubarsky brothers were Norden.

This was a startling admission, given that Radaris has quoted the fictitious Gary Norden in press releases published and paid for by Radaris, and in news media stories where the company is explicitly seeking money from investors. In other words, Radaris has been misrepresenting itself to investors from the beginning. Here’s a press release from Radaris that was published on PR Newswire in April 2011:

A press release published by Radaris in 2011 names the CEO of Radaris as Gary Norden, which was a fake name made up by Radaris’ marketing department.

In April 2014, the Boston Business Journal published a story (PDF) about Radaris that extolled the company’s rapid growth and considerable customer base. The story noted that, “to date, the company has raised less than $1 million from Cyprus-based investment company Difive.”

“We live in a world where information becomes much more broad and much more available every single day,” the Boston Business Journal quoted Radaris’ fake CEO Gary Norden, who by then had somehow been demoted from CEO to vice president of business development.

A Boston Business Journal story from April 2014 quotes the fictitious Radaris CEO Gary Norden.

“We decided there needs to be a service that allows for ease of monitoring of information about people,” the fake CEO said. The story went on to say Radaris was seeking to raise between $5 million and $7 million from investors in the ensuing months.

THE BIG LUBARSKY

In his most recent demand letter, Mr. Gurvits helpfully included resumes for both of the Lubarsky brothers.

Dmitry Lubarsky’s resume states he is the owner of Difive.com, a startup incubator for IT companies. Recall that Difive is the same company mentioned by the fake Radaris CEO in the 2014 Boston Business Journal story, which said Difive was the company’s initial and sole investor.

Difive’s website in 2016 said it had offices in Boston, New York, San Francisco, Riga (Latvia) and Moscow (nothing in Ukraine). Meanwhile, DomainTools.com reports difive.com was originally registered in 2007 to the fictitious Gary Norden from Massachusetts.

Archived copies of the Difive website from 2017 include a “Portfolio” page indexing all of the companies in which Difive has invested. That list, available here, includes virtually every “Gary Norden” domain name mentioned in my original report, plus a few that escaped notice earlier.

Dan Lubarsky’s resume says he was CEO of a people search company called HumanBook. The Wayback machine at archive.org shows the Humanbook domain (humanbook.com) came online around April 2008, when the company was still in “beta” mode.

By August 2008, however, humanbook.com had changed the name advertised on its homepage to Radaris Beta. Eventually, Humanbook simply redirected to radaris.com.

Archive.org’s record of humanbook.com from 2008, just after its homepage changed to Radaris Beta.

Astute readers may notice that the domain radaris.com is not among the companies listed as Difive investments. However, passive domain name system (DNS) records from DomainTools show that between October 2023 and March 2024 radaris.com was hosted alongside all of the other Gary Norden domains at the Internet address range 38.111.228.x.

That address range simultaneously hosted every domain mentioned in this story and in the original March 2024 report as connected to email addresses used by Gary Norden, including radaris.com, radaris.ru, radaris.de, difive.com, privet.ru, blog.ru, comfi.com, phoneowner.com, russianamerica.com, eprofit.com, rehold.com, homeflock.com, humanbook.com and dozens more. A spreadsheet of those historical DNS entries for radaris.com is available here (.csv).

Image: DomainTools.com

The breach tracking service Constella Intelligence finds just two email addresses ending in difive.com have been exposed in data breaches over the years: dan@difive.com, and gn@difive.com. Presumably, “gn” stands for Gary Norden.

A search on the email address gn@difive.com via the breach tracking service osint.industries reveals this address was used to create an account at Airbnb under the name Gary, with the last four digits of the account’s phone number ending in “0001.”

Constella Intelligence finds gn@difive.com was associated with the Massachusetts number 617-794-0001, which was used to register accounts for “Igor Lybarsky” from Wellesley or Sherborn, Ma. at multiple online businesses, including audiusa.com and the designer eyewear store luxottica.com.

The phone number 617-794-0001 also appears for a “Gary Nard” user at russianamerica.com. Igor Lubarsky’s resume says he was the manager of russianamerica.com.

DomainTools finds 617-794-0001 is connected to registration records for three domains, including paytone.com, a domain that Dan Lubarsky’s resume says he managed. DomainTools also found that number on the registration records for trustoria.com, another major consumer data broker that has an atrocious reputation, according to the Better Business Bureau.

Dan Lubarsky’s resume says he was responsible for several international telecommunications services, including the website comfi.com. DomainTools says the phone number connected to that domain — 617-952-4234 — was also used on the registration records for humanbook.net/biz/info/mobi/us, as well as for radaris.me, radaris.in, and radaris.tel.

Two other key domains are connected to that phone number. The first is barsky.com, which is the website for Barsky Estate Realty Trust (PDF), a real estate holding company controlled by the Lubarskys. Naturally, DomainTools finds barsky.com also was registered to a Gary Norden from Massachusetts. But the organization listed in the barsky.com registration records is Comfi Inc., a VOIP communications firm that Dan Lubarsky’s resume says he managed.

The other domain of note is unipointtechnologies.com. Dan Lubarsky’s resume says he was the CEO of Wellesley Hills, Mass-based Unipoint Technology Inc. In 2012, Unipoint was fined $179,000 by the U.S. Federal Communications Commission, which said the company had failed to apply for a license to provide international telecommunications services.

A pandemic assistance loan granted in 2020 to Igor Lybarsky of Sherborn, Ma. shows he received the money to an entity called Norden Consulting.

Notice the name on the recipient of this government loan for Igor Lybarsky from Sherborn, Ma: Norden Consulting. 

PATENTLY REMARKABLE

The 2011 Radaris press release quoting their fake CEO Gary Norden said the company had four patents pending from a team of computer science PhDs. According to the resume shared by Mr. Gurvits, Dan Lubarsky has a PhD in computer science.

The U.S. Patent and Trademark Office (PTO) says Dan Lubarsky/Lubarski has at least nine technology patents to his name. The fake CEO press release from Radaris mentioning its four patents was published in April 2011. By that time, the PTO says Dan Lubarsky had applied for exactly four patents, including, “System and Method for a Web-Based People Directory.” The first of those patents, published in 2009, is tied to Humanbook.com, the company Dan Lubarsky founded that later changed its name to Radaris.

If the Lubarskys were never involved in Radaris, how do they or their attorney know the inside information that Gary Norden is a fiction of Radaris’ marketing department? KrebsOnSecurity has learned that Mr. Gurvits is the same attorney responding on behalf of Radaris in a lawsuit against the data broker filed earlier this year by Atlas Data Privacy.

Mr. Gurvits also stepped forward as Radaris’ attorney in a class action lawsuit the company lost in 2017 because it never contested the claim in court. When the plaintiffs told the judge they couldn’t collect on the $7.5 million default judgment, the judge ordered the domain registry Verisign to transfer the radaris.com domain name to the plaintiffs.

Mr. Gurvits appealed the verdict, arguing that the lawsuit hadn’t named the actual owners of the Radaris domain name — a Cyprus company called Bitseller Expert Limited — and thus taking the domain away would be a violation of their due process rights.

The judge ruled in Radaris’ favor — halting the domain transfer — and told the plaintiffs they could refile their complaint. Soon after, the operator of Radaris changed from Bitseller to Andtop Company, an entity formed (PDF) in the Marshall Islands in Oct. 2020. Andtop also operates the aforementioned people-search service Trustoria.

Mr. Gurvits’ most-publicized defamation case was a client named Aleksej Gubarev, a Russian technology executive whose name appeared in the Steele Dossier. That document included a collection of salacious, unverified information gathered by the former British intelligence officer Christopher Steele during the 2016 U.S. presidential campaign at the direction of former president Donald Trump’s political rivals.

Gubarev, the head of the IT services company XBT Holding and the Florida web hosting firm Webzilla, sued BuzzFeed for publishing the Steele dossier. One of the items in the dossier alleged that XBT/Webzilla and affiliated companies played a key role in the hack of Democratic Party computers in the spring of 2016. The memo alleged Gubarev had been coerced into providing services to Russia’s main domestic security agency, known as the FSB.

In December 2018, a federal judge in Miami ruled in favor of BuzzFeed, saying the publication was protected by the fair report privilege, which gives news organizations latitude in reporting on official government proceedings.

Radaris was originally operated by Bitseller Expert Limited. Who owns Bitseller Expert Limited? A report (PDF) obtained from the Cyprus business registry shows this company lists its director as Pavel Kaydash from Moscow. Mr. Kaydash could not be reached for comment.

• Black Cloud Rising (David Wright Falade, Grove Atlantic, historical fiction about the African Brigade in the civil war: Amazon; Bookshop)
• Beyond "Passing": The Further Writings of Nella Larsen (Nella Larsen, CSRC Storytelling, an autobiographical novel and several short stories: Amazon; Bookshop)
• and The Emancipation Circuit: Black Activism Forging a Culture of Freedom (Thulani Davis, Duke UP, a "sweeping rethinking of Reconstruction": Amazon; Bookshop).

• Juneteenth Is (Natasha Tripplett, ill. Daniel J. O'Brien, Chronicle Books, a children's book celebrating Black American history: Amazon; Bookshop)
• The Juneteenth Cookbook: Recipes and Activities for Kids and Families to Celebrate (Alliah L. Agostini, Becker & Mayer kids: Amazon; Bookshop)
• We Are the Leaders We Have Been Looking For (The W.E.B. Du Bois Lectures) (Eddie S. Glaude Jr., Harvard University Press: Amazon; Bookshop).

• The Journey of Kamau Miller: HipHop Composite Counterstories for Black Men Teachers (Dawn N. Hicks Tafari: Amazon; Bookshop)
• Media Racism: The Impact of Media Injustice on Black Women's Lives (Marquita M. Gammage: Amazon; Bookshop)
• Revolutionary Pedagogy: Primer for Teachers of Black Children, Second Edition (Molefi Kete Asante: Amazon; Bookshop)

• A Kind of Madness (Uche Okonkwo, Tin House Books, 2024, 10 short stories concerned with literal madness but also those private feelings that, when left unspoken, can feel like a type of madness: Amazon; Bookshop)
• Like Water Like Sea (Olumide Popoola, Cassava Republic, 2024, follows Nia, a queer, bi/pansexual naturopath in London, as her life unfolds across three pivotal moments, spanning from her 28th year to a life-altering realisation at the age of 50: Amazon)
• Womb City (Tlotlo Tsamaase, Erewhon Books*, 2024, Afrofuturism set in a dark and deadly future Botswana: Amazon; Bookshop)

• Angry Queer Somali Boy: A Complicated Memoir (Mohamed Abdulkarim Ali, U Regina Press: Amazon; Bookshop)
• Butter Honey Pig Bread (Francesca Ekwuyasi, Arsenal Pulp Press, an intergenerational saga about three Nigerian women: Amazon; Bookshop)
• Dominoes at the Crossroads (Kaie Kellough, Esplanade Books/Véhicule Press, linked portraits from the Caribbean diaspora: Amazon; Bookshop)
• Finding Edward (Sheila Murray, Cormorant Books, a lonely Jamaican student follows his obsession with the Depression-era life of an itinerant Black boy: Amazon; Bookshop)
• From My Mother's Back: A Journey from Kenya to Canada (Njoki Wane, Wolsak & Wynn, memoir: Amazon)
• I Am Still Your Negro: An Homage to James Baldwin (Valerie Mason-John, U Alberta Press, Social Justice Poetry Spoken-word poet Valerie Mason-John unsettles readers with potent images of ongoing trauma from slavery and colonization: Amazon; Bookshop)
• Junie (Chelene Knight, Bookhug Press, mother-daughter relationships in 1930s Vancouver; longlisted for CBC Canada Reads 2024: Amazon; Bookshop)
• The Sleeping Car Porter (Suzette Mayr, Coach House, a queer Black man works as a porter on a sleeper train in 1929, winner of the 2022 Giller Prize: Amazon; Bookshop)
• Until We Are Free: Reflections on Black Lives Matter in Canada (Rodney Diverlus, Sandy Hudson and Syrus Marcus Ware, eds., U Regina Press: Amazon; Bookshop)

• Black Matters (Halifax's Poet Laureate Afua Cooper & photographer Wilfried Raussert, Roseway Publishing: Amazon; Bookshop)
• Dream of No One But Myself (David Bradford, Brick Books: Amazon; Bookshop)
• eat salt | gaze at the ocean (Junie Désil, Talonbooks: Amazon; Bookshop)
• Finish this Sentence (Leslie Roach, Mawenzi House: Amazon; Bookshop)
• The Gospel of Breaking (Jillian Christmas, Arsenal Pulp Press: Amazon; Bookshop)
• Mother Muse (Lorna Goodison, Véhicule Press: Amazon; Bookshop)
• The Response of Weeds: A Misplacement of Black Poetry on the Prairies (Bertrand Bickersteth, NeWest Press: Amazon; Bookshop)
• Word Problems (Ian Williams, Coach House Books: Amazon; Bookshop)

Ransomware Attack on AJE Group: Ransom Demand and Countdown

MEDUSA Ransomware: A Rising Threat

History and Modus Operandi of MEDUSA

The Broader Impact of Ransomware Attacks

Conclusion

Akira Ransomware Group Targets Panasonic Australia

Xbox One Kernel Exploit Discovered: Tinkering with Game Script App

Over 8,000 at VIT Bhopal University Potentially Exposed in Data Breach

Energy Giant Potentially Breached: Hacker Selling Alleged SGCC Data

Deepfakes Target Australian Politicians in Investment Scams

Get Ready to Switch? Apple Unveils Passwords Manager at WWDC

Monti Ransomware Targets West After Conti's Demise

TCE Cyberwatch: Wrap Up

Arid Viper APT group Leveraging AridSpy to Target Victims

Reverse-Engineering Apps 

Source: www.databreachtoday.com – Author: 1 Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime Also: Personal Data Theft From OKX; Terraform-SEC Settlement Terms Rashmi Ramesh (rashmiramesh_) • June 13, 2024     Image: Shutterstock Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, the Norwegian government froze […]

La entrada Cryptohack Roundup: Norway Freezes Hacked Ronin Funds – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jypiter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jypiter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

• #19191 from adfoster-r7 - Adds support for Ruby 3.4.0-preview1.
• #19197 from sjanusz-r7 - Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
• #19199 from cgranleese-r7 - Updates brute force modules to output a summary of the credential discovered. This functionality is currently opt-in with the feature set show_successful_logins true msfconsole command.
• #19225 from h00die - This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

• #19235 from cgranleese-r7 - Fixes an issue where Java payloads zip paths were not being created properly.
• #19239 from e2002e - Updates the modules/auxiliary/gather/zoomeye_search module to work again.
• #19248 from zgoldman-r7 - This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.12...6.4.13
• Full diff 6.4.12...6.4.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here. 

The outbreak of avian influenza on US dairy farms has started to make milk seem a lot less wholesome. Milk that’s raw, or unpasteurized, can actually infect mice that drink it, and a few dairy workers have already caught the bug. 

The FDA says that commercial milk is safe because it is pasteurized, killing the germs. Even so, it’s enough to make a person ponder a life beyond milk—say, taking your coffee black or maybe drinking oat milk.

But for those of us who can’t do without the real thing, it turns out some genetic engineers are working on ways to keep the milk and get rid of the cows instead. They’re doing it by engineering yeasts and plants with bovine genes so they make the key proteins responsible for milk’s color, satisfying taste, and nutritional punch.

The proteins they’re copying are casein, a floppy polymer that’s the most abundant protein in milk and is what makes pizza cheese stretch, and whey, a nutritious combo of essential amino acids that’s often used in energy powders.

It’s part of a larger trend of replacing animals with ingredients grown in labs, steel vessels, or plant crops. Think of the Impossible burger, the veggie patty made mouthwatering with the addition of heme, a component of blood that’s produced in the roots of genetically modified soybeans.

One of the milk innovators is Remilk, an Israeli startup founded in 2019, which has engineered yeast so it will produce beta-lactoglobulin (the main component of whey). Company cofounder Ori Cohavi says a single biotech factory of bubbling yeast vats feeding on sugar could in theory “replace 50,000 to 100,000 cows.” 

Remilk has been making trial batches and is testing ways to formulate the protein with plant oils and sugar to make spreadable cheese, ice cream, and milk drinks. So yes, we’re talking “processed” food—one partner is a local Coca-Cola bottler, and advising the company are former executives of Nestlé, Danone, and PepsiCo.

But regular milk isn’t exactly so natural either. At milking time, animals stand inside elaborate robots, and it looks for all the world as if they’re being abducted by aliens. “The notion of a cow standing in some nice green scenery is very far from how we get our milk,” says Cohavi. And there are environmental effects: cattle burp methane, a potent greenhouse gas, and a lactating cow needs to drink around 40 gallons of water a day. 

“There are hundreds of millions of dairy cows on the planet producing greenhouse waste, using a lot of water and land,” says Cohavi. “It can’t be the best way to produce food.”  

For biotech ventures trying to displace milk, the big challenge will be keeping their own costs of production low enough to compete with cows. Dairies get government protections and subsidies, and they don’t only make milk. Dairy cows are eventually turned into gelatin, McDonald’s burgers, and the leather seats of your Range Rover. Not much goes to waste.

At Alpine Bio, a biotech company in San Francisco (also known as Nobell Foods), researchers have engineered soybeans to produce casein. While not yet cleared for sale, the beans are already being grown on USDA-sanctioned test plots in the Midwest, says Alpine’s CEO, Magi Richani. 

Richani chose soybeans because they’re already a major commodity and the cheapest source of protein around. “We are working with farmers who are already growing soybeans for animal feed,” she says. “And we are saying, ‘Hey, you can grow this to feed humans.’ If you want to compete with a commodity system, you have to have a commodity crop.”

Alpine intends to crush the beans, extract the protein, and—much like Remilk—sell the ingredient to larger food companies.

Everyone agrees that cow’s milk will be difficult to displace. It holds a special place in the human psyche, and we owe civilization itself, in part, to domesticated animals. In fact, they’ve  left their mark in our genes, with many of us carrying DNA mutations that make cow’s milk easier to digest.  

But that’s why it might be time for the next technological step, says Richani. “We raise 60 billion animals for food every year, and that is insane. We took it too far, and we need options,” she says. “We need options that are better for the environment, that overcome the use of antibiotics, and that overcome the disease risk.”

It’s not clear yet whether the bird flu outbreak on dairy farms is a big danger to humans. But making milk without cows would definitely cut the risk that an animal virus will cause a new pandemic. As Richani says: “Soybeans don’t transmit diseases to humans.”

Now read the rest of The Checkup

Read more from MIT Technology Review’s archive

Hungry for more from the frontiers of fromage? In the Build issue of our print magazine, Andrew Rosenblum tasted a yummy brie made only from plants. Harder to swallow was the claim by developer Climax Foods that its cheese was designed using artificial intelligence.

The idea of using yeast to create food ingredients, chemicals, and even fuel via fermentation is one of the dreams of synthetic biology. But it’s not easy. In 2021, we raised questions about high-flying startup Ginkgo Bioworks. This week its stock hit an all-time low of $0.49 per share as the company struggles to make … well, anything.

This spring, I traveled to Florida to watch attempts to create life in a totally new way: using a synthetic embryo made in a lab. The action involved cattle at the animal science department of the University of Florida, Gainesville.

From around the web

How many human bird flu cases are there? No one knows, because there’s barely any testing. Scientists warn we’re flying blind as US dairy farms struggle with an outbreak. (NBC)  

Moderna, one of the companies behind the covid-19 shots, is seeing early success with a cancer vaccine. It uses the same basic technology: gene messages packed into nanoparticles. (Nature)

It’s the covid-19 theory that won’t go away. This week the New York Times published an op-ed arguing that the virus was the result of a lab accident. We previously profiled the author, Alina Chan, who is a scientist with the Broad Institute. (NYTimes)

Sales of potent weight loss drugs, like Ozempic, are booming. But it’s not just humans who are overweight. Now the pet care industry is dreaming of treating chubby cats and dogs, too. (Bloomberg)

The fear of AI replacing human jobs in B2B SaaS is a myth. AI excels at automating repetitive tasks, allowing your team to focus on strategic initiatives.

The post AI-Powered Transformation: Optimizing B2B SaaS for Efficiency and Growth (Without Sacrificing Your Team) appeared first on Security Boulevard.

Government, Financial Sites Attacked by CyberDragon Hacking Group

Previous Operations by CyberDragon Hacking Group

Monti Ransomware Group and Change in Ownership

A Deeper Dive into Monti Ransomware Group

The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free.       Thank you. The CISO2CISO Advisors Team.

La entrada 7 Steps to your SOC Analyst Career se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Cryptor Developer Worked with Conti, LockBit

LockBit Remains Active Despite Repeated Enforcement Activities

MEDUSA Ransomware Attack: The Latest Victims

Background of MEDUSA Ransomware Group

Previous Ransomware Attacks

Operational Impact of Findlay Automotive Cybersecurity Issue

Rising Cyber Threats in the Industrial Sector

In the ever-evolving landscape of cyberthreats, email remains a prime target for malicious actors, with zero-hour Business Email Compromise (BEC) and advanced phishing attacks posing significant risks to organizations. A recent independent study by The Tolly Group, commissioned by SlashNext, highlights the company’s Gen AI powered Integrated Cloud Email Security (ICES) solution, demonstrating its superior […]

The post The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess first appeared on SlashNext.

The post The Tolly Group Report Highlights SlashNext’s Gen AI-Powered Email Security Prowess appeared first on Security Boulevard.

TCE Cyberwatch: Weekly Round-Up

Free Office Suite Turns Malicious: Pirated Downloads Spreading Malware in South Korea

Spanish Police Bust Illegal Streaming Network Serving 14,000 Subscribers

Millions at Risk: Ticketmaster Confirms Huge Data Breach

COVID Relief Fraud Busted: $5.9 Billion Botnet Scheme Unraveled

Poland Boosts Cybersecurity with $760 Million Investment After Suspected Russian Attack

Russia Accused of Spreading Misinformation Ahead of European Parliament Elections

Deepfakes Target Businesses: $25 Million Scam Exposes AI's Dark Side

Up to 7 Years Jail for Deepfake Porn in Australia: New Laws Crack Down on Online Abuse

Zero-Click Hack Hits TikTok: High-Profile Accounts Hijacked

Wrap Up

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Patient Care, Including Transplants, Still Disrupted at London Hospitals, Clinics Marianne Kolbasuk McGee (HealthInfoSec) • June 7, 2024     Image: Synnovis A ransomware attack on a pathology services vendor earlier in the week continues to disrupt patient care, including transplants, […]

La entrada Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Akira Ransomware Group Attack on Panasonic Australia

Cyber Security Agency of Singapore Issues Advisory

• Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
• Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
• Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
• Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
• Migrate from unsupported applications to newer alternatives.
• Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
• Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
• Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
• Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.

New OSX payloads:ARMed and Dangerous

In addition to an RCE leveraging CVE-2024-5084 to gain RCE through a WordPress Hash form, this release features the addition of several new binary OSX stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and Shell Reverse TCP.

The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target machine, which allows the attacker to connect to this open port to spawn a command shell using the user provided command using the execve system call on Apple silicon laptops.

The new osx/aarch64/shell_reverse_tcp payload that can connect back to the configured attacker’s RHOST and RPORT to spawn a command shell using the execve system call on Apple silicon laptops.
The new osx/aarch64/exec payload can execute arbitrary user provided commands using the execve system call on Apple silicon laptops, for example:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell…

And executing:

$ chmod +x ./shell
$ ./shell
123
abc
user
🔥

New module content (4)

WordPress Hash Form Plugin RCE

Authors: Francesco Carlucci and Valentin Lobstein
Type: Exploit
Pull request: #19208 contributed by Chocapikk
Path: multi/http/wp_hash_form_rce
AttackerKB reference: CVE-2024-5084

Description: This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the file_upload_action function.

OSX aarch64 Execute Command

Author: alanfoster
Type: Payload (Single)
Pull request: #18646 contributed by AlanFoster
Path: osx/aarch64/exec

Description: Add osx aarch64 exec payload.

OS X x64 Shell Bind TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18776 contributed by AlanFoster
Path: osx/aarch64/shell_bind_tcp

Description: Add osx aarch64 bind tcp payload.

OSX aarch64 Shell Reverse TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18652 contributed by AlanFoster
Path: osx/aarch64/shell_reverse_tcp

Description: Add osx aarch64 shell reverse tcp payload.

Enhancements and features (0)

None

Bugs fixed (3)

• #19209 from zgoldman-r7 - Updates multiple file format exploits to show the default settings to users when running show options.
• #19211 from sjanusz-r7 - Fixes an issue were the database management logic would default a model's updated_at value to incorrectly be set to the created_at value.
• #19217 from zgoldman-r7 - Fixes path tab completion for modules when using Ruby 3.2+.
• #19227 from bcoles - Fixed an issue in Moodle::Login.moodle_login that reported a false negative when logging in with user's credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.11...6.4.12
• Full diff 6.4.11...6.4.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.

MFA Could Have Stopped Change Healthcare Attack

“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - Wyden

Wyden’s Proposed Cybersecurity Measures for HHS

• Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
• Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
• Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
• Technical Assistance: Provide technical security support to healthcare providers.

The State of Ransomware in Healthcare

“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - Emsisoft

HHS Cybersecurity Response

Akira Ransomware: Previous Track Record

Enlarge (credit: Getty Images | NurPhoto /)

T-Mobile is hoping that home Internet customers who suffer from frequent service outages will pay $30 a month for a "backup" 5G plan. T-Mobile's new "Home Internet Backup," announced today, is intended to be used only when a user's primary home Internet service goes down.

One big drawback is that T-Mobile clearly intends for customers to subscribe to the $30 monthly plan indefinitely, even though a user likely wouldn't need it during some months and might need it for just a day or two in other months. The pricing terms make it so that canceling and resubscribing as needed is not feasible.

T-Mobile said the plan provides 130GB of 5G data each month, "enough to keep a typical household connected with Wi-Fi for up to seven days a month when their primary internet service goes down." After 130GB, speeds will be reduced to "up to" 600kbps.

Read 10 remaining paragraphs | Comments

Quis dīrumpet ipsos dīrumpēs

In this release, we feature a double-double: two exploits each targeting two pieces of software. The first pair is from h00die targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to retrieve the login for the ransomware server, and the second is a directory traversal vulnerability allowing arbitrary file read. The second pair from Dave Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it pairs well like wine with the additional and accompanying Privilege Escalation module.

New module content (4)

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Jasmin Ransomware Web Server Unauthenticated SQL Injection

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Flowmon Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389

Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.

Progress Flowmon Local sudo privilege escalation

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024

Description: Privilege escalation module for Progress Flowmon unpatched feature.

Enhancements and features (3)

• #19195 from adfoster-r7 - Updates msfconsole to support risc-v platforms.
• #19198 from adfoster-r7 - Add support for Ruby 3.3.x.
• #19200 from adfoster-r7 - Updates Metasploit's gemspec file to work with additional static analysis tools.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.10...6.4.11
• Full diff 6.4.10...6.4.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here. 

Here in the US, bird flu has now infected cows in nine states, millions of chickens, and—as of last week—a second dairy worker. There’s no indication that the virus has acquired the mutations it would need to jump between humans, but the possibility of another pandemic has health officials on high alert. Last week, they said they are working to get 4.8 million doses of H5N1 bird flu vaccine packaged into vials as a precautionary measure. 

The good news is that we’re far more prepared for a bird flu outbreak than we were for covid. We know so much more about influenza than we did about coronaviruses. And we already have hundreds of thousands of doses of a bird flu vaccine sitting in the nation’s stockpile.

The bad news is we would need more than 600 million doses to cover everyone in the US, at two shots per person. And the process we typically use to produce flu vaccines takes months and relies on massive quantities of chicken eggs. Yes, chickens. One of the birds that’s susceptible to avian flu. (Talk about putting all our eggs in one basket. #sorrynotsorry)

This week in The Checkup, let’s look at why we still use a cumbersome, 80-year-old vaccine production process to make flu vaccines—and how we can speed it up.

The idea to grow flu virus in fertilized chicken eggs originated with Frank Macfarlane Burnet, an Australian virologist. In 1936, he discovered that if he bored a tiny hole in the shell of a chicken egg and injected flu virus between the shell and the inner membrane, he could get the virus to replicate.  

Even now, we still grow flu virus in much the same way. “I think a lot of it has to do with the infrastructure that’s already there,” says Scott Hensley, an immunologist at the University of Pennsylvania’s Perelman School of Medicine. It’s difficult for companies to pivot. 

The process works like this: Health officials provide vaccine manufacturers with a candidate vaccine virus that matches circulating flu strains. That virus is injected into fertilized chicken eggs, where it replicates for several days. The virus is then harvested, killed (for most use cases), purified, and packaged. 

Making flu vaccine in eggs has a couple of major drawbacks. For a start, the virus doesn’t always grow well in eggs. So the first step in vaccine development is creating a virus that does. That happens through an adaptation process that can take weeks or even months. This process is particularly tricky for bird flu: Viruses like H5N1 are deadly to birds, so the virus might end up killing the embryo before the egg can produce much virus. To avoid this, scientists have to develop a weakened version of the virus by combining genes from the bird flu virus with genes typically used to produce seasonal flu virus vaccines. 

And then there’s the problem of securing enough chickens and eggs. Right now, many egg-based production lines are focused on producing vaccines for seasonal flu. They could switch over to bird flu, but “we don’t have the capacity to do both,” Amesh Adalja, an infectious disease specialist at Johns Hopkins University, told KFF Health News. The US government is so worried about its egg supply that it keeps secret, heavily guarded flocks of chickens peppered throughout the country. 

Most of the flu virus used in vaccines is grown in eggs, but there are alternatives. The seasonal flu vaccine Flucelvax, produced by CSL Seqirus, is grown in a cell line derived in the 1950s from the kidney of a cocker spaniel. The virus used in the seasonal flu vaccine FluBlok, made by Protein Sciences, isn’t grown; it’s synthesized. Scientists engineer an insect virus to carry the gene for hemagglutinin, a key component of the flu virus that triggers the human immune system to create antibodies against it. That engineered virus turns insect cells into tiny hemagglutinin production plants.   

And then we have mRNA vaccines, which wouldn’t require vaccine manufacturers to grow any virus at all. There aren’t yet any approved mRNA vaccines for influenza, but many companies are fervently working on them, including Pfizer, Moderna, Sanofi, and GSK. “With the covid vaccines and the infrastructure that’s been built for covid, we now have the capacity to ramp up production of mRNA vaccines very quickly,” says Hensley. This week, the Financial Times reported that the US government will soon close a deal with Moderna to provide tens of millions of dollars to fund a large clinical trial of a bird flu vaccine the company is developing.

There are hints that egg-free vaccines might work better than egg-based vaccines. A CDC study published in January showed that people who received Flucelvax or FluBlok had more robust antibody responses than those who received egg-based flu vaccines. That may be because viruses grown in eggs sometimes acquire mutations that help them grow better in eggs. Those mutations can change the virus so much that the immune response generated by the vaccine doesn’t work as well against the actual flu virus that’s circulating in the population. 

Hensley and his colleagues are developing an mRNA vaccine against bird flu. So far they’ve only tested it in animals, but the shot performed well, he claims. “All of our preclinical studies in animals show that these vaccines elicit a much stronger antibody response compared with conventional flu vaccines.”

No one can predict when we might need a pandemic flu vaccine. But just because bird flu hasn’t made the jump to a pandemic doesn’t mean it won’t. “The cattle situation makes me worried,” Hensley says. Humans are in constant contact with cows, he explains. While there have only been a couple of human cases so far, “the fear is that some of those exposures will spark a fire.” Let’s make sure we can extinguish it quickly. 

Now read the rest of The Checkup

Read more from MIT Technology Review’s archive

In a previous issue of The Checkup, Jessica Hamzelou explained what it would take for bird flu to jump to humans. And last month, after bird flu began circulating in cows, I posted an update that looked at strategies to protect people and animals.

I don’t have to tell you that mRNA vaccines are a big deal. In 2021, MIT Technology Review highlighted them as one of the year’s 10 breakthrough technologies. Antonio Regalado explored their massive potential to transform medicine. Jessica Hamzelou wrote about the other diseases researchers are hoping to tackle. I followed up with a story after two mRNA researchers won a Nobel Prize. And earlier this year I wrote about a new kind of mRNA vaccine that’s self-amplifying, meaning it not only works at lower doses, but also sticks around for longer in the body. 

From around the web

Researchers installed a literal window into the brain, allowing for ultrasound imaging that they hope will be a step toward less invasive brain-computer interfaces. (Stat) 

People who carry antibodies against the common viruses used to deliver gene therapies can mount a dangerous immune response if they’re re-exposed. That means many people are ineligible for these therapies and others can’t get a second dose. Now researchers are hunting for a solution. (Nature)

More good news about Ozempic. A new study shows that the drug can cut the risk of kidney complications, including death in people with diabetes and chronic kidney disease. (NYT)

Microplastics are everywhere. Including testicles. (Scientific American)

Must read: This story, the second in series on the denial of reproductive autonomy for people with sickle-cell disease, examines how the US medical system undermines a woman’s right to choose. (Stat)

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here. 

This week, I wrote about an external stimulator that delivers electrical pulses to the spine to help improve hand and arm function in people who are paralyzed. This isn’t a cure. In many cases the gains were relatively modest. One participant said it increased his typing speed from 23 words a minute to 35. Another participant was newly able to use scissors with his right hand. A third used her left hand to release a seatbelt.

The study didn’t garner as much media attention as previous, much smaller studies that focused on helping people with paralysis walk. Tech that allows people to type slightly faster or put their hair in a ponytail unaided just doesn’t have the same allure. “The image of a paralyzed person getting up and walking is almost biblical,” Charles Liu, director of the Neurorestoration Center at the University of Southern California, once told a reporter. 

For the people who have spinal cord injuries, however, incremental gains can have a huge impact on quality of life. 

So today in The Checkup, let’s talk about this tech and who it serves.

In 2004, Kim Anderson-Erisman, a researcher at Case Western Reserve University, who also happens to be paralyzed, surveyed more than 600 people with spinal cord injuries. Wanting to better understand their priorities, she asked them to consider seven different functions—everything from hand and arm mobility to bowel and bladder function to sexual function. She asked respondents to rank these functions according to how big an impact recovery would have on their quality of life. 

Walking was one of the functions, but it wasn’t the top priority for most people. Most quadriplegics put hand and arm function at the top of the list. For paraplegics, meanwhile, the top priority was sexual function. I interviewed Anderson-Erisman for a story I wrote in 2019 about research on implantable stimulators as a way to help people with spinal cord injuries walk. For many people, “not being able to walk is the easy part of spinal cord injury,” she told me. “[If] you don’t have enough upper-extremity strength or ability to take care of yourself independently, that’s a bigger problem than not being able to walk.” 

One of the research groups I focused on was at the University of Louisville. When I visited in 2019, the team had recently made the news because two people with spinal cord injuries in one of their studies had regained the ability to walk, thanks to an implanted stimulator. “Experimental device helps paralyzed man walk the length of four football fields,” one headline had trumpeted.

But when I visited one of those participants, Jeff Marquis, in his condo in Louisville, I learned that walking was something he could only do in the lab. To walk he needed to hold onto parallel bars supported by other people and wear a harness to catch him if he fell. Even if he had extra help at home, there wasn’t enough room for the apparatus. Instead, he gets around his condo the same way he gets around outside his condo: in a wheelchair. Marquis does stand at home, but even that requires a bulky frame. And the standing he does is only for therapy. “I mostly just watch TV while I’m doing that,” he said.  

That’s not to say the tech has been useless. The implant helped Marquis gain some balance, stamina, and trunk stability. “Trunk stability is kind of underrated in how much easier that makes every other activity I do,” he told me. “That’s the biggest thing that stays with me when I have [the stimulator] turned off.”  

What’s exciting to me about this latest study is that the tech gave the participants skills they could use beyond the lab. And because the stimulator is external, it is likely to be more accessible and vastly cheaper. Yes, the newly enabled movements are small, but if you listen to the palpable excitement of one study participant as he demonstrates how he can move a small ball into a cup, you’ll appreciate that incremental gains are far from insignificant. That’s according to Melanie Reid, one of the participants in the latest trial, who spoke at a press conference last week. “There [are] no miracles in spinal injury, but tiny gains can be life-changing.”

Now read the rest of The Checkup

Read more from MIT Technology Review’s archive

In 2017, we hailed as a breakthrough technology electronic interfaces designed to reverse paralysis by reconnecting the brain and body. Antonio Regalado has the story. 

An implanted stimulator changed John Mumford’s life, allowing him to once again grasp objects after a spinal cord injury left him paralyzed. But when the company that made the device folded, Mumford was left with few options for keeping the device running. “Limp limbs can be reanimated by technology, but they can be quieted again by basic market economics,” wrote Brian Bergstein in 2015. 

In 2014, Courtney Humphries covered some of the rat research that laid the foundation for the technological developments that have allowed paralyzed people to walk. 

From around the web

Lots of bird flu news this week. A second person in the US has tested positive for the illness after working with infected livestock. (NBC)

The livestock industry, which depends on shipping tens of millions of live animals, provides some ideal conditions for the spread of pathogens, including bird flu. (NYT)

Long read: How the death of a nine-year-old boy in Cambodia triggered a global H5N1 alert. (NYT)

You’ve heard about tracking viruses via wastewater. H5N1 is the first one we’re tracking via store-bought milk. (STAT) 

The first organ transplants from pigs to humans have not ended well, but scientists are learning valuable lessons about what they need to do better. (Nature) 

Another long read that’s worth your time: an inside look at just how long 3M knew about the pervasiveness of “forever chemicals.” (New Yorker) 

The homepage of Stark Industries Solutions.

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”

This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.

As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.

The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.

A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

PROXY WARS

Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.

Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.

Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.

Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.

Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.

“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”

Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.

“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.

CLOUDY WITH A CHANCE OF BULLETS

Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.

“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,'” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”

Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.

Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.

“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”

But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.

“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”

MERCENARIES TEAM

Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.

Ivan Neculiti, as pictured on LinkedIn.

Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”

“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”

Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.

“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”

DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.

An ad for war.md, circa 2009.

Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.

DON CHICHO & DFYZ

The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.

Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.

DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.

Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.

The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.

Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.

Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.

Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.

Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.

“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.

Below is a mind map that shows the connections between the accounts mentioned above.

A mind map tracing the history of the user Dfyz. Click to enlarge.

Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”

“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”

CORRECTIV ACTION

The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.

Image credit: correctiv.org.

The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.

“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.

“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”

Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.

PEACE HOSTING?

Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.

DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.

This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhsoting’s colocation customers.

“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”

“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”

In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.

Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.

Mr. Nesterenko took exception to a story on that report from The Record, which is owned by Recorded Future.

“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”

Recorded Future said they updated their story with comments from Mr. Neculiti, but that they stand by their reporting.

Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.

In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.

Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.

“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.

A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.

PEERING INTO THE VOID

A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).

Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.

A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.

Proxyline dot net.

Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.

Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.

EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.

Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, De. based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.

Image: Interisle Consulting.

A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.

The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.

It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).

For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”

A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.

Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.

According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.

Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.

“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complains to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”

Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.

The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.

“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”

On April 30, the security firm Malwarebytes explored an extensive malware operation that targets corporate Internet users with malicious ads. Among the sites used as lures in that campaign were fake Wall Street Journal and CNN websites that told visitors they were required to install a WSJ or CNN-branded browser extension (malware). Malwarebytes found a domain name central to that operation was hosted at Internet addresses owned by Stark Industries.

Image: threatdown.com

Infiltrate the Broadcast!

A new module from Chocapikk allows the user to perform remote code execution on vulnerable versions of streaming platform AVideo (12.4 - 14.2). The multi/http/avideo_wwbnindex_unauth_rce module leverages CVE-2024-31819, a vulnerability to PHP Filter Chaining, to gain unauthenticated and unprivileged access, earning it an attacker value of High on AttackerKB.

New module content (8)

Chaos RAT XSS to RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19104 contributed by h00die
Path: linux/http/chaos_rat_xss_to_rce
AttackerKB reference: CVE-2024-30850

Description: Adds an exploit for HAOS v5.0.8, which contains a remote command execution vulnerability which
can be triggered through one of three routes: credentials, JWT token from an agent, an agent executable can be provided, or the JWT token can be extracted.

AVideo WWBNIndex Plugin Unauthenticated RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #19071 contributed by Chocapikk
Path: multi/http/avideo_wwbnindex_unauth_rce
AttackerKB reference: CVE-2024-31819

Description: Adds a module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.

NorthStar C2 XSS to Agent RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19102 contributed by h00die
Path: windows/http/northstar_c2_xss_to_agent_rce
AttackerKB reference: CVE-2024-28741

Description: Adds an exploit for CVE-2024-28741 which exploits an XSS vulnerability in Northstar C2.

Adi IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19169 contributed by The-Pink-Panther
Path: windows/gather/credentials/adi_irc

Description: This adds a gather module leveraging Packrat targeting Adi IRC client.

CarotDAV credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19173 contributed by The-Pink-Panther
Path: windows/gather/credentials/carotdav_ftp

Description: This adds a gather module leveraging Packrat targeting the CarotDAV FTP client.

Halloy IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19165 contributed by The-Pink-Panther
Path: windows/gather/credentials/halloy_irc

Description: This adds a module leveraging Packrat to gather credentials against the Halloy IRC client.

Quassel IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19166 contributed by The-Pink-Panther
Path: windows/gather/credentials/quassel_irc

Description: This adds a gather module leveraging Packrat targeting Quassel IRC client.

Sylpheed email credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19171 contributed by The-Pink-Panther
Path: windows/gather/credentials/sylpheed

Description: This adds a gather module leveraging Packrat targeting Sylpheed Email client.

Enhancements and features (1)

• #19189 from adfoster-r7 - Updates Metasploit framework's default Ruby version to 3.1.5; newer Ruby versions are also supported.

Bugs fixed (4)

• #19002 from adfoster-r7 - Fixed persistent jobs not working when rebooting MSF console.
• #19170 from sjanusz-r7 - Fixes the smb_lookupsid module hanging with STATUS_PENDING when running against Samba targets.
• #19186 from dwelch-r7 - Fixes a bug were the show advanced command could show normal options.
• #19192 from adfoster-r7 - Fix crashing mipsel modules when running Ruby 3.3.0.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.9...6.4.10
• Full diff 6.4.9...6.4.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro