Archive for the ‘Crime Scene Investigation’ Category

Mum’s heartbreaking message to Grace Thorpe as man is accused of toddler’s murder – Teesside Live

The mum of alleged murdered toddler Grace Thorpe has posted a heartbreaking message following the tragic death of her daughter.

Grace died on Thursday after suffering injuries at a home in Dale Street, New Marske on Tuesday.

In a new post on Facebook including a picture of her daughter, Grace's mum wrote: "I love you more than you will ever know."

Middlesbrough man Adam Jackson, 26, was charged with murdering the two-year-old on Friday and has made his first court appearance.

Jackson appeared at Teesside Magistrates' Court on Friday afternoon after his arrest earlier this week.

He was brought into the courtroom wearing a grey t-shirt and face covering. He spoke only to confirm his name, address and date of birth.

Magistrates were told during the five-minute hearing that, due to the severity of the alleged offence, the case must be sent to Crown Court.

Jackson, of Parkside, Ladgate Lane, Middlesbrough, was remanded into custody and no pleas were entered.

It is alleged Jackson murdered Grace on Tuesday.

He will next appear at Teesside Crown Court on Monday and a further plea hearing has been scheduled for December.

Flowers, cuddly toys and candles have continued to be left at the scene of the alleged murder.

Several neighbours attended the address laying flowers as a mark of respect.

One woman attended the property, laying a bunch of flowers under the police cordon, saying: "We just couldn't believe it happened. So close to home as well.

"Everyone lit candles in the road last night and held a one minute silence."

She added that the incident has shocked the community.

A large police presence remained at the scene on Friday morning before Jackson was charged with Grace's murder.

Crime scene investigators were spotted leaving the property with brown evidence bags as enquiries continued.

A police van, two cars and a crime scene investigation vehicle remained parked outside the house, with a police car at the rear of the property.

Police cordons were also erected across the front and back of the house.

The upstairs curtains have now been opened as net curtains hang in the front window.

Police have remained on scene since Grace was taken to hospital in a critical condition on Tuesday by emergency services.

She was taken to the Royal Victoria Infirmary for treatment, but on Thursday she tragically passed away.

Cleveland Police began an investigation into the circumstances around how the little girl came to be injured and Jackson was subsequently arrested on suspicion of murder.

Details have not yet been given about the nature and type of Grace's injuries.

The air ambulances, two road ambulances and police officers were called to the incident.

Grace's family are being supported by specially trained officers as inquiries continue.


Watchdogs demand transparent investigation, civil legal procedures on Intan Jaya shooting – The Jakarta Post – Jakarta Post

A coalition of human rights groups has called on the government to reveal detailed information on the suspected killers of Pastor Yeremia Zanambani in Intan Jaya regency, Papua, after a state-formed fact-finding team (TGPF) reportedly found indications of security forces' involvement.

They demanded that the suspects' identities and motives be revealed, as well as the names of high-ranking officials who might have had a hand in the fatal shooting. None of this information was included in the report, the coalition said.

Comprising Amnesty International Indonesia, the Commission for Missing Persons and Victims of Violence (Kontras), Imparsial, the Institute for Policy Research and Advocacy (ELSAM) and the Democratic Alliance for Papua, the coalition further demanded that the authorities follow up on the fact-finding team's investigation through civil legal procedures and not the military court, to ensure justice for the victim's family.

"If it is proven that TNI [Indonesian Military] personnel were involved in this case, we demand transparent legal proceedings through the civil court," Amnesty International Indonesia researcher Ari Pramuditya said during a webinar on Thursday.

He argued that military tribunals had not been transparent in bringing offenders to justice in the past, pointing out that only a few military personnel had stood trial at a military court despite the many cases of violence against civilians reported in Papua over the years.


Amnesty's report revealed that 34 cases of unlawful killings occurred in Papua between 2010 and 2018, allegedly involving military personnel. However, only six were brought before a military court, Ari said.

He also criticized the government for using armed groups as scapegoats for any violence taking place in the country's easternmost province.

Ari pointed to Col. Suriastawa, the spokesman for the Joint Regional Defense Command III in Papua, who previously said Yeremia had been shot by a separatist group.

Even though the TGPF's report indicated the alleged involvement of security forces in the pastor's shooting, Coordinating Political, Legal and Human Rights Minister Mahfud MD said there was the possibility of a third party's involvement in the crime.

"We see hesitation [from the government] in the report [...] It even creates more confusion for us," Ari further said.

The groups also criticized Mahfud for suggesting that the government deploy more security personnel into vulnerable areas in Papua in order to maintain peace and safety in the region.

"We encourage the government to evaluate the deployment of military personnel to Papua, where violence has grown in intensity each year," said Alif Nur Fikri from Kontras.


Security personnel have contributed to the many cases of violence in the restive region, he said, adding that the plan raised questions over whether the Papuan people truly felt safe with the TNI's presence.

Imparsial executive director Al Araf echoed Alif's sentiment, saying that the military's approach had been proven ineffective in solving conflicts across Papua.

"At one point, the government wanted to use the economic approach for the Papuan people, but they also wanted to escalate the military approach in the region; this would create more distrust among local communities," he added.

The Indonesian Communion of Churches, the Indonesian Evangelical Christian Church (GKII) and local media in Papua claimed Yeremia was shot by TNI personnel on his way to his pig pen on Sept. 19, at the same time a military operation was reportedly taking place.

The incident prompted the government to establish the TGPF tasked under a 14-day deadline to investigate the fatal shooting. The team concluded its fact-finding mission on Oct. 12 after conducting a crime scene investigation and questioning more than 25 eyewitnesses.


Brick woman sentenced to four years for manslaughter in death of fiancé – wobm.com

A Brick Township woman who previously pleaded guilty to reckless manslaughter has been sentenced to four years in prison for her role in the death of her fiancé in September of 2019, Ocean County Prosecutor Bradley Billhimer announced on Thursday.

Ciara Williams, 28, stabbed her fiancé Dennis Power, 35, in the chest during an argument at their home.

She then brought him to the hospital and left him out front, where hospital staff brought him in and tried to revive him. Power was unconscious but breathing at the time; he later died.

The investigation by the Ocean County Prosecutor's Office Major Crime Unit, Brick Police and the Ocean County Sheriff's Office Crime Scene Investigation Unit led police and detectives to the evidence that Williams stabbed Power in the chest and was responsible for the injuries which ultimately led to his death.

"Williams originally faced more significant charges with greater sentencing exposure, but legitimate self-defense claims arose during the course of the investigation which we were compelled to take into account in evaluating this very difficult case," Prosecutor Billhimer said in a statement. "The claims of self-defense, coupled with considerable proof problems, led to a resolution which we believe to be fair and just after careful consideration of all the facts and circumstances. Williams has been made to answer for her crime, and will be required to spend the next few years in state prison as a result. We hope this prison sentence provides some level of peace and closure to the family of Mr. Powers."


Turkey: Hopes of justice for assassinated human rights lawyer as three police officers go on trial – Amnesty International


The trial of three police officers accused of killing prominent human rights lawyer Tahir Elçi presents a long overdue chance for justice, Amnesty International said today. On 28 November 2015, Tahir Elçi was shot in the head shortly after giving a statement at a press conference in the city of Diyarbakır, where the first trial hearing of three of the accused begins today.

A 2019 report by Forensic Architecture concluded, by a process of elimination, that Tahir Elçi was most likely killed by one of three police officers present at the scene. These officers face charges of causing death by culpable negligence, which carry a prison sentence of two to six years.

Almost five years after the bullet that killed Tahir Elçi was fired, there is hope that the person who pulled the trigger will finally face justice. Tahir Elçi worked to help victims of human rights violations get justice, campaigning for an end to violence and respect for the rights of the Kurdish people.

It is a bitter irony that Tahir Elçi's life was cut short by the very violence he was campaigning to end. Justice for Tahir Elçi would be a glimmer of hope in a country where impunity is sadly endemic.

In the weeks preceding Tahir Elçi's brutal killing, he had been vilified and detained, and a bogus prosecution was opened against him. He also received multiple death threats, which he openly spoke about, but the authorities did not put in place any measures to protect him.

This campaign of intimidation followed comments he made during a TV programme in which he stated that the Kurdistan Workers' Party (PKK) was not a terrorist organisation but an armed political movement with popular support. Just before his murder Tahir Elçi had told the press: "We don't want guns here, clashes, or [police] operations."

Türkan Elçi, Tahir Elçi's widow, said: "A gaping wound has opened in society's consciousness when a lawyer who believed in the struggle against war and violence was gunned down in full view of everyone. Although the prosecution has been delayed by five years, we remain hopeful that justice will be done. We have not given up on our belief in the law."

BACKGROUND

The first hearing in the trial of three police officers and an alleged PKK militant is starting on 21 October at the Diyarbakır Heavy Penal Court No 10.

Amnesty International Turkey will be present to observe the start of the long-awaited trial,along with dozens of human rights lawyers, activists and others.

In 2015, Diyarbakır's iconic four-legged minaret was damaged during armed clashes between the Turkish security forces and members of the armed PKK. Two days later, Tahir Elçi spoke at a press conference at the site, calling for an end to the violence. As the press conference ended, police officers present at the scene fired at two suspected members of the armed PKK, who were running down the street where Tahir Elçi was standing by the monument.

The investigation into his killing was flawed: the area was not secured immediately, and a thorough crime scene investigation was not carried out for almost four months. The police officers present at the time were only interviewed as witnesses.

At the time of his assassination, Tahir Elçi was the President of Diyarbakır Bar Association, which commissioned UK-based research organization Forensic Architecture to examine the case. Forensic Architecture's report and the accompanying video were submitted to the prosecuting authorities in 2019, forming part of the indictment that was accepted in March 2020. It was after the authorities reviewed this evidence that the three police officers who had fired shots on the day were interviewed as suspects. They are now indicted in the prosecution.

Tahir Elçi represented families of victims of human rights violations at the hands of Turkish security forces, including enforced disappearances and suspected unlawful killings by government agents. Over many years, he played a key role in representing victims of these crimes before domestic courts and the European Court of Human Rights, helped to establish scores of human rights organizations in Turkey, and worked closely with international human rights groups, including Amnesty International.


CrimeOps of the KashmirBlack Botnet Part I – Security Boulevard

Introduction

Being in a research team exposes us to a variety of attacks on different platforms, of different types, scope and volume. It also gives us the opportunity to select particularly interesting attacks that target our customers and to analyze them. This blog will give you a taste of the CrimeOps (criminal operations) behind one of these attacks: the KashmirBlack botnet.

In the following sections we'll describe the DevOps behind the KashmirBlack botnet, discuss the purpose of the botnet, and recount the journey we took during our research. For the bits and bytes about the entities, the operation and the infection technique of the KashmirBlack botnet, please wait for next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

The KashmirBlack botnet mainly infects popular CMS platforms. It exploits dozens of known vulnerabilities on its victims' servers, performing millions of attacks per day on average against thousands of victims in more than 30 countries around the world. To make this work reliably, with minimal interruptions, there has to be a proper architecture design and stable infrastructure, with a solid DevOps implementation to overcome the challenges of the delivery process.

Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 mostly innocent surrogate servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

We'll inspect the evolution and version deployment of the botnet during the research period, from November 2019 until the end of May 2020. And we'll see how it uses cloud-based services such as GitHub, Pastebin and Dropbox to hide and control the botnet operation, and show how it has entered new domains such as cryptomining and site defacement.

In the Appendix you can find indicators of compromise (IOC).

According to Wikipedia, "DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from Agile methodology."

Simply put, CrimeOps is the utilization of DevOps practices to facilitate crime: the DevOps behind the KashmirBlack botnet and its infrastructure support continuous delivery processes that enable an agile software development cycle. We'll show how these are accomplished in conjunction with a CrimeOps strategy.

Figure 1 below offers a hint of the complexity of the botnet and the different entities that play a role in this operation. The color of each entity reflects its role: red for malicious services created by the owner of the botnet, orange for victims used by the botnet, and green for innocent services.

Heres a high-level description of the entities:

Figure 1: KashmirBlack botnet flow diagram

To better understand this diagram, we've broken down the flow into pieces in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

A security research investigation can sometimes be like a crime scene investigation. However, our crime scene is spread all over the network, with no body in place. We therefore need to collect the clues and fingerprints that will allow us to construct a picture of the virtual crime. Here is the journey of our research.

We started our surveillance on the KashmirBlack botnet in January 2020 and began to uncover the operation piece by piece, by answering three main questions: When? How? And What?

When?

The KashmirBlack botnet operation, as we know it, started around November 2019. We have two pieces of evidence that support this timeline. The first, found in our data lake, is the earliest exploitation attempts of the PHPUnit RCE vulnerability (CVE-2017-9841) to infect our customers with the KashmirBlack malicious script. The other is the date of one of the exploits in repository B: November 6, 2019.
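The CVE-2017-9841 attempts that date the botnet are visible to anyone who keeps web-server access logs. The scanner below is an added example (not code from the Imperva post): it parses the Combined Log Format that Apache and Nginx emit by default and flags any request for the PHPUnit `eval-stdin.php` path that the CVE is exploited through, rating a POST answered with HTTP 200 higher than a rejected probe. The sample log lines are constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# CVE-2017-9841 is exploited by sending PHP code in the body of a request to
# vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php; the file may sit under any
# plugin or theme directory, so match on the tail of the path rather than a fixed prefix.
_PHPUNIT_RE = re.compile(r'/phpunit/.*/eval-stdin\.php$', re.IGNORECASE)


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str  # 'critical' = file executed the request body, 'probe' = rejected attempt


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the access-log line is a CVE-2017-9841 attempt, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None  # not a Combined Log Format line (or a truncated one)
    path = m['path']
    if not _PHPUNIT_RE.search(path.split('?', 1)[0]):  # ignore any query string
        return None
    status = int(m['status'])
    # A 200 to a POST means eval-stdin.php existed and executed the attacker's body.
    severity = 'critical' if m['method'] == 'POST' and status == 200 else 'probe'
    return Hit(m['ip'], m['ts'], m['method'], path, status, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (classify(line) for line in lines) if h is not None]


# Constructed sample log lines (not taken from the post or from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2019:03:12:44 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Nov/2019:03:12:45 +0000] "GET /wp-content/plugins/foo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2019:03:13:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity:8} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
```

A `critical` hit means the server had a reachable PHPUnit install and ran whatever was in the request body, so the host should be handled as compromised rather than merely scanned; `probe` hits are reconnaissance and are most useful aggregated per source IP.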

How?

This question is answered in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

What?

To answer this question we had to take a more active approach to the investigation. We went undercover and impersonated a spreading bot in the botnet and, without actually attacking any targets, started to collect information about the botnet's victims. Then, in order to understand the purpose of those victims as pending bots, we had to become a victim ourselves. We created a CMS honeypot and attacked it with our spreading bot, and so became a pending bot in the KashmirBlack botnet.

We witnessed five purposes for the botnet: crypto mining, spamming, defacement, spreading and pending bots. The next section describes some of these purposes in more depth.

According to Wikipedia, Monero "is actively encouraged to those seeking financial privacy, since payments and account balances remain entirely hidden, which is not the standard for most cryptocurrencies." The KashmirBlack botnet uses the XMRig miner to mine Monero to a remote wallet on a HashVault pool. Examining its code gave us the wallet address, from which we could see that the mining operation started on March 31, 2020.

The attacker's payment address is: 44qSPEgLnC5CF7ajChi4UZK5Z89tiaXiwcU8BGJ1yNB8NcrwhuiSrRRb3gSmhaGLAB8ERuJs3FhdmAgJfiGjHA9mM21DHE8

Taking into account that the mining operation was limited to a maximum of 50% of each infected host's CPU, and that the wallet showed a hash rate of 16,000 hashes per second, we estimated that there were around 80 infected victim hosts.

Figure 2: The attacker mining activity

Infected by the KashmirBlack botnet, our honeypot was converted into a spamming bot. When a visitor tried to access the honeypot's login page, they were redirected to hxxp://134.249.116.78, which performed an additional redirection to one of many clickbait sites.

Figure 3: One of the spamming bot's redirections to a clickbait site

One important piece of evidence we collected from the KashmirBlack botnet concerned the identity of the attacker behind the operation. Below we can see the defacement signature:

Figure 4: KashmirBlack Defacing attack signature

We suspect the owner of the KashmirBlack botnet is the hacker Exect1337, a member of the Indonesian hacker crew PhantomGhost. Figure 5 below is a screenshot of another defacement attack performed by the PhantomGhost crew:

Figure 5: Site that was hacked by the Indonesian hackers crew PhantomGhost

In Appendix C you can find the IOC to check whether your site has been infected.

The KashmirBlack botnet has a massive infrastructure that gives it the ability to transform very quickly and easily. Once the infrastructure is in place, minor modifications can change the entire botnet's purpose. Every component is independent and can easily be replaced by another of the same type without interfering with the botnet operation. In this section we'll describe the evolution of the botnet over the research period and the DevOps strategy that enables it to carry out its crimes.

The evolution of the botnet focused on two main areas: the expansion process, in terms of exploit and payload deployment, and the infrastructure, which was made more agile.

Exploits & Payloads Deployment Process

In November 2019, repository B contained 15 exploits and payloads; today it contains more than 20. Our assumption is that until March 2020 the maintainer of the botnet focused only on expansion, the build phase. Once the botnet became big enough, new payloads started to emerge.

On March 15, 2020, we noticed a new payload had been added to repository B. This payload downloads a cryptominer onto the spreading bot machine to start mining Monero. Later, on May 1, 2020, another exploit and payload bundle was added, used for site defacement. Further updates with minor changes inside the exploit code were made on May 11, 2020.

Each deployment to repository B triggered a process that cloned all the bundles into the repository. This indicates some sort of CI/CD process used by the KashmirBlack botnet maintainer.

Infrastructure Changes

The earliest record of the KashmirBlack botnet included one server used as repository A and one server used as repository B.

May 15, 2020 saw the start of a more significant change. Infrastructure changes were carried out over the next week and a half, including:

There were three main reasons behind these changes:

As the botnet grew, so did the load on the repositories, as more bots fetched files from them. Secondly, since some of the repositories were actually legitimate sites, they couldn't be considered permanent entities in which to store payloads and exploits. By increasing the number of repositories, the botnet achieved two important features: redundancy and load balancing.

Repository A was scaled from a single server to at least seven servers. Repository B was scaled from a single server to 74 domains, hosted on 53 different hosts.

The addition of a new entity, the repository A load balancer, allowed scalability. A request to the load balancer returned the address of one of the multiple repository A servers. To integrate this change into the botnet operation, an additional change in the botnet's malicious script was required. Figure 6 below shows this infrastructure change.

Figure 6: The infrastructure change of repository A load balancer

The C&C is the most sensitive and important component in the entire operation, and securing it is vital. Two internal changes were made to avoid interference with the C&C:

As described above, we impersonated a spreading bot and triggered a fake reporting request to the C&C with our honeypot's details. One and a half hours later, the attacker visited our honeypot and tried to infect it with the botnet's malicious script. We assume the attacker grew suspicious and, as a result, decided to change the logic of communication with the C&C.

On May 8, 2020, three days after our honeypot was infected, we saw an update of the reporting address from hxxps:///adeliap/404.php to hxxps:///adeliap/405.php.

On May 26, 2020, the botnet's malicious script was updated with a bot tracking mechanism designed to achieve two goals. The first was to secure the botnet and the second was to manage the deployment of malicious script updates. At the time we interrupted the botnet operation's natural flow with our honeypot, the botnet had no measures in place to know which bot performed which attack. But the simple architecture change of registering a bot's IP and country while it communicated with the C&C allowed the C&C to track the operation of each bot in the botnet. Figures 7 and 8 show the previous version vs. the current version of the C&C communication.

Figure 7: Previous C&C communication

Figure 8: Current C&C communication

In the next section we'll show how this change allowed the C&C to manage the deployment of new versions of the malicious script to the bots.

The above infrastructure changes created a situation where some spreading bots were communicating with the botnet entities using the new infrastructure while others were only aware of the old one. To align them all, a new payload was added to repository B with the updated malicious script. Now the C&C could instruct all old spreading bots to fetch the new malicious script and register with the C&C. This step helped manage the deployment of new versions of the malicious script to all spreading bots.

Figure 9 below shows the spreading bot transformation. The orange entities represent the old infrastructure while the blue represent the new infrastructure.

Figure 9: Botnet Malicious Script Deployment

Another interesting infrastructure change emerged during regular monitoring on September 24, 2020. The KashmirBlack botnet entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C&C. We saw evidence that the Dropbox API is being used to fetch attack instructions and to upload attack reports from spreading bots. Moving to Dropbox allows the botnet to hide criminal activity behind a legitimate web service. It is yet another step towards camouflaging the botnet's traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.
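The move to Dropbox suggests a host-side detection that does not depend on knowing any C&C address: a CMS worker process (php-fpm running as www-data, say) has no legitimate reason to talk to Dropbox, Pastebin or GitHub, the three services the post names as botnet infrastructure. The following is an added example, not code from the post. It reads a hypothetical JSON-lines egress log (the field names are an assumption for the example; adapt them to what your EDR, Zeek or auditd pipeline emits) and flags connections from web-server service accounts to those SaaS domains, while leaving the same domains alone for other accounts. api.dropboxapi.com and content.dropboxapi.com are the public Dropbox API endpoints; the sample records are constructed.

```python
import json
from typing import Dict, List

# Service accounts under which CMS code normally runs. Any outbound connection
# they make is worth a look; connections to the hosts below are worth an alert.
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "http"}

# Legitimate SaaS domains the post describes the botnet hiding behind (GitHub,
# Pastebin, Dropbox). Matching is by domain suffix so API and content hosts are covered.
# Treat this list as a starting assumption, not a complete one.
SUSPECT_SUFFIXES = (
    "dropboxapi.com", "dropbox.com",
    "pastebin.com",
    "github.com", "githubusercontent.com",
)


def host_matches(host: str) -> bool:
    """True if host is one of the suspect domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SUSPECT_SUFFIXES)


def detect(records: List[Dict]) -> List[Dict]:
    """Return the egress records in which a web service account reached a suspect host."""
    alerts = []
    for r in records:
        if r.get("user") in WEB_SERVICE_ACCOUNTS and host_matches(r.get("dst_host", "")):
            alerts.append({**r, "reason": f"{r['user']} -> {r['dst_host']}:{r.get('dst_port')}"})
    return alerts


def detect_jsonl(text: str) -> List[Dict]:
    """Parse one JSON object per line (hypothetical egress log format) and run detect()."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


# Constructed sample records: two C&C-style calls from php-fpm, and three benign
# connections (package update as root, a deploy user using git, a payment API).
SAMPLE_EGRESS = """
{"ts":"2020-09-24T10:01:02Z","user":"www-data","process":"php-fpm","dst_host":"api.dropboxapi.com","dst_port":443}
{"ts":"2020-09-24T10:01:03Z","user":"www-data","process":"php-fpm","dst_host":"content.dropboxapi.com","dst_port":443}
{"ts":"2020-09-24T10:01:05Z","user":"root","process":"apt","dst_host":"deb.debian.org","dst_port":443}
{"ts":"2020-09-24T10:02:10Z","user":"deploy","process":"git","dst_host":"github.com","dst_port":443}
{"ts":"2020-09-24T10:03:00Z","user":"www-data","process":"php-fpm","dst_host":"api.stripe.com","dst_port":443}
"""

if __name__ == "__main__":
    for alert in detect_jsonl(SAMPLE_EGRESS):
        print(alert["ts"], alert["process"], alert["reason"])
```

Keying on the account rather than the destination alone is what keeps the rule quiet: a deploy user pulling from GitHub is normal, the same destination from the PHP worker is not. If the CMS genuinely integrates with one of these services, add that host to an allowlist rather than dropping the whole suffix.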

Figure 10 below shows the current flow diagram of the KashmirBlack botnet.

Figure 10: KashmirBlack botnet flow diagram

KashmirBlack botnet evolution timeline:

Figure 11 below shows the events of the botnet's evolution on a timeline. Purple indicates activities related to the expansion process (exploit and payload bundle deployment), green indicates infrastructure changes, orange indicates our interference with the botnet's activity, and gray indicates general activities.

Figure 11: KashmirBlack botnet evolution timeline

This blog describes a complex and constantly evolving botnet operation, one that is only possible with a well-designed infrastructure.

During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

We saw how building and maintaining a botnet is very similar to an application development process. It requires code maintenance, version control, infrastructure, and deployment cycles. The hacker behind the botnet needs to act as architect, developer, and DevOps engineer. To create a stable botnet that will carry out the intended CrimeOps, the hacker needs to design both the operation and its entities. In addition, they need to think about factors such as backups, failover, redundancy, scalability, and more.

The KashmirBlack botnet consists of many entities. There are several traces that indicate a server is compromised and taking part in the botnet, and each entity in the botnet has different indications of infection. For additional details about the IOC see the Appendix.

Imperva WAF customers are protected and are not affected by the botnet operation. The WAF has a layered approach to blocking such activity. The Bad Bots policy detects the malicious traffic of the bots to the site and the Malicious File Upload policy blocks webshell uploads. In addition, Remote Code Execution signatures prevent payload execution and the Backdoor Protection mechanism prevents backdoor usage by the attacker.

Be safe & secure, Imperva.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Ofir Shaty. Read the original post at: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/
