Archive for the ‘Crime Scene Investigation’ Category

Watchdogs demand transparent investigation, civil legal procedures on Intan Jaya shooting – The Jakarta Post – Jakarta Post

A coalition of human rights groups has called on the government to reveal detailed information on the suspected killers of Pastor Yeremia Zanambani in Intan Jaya regency, Papua, after a state-formed fact-finding team (TGPF) reportedly found indications of security forces' involvement.

They demanded that the suspects' identities and motives be revealed, as well as the names of high-ranking officials who might have had a hand in the fatal shooting. None of this information was included in the report, the coalition said.

Comprising Amnesty International Indonesia, the Commission for Missing Persons and Victims of Violence (Kontras), Imparsial, the Institute for Policy Research and Advocacy (ELSAM) and the Democratic Alliance for Papua, the coalition further demanded that the authorities follow up on the fact-finding team's investigation through civil legal procedures and not the military court to ensure justice for the victim's family.

"If it is proven that TNI [Indonesian Military] personnel were involved in this case, we demand transparent legal proceedings through the civil court," Amnesty International Indonesia researcher Ari Pramuditya said during a webinar on Thursday.

He argued that military tribunals had not been transparent in bringing offenders to justice in the past, pointing out that only a few military personnel had stood trial at a military court despite the many cases of violence against civilians reported in Papua over the years.


Amnesty's report revealed that 34 cases of unlawful killings occurred in Papua between 2010 and 2018, allegedly involving military personnel. However, only six were brought before the military court, Ari said.

He also criticized the government for using armed groups as scapegoats for any violence taking place in the country's easternmost province.

Ari pointed to Col. Suriastawa, the spokesman for the Joint Regional Defense Command III in Papua, who previously said Yeremia had been shot by a separatist group.

Even though the TGPF's report indicated the alleged involvement of security forces in the pastor's shooting, Coordinating Political, Legal and Human Rights Minister Mahfud MD said there was the possibility of a third party's involvement in the crime.

"We see hesitation [from the government] in the report [...] It even creates more confusion for us," Ari further said.

The groups also criticized Mahfud for suggesting that the government deploy more security personnel into vulnerable areas in Papua in order to maintain peace and safety in the region.

"We encourage the government to evaluate the deployment of military personnel to Papua, where violence has grown in intensity each year," said Alif Nur Fikri from Kontras.

Security personnel have contributed to the many cases of violence in the restive region, he said, adding that the plan raised questions over whether the Papuan people truly felt safe with the TNI's presence.

Imparsial executive director Al Araf echoed Alif's sentiment, saying that the military's approach had been proven ineffective in solving conflicts across Papua.

At one point, the government wanted to use the economic approach for the Papuan people, but they also wanted to escalate the military approach in the region; this would create more distrust among local communities, he added.

The Indonesian Communion of Churches, the Indonesian Evangelical Christian Church (GKII) and local media in Papua claimed Yeremia was shot by TNI personnel on his way to his pig pen on Sept. 19, at the same time a military operation was reportedly taking place.

The incident prompted the government to establish the TGPF tasked under a 14-day deadline to investigate the fatal shooting. The team concluded its fact-finding mission on Oct. 12 after conducting a crime scene investigation and questioning more than 25 eyewitnesses.


Brick woman sentenced to four years for manslaughter in death of fiancé – wobm.com

A Brick Township woman who previously pleaded guilty to Reckless Manslaughter has been sentenced to four years in prison for her role in the death of her fiancé in September of 2019, Ocean County Prosecutor Bradley Billhimer announced on Thursday.

Ciara Williams, 28, stabbed her fiancé Dennis Power, 35, in the chest during an argument at their home.

She then brought him to the hospital and left him out front, where hospital staff brought him in and tried to revive Power, who was unconscious at the time but breathing, before he passed away.

The investigation by the Ocean County Prosecutor's Office Major Crime Unit, Brick Police and the Ocean County Sheriff's Office Crime Scene Investigation Unit led police and detectives to the evidence that Williams stabbed Power in the chest, and was responsible for the injuries which ultimately led to his death.

"Williams originally faced more significant charges with greater sentencing exposure, but legitimate self-defense claims arose during the course of the investigation which we were compelled to take into account in evaluating this very difficult case," Prosecutor Billhimer said in a statement. "The claims of self-defense, coupled with considerable proof problems, led to a resolution which we believe to be fair and just after careful consideration of all the facts and circumstances. Williams has been made to answer for her crime, and will be required to spend the next few years in state prison as a result. We hope this prison sentence provides some level of peace and closure to the family of Mr. Powers."


Turkey: Hopes of justice for assassinated human rights lawyer as three police officers go on trial – Amnesty International


The trial of three police officers accused of killing prominent human rights lawyer Tahir Elçi presents a long overdue chance for justice, Amnesty International said today. On 28 November 2015, Tahir Elçi was shot in the head shortly after giving a statement at a press conference in the city of Diyarbakır, where the first trial hearing of three of the accused begins today.

A 2019 report by Forensic Architecture concluded, by a process of elimination, that Tahir Elçi was most likely killed by one of three police officers present at the scene. These officers face charges of causing death by culpable negligence, which carry a prison sentence of two to six years.

Almost five years after the bullet that killed Tahir Elçi was fired, there is hope that the person who pulled the trigger will finally face justice. Tahir Elçi worked to help victims of human rights violations get justice, campaigning for an end to violence and respect for the rights of the Kurdish people.

It is a bitter irony that Tahir Elçi's life was cut short by the very violence he was campaigning to end. Justice for Tahir Elçi would be a glimmer of hope in a country where impunity is sadly endemic.

In the weeks preceding Tahir Elçi's brutal killing, he had been vilified and detained and a bogus prosecution was opened against him. He also received multiple death threats which he openly spoke about, but the authorities did not put in place any measures to protect him.

This campaign of intimidation followed comments he made during a TV programme in which he stated that the Kurdistan Workers' Party (PKK) was not a terrorist organisation but an armed political movement with popular support. Just before his murder Tahir Elçi had told the press: "We don't want guns here, clashes, or [police] operations".

Türkan Elçi, Tahir Elçi's widow, said: "A gaping wound has opened in society's consciousness when a lawyer who believed in the struggle against war and violence was gunned down in full view of everyone. Although the prosecution has been delayed by five years, we remain hopeful that justice will be done. We have not given up on our belief in the law."

BACKGROUND

The first hearing in the trial of three police officers and an alleged PKK militant is starting on 21 October at the Diyarbakir Heavy Penal Court No 10.

Amnesty International Turkey will be present to observe the start of the long-awaited trial, along with dozens of human rights lawyers, activists and others.

In 2015, Diyarbakır's iconic four-legged minaret was damaged during armed clashes between the Turkish security forces and members of the armed PKK. Two days later, Tahir Elçi spoke at a press conference at the site, calling for an end to the violence. As the press conference ended, police officers present at the scene fired at two suspected members of the armed PKK, who were running down the street where Tahir Elçi was standing by the monument.

The investigation into his killing was flawed: the area was not secured immediately, and a thorough crime scene investigation was not carried out for almost four months. The police officers present at the time were only interviewed as witnesses.

At the time of his assassination, Tahir Elçi was the President of Diyarbakır Bar Association, which commissioned UK-based research organization Forensic Architecture to examine the case. Forensic Architecture's report and the accompanying video are available here and were submitted to the prosecuting authorities in 2019, forming part of the indictment that was accepted in March 2020. It was after the authorities reviewed this evidence that the three police officers who had fired shots on the day were interviewed as suspects. They are now indicted in the prosecution.

Tahir Elçi represented families of victims of human rights violations at the hands of Turkish security forces, including enforced disappearances and suspected unlawful killings by government agents. Over many years, he played a key role in representing victims of these crimes before domestic courts and the European Court of Human Rights, helped to establish scores of human rights organizations in Turkey, and worked closely with international human rights groups, including Amnesty International.

For more information or to arrange an interview, contact at the court: Tarık Beyhan, Amnesty International Turkey - Campaigns and Communications Director, +90 533 921 10 11, tarik.beyhan@amnesty.org.tr; or press@amnesty.org; alison.abrahams@amnesty.org, +32 (0) 483 680 812


CrimeOps of the KashmirBlack Botnet Part I – Security Boulevard

Introduction

Being in a research team exposes us to a variety of attacks on different platforms, of different types, scope, and volume. It also gives us the opportunity to select particularly interesting attacks that target our customers and to analyze them. This blog will give you a taste of the CrimeOps (criminal operations) behind one of these attacks: the KashmirBlack botnet.

In the following sections we'll describe the DevOps behind the KashmirBlack botnet, discuss the purpose of the botnet, and the journey we took during our research. For the bits and bytes about the entities, the operation and the infection technique of the KashmirBlack botnet, please wait for next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims' servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world. In order to make this magic work properly, with minimal interruptions, there should be a proper architecture design and stable infrastructure, with a solid DevOps implementation to overcome the challenges of the delivery process.

Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 mostly innocent surrogate servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

We'll inspect the evolution and version deployment of the botnet during the research period, from November 2019 until the end of May 2020. And we'll see how it uses cloud-based services such as GitHub, Pastebin and Dropbox as ways to hide and control the botnet operation, and show how it has entered new domains such as cryptominers and site defacement.

In the Appendix you can find indicators of compromise (IOC).

According to Wikipedia, DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from Agile methodology.

Simply put, CrimeOps is the utilization of DevOps practices to facilitate crime. The DevOps behind the KashmirBlack botnet and its infrastructure support continuous delivery processes to enable an agile software development cycle. We'll show how those are being accomplished in conjunction with a CrimeOps strategy.

Figure 1 below offers a hint of the complexity of the botnet and the different entities that play a role in this operation. The color of the entities reflects their characteristics: red for malicious services created by the owner of the botnet, orange for victims used by the botnet, green for innocent.

Here's a high-level description of the entities:

Figure 1: KashmirBlack botnet flow diagram

To better understand this diagram we've broken down the flow into pieces in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

Security research investigation can sometimes be like a crime scene investigation. However, our crime scene will be spread all over the network, with no body in place. We, therefore, need to collect the clues and fingerprints that will allow us to construct a picture of the virtual crime. Here is the journey of our research.

We started our surveillance on the KashmirBlack botnet in January 2020 and began to uncover the operation piece by piece, by answering three main questions: When? How? And What?

The KashmirBlack botnet operation, as we know it, started in around November 2019. We have two pieces of evidence that support this timeline. The first, found in our data lake, shows the earliest exploitation attempts of the PHPUnit RCE vulnerability (CVE-2017-9841) to infect our customers with the KashmirBlack malicious script. The other is the date of one of the exploits in repository B: November 6, 2019.
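A defender-side illustration of the first piece of evidence, added here and not taken from the original post: a Python triage of web access logs for requests to PHPUnit's `eval-stdin.php`, the file abused through CVE-2017-9841. The log lines, addresses and verdict labels are constructed for illustration; the matched path suffix is the publicly documented location of that helper.

```python
"""Triage web access logs for CVE-2017-9841 (PHPUnit eval-stdin.php) requests."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Verdict labels are this example's own, ordered from least to most urgent.
RANK = {"probe-only": 0, "file-exposed": 1, "investigate-host": 2}


def normalize_path(target):
    """Reduce a request target to a canonical lowercase path for matching."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                    # undo single and double URL-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)       # collapse '//' that slips past naive rules
    return path.lower()


def is_phpunit_probe(target):
    """True when the request addresses PHPUnit's eval-stdin.php helper."""
    path = normalize_path(target)
    return "phpunit" in path and path.endswith("/util/php/eval-stdin.php")


def verdict(method, status):
    """Map method and response status to a triage label."""
    if 200 <= status < 300:
        # A 2xx means the file is reachable from the web. A POST body may have
        # been evaluated if the installed PHPUnit version is a vulnerable one.
        return "investigate-host" if method == "POST" else "file-exposed"
    return "probe-only"                   # 403/404 etc.: attempt seen, file not served


def scan(lines):
    """Return {source_ip: {"hits", "worst", "first_seen"}} for matching requests."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_phpunit_probe(m["target"]):
            continue                      # skip malformed lines and unrelated requests
        label = verdict(m["method"], int(m["status"]))
        entry = findings.setdefault(
            m["ip"], {"hits": 0, "worst": label, "first_seen": m["ts"]}
        )
        entry["hits"] += 1
        if RANK[label] > RANK[entry["worst"]]:
            entry["worst"] = label
    return findings


# Constructed sample log (documentation-range addresses, invented plugin path).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2020:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "python-requests/2.22"',
    '203.0.113.7 - - [14/Jan/2020:10:01:03 +0000] "POST /wp-content/plugins/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "python-requests/2.22"',
    '198.51.100.23 - - [14/Jan/2020:11:15:40 +0000] "GET //vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 403 199 "-" "curl/7.58"',
    '192.0.2.50 - - [14/Jan/2020:11:20:00 +0000] "GET /blog/phpunit-testing-tips HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'malformed line',
]

if __name__ == "__main__":
    for ip, info in sorted(scan(SAMPLE_LOG).items()):
        print(ip, info["hits"], info["worst"], info["first_seen"])
```

A source that ends up with an `investigate-host` verdict is the case to follow up first: check the installed PHPUnit version and whether the `vendor` directory should be web-reachable at all.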

The question of how is answered in next week's blog, The CrimeOps of the KashmirBlack Botnet Part II.

To answer the question of what the botnet is used for, we had to take a more active approach to the investigation. We went undercover and impersonated a spreading bot in the botnet and, without actually attacking any targets, started to collect information about the botnet's victims. Then, in order to understand the purpose of those victims as pending bots, we had to become a victim ourselves. We created a CMS honeypot and attacked it with our spreading bot; as such, we became a pending bot in the KashmirBlack botnet.

We witnessed five types of purposes for the botnet: crypto mining, spamming, defacement, spreading and pending bot. The next section will describe more deeply some of the purposes mentioned above.

According to Wikipedia, Monero is actively encouraged to those seeking financial privacy, since payments and account balances remain entirely hidden, which is not the standard for most cryptocurrencies. The KashmirBlack botnet uses the XMRig miner to mine Monero coins to a remote wallet on a HashVault pool. Examining its code gave us a glimpse into the wallet, from where we could see that the mining operation started on March 31, 2020.

The attacker payment address is: 44qSPEgLnC5CF7ajChi4UZK5Z89tiaXiwcU8BGJ1yNB8NcrwhuiSrRRb3gSmhaGLAB8ERuJs3FhdmAgJfiGjHA9mM21DHE8

Taking into account that the mining operation was limited to a maximum of 50% of the infected host's CPU, with a hash rate of 16,000 hashes per second, we could conclude that there were around 80 infected victim hosts.

Figure 2: The attacker mining activity

Infected by the KashmirBlack botnet, our honeypot was converted into a spamming bot. When trying to access the honeypot's login page, the visitor was redirected to hxxp://134.249.116.78, which performed an additional redirection to one of many clickbait sites.

Figure 3: One of the spamming bot's redirections to a clickbait site

One important piece of evidence we collected from the KashmirBlack botnet concerned the identity of the attacker behind the operation. Below we can see the defacement signature:

Figure 4: KashmirBlack Defacing attack signature

We suspect the owner of the KashmirBlack botnet is the hacker Exect1337, a member of the Indonesian hacker crew PhantomGhost. Figure 5 below is a screenshot of another defacement attack performed by the PhantomGhost crew:

Figure 5: Site that was hacked by the Indonesian hackers crew PhantomGhost

In the Appendix you can find the IOCs (Appendix C) to check if your site has been infected.

The KashmirBlack botnet has a massive infrastructure that gives it the ability to transform very quickly and easily. Once the infrastructure is in place, minor modifications can change the entire botnet's purpose. Every component is independent and can be easily replaced by another of the same type without interfering with the botnet operation. In this section we'll describe the evolution of the botnet over the research period and the DevOps strategy that enables it to carry out its crimes.

The evolution of the botnet focuses on two main domains: the botnet expansion process, in terms of exploit and payload deployment, and the infrastructure, to make it more agile.

Exploits & Payloads Deployment Process

In November 2019, repository B contained 15 exploits and payloads, compared with more than 20 today. Our assumption is that until March 2020, the maintainer of the botnet focused only on expansion, the build phase. Once the botnet became big enough, new payloads started emerging.

On March 15, 2020, we noticed a new payload had been added under repository B. This payload downloads a cryptominer into the spreading bot machine to start mining for Monero coins. Later, on May 1, 2020, another exploit and payload bundle was added, and used for site defacement. Further updates with minor changes inside the exploit code were conducted on May 11, 2020.

Each deployment to repository B triggered a process that cloned all the bundles into the repository. This indicates some sort of CI/CD process used by the KashmirBlack botnet maintainer.

Infrastructure Changes

The earliest record of KashmirBlack botnet included one server used as repository A and one server used as repository B.

May 15, 2020, saw the start of a more significant change. Infrastructure changes were carried out over the next week and a half, including:

There were three main reasons behind these changes:

As the botnet size increased, so too did the load on the repositories, as more bots fetched files from these repositories. Secondly, since some of the repositories were actually legitimate sites, they couldn't be considered to be permanent entities in which to store payloads and exploits. By increasing the number of repositories, the botnet achieved two important features: redundancy and load balancing.

Repository A had been scaled from a single server to at least seven servers. Repository B had been scaled from a single server to 74 domains, hosted on 53 different hosts.

The addition of a new entity, the repository A load balancer, allowed scalability. A request to the load balancer returned the address of one of the multiple repositories in repository A. To integrate this change into the botnet operation, an additional change in the botnet malicious script was required. Figure 6 below shows this infrastructure change.

Figure 6: The infrastructure change of repository A load balancer

The C&C is the most sensitive and important component in the entire operation. Securing it is vital. Two internal changes were made in order to avoid interfering with the C&C:

As described above, we impersonated a spreading bot and triggered a fake reporting request to the C&C with our honeypot details. One and a half hours later, the attacker visited our honeypot and tried to infect it with the botnet malicious script. We assume the attacker grew suspicious and, as a result, decided to change the logic of communication with the C&C.

On May 8, 2020, three days after our honeypot was infected, we saw an update of the reporting address from hxxps:///adeliap/404.php to hxxps:///adeliap/405.php.

On May 26, 2020, the botnet malicious script was updated with a bot tracking mechanism designed to achieve two goals. The first was to secure the botnet and the second was to manage the deployment process of malicious script updates. At the time we interrupted the botnet operation's natural flow with our honeypot, the botnet had no measures in place to know which bot performed which attack. But the simple architecture change of adding the registration of a bot's IP and country while it communicated with the C&C allowed the C&C to track the operation of each bot in the botnet. Figures 7 and 8 show the previous version vs. the current version of the C&C communication.

Figure 7: Previous C&C communication

Figure 8: Current C&C communication

In the next section we'll show how this change allowed the C&C to manage the deployment process of new versions of the malicious script to the bots.

The above infrastructure changes created a situation where some spreading bots were communicating with the botnet entities by using the new infrastructure while others were only aware of the old one. In order to align them all, a new payload was added under repository B with the updated malicious script. Now, the C&C could instruct all old spreading bots to fetch a new malicious script and register it in the C&C. This step helped to manage the deployment process of new versions of the malicious script to all spreading bots.

Figure 9 below shows the spreading bot transformation. The orange entities represent the old infrastructure while the blue represent the new infrastructure.

Figure 9: Botnet Malicious Script Deployment

Another interesting infrastructure emerged during a regular monitoring activity on September 24, 2020. The KashmirBlack botnet entered a new evolutionary stage by using a cloud-based service, Dropbox, to replace the C&C. We saw evidence that the Dropbox API is being used to fetch attack instructions and upload attack reports from spreading bots. Moving to Dropbox allows the botnet to hide illegitimate criminal activity behind legitimate web services. It is yet another step towards camouflaging the botnet traffic, securing the C&C operation and, most importantly, making it difficult to trace the botnet back to the hacker behind the operation.

Figure 10 below shows the current flow diagram of the KashmirBlack botnet.

Figure 10: KashmirBlack botnet flow diagram

KashmirBlack botnet evolution timeline:

Figure 11 below shows the events of the botnet evolution on a timeline. Purple indicates activities that are related to the expansion process (exploit and payload bundle deployment), green indicates activities that are related to infrastructure changes, orange indicates our interference with the botnet activity, and gray indicates general activities.

Figure 11: KashmirBlack botnet evolution timeline

This blog describes a complex and constantly evolving botnet operation, only possible with a well-designed infrastructure.

During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

We saw how building and maintaining a botnet is very similar to an application development process. It requires code maintenance, version control, infrastructure, and deployment cycles. The hacker behind the botnet needs to act as architect, developer, and DevOps. To create a stable botnet that will carry out the intended CrimeOps, the hacker needs to design both the operation and its entities. In addition, he needs to think about factors such as backups, failover, redundancy, scalability, and more.

The KashmirBlack botnet consists of many entities. There are several traces that indicate a server is compromised and taking part in the botnet. Each entity in the botnet has different indications of infection. For additional details about IoC see the Appendix.

Imperva WAF customers are protected and are not affected by the botnet operation. The WAF has a layered approach to block such activity. The Bad Bots policy will detect the malicious traffic of the bots to the site and the Malicious File Upload policy will block webshell upload. In addition, Remote Code Execution signatures will prevent the payload's execution and the Backdoor Protection mechanism will prevent backdoor usage by the attacker.

Be safe & secure, Imperva.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Ofir Shaty. Read the original post at: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/


‘Touched By An Angel’ Cast: Where Are They Now? – Wide Open Country

For nine seasons, the television series Touched By An Angel inspired viewers in its stories centered around angels helping people in their everyday lives. The CBS drama series was centered on an angel named Monica (Roma Downey) and her supervisor Tess (Della Reese) as they passed along messages from God to those needing help.

Since its first season debuted in 1994, the show was nominated for eleven Primetime Emmy Awards as well as three Golden Globes. The TV show, created by John Masius and perfected by Executive producer Martha Williamson was so popular, there was even a spinoff series, Promised Land, that ran for three seasons.

Touched By An Angel was one of those shows that it seems like everyone was on. Some of their most notable guest stars over the years included Wynonna Judd, Rue McClanahan, Maya Angelou, Angela Lansbury, Ann-Margret, Carol Burnett, Celine Dion, Kirk Douglas and Jack Black.

Here's what all of your favorite cast members have been up to since the show wrapped in 2003.

The Irish actress has been very busy since her days playing the kindhearted angel Monica. She's appeared on numerous made for TV films as well as the show The Division and miniseries The Bible, in which she played Mary, mother of Jesus. She is also a producer, producing many of her own Biblical themed TV shows and films including Messiah and A.D. The Bible Continues. Downey has been married to TV producer Mark Burnett since 2007 and they share his two children from his previous marriage as well as her daughter from her previous marriage.

Tess was a bit tough and at times sarcastic, but she always played a meaningful role in Monica's cases throughout the series. Following her time on the show, Reese appeared on TV shows like That's So Raven, The Young and the Restless and Signed, Sealed, Delivered on the Hallmark Channel in addition to numerous seasonal made for TV films. Reese, who was an ordained minister in the '80s, retired from acting in 2014. She passed away in 2017 at the age of 86.

Andrew, the Angel of Death, became a regular on the series after first appearing in a recurring role in season 2. In addition to playing his Touched By An Angel role in the spinoff series Promised Land, he only acted in a few more roles, including holiday films Once Upon a Christmas and Twice Upon a Christmas. Dye passed away in San Francisco, California in 2011 reportedly due to heart problems.

Oh, Gloria. The accident-prone but well meaning angel that becomes a main cast member in the last two seasons of the show. Bertinelli was married to rocker Eddie Van Halen until 2007 and they share a child, Wolfgang. She has gone on to appear in numerous additional TV shows, including her main role on Hot in Cleveland as well as become a Food Network star with her own series, Valerie's Home Cooking.


The country star appeared on five episodes of the show as Sheriff Wayne Machulis and one episode as Jed Winslow. Travis has continued making the occasional acting appearance over the years, including the holiday film Christmas on the Bayou. In 2013, he suffered a viral upper respiratory infection and massive stroke and wasn't sure if he would recover let alone sing again. After years of rehabilitation and therapy, he is not only able to sing and perform again, but he sang live at his own induction into the Country Music Hall of Fame in 2016.

Cruz appeared as the angel Rafael for 16 episodes throughout the series run. He is still acting, booking roles on shows like CSI: Crime Scene Investigation, Shark, Eagleheart, Castle, Love Life and the film Drag Me to Hell.

Academy Award winner Cloris Leachman had a recurring role on the series as the archangel Ruth. She is still an incredibly active actor even later in life. She had a main role on Raising Hope, competed on Dancing With The Stars and has appeared on numerous other shows including Malcolm in the Middle and Thanks.

Jasmine Guy played the role of fallen angel Kathleen for 3 episodes. Guy has been on a number of shows since her arc on Touched By An Angel, including Grey's Anatomy, Dead Like Me, The Vampire Diaries, and Drop Dead Diva.
