More stories

    US Justice Department shuts down Russian dark web marketplace Hydra

    The US Department of Justice (DOJ) has shut down Hydra Market, one of the world’s largest darknet marketplaces. On Tuesday, the DOJ and German federal police seized Hydra’s servers and cryptocurrency wallets containing $25 million worth of bitcoin.

    Hydra was an online criminal marketplace where primarily Russian users bought and sold illicit goods and services, including illegal drugs, stolen financial information, fraudulent identification documents, and money laundering and mixing services. Transactions on Hydra were conducted in cryptocurrency, with the operators earning revenue by charging a commission on every transaction conducted on the market. In 2021, Hydra accounted for an estimated 80% of all darknet market-related cryptocurrency transactions, and since 2015 the marketplace has received approximately $5.2 billion in cryptocurrency, the DOJ said.

    “The successful seizure of Hydra, the world’s largest darknet marketplace, dismantled digital infrastructures which had enabled a wide range of criminals — including Russian cybercriminals, the cryptocurrency tumblers, and money launderers that support them and others, and drug traffickers,” said FBI director Christopher Wray.

    Along with shutting down Hydra’s servers, the DOJ also issued criminal charges against Russian resident Dmitry Olegovich Pavlov for conspiracy to distribute narcotics and conspiracy to commit money laundering in connection with his operation and administration of the servers used to run Hydra. Pavlov is allegedly the administrator of Hydra’s servers. According to the DOJ, Pavlov administered the servers through a shell company called Promservice, which was also known as Hosting Company Full Drive, All Wheel Drive, and 4x4host.ru. As an active administrator hosting Hydra’s servers, Pavlov allegedly conspired with the other operators of Hydra to further the site’s success by providing the critical infrastructure that allowed Hydra to operate and thrive in a competitive darknet market environment.

    A day prior to the Hydra shutdown, the DOJ also arrested a man based in Florida and seized $34 million worth of cryptocurrency from him as part of a dark web bust, which the department said is one of its largest to date. The Florida man allegedly earned millions by using an online alias to make over 100,000 sales of illicit items and hacked online account information on several of the world’s largest dark web marketplaces. Among the items he sold was hacked account information for popular services such as HBO, Netflix, and Uber. The unnamed Florida man allegedly used tumblers and illegal dark web money transmitter services to launder one cryptocurrency for another — a technique called chain hopping — in violation of federal money laundering statutes. A tumbler is a dark web mixing service that pools together multiple cryptocurrency transactions before distributing the cryptocurrency to a designated wallet at random times and in random increments.

    Australia to develop a data security framework

    The Australian Department of Home Affairs has commenced work on a new national data security action plan as part of the federal government’s wider digital economy strategy. According to Home Affairs Minister Karen Andrews, the action plan will look to protect citizens’ data — information collected, processed, and stored on digital systems and networks — from those who would undermine security.

    “In the 21st century, data is a strategic commodity. The Morrison government is committed to ensuring that the data of Australians is stored securely, so it can’t be stolen, hacked, or held to ransom,” Andrews said. “As increasing volumes of data continue to flow between all levels of government, industry and across the community — the Morrison government is committed to building a national approach to ensure data protection, wherever it is stored or accessed.”

    In a newly released discussion paper, Home Affairs laid out its vision for the plan, which includes establishing data security settings and requirements for governments, businesses, and individuals that will operate under a framework focusing on security, accountability, and control. As part of the action plan’s development, Home Affairs is also seeking the views of state and territory governments, businesses, and the Australian public on how the federal government can improve the nation’s data security.

    Among the items up for public consultation are how the federal government should align with international data protection and security frameworks; how legislative and policy measures relating to data security can be streamlined to allow companies to meet their obligations in international jurisdictions; whether Australia needs an explicit approach to data localisation; how data security policy can be better harmonised across all levels of government; and how the government can further support businesses to understand the value of data and uplift their data security postures, among others.

    The action plan is another cybersecurity item announced by the federal government ahead of the federal election, with the Coalition pledging AU$9.9 billion for a new cybersecurity program that is primarily focused on increasing the Australian Signals Directorate’s resources.

    5 quick tips for better Android phone security now (yes, it's this easy)

    One of the most regular articles I write is advice on keeping your Android phone secure. The reason I cover this topic so frequently is that I find consumers and other user types often need a friendly reminder of how they can avoid falling victim to malicious actors who want nothing more than to either steal their data or drain their bank accounts. Throughout the years, the advice rarely changes, but it’s always important to keep the reminder at the front of every user’s mind. I’ve seen it too many times where a user forgets to follow these best practices and winds up having their phone breached or locked up with ransomware. Trust me when I say you don’t want that. And given it’s not all that difficult to avoid such problems, you shouldn’t worry that these tips will be even remotely challenging. In fact, they’re quite simple to follow. But follow them you must.

    With that said, let’s make with the advice.

    Only install apps you must have

    This first piece of advice is a tough one for many to swallow. However, you should ask yourself if you really need that random, untrusted game found in the Google Play Store. The answer is probably not. I follow a very strict rule of only installing applications that I absolutely must have, and I never break that rule. Why is this so important? Because you never know what kind of malicious code may be lurking within an app or within an ad framework bundled into an app. In a perfect world, the stock apps found on your device should be enough. Of course, the reality is we all need third-party apps (for work, play, and communication). So when you do have to install an app, make sure it’s an app from a trusted source (such as a large company that has a vested interest in ensuring the apps it releases are reliable and trustworthy). If you get the itch to install a particular application, do a bit of research before tapping Install. Google the app name or the app developer and see if anything suspicious turns up in the results.

    Only install apps from the Google Play Store

    This should go without saying, but don’t install applications from anywhere outside the Google Play Store. This is not to say every app on Google’s market can be trusted (see above), but at least you know that apps installed from the official store have been vetted. Of course, malicious code still slips through the cracks, but the likelihood of installing malicious code from a third-party source is significantly higher. Even if you find that must-have application on a site you believe you can trust, you never know whether that site has been hijacked and whether the version of the software on offer has been compromised.

    Do not tap links in SMS messages from unknown sources

    Never, ever, ever tap a link in an SMS from a source you do not know. Any time you receive an SMS from an unknown source, assume it is an attempt to access your data or insert malicious code onto your device. And even if that SMS message seems to come from a reputable source, chances are still good it’s a phishing attempt or worse. Again, do not ever tap those links. At the same time, don’t reply to those messages. When I receive SMS messages from unknown sources, 99% of the time I block them and report the sender as spam. Malicious SMS links are one of the most widely used methods of compromising Android devices.

    Update, update, update

    Google releases regular security patches for the Android operating system, and it’s absolutely crucial that you install them. Those updates don’t just contain new and exciting features; they patch security vulnerabilities to keep you safe. If you don’t apply the upgrade, your device is at risk. That is why it’s imperative that you always check for updates and apply them immediately. To check for an OS upgrade, go to Settings > System > System update.

    But this doesn’t just apply to the operating system. You also must regularly check for app updates (in the Google Play Store, tap your profile image > Manage apps & device > Update all). Make sure to check for updates (both the OS and apps) daily or weekly.

    Do not connect to unsecured networks without a VPN

    If you find yourself in a situation where you think you need to connect to a wireless network that doesn’t have a secure password, do not do it. Use your carrier data instead. If that’s not an option, make sure you are using a trusted VPN service that encrypts the data you send. If I’m given the choice of using carrier data or connecting to an unprotected wireless network, I will always go with the carrier data. The second you connect to an unsecured wireless network, you open yourself up to the possibility of having your packets sniffed or your device compromised. Don’t do it.

    Conclusion

    You may think it impossible to follow this guidance, but you’d be surprised at just how easy it actually is. If you do believe this is too much to accept, remember that the consequences of not securing your Android device could be a data breach, a ransomware attack, or someone spying on you via the phone’s microphone or camera. The time you’ll spend reversing that kind of damage is considerably more challenging than simply using your phone with an eye on security.

    How to clear Google search cache on Android and why you should do it

    Did you know your Android device retains your Google searches, such that numerous sites and services can use that data to personalize ads and other types of recommendations? For many that’s fine, and that level of personalization makes using the platform even easier. Others, however, view this as an invasion of privacy. Such users like to retain control over how much of their search history is saved and when it’s deleted.

    Fortunately, for those who like more control over their mobile platforms, Google makes it possible not only to manually delete that data but also to set devices to auto-delete the search cache. I’m going to walk you through both processes: manually deleting the search cache and configuring Android to auto-delete saved data.

    To do this, you’ll need an Android device that is connected to your Google account. I’ll be demonstrating on my go-to Pixel 6 Pro running Android 12 with the April security patch applied. Let’s get to work.

    How to manually clear the Google search cache

    From your Android App Drawer, open the Google app. In the resulting window (Figure A), tap your profile image in the top-right corner.

    Figure A: The Google app running on a Pixel 6 Pro.

    From the resulting menu, tap Search history (Figure B).

    Figure B: The Google app menu makes it easy to quickly delete the last 15 minutes of your search history.

    If you tap Delete last 15 minutes, you’ll immediately clear anything you’ve searched for in the past fifteen minutes. If you need to delete more than that, tap Search history. In the next window (Figure C), tap Verify at the bottom of the screen.

    Figure C: You must first verify it’s you before continuing.

    To complete the verification process, you’ll be prompted for your PIN, pattern, password, fingerprint, or face scan (depending on how you have Android configured for unlocking). After a successful verification, you should see a Delete drop-down (Figure D).

    Figure D: Upon successful verification, the Delete drop-down is made available.

    Tap the Delete drop-down to reveal the available options (Figure E).

    Figure E: The available cache delete options for Android 12 on a Pixel 6 Pro.

    Select the time frame you want to delete (today, custom, or all time) and Android will empty the cache for that range. You will not be prompted to confirm the deletion; it will just happen. Once deleted, that cache is gone.

    Auto-deletion setup

    If you prefer to have things done automagically, Google has made it possible to set the cache to be auto-deleted. To do this, go back to the same place you ran the manual deletion and tap the Auto-delete (Off) entry. In the resulting window (Figure F), tap to enable Auto-delete activity older than and then, from the drop-down, select how old activity must be before it is deleted.

    Figure F: Enabling auto-delete so you don’t have to worry about manually taking care of the process.

    You can choose from 3 months, 18 months, and 36 months. Once you’ve made your selection, tap Next and then tap Confirm to finish the setup.

    And that’s all there is to deleting your Google search cache (either manually or automatically). If you’re concerned about your online privacy, consider this a must-do. And remember, since the shortest auto-delete window is 3 months, you might want to regularly go back to the screen and manually delete your cache, so that items less than 3 months old don’t linger on your Android device.

    Tabs are coming to Windows 11's File Explorer. But here's what's more interesting


    Microsoft officials are using the company’s April 5 Windows hybrid work virtual event to showcase Windows 11 features they believe will be important to business users. Unsurprisingly, that means security and management capabilities, such as the new Remote Help add-on for Intune. It also means a handful of other Windows 11 features already in testers’ hands.

    Microsoft has not been willing to disclose how many of the combined 1.4 billion Windows 10 and 11 customers are currently running Windows 11. But some company watchers estimate as many as 80 percent of these people are still using Windows 10 — especially business customers who don’t see Windows 11’s features as must-haves and/or don’t have PCs that meet the minimum CPU/TPM requirements.

    Microsoft Executive Vice President and Chief Device Officer Panos Panay highlighted a number of “experiences” coming soon to Windows 11 customers in his April 5 blog post timed for the event. Microsoft officials have been using the term “experiences” to refer to features that the team has decided to deliver ahead of the once-yearly feature update to Windows 11 (which this year will be Windows 11 22H2, expected around October). In February 2022, Microsoft rolled out the first cumulative update featuring a number of new Windows 11 experiences. Officials have declined to say when the next group of Windows 11 experiences will roll out to mainstream users. Among the Windows 11 experiences Panay and Co. touted are:

    Microsoft also highlighted at today’s event a number of existing and upcoming features in the Endpoint Manager/Intune system-management arena. These include Remote Help, an Intune feature akin to the “Quick Assist” remote help technology that’s already integrated with Endpoint Manager. Remote Help is meant to allow help desk professionals to view and/or take control of users’ PCs to provide assistance.

    Remote Help is not free; it’s the first of the premium “add-ons” coming to Endpoint Manager. Officials said they will be introducing these individually as optional add-ons to users’ Microsoft 365 enterprise plans that include licenses for Microsoft Intune. Once there are enough of them, Microsoft plans to bundle them and make them available as a suite. Update: Remote Help is a $3.50 per user per month add-on for E3 or E5.

    IT can send targeted messages to employees on their Windows 11 desktops or right above the taskbar with an Organizational Messages feature — another potential boon to help desk admins. And Application Management for Edge will provide access to organizational resources from unmanaged devices, giving IT control over the conditions under which access is allowed. Last year, officials said that Endpoint Manager would add management and compliance checks for Linux workstations, in addition to the other endpoints it already protects, with a preview due in early 2022.

    Microsoft execs also talked up today a new Windows Autopatch service that can automate updates for Windows, Microsoft Edge, and Office. Officials said they will make Windows Autopatch available to Windows Enterprise E3 subscribers for no additional cost. At press time, there were no details on what Autopatch will do, how it will work, or when it will be available. Update: Microsoft execs say this is coming in July 2022 (not clear if as a preview or generally available feature). It looks like an updated version of Windows Update for Business, scheduling updates via rings. Prerequisites: Intune, Windows 10 and 11 devices; Configuration Manager version 2010 or later and more.

    Last week, Microsoft announced general availability of System Center 2022 and many of its component parts: System Center Operations Manager (SCOM), Virtual Machine Manager (VMM), System Center Orchestrator (SCORCH), and Service Manager (SM). Data Protection Manager (DPM) is coming next month.


    FIN7 hackers evolve operations with ransomware, novel backdoor

    The FIN7 hacking group is back with a campaign that shows off a novel backdoor and other new malicious tools. FIN7 is considered a key threat actor today and has severely impacted countless financial organizations worldwide.

    This money-motivated cyberattack group, also tracked as Carbanak, specializes in Business Email Compromise (BEC) scams and point-of-sale (PoS) system intrusions. The group attempts to steal consumer payment card data and, in recent years, has continued to innovate and refine its intrusion methods. Active since at least 2015, FIN7 has a range of custom malware in its toolset, including backdoors, information stealers, the SQLRat SQL script dropper, and the Loudout downloader, and has even mailed USB drives to businesses in the past to infect its victims with malware. Recently, cybersecurity researchers tied FIN7 to ransomware operators, including REvil, Darkmatter, and Alphv.

    Despite arrests and the sentencing of high-level FIN7 members, the attack waves continue, with the latest including the “use of novel malware, incorporation of new initial access vectors, and likely shift in monetization strategies,” according to Mandiant.

    In a deep dive on the threat actor’s latest activities, Mandiant said that FIN7 had continued to evolve its initial intrusion methods beyond BEC scams and phishing attempts. Now, the group is also leveraging supply chains, RDP, and stolen credentials to infiltrate enterprise networks.

    Mandiant researchers said that a new ‘novel’ backdoor is being favored in recent attacks. Dubbed Powerplant, the PowerShell-based backdoor — also known as KillACK — is delivered via Griffon, a lightweight Java implant, and is used to maintain persistent access to a target system and steal information, including credentials. Powerplant also facilitates the deployment of other malicious modules, including the Easylook reconnaissance tool and the Birdwatch downloader. New variants of the .NET Birdwatch downloader, tracked as Crowview and Fowlgaze by the research team, are being used to grab malicious payloads via HTTP, write them to disk, and then execute them. The malware can also package and send reconnaissance information to its command-and-control (C2) server, such as network configuration data, web browser usage, running process lists, and more. Crowview is slightly different, as it also includes a self-destruct mechanism and configuration changes and, unlike the original, can house a payload embedded in its code.

    Another backdoor malware variant, Beacon, may be used in attacks as a backup entry mechanism. Other malicious tools include the Powertrash dropper, the Termite shellcode loader, Weirdloop, Diceloader, Pillowmint, and Boatlaunch. Boatlaunch is of particular note, as it is a utility used to patch existing PowerShell processes to bypass Windows’ antimalware scanning interface, the AntiMalware Scan Interface (AMSI), and will also act as a “helper” module during intrusions, according to the cybersecurity researchers.

    Mandiant has also tied several campaigns together as the work of FIN7. In total, eight separate, uncategorized (UNC) threat groups have been merged into FIN7 activities, and a further 17 are suspected of links with the cybercriminal outfit. “Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” Mandiant said.

    The Works has been forced to close some stores because of a cyber attack

    A cyber attack has forced arts, crafts, toys, books and stationery retailer The Works to temporarily close several stores, and caused disruption to stock resupplies and delayed deliveries of online orders. The retailer, which has over 500 stores across the UK, says it has been subjected to a “cybersecurity incident involving unauthorised access to its computer systems”. As a result of the cyber attack, some stores have been forced to close because of issues with tills, while replenishment of stock has been temporarily suspended. Customers who order items online are experiencing longer waits for their deliveries because of the incident.

    The retailer says customer payment details haven’t been accessed by intruders because credit and debit card details are stored securely outside of store systems by third parties. The Works has moved to assure customers that they can “continue to shop safely” both in stores and online. Store deliveries are expected to resume “imminently” and normal online services are gradually being restored.

    After being alerted to the incident, the company disabled all internal and external access to its systems, including email, whilst it worked to evaluate and rectify the situation. External cybersecurity experts have been appointed to aid with the investigation into the incident and with recovery.

    “To protect customers and the business, the company has made some immediate protective changes to further strengthen its security position,” The Works said in a statement about the cybersecurity incident. “The company does not currently anticipate that this incident will have a material adverse impact on its forecasts or financial position,” it added.

    These ten hacking groups have been targeting critical infrastructure and energy

    Electricity, oil and gas and other critical infrastructure vital to our everyday lives is increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services.

    A report from cybersecurity company Dragos details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe – and it warns that this activity is likely to grow in the next 12 months. The list includes several state-backed hacking operations, such as Electrum – also known as Sandworm – which is linked to the Russian military, Covellite, which is linked to North Korea’s Lazarus Group, and Vanadinite, which is linked to APT 41, a hacking operation working on behalf of China.

    As more critical infrastructure is connected to the internet or made accessible to staff via remote desktop protocols and VPNs, it’s increasingly becoming a target for nation-state backed hackers and cyber criminal gangs interested in breaching and examining OT networks to lay the groundwork for future campaigns.

    “A lot of this is increasing appetite to be in those places – typically from state-sponsored operations – where they want capability where they could have an impact in future,” Magpie Graham, principal adversary hunter and technical director at Dragos, told ZDNet.

    After hackers enter industrial networks, there is unlikely to be an immediate impact on the systems controlling operational processes, because it could take years for attackers to understand everything – but the intrusion is about laying the foundations for the future. The campaigns being tracked by Dragos have a variety of aims – some are around stealing information, while others could potentially be plans to cause disruption, for example cyber criminals looking to launch ransomware attacks.

    The nature of operational technology and a reliance on older software and protocols means any evidence of compromise can be missed, providing hackers with ample time to move around, understand and gain control of networks. This is what researchers describe as “the biggest cybersecurity weakness” facing industrial networks: without a full picture of what needs to be protected from cyber attacks, it’s not possible to fully defend networks from hackers. Cybersecurity weaknesses in industrial networks aren’t necessarily new, but as more threat groups become interested in infiltrating them, it could lead to significant problems. The paper also warns that activity related to cyber attacks targeting industrial infrastructure has been observed since Russia’s invasion of Ukraine, and western cybersecurity agencies have issued warnings on the need to protect networks from attacks.

    In addition to having a good understanding of what’s on the network, many standard cybersecurity practices can help secure OT networks. These include applying security updates to patch known vulnerabilities in software, and applying multi-factor authentication whenever possible.

    It’s hoped that by drawing attention to the hacking groups, campaigns and the risk to the industrial sector, the organisations involved will heed the warnings and apply the necessary protections to protect themselves from cyber espionage, disruptive attacks and other potential cybersecurity threats. “It can work in a more positive light, where we have seen these attacks, it can work just as a reminder for organisations to protect themselves,” said Graham.

    According to Dragos, the most active threat groups targeting critical infrastructure are:

      • Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. The group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.

      • Xenotime: a group which targets oil and gas companies in Europe, the United States and Australia. It’s believed the group is linked to Russia.

      • Magnallium: a group which initially targeted oil and gas and aircraft companies in Saudi Arabia, and which has expanded its targeting to Europe and North America. It’s thought to be related to APT 33, a state-sponsored Iranian hacking group.

      • Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as “highly aggressive”, Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.

      • Electrum: this group is capable of developing malware that can modify and control OT procedures, and Dragos researchers say this operation was responsible for Crash Override – also known as Industroyer – a malware attack on Ukraine’s power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that’s part of Russia’s GRU military intelligence agency.

      • Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure, and uses its access to conduct reconnaissance on networks to potentially stage future disruptive events. It’s believed Allanite is linked to Russia.

      • Chrysene: active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations to potentially facilitate further attacks. Chrysene is suspected to be linked to Iran.

      • Kamacite: a group which has been active since at least 2014 and is believed to be responsible for cyber attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm.

      • Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.

      • Vanadinite: a hacking group which targets external-facing, vulnerable software in industrial organisations around the world. It’s thought to be linked to APT 41, a state-sponsored Chinese hacking operation.