More stories


    How the FBI and AFP accessed encrypted messages in TrojanShield investigation

    Image: FBI
    The US Department of Justice has unsealed a warrant detailing how law enforcement agencies accessed and used the encrypted communications of criminals as part of its TrojanShield investigation, a global online sting operation. The warrant [PDF] reveals that the Federal Bureau of Investigation (FBI) commenced the investigation in 2018 after it recruited a confidential human source to provide access to Anom, an encrypted communications product used by transnational criminal organisations (TCOs). The confidential human source also distributed Anom devices to their existing network of distributors of encrypted communications devices, all of which had direct links to TCOs. According to the warrant, the FBI said it recruited the source shortly after arresting Vincent Ramos, the CEO of Phantom Secure, who had sold the company’s encrypted devices exclusively to members of criminal organisations.

    Operation Trojan Shield was centred on exploiting Anom by inserting it into criminal networks and working with international partners, including the Australian Federal Police (AFP), to monitor the communications. For an Anom device to be useful for monitoring, the FBI, AFP, and the confidential human source built a master key into the existing encryption system; the key was surreptitiously attached to each message and enabled law enforcement to decrypt and store messages as they were transmitted. Users of Anom devices were not aware of the master key’s existence. By design, as part of the TrojanShield investigation, for devices located outside of the United States an encrypted “BCC” of each message was routed to an “iBot” server located outside of the United States, where it was decrypted using the confidential human source’s encryption code and then immediately re-encrypted with FBI encryption code. The newly encrypted message was then passed to a second FBI-owned iBot server, where it was decrypted and its contents became available.
Each Anom user was assigned to a particular Jabber Identification (JID) by the source or an Anom administrator. The JID is either a fixed, unique alphanumeric identification, or for more recent devices, a combination of two English words. Anom users could select their own usernames and change their list of usernames over time. As part of the Trojan Shield investigation, the FBI maintained a list of JIDs and corresponding screen names of Anom users.

    During the testing period for using Anom devices as part of the investigation, the AFP obtained a court order to legally monitor the Anom devices that were to be distributed to individuals in Australia or those that had a clear nexus to Australia. In Australia, intelligence and law enforcement agencies can request or demand assistance from communications providers to access encrypted communications under encryption laws that were passed at the end of 2018. Approximately 50 devices were distributed as part of the test, which was deemed a success, the warrant said. “Through the interception of these communications, the AFP penetrated two of the most sophisticated criminal networks in Australia. The AFP has shared generally with San Diego FBI the nature of conversations occurring over Anom, which included drug trafficking activity (including discussing the transportation of hundreds of kilograms of narcotics), firearms purchases, and other illegal activity,” the warrant detailed.

    After the testing in Australia, the FBI engaged a third country — which has been left unidentified — that agreed to join the TrojanShield investigation and set up its own iBot servers. The third country then agreed to obtain a court order in accordance with its own legal framework to copy an iBot server located there and provide a copy to the FBI pursuant to a Mutual Legal Assistance Treaty. From infiltrating the Anom network, the law enforcement agencies translated and catalogued more than 20 million messages from a total of 11,800 devices located in over 90 countries as part of Operation TrojanShield. The top five countries where Anom devices were used, before the encrypted product’s services were shut down on Tuesday, were Australia, Germany, the Netherlands, Spain, and Serbia.
    In the unsealed warrant, one example of Anom devices being used to shut down criminal activities was a shipment of cocaine from Ecuador to Spain that had been concealed within a shipping container of refrigerated fish. The FBI and law enforcement officials in Spain reviewed the messages that contained specific details regarding the shipment and its distribution once it arrived in Spain. Law enforcement officials in Spain then conducted a search of the container and, upon completion, located approximately 1,401 kilograms of cocaine.

    In addition to decrypting messages sent on Anom devices, the FBI sought through the warrant to seize content, including electronic mail and attachments, stored instant messages, stored voice messages, and photographs, from certain Google accounts.

    The unsealing of the document comes shortly after the AFP made public the online sting operation, which has also been dubbed Operation Ironside. Australian Home Affairs Minister Karen Andrews labelled it the “most significant operation in policing history” in Australia. The law enforcement agencies decided to bring the online sting operation to light as the third country’s warrant expired on June 7, along with the operation itself.

    The TrojanShield operation led to 525 search warrants, 224 individuals being charged, 525 charges in total, six clandestine labs being taken down, and 21 threats to kill being averted. 3.7 tonnes of drugs, 104 firearms and weapons, and over AU$45 million in assets were also seized as part of the operation.


    AFP used controversial encryption laws in its 'most significant operation in policing history'

    AFP Commissioner Reece Kershaw addresses media following mass raids against organised crime across Australia.
    Image: Getty Images
    The Australian Federal Police (AFP) has made public its “most significant operation in policing history”, which primarily relied on using Australia’s encryption laws to access the encrypted communications of criminals. During a press briefing on Tuesday morning, AFP commissioner Reece Kershaw said the US Federal Bureau of Investigation (FBI) gained access to an encrypted application, named Anom, and ran it without the knowledge of the criminal underworld. With that access, the AFP helped to decrypt and read encrypted communication that was sent over Anom in real time as part of the operation.

    “Essentially, we have been in the back pockets of organised crime and operationalised the criminal takedown like we’ve never seen. The use of encrypted communication apps presents significant challenges to law enforcement and Anom has given law enforcement a window into the level of criminality that we have never seen before on this scale,” Kershaw said.

    The operation was labelled Operation Ironside. Kershaw said the FBI took the lead on the global online sting while Australia provided the “technical capability” to decrypt those messages. Europol was also involved in the operation. Kershaw explained that access to these encrypted messages was gained lawfully by using the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, usually referred to as the TOLA Act, in combination with legal authority from the FBI. The controversial TOLA Act allows intelligence and law enforcement agencies to request or demand assistance from communications providers to access encrypted communications.

    When asked if the FBI chose to work with Australia due to the TOLA Act providing the legal capability to decrypt those messages rather than the AFP’s technical capability, Australian Prime Minister Scott Morrison deferred the question to the United States, touting the AFP’s efforts instead. In light of the operation being made public, Morrison also took the opportunity to flog various Bills currently being considered by Parliament. Among those Bills were the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill). “There are a series of pieces of legislation that we’ve been seeking to move through the Parliament, not just over this term, but in some cases, over three terms; they need these powers to do their job. The AFP and our law enforcement agencies and other agencies that support them need the support of our Parliament to continue to do the job that they do to keep Australians safe,” Morrison said at the press briefing. The first Bill, if passed, would hand the AFP and the Australian Criminal Intelligence Commission (ACIC) new warrants for dealing with online crime. The latter Bill, meanwhile, would create a framework for Australian agencies to gain access to stored telecommunications data from further foreign designated communication providers in countries that have an agreement with Australia, and vice versa. Both Bills have received criticism and currently do not have bipartisan support, with the Office of the Australian Information Commissioner (OAIC) having labelled the powers that would be given through the surveillance legislation amendment as “wide-ranging and coercive in nature”. 
    “These powers may adversely impact the privacy of a large number of individuals, including individuals not suspected of involvement in criminal activity, and must therefore be subject to a careful and critical assessment of their necessity, reasonableness, and proportionality,” the OAIC said in March. The IPO Bill has received similar outcry, with the OAIC and the Inspector-General of Intelligence and Security saying that the regime requires provisions that address transparency and privacy concerns.

    In total, the sting operation led to 525 search warrants, 224 individuals being charged, 525 charges in total, six clandestine labs being taken down, and 21 threats to kill being averted. 3.7 tonnes of drugs, 104 firearms and weapons, and over AU$45 million in assets were also seized as part of the operation, which commenced three years ago. Details of how the sting operation first commenced will be announced in San Diego, California tomorrow morning.

    Updated at 11:50am AEST, 8 June 2021: made clarification that it was the FBI, not the AFP, that first gained access to Anom.


    After DOJ arrest of Latvian Trickbot coder, experts highlight public-private efforts to tackle cybercrime

    On Friday, the Justice Department announced that it arrested 55-year-old Latvian national Alla Witte, charging her with playing a role in “a transnational cybercrime organization” that was behind “Trickbot,” one of the most well-known and widely used banking trojans and ransomware tools.

    Witte is now facing 19 different charges ranging from computer fraud to aggravated identity theft for the part she played in the Trickbot group, which helped disseminate the malware from Russia, Belarus, Ukraine, and Suriname. The group was made up of people who were also involved in the Dyre ransomware, according to the indictment. Deputy Attorney General Lisa Monaco, who heads up the new Ransomware and Digital Extortion Task Force, said in a statement that Trickbot was used to infect millions of computers, harvest banking credentials and deliver ransomware to organizations across the US, Europe and India. Prosecutors alleged that since 2015, Witte worked as a malware developer to “develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom.” She was also personally implicated in an effort to force a ransom victim to pay the group in Bitcoin in exchange for decryption software. She wrote code “related to the control, deployment, and payments of ransomware,” according to the indictment, and also provided code that “monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials.” She was arraigned in an Ohio district court and faces up to 87 years in prison if convicted. Witte was one of many names listed in the indictment, but most of her co-conspirators’ names were blacked out, indicating more indictments are coming. The gang used Trickbot to steal online banking credentials, which then gave the group further access to victims’ credit card numbers, emails, passwords, dates of birth, social security numbers and addresses.

    ZDNet reported that Witte was arrested in Miami four months ago. Cybersecurity experts said the case was an example of how cybercriminals can face consequences when private companies work with the government to address attacks. Many tied the indictment to the other recent actions by the White House and Justice Department to not only help companies hit with ransomware but also impose some costs on bad actors. Charles Herring, co-founder of cybersecurity firm WitFoo, said it was the first “mature” collaboration between the financial sector and law enforcement, noting that a report from the FBI last year found that when companies work with them, stolen funds are recovered 82% of the time. On Monday the FBI announced that it was able to recover more than half of the Bitcoin Colonial Pipeline paid to a ransomware group that shut down its systems for days last month.

    “The potential penalty for this specific criminal is decades in prison. That not only creates deterrence for the directly impacted criminal but also sends a strong message to other criminals,” Herring said. “The second myth disproved in this indictment is that foreign actors are untouchable by law enforcement. As governments collaborate on increasing deterrence for cybercrime, criminals are going to find very few havens.”

    Some cybersecurity officials said this specific arrest would do little to disrupt lucrative ransomware operations, but others noted that those involved in ransomware would definitely take notice. Cato Networks senior director of security strategy Etay Maor said that what was different about this case was that a malware developer was actually arrested. Usually, Maor explained, law enforcement can only apprehend mules and very low-level accomplices that operate within the country’s jurisdiction, so arresting malware developers is generally complicated.
    “In the past, law enforcement officers waited for targets to go on vacation or arrive at a country that has an extradition agreement with the US. This individual was in South America then moved to Florida and Ohio, which seems atypical,” Maor said. “Why would you go to a country that is obviously looking for you and risk an arrest? A malware developer out of the game is always a good thing, but I also hope that the FBI has a chance to interview her and learn more of the technical and personal operations of these gangs. It’s not every day you have a chance like this.”

    New Net Technologies vice president Dirk Schrader added that Microsoft tried to take down Trickbot last year and noted that the arrest warrant for Witte is dated August 13, 2020, just a few weeks before Microsoft announced the takedown of 94% of Trickbot’s command and control servers. Schrader also said the details in the indictment are full of information about the setup of ransomware gangs, the logistics involved, and the lengths they will go to in order to have as many victims as possible. Greg Ake, senior threat researcher at Huntress, told ZDNet that there now seems to be a minimum threshold of damage that must be caused by a ransomware group before federal involvement becomes serious. “In the end, it does appear that crime doesn’t pay for some. The sad reality is that there are many more threats than there are resources for these criminal investigations,” Ake said. “There are many more that never do, and as such, do not get the adequate resources they need to fully investigate and deter. Waiting on federal support may be too late for many.”


    ‘Majority’ of ransom paid by Colonial Pipeline seized and returned by DOJ

    The Department of Justice announced on Monday that it managed to recover some of the ransom that was paid by Colonial Pipeline to the cybercriminals behind the DarkSide ransomware last month. While this is not the first time the government has been able to get some money back to victims, Deputy Attorney General Lisa Monaco said during a press conference that this was a first for the new Ransomware and Digital Extortion Task Force, which was created in April to address the growing number of cyberattacks.


    Monaco explained that the Justice Department and FBI seized 63.7 Bitcoins — now valued at $2.3 million after a large dip in the cryptocurrency market — of the 75 Bitcoins that the CEO of Colonial Pipeline admitted to paying. Despite paying the ransom, the decryption tools handed over did not work or help the company’s efforts to restore its systems. The Justice Department obtained a warrant from a California district court on Monday in order to seize the money. “Following the money remains one of the most basic, yet powerful tools we have,” Monaco said. “Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

    Monaco and FBI deputy director Paul Abbate explained that the seizure was part of a larger effort to impose more costs on ransomware gangs, who have spent years holding hospitals, schools, businesses and government systems hostage. Both urged companies to be prepared for attacks and to focus on contingencies in case of an eventual attack, and reiterated much of the guidance that was handed down by the White House last week.

    “Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion. We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California,” said Stephanie Hinds, acting US Attorney for the Northern District of California. “We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”

    Colonial Pipeline faced significant backlash for paying the ransom, but the FBI and Justice Department said they were able to use the Bitcoin public ledger to trace the payments back to “a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

    “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” Abbate said. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

    Despite the success in this instance, Abbate and Monaco stressed that they would not be able to retrieve all ransom payments from now on, and urged companies to take measures to protect themselves while also notifying the FBI as soon as possible in the event of an attack. “What we are saying today is that if you come forward, as law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said. “We cannot guarantee and we may not be able to do this in every instance.”



    Brazilian government organizes US visit to speed up 5G auction

    Brazilian government officials will be meeting their US counterparts and investors as part of a plan intended to speed up the process around Brazil’s upcoming 5G auction. The US visit starts today (7) and will end on Friday (11). The agenda is led by Brazil’s Ministry of Communications and includes representatives from the Ministry of Foreign Affairs, the Ministry of Defense, the Special Secretariat for Strategic Affairs, the National Congress, as well as senators Ciro Nogueira and Flávio Bolsonaro, president Jair Bolsonaro’s son. Other participants in the meetings in the US are representatives from the Brazilian Intelligence Agency, as well as ministers and technical staff from the Federal Court of Auditors, which is currently analyzing the notice for the auction of the 5G spectrum, expected to take place in July.

    The aim of the visit, according to the Ministry of Communications, is to “learn more about regulatory approaches to private communications networks and their implementation, as well as sharing experiences around cybersecurity”. During the meetings in Washington and New York, the ministers will visit the US Department of Defense, as well as the Department of National Intelligence and the Federal Communications Commission. According to Communications minister Fabio Faria, the meetings in the US are “a great solution” to expedite the 5G auction, since the Federal Court of Auditors will have the opportunity to have its questions in relation to the fifth-generation spectrum answered, especially when it comes to the implementation of the government’s private network. Another goal of the visit is to “promote the dialog with potential investors in the Brazilian telecommunications market”, the Ministry noted. The Brazilian government officials have meetings set up with Motorola, Qualcomm, IBM and AT&T, as well as investment funds, banks and consulting firm Eurasia. The Brazilian government’s US visit this week follows a previous tour led by the Ministry of Communications to some of the leading countries in the 5G space. During that visit, which took place in February, government officials visited Sweden, Finland, Japan and China. At the time, the Brazilian delegation visited companies such as Nokia and Ericsson in their home countries, and new meetings with these two companies will take place during the US visit.


    Facebook ramps up privacy efforts with end-to-end encrypted audio, video calling trials in Secret Conversations

    Facebook is now testing out new privacy and encryption features for Messenger’s Secret Conversations. 

    The tests, due to start over the course of this week, will include trials of end-to-end encrypted audio and video calling. At present, Secret Conversations only supports messages, pictures, video clips, voice recordings, and stickers being sent with end-to-end encryption, a protocol that is intended to prevent anyone other than the participants from reading content, including platform providers. Secret Conversations does not support encrypted group messages, payments, or audio/video calling; however, the social media giant has now begun testing extended encryption options for a potential rollout in the future. Test group participants will see a phone icon at the top of the Secret Conversations window, as shown below, that can be selected to make a call. The option will be set in a similar layout to typical Messenger windows. Facebook told ZDNet that the features will “give people more choice and controls” and that development in these areas is an “important step toward making Messenger a more secure and private experience.” The tests are expected to last several months. Potential rollouts may follow depending on the success of the trials.

    In addition, the company is trying out a new timer feature. Secret Conversations already permits users to set a timer for their messages to expire, but the bolt-on will allow participants to turn off disappearing messages entirely — or set a default timer for content to vanish based on one-minute, 15-minute, or 24-hour intervals. Although the company has previously announced its plans to make chats across the platform encrypted by default, it is likely years before such a rollout is ready. In the meantime, the trials with Secret Conversations could pave the way forward in default encryption development. “While we expect to make more progress on default end-to-end encryption for Messenger and Instagram Direct this year, it’s a long-term project and we won’t be fully end-to-end encrypted until sometime in 2022 at the earliest,” the company said.


    This phishing email is pushing password-stealing malware to Windows PCs

    A phishing campaign is delivering a new variant of one of the oldest forms of remote access trojan (RAT) malware in an effort to steal usernames, passwords and other sensitive information. It also aims to steal cryptocurrency from the victim.

    Agent Tesla first emerged in 2014 and it remains a common form of malware today. The malware is focused on stealing sensitive information from compromised Windows machines with the aid of a keylogger, which sends what the victim is typing to the attacker – allowing them to see usernames, passwords, and more.

    Now researchers at Fortinet have detailed a new Agent Tesla campaign that distributes an updated version of the malware via phishing emails. The malicious messages are designed to look like a business email – for example, one asks the user to open a Microsoft Excel attachment titled “Order Requirements and Specs”. The document contains a macro which, if run, starts a process that downloads and executes Agent Tesla on the machine. This is done across a number of different stages, including downloading PowerShell files, running VBScript and creating a scheduled task, all to help mask the installation of the malware, allowing the attacker to secretly monitor activity on the machine. This version of Agent Tesla pings the operator every 20 minutes, sending them any new input detected.

    In addition to this, the attack also hijacks any bitcoin wallet on the victim’s device. By monitoring activity on the machine and abusing PowerShell code, the attacker can watch for a valid bitcoin address. If one is spotted, the code modifies the bitcoin address and changes it to one owned by the attacker, allowing them to steal cryptocurrency transfers.

    Despite being around since 2014, Agent Tesla remains popular with cyber criminals by remaining effective and being relatively cheap: it can cost as little as $15 to buy a license on underground forums. In addition to the low cost, the authors of Agent Tesla offer 24/7 technical support, allowing it to serve as an entry point for less sophisticated cyber criminals – while still being potentially damaging to any person or organisation that falls victim to the malware.

    Many of the attacks continue to be distributed by phishing emails – which means that if the right precautions are taken, falling victim can be avoided. Cybersecurity researchers recommend using antivirus software to detect suspicious activity, while users should be careful when it comes to opening attachments in unexpected emails from unknown sources.


    GitHub: Here's how we're changing our rules around malware and software vulnerability research

    Microsoft-owned GitHub has updated its policies on sharing malware and exploits on the site to better support security researchers sharing so-called “dual-use” software – or software that can be used for security research but which might be used to attack networks. It admits the language it previously used was “overly broad”. 

    “We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” says Michael Hanley, chief security officer of GitHub, in a blogpost. Dual-use technologies include tools like the Metasploit framework and Mimikatz, which are used by defenders, ransomware attackers and state-sponsored threat actors alike to compromise networks and move around them after they’re compromised. “While many of these tools can be abused, we do not intend or want to adjudicate intent or solve the question of abuse of dual-use projects that are hosted on GitHub,” the company said in its pull request regarding exploit and malware policies. “Many of the projects cited in this ongoing discussion, such as mimikatz, metasploit, and others are all incredibly valuable tools and the goal is to further protect from what we felt was overly broad language in our existing [Acceptable Use Policies] that could be viewed as hostile toward these projects as-written.”

    GitHub has also clarified when it may disrupt ongoing attacks that are using GitHub as a content delivery network (CDN) to distribute exploits or malware. GitHub acknowledged its language around the term “harm” was too broad. “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss,” notes Hanley. It also updated sections of the policy that ask researchers working on dual-use projects to provide a point of contact, but this is not mandatory.

    The policy update follows a review that GitHub initiated in April after it took down code from researcher Nguyen Jang in March. Jang had posted proof-of-concept (PoC) exploit code targeting two of four zero-day vulnerabilities – dubbed ProxyLogon – affecting on-premise Exchange servers. Microsoft released patches for the bugs on March 2, but warned that a Chinese state-sponsored group, Hafnium, had been exploiting the flaws before it released patches. Microsoft also warned that the bugs could be quickly exploited by other threat actors before customers applied patches. On March 9, Jang shared his proof-of-concept exploit on GitHub, as reported by The Record. While being just a PoC for two of the Exchange flaws, the code could be tweaked with little effort to exploit vulnerable Exchange email servers and gain remote code execution, according to experts. And at that point, many organizations still hadn’t patched affected Exchange servers. Per Motherboard, GitHub took Jang’s PoC down a few hours after he posted it because of the potential damage it could cause, but acknowledged that PoC exploit code could be helpful to the security community for research purposes.
    GitHub came under fire from security researchers because it looked like it was making an exception for PoC exploit code affecting parent Microsoft’s software while allowing researchers to share PoC code for non-Microsoft products on the site, as Google security researcher Tavis Ormandy pointed out on Twitter. The other policy option is to ban sharing PoC exploit code, but Ormandy argued this would be a bad outcome for defenders. “I’m saying that security pros benefit from openly sharing research and access to tools, and they make us safer. We could say “no sharing”, so there is only black market access to exploits. I don’t think that’s a win,” wrote Ormandy.