More stories

    The dark web won't hide you anymore, police warn crooks

    Law enforcement agencies around the world have arrested 179 people involved in buying and selling illicit goods and services on the dark web as part of a coordinated international takedown operation involving agencies in nine countries – and police have warned cyber criminals that “the golden age of the dark web is over”.
    The coordinated campaign was led by the German Federal Criminal Police, with support from the Dutch National Police, the UK’s National Crime Agency, US government agencies including the Department of Justice and FBI, Europol and others.
    Known as Operation Disruptor, it follows last year’s takedown of Wall Street Market, which was at the time the second largest illegal online marketplace on the dark web.
    Law enforcement managed to identify users of Wall Street Market, which led to the identification of users of other dark web marketplaces including AlphaBay, Dream, Nightmare, Empire, White House, DeepSea, Dark Market and others – resulting in 179 arrests.
    The highest number of arrests was made in the US, with 121, followed by 42 arrests in Germany. Eight arrests have been made in the Netherlands, with four in the UK, three in Austria and one in Sweden.
    Those arrested are suspected of being involved in selling illegal items and services including drugs and firearms, with large amounts of goods being seized by law enforcement. Over $6.5 million in cash and cryptocurrencies has also been seized following the arrests.
    “The golden age of dark web marketplaces is over. Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web marketplaces. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites,” said European law enforcement agency Europol in a statement. “The dark web is not a fairy tale – vendors and buyers are no longer hidden in the shadow,” it said.
    “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre (EC3).
    “Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen,” he added.
    Authorities from Austria, Cyprus, Germany, the Netherlands, Sweden, Australia, Canada, the UK and the US all took part in the operation leading to the arrests. Investigations are still ongoing, with law enforcement hoping to make further arrests in future.

    Facebook tries to make it harder to find an anti-vax group

    Facebook has used its submission to the Australian Select Committee on Foreign Interference through Social Media to outline the steps it has taken to stop the spread of misinformation, or at least highlight when something might be a bit on the nose.
    As the submission highlights, pre-pandemic, Facebook was faced with the dilemma of providing people with freedom of speech at the expense of allowing misinformation to spread. This was exemplified when false coronavirus “advice” spread like wildfire.
    “Since the very beginning of the crisis, we have been displaying on Facebook and Instagram prompts to direct users to official sources of information, including from the Australian government and the World Health Organization (WHO),” Facebook wrote.
    “These have been seen by every Facebook and Instagram user in Australia multiple times, either in their feeds or when they search for coronavirus-related terms.”
    While it previously launched its own Coronavirus Information Centre and points users to the WHO or government health sites, Facebook has also started showing messages about COVID-19 misinformation on the News Feed to people who have liked, reacted, or commented on this type of harmful content.
    “These messages will connect people to COVID-19 myths debunked by the WHO, including ones we’ve removed from our platform for leading to imminent physical harm,” the social media giant wrote.
    Facebook has also made “significant” donations of free advertising credits on its services to the Australian government and state governments.
    It’s also started rolling out a new notification to give people more context about COVID-19 related links when they are about to share them.
    On the topic of vaccines, Facebook said it has been taking a range of steps to make anti-vaccination misinformation harder to find and elevate authoritative information about vaccines.
    This includes removing groups and pages that spread vaccine misinformation from recommendations or predictions when a user types the words into the search bar; rejecting ads and fundraisers that include anti-vaccination misinformation; and inserting authoritative notices at the top of groups and pages that are discussing anti-vax misinformation, directing people to authoritative sources.
    The social media giant isn’t removing the groups altogether, however.
    On the subject of providing more context around messages that are forwarded multiple times, Facebook said it has seen an increase in the amount of forwarding, which can contribute to the spread of misinformation.
    In April, Facebook added new labels to indicate when a message on WhatsApp has been forwarded many times already. It also introduced a limit so a highly-forwarded message can only be sent to one chat at a time.
    “This resulted in a 70% reduction in the number of highly forwarded messages on WhatsApp,” Facebook said.
    This month, it implemented similar messaging forwarding limits in Messenger.
    Alongside Google, Facebook will also be piloting a “magnifying glass” icon next to highly-forwarded messages on WhatsApp for users to verify the truthfulness of the content.
    As the submission was provided in an Australian context, the company touched on the work it undertook with the federal government’s Digital Transformation Agency, Atlassian, and service provider Turn.io to bring the Australian coronavirus WhatsApp chat capability to life.
    “Across the globe, chatbots such as the Australian government chatbot and the fact-checking chatbot on WhatsApp have sent hundreds of millions of messages directly to people with official information and advice,” it said.
    Facebook also partnered with the Poynter Institute’s International Fact-Checking Network in May to launch a fact-checking chatbot on WhatsApp. Similarly, it joined forces with the WHO in March to launch a WhatsApp chatbot, expanding that as an alert service powered by Messenger.
    Within days of the recent artificial intelligence upgrades, the WHO Health Alert service saw over 500,000 messages sent through and data on specific countries was requested more than 430,000 times. To date, the WHO Health Alert has received almost 4 million messages from over 540,000 users worldwide.

    Details of 540,000 sports referees taken in failed ransomware attack

    A company that provides software for sports leagues to manage referees and game officials has disclosed a security incident that impacted around 540,000 of its registered members — consisting of referees, league officials, and school representatives.
    ArbiterSports, the official software provider for the NCAA (National Collegiate Athletic Association) and many other leagues, said it fended off a ransomware attack in July this year.
    In a data breach notification letter filed with multiple states across the US [1, 2], the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups.
    This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials.
    ArbiterSports said the backups contained sensitive information about users who registered on these web apps, such as account usernames, passwords, real names, addresses, dates of birth, email addresses, and Social Security numbers.
    “The passwords and Social Security numbers were encrypted in the file, but the unauthorized party was able to decrypt the data,” the company said.
    ArbiterSports said that after blocking the attempt to encrypt its local data, the hackers reached out and demanded payment in exchange for deleting the files that they obtained.
    The company said it paid the ransom demand and “obtained confirmation that the unauthorized party deleted the files.”
    However, there is no guarantee that the hackers didn’t make a copy of the data before deleting ArbiterSports’ data. Sources in the incident response (IR) community have told ZDNet about cases where ransomware gangs did not delete the data.
    An ArbiterSports spokesperson was not immediately available for additional comments, despite repeated attempts.
    The ArbiterSports incident is reminiscent of a similar incident disclosed by Blackbaud, a provider of cloud-based software to universities and non-profits. Blackbaud also avoided having its files encrypted, but eventually had to pay hackers to delete files they stole before being detected.
    The Blackbaud incident triggered a wave of second-hand breach notifications from universities, schools, and colleges all over the world, all of which had to inform their own customers of the incident.

    Member of 'The Dark Overlord' hacking group sentenced to five years in prison

    A UK national pleaded guilty today to extorting dozens of companies across the world as a member of an infamous hacking group known as The Dark Overlord (TDO).
    Nathan Francis Wyatt, 39, was sentenced to five years in prison and ordered to pay $1,467,048 in restitution to victims.
    According to court documents, Wyatt was part of the TDO hacker group since 2016. The group operated by hacking into large companies, stealing their sensitive data, and then asking for huge ransoms.
    If victims didn’t pay, the hackers would sell their data on hacking forums, leak it on the public internet, or tip journalists about the breach in order to generate negative press for the hacked company.
    Wyatt’s role in the scheme was to contact victims and demand ransom payments. He was connected to the group after he used phone numbers registered in his name to contact some of the victims.
    Wyatt was arrested in 2017 in the UK and extradited to the US in December 2019 to face charges.
    Prior to his arrest on TDO-related charges, Wyatt had previously been investigated for hacking the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge.
    Most of the other members of the TDO group remain at large.
    In May 2018, Serbian authorities arrested a 39-year-old man in Belgrade on charges of being one of the TDO members; however, it’s unclear how he was connected to the group as authorities only shared the man’s initials (S.S.) and birth year (1980), which made tracking his case harder.
    The TDO group has a long and prodigious hacking history. The group has taken credit for, or has been linked to, dozens of hacks, including:
    • Hacked three healthcare organizations and sold 651,894 patient records on the Dark Web
    • Sold over 9.3 million patient records from an unnamed healthcare insurance provider
    • Hacked and extorted the Cancer Services of East Central Indiana-Little Red Door center
    • Hacked Netflix and leaked episodes from season 5 of “Orange Is The New Black”
    • Hacked ABC and leaked episodes from “Steve Harvey’s Funderdome” TV show
    • Hacked Larson Studios, Inc., a Hollywood audio post-production studio, and stole a large collection of unreleased TV show episodes
    • Hacked H-E Parts International Morgan
    • Hacked Line 204, a provider of sound stages for Hollywood studios
    • Hacked Austin Manual Therapy Associates
    • Hacked SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy
    • Hacked Hand Rehabilitation Specialists
    • Hacked Gorilla Glue
    • Hacked and released data from multiple companies, such as Pre-Con Products, G.S. Polymers, PcWorks, International Textiles & Apparel, and UniQoptic
    • Hacked Caribbean Island Properties, a real estate company
    • Hacked Prime Staff Inc., an HR firm
    • Hacked Channel Ship Services, a sea shipping company
    • Hacked Sterling National Financial Group, an insurance firm
    • Hacked AZ Plastic Surgery Center

    Microsoft secures backend server that leaked Bing data

    Microsoft suffered a rare cyber-security lapse earlier this month when the company’s IT staff accidentally left one of Bing’s backend servers exposed online.
    The server was discovered by Ata Hakcil, a security researcher at WizCase, who exclusively shared his findings with ZDNet last week.
    According to Hakcil’s investigation, the server is believed to have exposed more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine.
    The WizCase researcher was able to verify his findings by locating search queries he had performed in the Bing Android app in the server’s logs.
    Hakcil said the server was exposed online from September 10 to September 16, when he notified the Microsoft Security Response Center (MSRC), and the server was secured again with a password.
    Reached for comment last week, Microsoft admitted to the mistake.
    “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson told ZDNet in an email last week.
    “After analysis, we’ve determined that the exposed data was limited and de-identified.”
    ZDNet, which was granted access to the server while it was exposed online without a password, can confirm that no personal user information was exposed.
    Instead, the server exposed technical details, such as search queries, details about the user’s system (device, OS, browser, etc.), geo-location details (where available), and various tokens, hashes, and coupon codes.
    The leaky server was identified as an Elasticsearch system. Elasticsearch is a search and analytics engine that companies use to aggregate large quantities of data so they can easily search and filter through billions of records.
    Over the past four years, Elasticsearch servers have been the source of many accidental data leaks.
    The reasons vary: administrators forgetting to set a password; firewalls or VPN systems suddenly going down and exposing a company’s normally internal servers; or companies copying production data to test systems that aren’t always secured as thoroughly as their primary infrastructure.

    Ransomware is evolving, but the key to preventing attacks remains the same

    Ransomware attacks are getting more aggressive according to a senior figure at Europe’s law enforcement agency, but there are simple steps which organisations can follow to protect themselves – and their employees – from falling victim to attacks.
    “Ransomware is one of the main threats,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3), told ZDNet. Europol supports the 27 EU member states in their fight against terrorism, cybercrime and other serious and organised forms of crime.
    “Criminals behind ransomware attacks are adapting their attack vectors, they’re more aggressive than in the past – they’re not only encrypting the files, they’re also exfiltrating data and making it available,” he explained. “From a law enforcement perspective we have been monitoring this evolution.”
    This year has seen a rise in ransomware attacks where cyber criminals aren’t just encrypting the networks of victims and demanding six-figure bitcoin payment to return the files, but they’re also threatening to publish sensitive corporate information and other stolen data if the victim doesn’t pay the ransom.
    However, Europol’s No More Ransom project is attempting to take the fight to cyber criminals by offering free decryption tools for hundreds of different families of ransomware, something which is estimated to have stopped over four million victims from giving into ransom demands.
    The scheme is based on collaboration between Europol and over 150 partner organisations in law enforcement, cybersecurity and academia around the world, and the portal is regularly updated with new decryption tools to help victims of ransomware attacks.
    “We’re constantly reaching out to partners involved in the project and asking them to keep us updated on the possibility of new tools to mitigate the damage by the newest ransomware families,” Ruiz explained.
    But the best way to protect against the potential damage of a ransomware attack is to make sure organisations, businesses and individuals have the necessary cybersecurity measures in place to avoid falling victim to ransomware in the first place.
    “Prevention is the key,” said Ruiz. “The main advice is keep backups of your data and keep them offline. Also it’s essential that all the operating systems and anti-virus are properly updated; implement any available patch as soon as possible in order to mitigate any vulnerabilities”. It’s also important that organisations teach employees how to spot a potential cyber attack.
    “There are minimum security measures they can adapt, not only at the company but also at home – don’t download software from non-reliable sources, don’t open attachments if you think they’re suspicious,” Ruiz explained.
    “A number of these essential security measures can prevent most of the successful ransomware attacks we’ve seen,” he added. The full interview with Ruiz is available on ZDNet’s Security Update video series.

    Phishing awareness training wears off after a few months

    Security and phishing awareness programs wear off in time, and employees need to be re-trained after around six months, according to a paper presented at the USENIX SOUPS security conference last month.
    The purpose of the paper was to analyze the effectiveness of phishing training in time.
    Taking advantage of the fact that organizations in the German public administration sector must go through mandatory phishing awareness training programs, academics from several German universities surveyed 409 of 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS).
    Researchers tested the effectiveness of the phishing training over time, with periodic tests at regular intervals, to determine when SOGSS employees would lose their ability to detect phishing emails.
    Employees were split into multiple groups and tested four, six, eight, ten, and twelve months, respectively, after receiving an on-site phishing training course.
    The research team found that while the survey takers were still able to correctly identify phishing emails four months after the initial training, this was no longer the case at six months and beyond, at which point new training is recommended.
    Video and interactive training works best
    Researchers also developed their own “reminders” in order to “replenish the employees’ phishing awareness and knowledge,” which they used to re-train employees after taking their survey, and again six and twelve months later.
    “We developed four different ones,” academics said.
    “Four reminder measures were distributed to four groups (one per group): (a) text, (b) video measure, (c) interactive examples, and (d) a short text.
    “Twelve months after the tutorial, we compared the knowledge retention of the four reminder groups […]. Among the four reminder measures, the video measure and the interactive examples measure performed best, with their impact lasting at least six months after being rolled-out.”
    Academics concluded that while training employees in detecting phishing emails might help organizations fend off some attacks, this training needs to be cyclical, with training sessions repeated, optimally every six months and using interactive or video training measures.
    Additional details about the research team’s work can be found in a paper named “An investigation of phishing awareness and education over time: When and how to best remind users”.

    Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints

    The threat landscape is under a constant state of evolution, with enterprise players hard-pressed to keep up with a frequent barrage of vulnerability disclosures, security updates, and the occasional zero-day. 

    Analysts estimate that by 2021, 3.5 million cybersecurity roles will be unfilled, so not only do existing security professionals need to deal with a seemingly endless fight against cyberattackers, they may also have to do so while short-staffed — not to mention the disruption caused by COVID-19.
    There are tools out there to help with the strain: automatic scanners, artificial intelligence (AI) and machine learning (ML)-based algorithms and software that can manage endpoint security and risk assessments, feeds providing real-time threat data, and more.
    Frameworks also exist, such as MITRE ATT&CK, which provides a free knowledge base compiling tactics and techniques observed in current, real-world attacks.
    It is this data repository that Cisco has examined in a new report describing current attack trends against enterprise endpoints and networks. 
    On Monday, Cisco published a data set based on MITRE ATT&CK classifications combined with Indicators of Compromise (IoCs) experienced by organizations that receive alerts through the company’s security solutions within specific time frames. 
    According to the company, over the first half of 2020, fileless threats were the most common attack vector used against the enterprise. Fileless attacks include process injections, registry tampering, and threats such as Kovter, a fileless Trojan; Poweliks, a code injector that operates on the back of legitimate processes; and Divergent, fileless Node.js malware. 
    In second place are dual-use tools including Metasploit, PowerShell, CobaltStrike, and PowerSploit. Legitimate penetration testing tools such as Metasploit are of benefit to cybersecurity as a whole, but unfortunately, cyberattackers may also abuse these solutions for criminal gain.
    Tools such as Mimikatz, a legitimate authentication and credentials management system, come in third place — as weaponized software turned toward credential stuffing attacks. 
    Over the first half of 2020, Cisco says these attack vectors make up roughly 75% of critical severity IoCs observed. 
    If you apply these threats to MITRE ATT&CK classifications, this means defense evasion appears in 57% of all IoC alerts, and execution comes in at 41%. 
    As modern malware will often include obfuscation, movement, and concealment techniques — as well as the ability to launch payloads and tamper with existing processes — this is hardly a surprise, and IoCs may relate to more than one overall classification. 
    “For example, an attacker that has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer,” Cisco notes. 
    When it comes to critical severity alerts, however, the top three categories — defense evasion, execution, and persistence — undergo a reshuffle. 
    Execution stole the top spot away from defense evasion in critical severity attacks, with a bump of 14%, bringing total IoC alerts to 55%. Defense evasion dropped by 12% to 45%, whereas persistence, lateral movement, and credential access spiked by 27%, 18%, and 17%, respectively. 

    In addition, some classifications dropped off the list entirely or accounted for less than one percent of critical IoC alerts, including initial access, privilege escalation, and discovery — otherwise known as reconnaissance — revealing a shift in focus when it comes to critical attacks in comparison to overall IoCs.
    To protect against high-level threats, Cisco recommends that administrators use group policies or whitelists for file execution, and if dual-use tools are required by an organization, temporary access policies should be implemented. In addition, connections made between endpoints should be frequently monitored. 
