Trojan Shield: FBI punks crims with faux app—and international help – TechBeacon


Police forces around the world are arresting more suspects of organized crime. They’re unsealing evidence gathered over the past two to three years via a private-messaging app, Anom (styled ΛNØM).

Agencies from at least 15 countries didn’t merely have a secret back door into the messaging service—they basically ran it. The idea came to them, as the Australian police like to put it, “over a couple of beers.”

This is madness. In this week’s Security Blogwatch, this is Sparta.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Marcus explains all.

Cops did WHAT?

What’s the craic? Joseph Cox reports—How the FBI Secretly Ran a Phone Network for Criminals:

For years the FBI has secretly run an encrypted communications app used by organized crime in order to surreptitiously collect its users’ messages and monitor criminals’ activity on a massive scale. … The elaborate operation netted more than 20 million messages from over 11,800 devices used by suspected criminals.

In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, which provided custom, privacy-focused devices to organized criminals. In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom … was developing their own encrypted communications product. This CHS then “offered this next generation device … to the FBI to use in … investigations,” the court document reads.

While criminals left Phantom, they flocked to other offerings. One of those was Anom … effectively operated [by] the FBI. … Messages include discussions around drug smuggling, corruption, and other high-level organized criminal activities.

It all started in Australia, where they called it Operation Ironside. Say g’day to Aussie-Aunty’s Alison Xiao—Australian Federal Police and FBI nab criminal underworld figures in worldwide sting:

As part of a three-year collaboration between the Australian Federal Police (AFP) and the … FBI, underworld figures were tricked into communicating via an encrypted app designed by police. Authorities say … they uncovered 21 murder plots and seized more than 3,000 kilograms of drugs and $45 million in cash and assets.

There have been arrests across 18 countries, including the United States, UK, Germany and New Zealand, with more expected. Police said the plan to use an encrypted app was hatched overseas over a few beers with FBI agents in 2018. … The AFP built a capability to access decrypted communications between customised mobile phones.

The app was unwittingly distributed by [a] fugitive Australian drug trafficker … after he was given a handset by undercover agents. [He] recommended the app to criminal associates who would purchase the handset pre-loaded with AN0M.

AFP Commissioner Reece Kershaw said … agents had been in the “back pockets” of criminals: … “The FBI had the lead on this. We provided the technical capability to decrypt those messages.”

“Some of the best ideas come over a couple of beers.”

How did it work? Catalin Cimpanu expandifies—FBI and Australian police ran an encrypted chat platform:

All data on the device was encrypted, and no phone number was required to use the app, which relayed all its messages via An0m’s central platform. … All An0m devices located outside the US were configured to send a blind carbon copy (BCC) of all their messages to a third-party XMPP bot, [which] would decrypt the messages and then re-encrypt them using encryption keys managed by the FBI.

It was mostly Australian authorities who reviewed these messages, due to jurisdiction issues, as it was easier for AFP officials to obtain all the necessary paperwork, and then pass the information to the US three times a week. … The scheme was so successful that a third unnamed country, believed to be in the EU, hosted another … server and helped sift through more than 26 million encrypted messages.

Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, criminal gangs found refuge on the network, which eventually amassed more than 12,000 users from 300+ criminal syndicates across 100+ countries.
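Cimpanu's description above boils down to a client that silently sends a second copy of every message to an address the user never chose. As an added example (not code from the original article or from any of the agencies or vendors it names), here is a small audit of a client's outbound XMPP stanza log that flags recipients outside the platform's own domain and the "one send, two stanzas" pattern; the log format, JIDs, domains and ciphertext are all constructed for the example.

```python
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

# Constructed sample: outbound stanzas as a client recorded them, one per
# line as "ISO-timestamp <stanza>". All JIDs, domains and bodies are invented.
OUTBOUND_LOG = """\
2021-06-01T10:00:00.120 <message to="bob@chat.example.net" id="m1"><body>Y2lwaGVyMQ==</body></message>
2021-06-01T10:00:00.180 <message to="copy-bot@relay.invalid" id="m1c"><body>Y2lwaGVyMWI=</body></message>
2021-06-01T10:05:42.000 <message to="carol@chat.example.net" id="m2"><body>Y2lwaGVyMg==</body></message>
2021-06-01T10:05:42.040 <message to="copy-bot@relay.invalid" id="m2c"><body>Y2lwaGVyMmI=</body></message>
2021-06-01T10:09:00.000 <message to="dave@chat.example.net" id="m3"><body>Y2lwaGVyMw==</body></message>
"""


def parse_log(text):
    """Return (timestamp, recipient JID) for every outbound <message> stanza."""
    entries = []
    for line in text.splitlines():
        ts, stanza = line.split(" ", 1)
        elem = ET.fromstring(stanza)
        if elem.tag == "message" and elem.get("to"):
            entries.append((datetime.fromisoformat(ts), elem.get("to")))
    return entries


def audit(entries, platform_domain, window=timedelta(milliseconds=250)):
    """Two checks: recipients whose domain is not the platform's, and the
    BCC pattern, i.e. a stanza to such a recipient sent within `window`
    of a stanza to an ordinary contact (same user action, two deliveries).
    The ciphertext differs per copy, so correlation is by timing, not body."""
    foreign = {jid for _, jid in entries if jid.split("@", 1)[1] != platform_domain}
    shadow_pairs = []
    for (t_prev, to_prev), (t_cur, to_cur) in zip(entries, entries[1:]):
        if to_prev not in foreign and to_cur in foreign and t_cur - t_prev <= window:
            shadow_pairs.append((to_prev, to_cur))
    return {"foreign_recipients": foreign, "shadow_pairs": shadow_pairs}


if __name__ == "__main__":
    report = audit(parse_log(OUTBOUND_LOG), "chat.example.net")
    for contact, copy_to in report["shadow_pairs"]:
        print(f"message to {contact} was also delivered to {copy_to}")
```

A client controlled by the platform operator can simply leave the copy out of its own log, so in practice this check belongs on a network tap or proxy outside the handset, where the extra connection is visible regardless of what the app reports.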

Why reveal this now? A clue might be in this now-deleted blog post, by canyouguess67, indicating people might have started to notice:

Upon a visual display of … connections I was quite concerned to see the amount of IP addresses relating to … the 5 eyes Governments (Australia, USA, Canada, UK, NZ who share information with one another). … To make matters worse they were direct connections to the actual proxy servers etc giving me the ability to locate their remote offshore Romanian Server with an IP of 193.27.15.41.

In other, totally unrelated news, Iain Thomson notes Uncle Sam recovers 63.7 of 75 Bitcoins Colonial Pipeline paid to ransomware crew:

A ransom of about $5m or 75 BTC was paid to the Darkside crew behind the attack. It turns out the Feds were able to trace this payment through multiple transactions to “a specific address, for which the FBI has the ‘private key’,” the DoJ said.

How the FBI had this private key is not entirely clear. It could be that the Feds were able to gain access to a system hosting the key. It could be that someone gave them the key, or that the bureau got the key from them.

Hmm, could be. Or it could be a psychological operation, muses @aris_jewels:

I’m feeling like we’re being psyoped from each side, I don’t know who to trust anymore. Ironside, AN0M, … the “recovered” bitcoin, … possible black Swan events. Something is boiling behind the scenes.

Or, as gweihir suggests, there are other ways the feds could have cracked the wallet:

This is pretty easy if you have the “five eyes” support you:
1. Find the computer the wallet is on by large-scale network traffic analysis. Sounds impressive, but it is not. I have done this (in a research context) in the past.
2. Hack that computer. The NSA TAO may have risked a zero-day for that. More likely the computer had just shoddy security.
3. Change the wallet code to send you the key when opened.
4. Wait for anybody to log in and access the wallet.
And then you have the key.

And Alex Thorn—@intangiblecoins—adds color:

We looked on-chain & found a pattern that seems to show the funds ultimately flowed to a trading desk or exchange willing to comply with a US warrant. There’s no evidence of a bitcoin or bitcoin wallet security vulnerability. … This looks like a standard trace and trap with the illicit funds identified in the custody of a compliant party.

But back to Trojan Shield. Here’s cromka’s analysis:

Looking at the seal of the operation, [the] following countries participated in the operation: Canada, Australia, US, Sweden, The Netherlands, Lithuania, Finland, Hungary, Norway, Austria, UK, New Zealand, Estonia, … Germany, Denmark.

I expect this to be bigger than Panama Papers. Way bigger. I expect a few prominent politicians to be soon either arrested or “convinced” to step down. I expect the US to have gained a lot of intel and leverage over those from the countries who did NOT participate in this.

We will absolutely NOT learn about everything they discovered. CIA will and the respective intelligence agencies will.

Meanwhile, ukeandhike ain’t in awe of Aussie app algorithms: [You’re fired—Ed.]

Any sufficiently advanced crowbar is indistinguishable from magic.

The moral of the story?

Active threat response is key. How far will you go to root out bad actors?

And finally

MalwareTech bursts some bubbles



You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Alex Grant (cc:by)


Source of this news: https://techbeacon.com/security/trojan-shield-fbi-punks-crims-faux-app-international-help
