Zoom patches zero‑day flaw in Windows client

The vulnerability exposed Zoom users running Windows 7 or earlier OS versions to remote attacks

The Zoom videoconferencing platform was affected by a zero-day vulnerability that could have allowed attackers to remotely execute commands on affected machines. The flaw impacted devices running the Windows operating system, specifically Windows 7 and earlier.

The company has since addressed the issue and released a patch on Friday, with the release notes of version 5.1.3 (28656.0709) stating that the patch “fixes a security issue affecting users running Windows 7 and older.”

Technical details about the vulnerability are sparse; it hasn’t been assigned a Common Vulnerabilities and Exposures (CVE) identifier and was first described by ACROS Security on its 0patch blog:

“The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. No security warning is shown to the user in the course of an attack,” said ACROS.

However, the company also noted that the hole was “only exploitable on Windows 7 and older Windows systems”, as well as “likely also exploitable on Windows Server 2008 R2 and earlier”. By contrast, Windows 10 and Windows 8 are not affected.

RELATED READING: Windows 7 end of life: Time to move on

ACROS was tipped off to the flaw by a researcher who wanted to remain anonymous. The company then ran an analysis of the researcher’s claims and tried out a number of attack scenarios before forwarding its findings to Zoom along with a proof of concept and recommendations on how to fix the issue. There is no word of attackers exploiting the bug in the wild.

ACROS also released a quick micropatch last Thursday that removed the vulnerability from the code before Zoom addressed the issue with a patch of its own. The micropatch was made available to everyone for free, with the company releasing a demonstration of how a user could easily trigger the vulnerability.

The COVID-19 pandemic has led many companies to switch to remote work and people to socially distance from one another, with videoconferencing apps swiftly becoming de rigueur for work and social life alike.

In Zoom’s case, the unexpected limelight also helped reveal a slew of security and privacy lapses affecting the platform, ultimately prompting its CEO Eric S. Yuan to announce a 90-day feature freeze to remedy the issues. The self-imposed pause on feature updates elapsed earlier this month.

At any rate, Zoom users would be well advised to apply the latest patch to mitigate the risk of a malicious actor attacking their devices. Should you want to strengthen your videoconferencing security, ESET Chief Security Evangelist Tony Anscombe had some thoughtful advice to share in a pair of recent articles – one general article about videoconferencing with security in mind and the other devoted specifically to getting your Zoom settings right.

13 Jul 2020 – 08:51PM

Week in security with Tony Anscombe

Up close with the Evilnum group and its eponymous malware – A severe flaw in networking gear – Router firmware under the microscope

ESET researchers have published their deep-dive analysis of the shenanigans of Evilnum, a relatively little-known threat actor that targets fintech companies across the world. Users of F5 Networks’ BIG-IP line of networking devices are urged to install a patch fixing a critical vulnerability in the products, as evidence shows that miscreants are attempting to exploit the security hole. Also this week, we looked at ways to reduce the risks of ‘sharenting’, as many parents find it hard to resist (over)sharing content involving their children on social media. All this – and more – on WeLiveSecurity.com.

Popular home routers plagued by critical security flaws

A study paints a dim picture of router security, as none of the 127 devices tested was free of severe vulnerabilities

A recent study of more than 100 consumer-grade routers from seven, mostly large vendors has found that nearly all tested routers are affected by scores of unpatched and often severe security flaws that leave the devices – and their users – at risk of cyberattacks.

“[T]here is not a single device without known critical vulnerabilities,” says the damning study, called Home Router Security Report 2020. It was conducted by Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) and looked at 127 router models from ASUS, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel.

“Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely,” said the researchers, who tallied the average length of time since the latest update at 378 days. A total of 46 routers did not receive any security update within the last year.

The routers were found to be affected by 53 critical-rated vulnerabilities on average; even the device that came out top was affected “only” by 21 such CVEs. No specific vulnerabilities were listed, however.

At any rate, the issues don’t stop with vulnerabilities that are hardly ever patched. “Some routers have easily crackable or even well-known passwords that cannot be changed by the user,” reads the study. More precisely, 50 routers came with hardcoded admin credentials, including 16 with well-known or easy-to-guess login details.

RELATED READING: At least 15% of home routers are unsecured

The study rated some router models higher than the rest, although by no means is this to say that their owners have a reason to rejoice. “AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel,” said the researchers.

Unsurprisingly, 90 percent of the devices were running Linux, but often one of the operating system’s ancient versions. More than one-third of the routers were still running the 2.6.36 Linux kernel, which received its last update in 2011.

“Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should,” said the study’s co-author, Johannes vom Dorp from FKIE’s Cyber Analysis & Defense department.

The research used FKIE’s Firmware Analysis and Comparison Tool (FACT) to examine the devices’ latest firmware versions as available on March 27th, 2020. The methodology and results are described in detail in the aforementioned paper. A full list of the tested models and their respective firmware versions is available on GitHub.

Overall, the study’s results are not too dissimilar from what other studies have found in recent years, including this test by Independent Security Evaluators last year and another review by the American Consumer Institute in 2018.

Additional reading

We’ve covered the subject of router security extensively in recent years, and especially in the work-from-home era this subject is even more important than ever. For starters, you may want to read our general article on how to boost your router security or peruse our tips for reviewing your router’s configuration settings. Another article – prompted by the FBI’s advice for everybody to reboot their routers following reports that hundreds of thousands of routers worldwide had fallen victim to VPNFilter malware – also offers practical guidance on this subject and might be best read in conjunction with this follow-up piece on the same topic.

9 Jul 2020 – 08:46PM

Billions of stolen passwords for sale on the dark web

While logins to music and video streaming services sell for less than ten dollars each, domain admin access is being offered for US$120,000

More than 15 billion stolen account credentials are up for grabs on cybercrime forums, with 5 billion of them considered unique, meaning that they haven’t been offered for sale more than once, according to research by Digital Shadows.

The usernames and passwords found on cybercriminal marketplaces, especially on the dark web, come from over 100,000 separate data breaches and include access credentials for financial accounts and streaming services, and even for admin accounts providing access to organizations’ key systems.

The researchers spent a year and a half analyzing the tactics that crooks use to exploit pilfered account information and found that the amount of misappropriated credentials has risen by 300% since 2018.

Most of the stolen login information belongs to consumers and while many are often offered for free, those that do go on sale have an average asking price of approximately US$15 per account. However, depending on the type of access they provide the price might go up or down, with financial and banking accounts commanding the highest price – US$70 a pop. The rest, typically streaming media accounts, social media and other services, can be purchased for under US$10.

Consumers are just the tip of the iceberg; perpetrators have their eyes on bigger fish they’d like to fry. Accounts that could allow them to infiltrate the critical systems of an organization are auctioned and can fetch an average price of over US$3,100; the most valuable have been known to go for US$120,000. That said, Digital Shadows noted that it “cannot confirm the validity of the data that the vendors purport to own”.

Still, the price might not come as a surprise, since compromising a whole company network could yield information that can be sold off or held for ransom, ultimately paying out much more than the initial ‘investment’.

RELATED READING: Cybercrime black markets: Dark web services and their prices

How are all those credentials acquired, anyway? As the report points out, there is the straightforward option of hacking a company database and stealing the data, but there are also methods that require less effort.

These include harvesting them using phishing campaigns, as well as compromising machines with malware, such as keyloggers, or buying the login information from marketplaces or using credentials that are offered on forums for free. But there is still one more option.

Digital Shadows says that it has observed the emergence of markets offering account takeover as a service; in this case, instead of buying account credentials, criminals rent an identity for a limited amount of time. “Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market,” the company adds.

How to protect yourself?

There are multiple steps you can take to mitigate the risk of having your usernames and passwords stolen:

Don’t recycle your passwords across multiple services; you should use a strong and unique password for each of your online accounts – which is precisely where a password manager can come in handy.
Start using multi-factor authentication, which is the easiest way to add an extra layer of security to your account.
If a service you use has been breached, immediately change your password across all the services you use it for, and perhaps check whether you use a variation of it on other services and change those as well.
You can also set up a password breach alert, such as the one offered by Chrome’s Password Checkup, or run a similar check using dedicated services.
Watch out for phishing attempts; don’t click on links or attachments that seem suspicious.
Use a reputable security solution.

9 Jul 2020 – 06:11PM

More evil: A deep look at Evilnum and its toolset

ESET research gives a detailed picture of the operations of the Evilnum group and its toolkit deployed in attacks against carefully chosen targets in the fintech sector

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates.

In this article we connect the dots and disclose a detailed picture of Evilnum’s activities. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.


According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, we have also seen attacks in countries such as Australia and Canada. Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks.

The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers. Some examples of the information this group steals include:

Spreadsheets and documents with customer lists, investments and trading operations
Internal presentations
Software licenses and credentials for trading software/platforms
Cookies and session information from browsers
Email credentials
Customer credit card information and proof of address/identity documents

According to what we have seen during our investigation, the group has also gained access to IT-related information such as VPN configurations.

Overview of the attack

Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component, while displaying a decoy document. These shortcut files have “double extensions” to try to trick the user into opening them, thinking they are benign documents or pictures (in Windows, file extensions for known file types are hidden by default). The contents of one of the ZIP files are shown in Figure 1.

Figure 1. Malicious LNK files

Once a shortcut file is opened (it doesn’t matter which one, as they all do the same thing), it looks in the contents of its own file for lines with a specific marker and writes them to a .js file. Then this malicious JavaScript file is executed and it writes and opens a decoy file with the same name as the shortcut, but with the correct extension. It also deletes the shortcut file. The documents used as decoys are mostly photos of credit cards, identity documents, or bills with proof of address, as many financial institutions require these documents from their customers when they join, according to regulations (this is known as “Know Your Customer”). One such decoy is shown in Figure 2 (blurred for privacy).
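The delivery chain described above (a shortcut with a document or picture extension in front of .lnk, whose own bytes carry marked script lines that get written out to a .js file) can be checked for on the defender's side with a small triage script. The Python below is an added example and not ESET's code: it flags a double extension, a file that does not begin with the Windows shortcut header, marked lines in the file body, and common Windows Script Host tokens. The marker string, the token list, the extension list and the sample bytes are constructed for the example; the actual marker the malware looks for is not given in the text.

```python
import re
from pathlib import PurePosixPath

# Windows shortcut (.lnk) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a user would expect to open as a document or picture (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}

# Hypothetical placeholder for the line marker; the real one is not disclosed in the text.
MARKER = "##SCRIPT##"

# Tokens that appear in most Windows Script Host JavaScript droppers (constructed list).
SCRIPT_TOKENS = re.compile(rb"ActiveXObject|WScript\.Shell|Scripting\.FileSystemObject")


def has_double_extension(name):
    """True for names such as 'invoice.pdf.lnk', where Explorer hides the .lnk part."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTS


def marked_lines(data, marker=MARKER):
    """Return the text lines carrying the marker, the same lines the shortcut
    would copy into a .js file according to the description above."""
    marker_b = marker.encode()
    return [line.decode("latin-1") for line in data.splitlines() if marker_b in line]


def triage_shortcut(name, data):
    """Return a list of findings for one shortcut file; an empty list means nothing suspicious."""
    findings = []
    if has_double_extension(name):
        findings.append("double extension")
    if not data.startswith(LNK_MAGIC):
        findings.append("missing shortcut header")
    if marked_lines(data):
        findings.append("marked script lines")
    if SCRIPT_TOKENS.search(data):
        findings.append("script-host tokens")
    return findings


# Constructed samples: a shortcut header, padding, then marked script lines appended
# after the shortcut structure, versus a plain shortcut with nothing appended.
SAMPLE_NAME = "account_statement.pdf.lnk"
SAMPLE_DATA = (
    LNK_MAGIC + b"\x00" * 56 + b"\r\n"
    + b'##SCRIPT## var sh = new ActiveXObject("WScript.Shell");\r\n'
    + b"##SCRIPT## // further marked lines would follow in a real sample\r\n"
)
BENIGN_NAME = "Calculator.lnk"
BENIGN_DATA = LNK_MAGIC + b"\x00" * 56

if __name__ == "__main__":
    for n, d in ((SAMPLE_NAME, SAMPLE_DATA), (BENIGN_NAME, BENIGN_DATA)):
        print(n, "->", triage_shortcut(n, d) or "clean")
```

A double extension on its own is only a weak signal (some legitimate shortcuts are named that way), so the script reports every finding separately and leaves the decision to whoever reads the mail gateway or EDR output; the header check also catches files renamed to .lnk that are not shortcuts at all.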

Figure 2. Photo of the back of an ID card, used as a decoy

These decoy documents seem genuine, and we assume that they have been collected by this group during years of operation. Documents are collected actively in the group’s current operations, as it targets technical support representatives and account managers, who regularly receive these kinds of documents from their customers. The group reuses the documents on different targets, unless the targets are from different regions.

The JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy component, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C# component by other researchers in the past, but the JS component also has been referred to as Evilnum. We have named the group Evilnum as that is the name of their flagship malware, and we’ll refer to the various malware pieces as components. An overview of these is shown in Figure 3.

Figure 3. Evilnum components

Each of the various components has its own C&C server, and each component operates independently. The operators of the malware manually send commands to install additional components and use post-compromise scripts and tools if they consider them necessary.

Most servers used by the malware are referenced by IP addresses; domain names have not been used. The only exceptions are the C&C servers used by the Golden Chickens components, the malware purchased from a MaaS provider that we describe later.

Those referenced by an IP address can be split into two groups, based on the hosting provider. The majority of them are hosted with FreeHost, a Ukrainian provider. The rest are hosted in the Netherlands, with Dotsi.

JS Component: First compromise

This component communicates with a C&C server and acts as a backdoor without the need for any additional program. However, in most attacks that we have seen, the attackers deployed additional components as they saw fit and used the JS malware only as a first stage.

The first known mention of this JavaScript malware was in May 2018 in this pwncode article. The malware has changed since then and we illustrate these changes in Figure 4.

Figure 4. Timeline of changes in JS component

Differences between version 1.3 and the others are noteworthy, as the server-side code for the C&C was changed and commands are different. In that early version it was not possible to upload files to the C&C, only to download files to the victim’s computer. Also, as new versions appeared, the malware was extended with some Python scripts (see the Post-compromise toolset section) and external tools such as ChromeCookiesView.

Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose. Figure 5 shows an example

Attackers target critical flaw in popular networking gear

The vulnerability, which received the highest possible severity score, leaves thousands of devices at risk of being taken over by remote attackers. A patch is available.

F5 Networks, one of the world’s leading providers of enterprise networking equipment, has recently published a security advisory about a critical vulnerability that impacts its BIG-IP multi-purpose networking devices and “may result in complete system compromise”. The company has also released a patch plugging the security hole, all the while multiple security experts report that attackers are already deploying exploits targeting the flaw.

Evidence of miscreants actively trying to exploit the vulnerability was recorded as early as July 4th, with the first attempts coming out of Italy. NCC Group also recorded increased activity over the next few days on the honeypots that it’d set up to bait potential attackers.

Other researchers have publicly shared proof-of-concept (PoC) exploits for the vulnerability, showing how easy it is to compromise unpatched devices.

TMSH access in a matter of minutes 😱 (CVE-2020-5902). Of course this does require access to the management interface. pic.twitter.com/FcR2zRZBG9

— Yorick Koster (@yorickkoster) July 5, 2020

Indexed as CVE-2020-5902, the remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of a line of BIG-IP products holds the “perfect” score of 10.0 on the Common Vulnerability Scoring System (CVSS) severity scale. According to Mikhail Klyuchnikov, a researcher at Positive Technologies who discovered the critical flaw, a hacker with access to the BIG-IP configuration utility could exploit the device remotely without authentication.

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” he added.

Klyuchnikov also uncovered another, though less severe, vulnerability in BIG-IP that earned a severity score of “only” 7.5. Tracked as CVE-2020-5903, the cross-site scripting vulnerability in the BIG-IP configuration interface could allow a cybercriminal to run malicious code with the same rights as a logged-in user. Successful exploitation of the flaw could even lead to a full compromise of the device.

While F5 Networks disclosed the vulnerabilities and released patches last Wednesday, many devices remain unpatched. The United States Cyber Command also issued an alert about the flaws and urged everyone to install the updates post-haste. F5 Networks counts 48 out of the Fortune 50 among its clients and its devices are used by governments as well.

URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020

At the time of the warning, a Shodan search turned up more than 8,000 BIG-IP devices connected to the internet. If your company uses any of the affected devices, you should patch them immediately. F5’s security advisories for both CVE-2020-5902 and CVE-2020-5903 feature the full list of affected devices and remediation steps.

7 Jul 2020 – 05:57PM

Raising children in the social media limelight? Pause before you post

How (over)sharing your children’s triumphs and antics with the world may impact their immediate and distant future – and how to reduce the risks of ‘sharenting’

Most people like to share glimpses of their personal lives on social media, ranging from sports activities and delicious food to achievements and special moments. These are usually shared with their network of family, friends, and sometimes followers. The usual reason is strengthening bonds, since your family and friendship circle can be dispersed all around the globe.

Those who are also parents often post photos of their children from a very early age, sometimes even in the form of ultrasounds. Strictly speaking, their children have a digital presence before they’re even born. And the sharing doesn’t stop there: teething, first steps, potty training, and a wide assortment of other achievements that some parents like to share well into their children’s teenage years.

The phenomenon of (over)sharing content involving one’s kids on social media has even earned its own name – sharenting. It’s all right to feel the need to document your children growing up, but it’s not OK to share their every waking moment on social media for everyone to see. Here are some reasons why.

Ultimately, it’s not your information

Although most parents obviously have the best interests of their children at heart, they also tend to be the biggest violators of their children’s privacy. According to a recent report from the Children’s Commissioner of England, parents post an average 1,300 photos and videos of their children by the age of 13. While parents share various aspects of their children’s lives with the best intentions, they should thoroughly think about what impact the sharing of this information could have for their children in the future. As their progeny grow up, some of the photos and details they have shared may have far-reaching consequences, which they are unaware of at the moment.

For example, parents may share pictures of their kids sporting T-shirts showing support for a political party or cause, with which their children might not want to be affiliated or even agree with when they grow up. Furthermore, it could prove difficult for them to shed the reputation their parents may have unintentionally cultivated for them by inappropriate sharenting.

While sharing the images of children is at the discretion of the parents when they are too young to understand or care, there comes a point where you have to have a discussion on posting about them on social media. You should make a set of rules on what content is acceptable and respect their opinions on the matter, including in what actually gets posted.

If you think the idea is novel, you’d be mistaken. Gwyneth Paltrow was called out by her daughter Apple Martin for not asking for her consent when the actress shared a mom-daughter photo. “Mom we have discussed this. You may not post anything without my consent,” wrote Apple, who was 14 at the time.

What am I sharing? And with whom?

Data on the internet is, by design, usually searchable, shareable, and long-lasting. Or in other words “what goes on the internet, usually stays there”. An important tidbit of internet etiquette that is frequently repeated is that you should think twice about what you’re sharing, something that should apply tenfold if you’re sharing someone else’s information, like your child’s.

Nonetheless, people tend to forget that something as banal as sharing a public photo of a child’s birthday party could cause a lot of harm if the photo made its way into the wrong hands. Let’s break down how much information one such post can include. At the very least, it could include:

a photo of the child, probably with a wish along the lines of “Happy 2nd birthday, John!”,
details that may reveal the location, such as landmarks,
other people, since it may be a group photo; this may be problematic too, as you need to be mindful of other people’s privacy,
a geotag if the parent hasn’t turned off location tracking.

Piecing the information together, we have the child’s name, birth date, and address. This information could be then used, for example, for identity theft and fraud.

Stacey Steinberg, associate director for the Center on Children and Families, also touched upon the perils of sharenting in her paper, Sharenting: Children’s privacy in the age of social media. One of the examples mentioned is of a mother who posted pictures of her twins’ toilet training. She later found out that strangers accessed these pictures, downloaded and altered them, and then shared those on a website used by pedophiles.

RELATED READING: Online grooming: A threat to minors that demands our attention

This and other of Steinberg’s examples demonstrate that people are sometimes woefully unaware of how easy it is for other people to download and store images shared on social media, or of how much information they contain. Which brings us to another question – who are you sharing these photos with?

The audience of your posts depends on where and with whom you choose to share them. If your social media profile is public, then literally anyone who stumbles upon your profile can see the content. However, if you keep it private, only those you have “friended” or allowed to follow you can see it. How many of them do you really know? When was the last time you conducted an audit of your friend or follower list?

Facebook, for example, allows you to choose an audience for each of your posts, so you can restrict them to specific family members and selected friends. But that presents its own set of problems. Can you trust them not to repost it? Do you believe that they adhere to proper cybersecurity and privacy practices and have everything locked down tighter than Fort Knox? These are questions parents probably don’t really ask themselves all that often when posting something, although they should.

How to be a responsible “sharent”?

The best and safest

The Fed shares insight on how to combat synthetic identity fraud

The Federal Reserve looks at ways to counter what is thought to be the fastest-growing type of financial crime in the country

The United States’ Federal Reserve has published advice for financial institutions located in the US on how to mitigate risks of synthetic identity payments fraud. Citing an analysis by the Auriemma Group, the Fed noted that synthetic identity fraud cost US lenders around US$6 billion and was responsible for 20% of credit losses in 2016.

Scammers usually create synthetic identities by piecing together bits and pieces of real and fake information, which includes Personally Identifiable Information (PII), such as names, Social Security Numbers (SSN), and addresses. They frequently target individuals, who are less likely to check their credit information often, such as children, the elderly, or even homeless people. The upside of utilizing this method for fraudsters is that synthetic identities act like legitimate accounts, which means they evade conventional means of fraud detection.

“This affords perpetrators the time to cultivate these identities, build positive credit histories, and increase their borrowing or spending power before ‘busting out’ – the process of maxing out a line of credit with no intention to repay,” warns the Federal Reserve.

The guidance, entitled “Mitigating Synthetic Identity Fraud in the U.S. Payment System”, is the third publication in a series of white papers dedicated to synthetic payments fraud; the previous two instalments were published last year and focused on defining and identifying this type of fraud.

In its newest whitepaper, the Fed points out that institutions shouldn’t rely only on one screening method to combat what a recent McKinsey report called “the fastest-growing type of financial crime” in the US. Instead, implementing a multi-layered approach that weds manual and technological data analysis places organizations in an optimal position to identify and mitigate cases of synthetic identity-related fraud.

RELATED READING: Simple steps to protect yourself against identity theft

While looking at the basic PII, such as SSNs, names, dates of births and addresses, is a good starting point, experts say that broadening the scope to include additional data sources affords institutions the best chance of success in identifying fraudsters. Looking for common denominators, such as multiple users using the same SSN or checking for multiple accounts that were created from the same IP address, could help in identifying more cases.
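One way to act on the “common denominators” mentioned above, written here as an added example rather than anything from the Fed's whitepaper: the Python script groups applications by SSN and by sign-up IP address, then flags an SSN that is claimed under more than one distinct name and date of birth, and an IP address used to open several accounts under different SSNs. The application records, field names and the IP threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample applications (fictitious names, SSNs and documentation-range IPs).
APPLICATIONS = [
    {"id": "A1", "name": "Alice Example",    "ssn": "111-11-1111", "dob": "1985-02-14", "signup_ip": "203.0.113.10"},
    {"id": "A2", "name": "Robert Sample",    "ssn": "222-22-2222", "dob": "1979-06-30", "signup_ip": "203.0.113.11"},
    {"id": "A3", "name": "Carla Fictitious", "ssn": "111-11-1111", "dob": "1992-11-02", "signup_ip": "198.51.100.5"},
    {"id": "A4", "name": "Dan Placeholder",  "ssn": "333-33-3333", "dob": "1988-01-09", "signup_ip": "198.51.100.5"},
    {"id": "A5", "name": "Eve Constructed",  "ssn": "444-44-4444", "dob": "1995-07-21", "signup_ip": "198.51.100.5"},
    # Same person as A1 applying again: same SSN, same name and date of birth,
    # so it must not count as a second identity on that SSN.
    {"id": "A6", "name": "Alice Example",    "ssn": "111-11-1111", "dob": "1985-02-14", "signup_ip": "203.0.113.12"},
]


def find_common_denominators(apps, ip_threshold=3):
    """Return {application_id: [reasons]} for applications that share an SSN with
    a different identity, or were opened from an IP address used for at least
    ip_threshold distinct SSNs. Applications with no finding are omitted."""
    by_ssn = defaultdict(list)
    by_ip = defaultdict(list)
    for app in apps:
        by_ssn[app["ssn"]].append(app)
        by_ip[app["signup_ip"]].append(app)

    flags = defaultdict(list)

    # One SSN, several (name, date of birth) pairs: the SSN is being reused to
    # build more than one identity.
    for ssn, group in by_ssn.items():
        identities = {(a["name"].strip().lower(), a["dob"]) for a in group}
        if len(identities) > 1:
            for a in group:
                flags[a["id"]].append(f"SSN {ssn} claimed by {len(identities)} different identities")

    # One sign-up address, several SSNs: accounts are being opened in bulk from
    # the same place.
    for ip, group in by_ip.items():
        ssns = {a["ssn"] for a in group}
        if len(ssns) >= ip_threshold:
            for a in group:
                flags[a["id"]].append(f"IP {ip} used to open {len(ssns)} accounts")

    return dict(flags)


if __name__ == "__main__":
    for app_id, reasons in sorted(find_common_denominators(APPLICATIONS).items()):
        print(app_id, "->", "; ".join(reasons))
```

The IP rule is the one that needs tuning in practice: a corporate or carrier NAT address legitimately fronts many applicants, so the threshold is a starting point for manual review rather than a verdict, which is in line with the layered, manual-plus-automated approach the whitepaper recommends.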

It is important to point out that there is no pixie dust that’ll make synthetic identity payment fraud disappear; there are many hurdles to overcome ranging from regulations on the state level to fraudsters switching up tactics. However, specialists think that a holistic approach consisting of a consistent definition of synthetic identity fraud, technological innovation, data solutions, and cooperation between the private and government sector could be the best way to mitigate this type of fraud in an effective manner.

6 Jul 2020 – 05:08PM

Week in security with Tony Anscombe

Brute-force attacks against RDP surge – Is contact tracing the answer to ending the COVID-19 crisis? – Microsoft ships urgent security updates

ESET researchers have released data that confirms a sharp increase in brute-force attacks against Remote Desktop Protocol connections during the pandemic-induced lockdowns. Also this week, we discussed the question of whether contact tracing can stem the COVID-19 pandemic while avoiding the privacy risks of location tracking. Meanwhile, Microsoft rushes out an emergency patch to fix a pair of serious vulnerabilities in its Windows Codecs library. All this – and more – on WeLiveSecurity.com.



Hundreds arrested after police crack encrypted chat network

European police infiltrate EncroChat, go on to crack down on crime kingpins and seize guns, drugs, cars and millions in cash

Law enforcement agencies in Europe recently cracked an instant messaging system used by organized crime before the ensuing police operation ultimately led to the arrests of more than 800 suspected criminals, mostly in the United Kingdom. The service, dubbed EncroChat, was used by 60,000 people worldwide to manage their criminal enterprises.

EncroChat ran as a customized operating system on modified Android phones that could switch between the regular Android system and the EncroChat one. The encrypted communication platform included features such as VoIP calls and self-destructing messages that would delete themselves from the user’s device after a set period, as well as a panic-wipe feature that erased all data from the device once a four-digit code was entered. The service sold these devices for £900 (US$1,120) apiece, with an additional £1,350 (US$1,680) charged for a six-month subscription.

According to Motherboard, the breakthrough was achieved by the French authorities, who were able to penetrate the EncroChat network and install a technical tool that allowed European law enforcement agencies to read over a hundred million encrypted messages sent through the service in real time.

Once the service realized that the jig was up and it had been compromised, it alerted its users on June 13th, telling them to ditch their devices. But the warning apparently came too late, as law enforcement swooped in to arrest hundreds of criminals in the UK, France, the Netherlands, Norway, and Sweden.

“The infiltration of this command and control communication platform for the UK’s criminal marketplace is like having an inside person in every top organized crime group in the country,” said Nikki Holland, Director of Investigations of the UK’s National Crime Agency.

In what is considered one of the UK’s most significant law enforcement operations ever, the NCA, Regional Organized Crime Units and police forces arrested 746 suspects and seized over £54 million (some US$67 million) in cash gained from illicit activities, as well as firearms, drugs, and high-end cars and luxury watches.

Meanwhile, France and the Netherlands have conducted separate operations and while France didn’t want to comment on ongoing investigations, their Dutch colleagues have arrested more than 100 suspects. “The expectation is that information will be made available in more than 300 investigations. In a number of cases, more arrests are very likely to follow in the coming period,” reads the press release by Europol, the EU’s law enforcement agency.

ESET security specialist Jake Moore, who used to work as a computer forensics examiner for the UK police, applauded what he called “a significant win against criminals”, but went on to warn that we haven’t seen the end of encrypted criminal communications. “Once a service such as EncroChat is shut down, it is quite normal to see another similar service crop up. This can be with the added benefits of an even more underground service that has learnt from its predecessor’s mistakes.”

Nevertheless, he ended his statement on a more positive note: “However, UK cyber-intelligence in the likes of GCHQ are closing the gap on criminal gangs that have had a head start, and it is likely we will start to see more good news stories on the disruption of more crime.”

3 Jul 2020 – 05:06PM