
S3 Ep77: Bugs, busts and old-school PDP-11 hacking [Podcast]


  • [01’34”] LAPSUS$ hacking, 2022-style.
  • [06’11”] Zero-day emergency updates from Apple.
  • [08’46”] Elevation of privilege patches in Android.
  • [09’41”] Bugs fixed in Firefox 99.
  • [11’00”] The SATAN network scanner and its impact on threat response.
  • [14’02”] Two confusing bugs in VMware Spring.
  • [20’17”] Old-school hacking, PDP-11 style.


With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


Serious Security: Darkweb drugs market Hydra taken offline by German police

German police have located and closed down the servers of Hydra, allegedly one of the world’s biggest underground online stores.

Investigators at the Bundeskriminalamt (BKA – the Federal Criminal Police Office) claim that the Russian-language Hydra darkweb site, accessible via the Tor network, had about 17 million customer accounts (many individual buyers may have had several accounts, of course) and more than 19,000 seller accounts at the time they shuttered it.

As you probably expect from a darkweb marketplace, the main products traded online were illegal drugs, but the site also apparently offered a money-laundering “coin tumbler” service aimed at creating hard-to-trace cryptocurrency transaction records, and did a brisk trade in forged identification documents.

According to a report from the BBC, locating the actual servers used to run Hydra was not an easy task (the site has been online since at least 2015), but German police said they started following up on a tip in the middle of 2021 that suggested the servers were actually hosted in Germany.

That led to the shutdown on Tuesday 2022-04-05, with the site’s main page changed to look like this:

(Image: the BKA’s seizure notice as displayed on the Hydra home page; the original is on the BKA’s own page.)

What makes a Tor takedown hard?

Tracking back both clients and servers to their source on the Tor network, which was deliberately designed to protect privacy and resist takedowns, is much more complex than tracking conventional network traffic.

Regular network packets on their way to a destination contain a source IP number (network location) that denotes the earliest known device in the traffic chain, and a destination address that determines the IP number they’re supposed to be sent to.

But source IP numbers don’t always identify the exact computer that originated the request, because there could be an intermediate server that handles traffic on behalf of that computer, although source IPs often identify a related device that could help track down the true origin.

In a typical home network, for example, your router presents itself as the source address for all your outbound network traffic, so that the rest of the world sees your whole network as a single device, with a single IP number.

Your router keeps track of which reply packets belong to which internal devices, and redirects the necessary data internally when the replies come back.

This prevents law enforcement from immediately identifying exactly which device inside your household was responsible for any specific network connection, but the IP number of your router usually, and very conveniently, identifies your home address, given that your router’s IP number is allocated to your connection by your ISP.

Your ISP can, and almost certainly will, reply to lawfully authorised demands from investigators by identifying the household associated with your IP address, whether your router is the start (e.g. you’re visiting suspicious locations) or the destination (e.g. you’re running a server accepting suspicious connections) of apparently illegal activity.

Likewise, if you use a VPN (virtual private network), all your network traffic appears to originate from one of the VPN provider’s servers, often in a different country.

The VPN provider effectively becomes both your router and your ISP, and while tracking you back to the VPN itself might be easy, law enforcement might have difficulty getting the VPN to tell them where you live, not least because the VPN operator might be in a different jurisdiction, and might not even know your real identity.

Nevertheless, the VPN provider can identify your IP number while you’re connected, because without it they wouldn’t be able to relay traffic back to you – you’d be able to send packets out, but not to receive any replies.

Some VPNs claim not to keep any logs of past connections, and therefore claim that it’s impossible for the police in their country or anywhere else to track back old traffic, because no records of any IP numbers are retained.

But there are many cases where “log-free” VPN providers turned out not only to be keeping logs anyway, but also to have suffered data breaches that leaked this “non-existent” information to outsiders.

In fact, the problem with relying on a VPN provider as the primary way of maintaining your anonymity is that you have to have total trust in the technical abilities and ethics of the provider and all their staff.

What if you can’t trust the person in the middle?

Tor aims to improve on the “what if you can’t trust the person in the middle” problem by bouncing anonymised traffic through three different, randomly chosen “routers” in succession.

When you create a Tor connection, your client software randomly selects three nodes from a pool of about 7000 different Tor nodes run by volunteers around the world, and directs your traffic through those three nodes, like this:

 Client -> Tor Node 1 -> Tor Node 2 -> Tor Node 3 -> Server

Additionally, and this is the clever part, the identity of Server is encrypted with the public key of the Tor3 node, and this encrypted blob is then encrypted with the public key of Tor2, which is then encrypted with the public key of Tor1.

Thus the routing details of your network traffic are encrypted in multiple layers, like an onion, which is why Tor’s full name is The Onion Router.

So the Tor1 node knows your IP number, and can use its private key to decrypt the outer layer of the onion to find the IP number of the Tor2 node, to which it passes on the remaining layers of the onion.

But Tor1 can’t peek any deeper into the encrypted onion and find out the identity of Tor3 or of the Server you want to end up on.

Likewise, the Tor3 node can strip off the final layer of the onion, which reveals the innermost secret of the Server you want to visit, but it can only trace your traffic back to Tor2, and therefore has no idea where Tor1 is located, let alone where the Client computer is.

The Tor2 node in the middle is there to add another layer of anonymity protection, because it keeps Tor1 and Tor3 apart.

That means, if Tor1 and Tor3 just happen to be nodes “volunteered” by collaborating law enforcement teams or intelligence agencies, they can’t directly collude to match up your traffic patterns and unmask your identity that way.

In other words, to unmask an individual connection, an attacker would need to control all the Tor nodes chosen for that connection, and to keep a careful and detailed record of each relay connection on each node.

(Tor also works against collusion by “rewiring” long-lasting connections regularly, typically rebuilding each virtual circuit automatically every 10 minutes, and creates a new circuit with new nodes for each new connection.)

Hiding the server

If the Server you connect to in the diagram above is a regular server on the internet, then your network connection emerges from Tor into plain sight after Tor3, so the content of your traffic to Server, and that server’s physical location online, is also in plain sight.

But if the final server is itself a darkweb server on the Tor network, identified by one of those mysterious URLs that end with .onion instead of a regular top-level domain name, your traffic never leaves Tor once it’s entered the Tor network via the Tor1 node.

Loosely speaking, in a true darkweb connection, the final server connection is handled as a fourth hop in the Tor chain, which rather neatly adds anonymity at both ends.

A “four-hop” Tor-only connection means not only that the server doesn’t know your IP number, and therefore couldn’t reveal it even if it wanted to, but also means that you never know the server’s IP number.

In other words, even if you get put under surveillance yourself, or busted, your browsing activity and your logs won’t, and can’t, give away the likely physical locations of any darkweb services you’ve been using.

So, ISPs who don’t care what sort of customers they serve, and who don’t tell the truth when presented with search warrants or other “know your customer” requests, can, in theory, surreptitiously operate services known in the jargon as bullet-proof hosts, even though they may themselves be in a country with strict know-your-customer rules and powerful lawful interception provisions.

Thanks to the multi-hop “onion encryption” of an anonymising service such as Tor, clients and servers can make contact without giving away where on the internet the other end can be found, which makes servers of this sort much harder to locate, and therefore much harder to take down.
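The layered “onion” described in the three-hop diagram above, and the longer Tor-only chain from the “Hiding the server” section, as an added toy model (this is illustrative code written for this page, not the Tor Project’s protocol or software). The relay names `tor1` to `tor4`, the `server.example` and `.onion` destinations, and the keys are all constructed here. Each relay’s public key is stood in for by a per-relay secret key, and each layer is sealed with a SHA-256 counter-mode keystream plus an HMAC tag. The model works for any number of hops, so the same code shows both the three-hop exit circuit and a four-hop darkweb connection. What it demonstrates is the property the article relies on: a relay can peel only its own layer, so it learns the previous hop and the next hop and nothing else.

```python
"""Toy model of layered (onion) routing: each relay peels exactly one layer.

Added illustration, not Tor's real protocol. Per-relay symmetric keys stand
in for the relays' public keys, and the layer cipher is SHA-256 in counter
mode with an HMAC tag (encrypt-then-MAC). Names and keys are constructed.
"""
import hashlib
import hmac
import json
import os

# Constructed relay keys: in real Tor these would be the relays' public keys.
CIRCUIT_KEYS = {name: os.urandom(32) for name in ("tor1", "tor2", "tor3", "tor4")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; enough for a toy but not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Wrap one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; raises ValueError if this key is not the layer's key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path: list, keys: dict, destination: str) -> bytes:
    """Wrap the destination in one layer per relay, innermost (last hop) first.

    Layer for relay N holds only the next hop and the still-sealed inner blob.
    """
    inner = None
    next_hop = destination
    for relay in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": inner}).encode()
        inner = seal(keys[relay], layer).hex()
        next_hop = relay
    return bytes.fromhex(inner)


def peel(key: bytes, blob: bytes):
    """What a relay does: open its own layer, learn the next hop, forward the rest."""
    layer = json.loads(open_layer(key, blob))
    inner = bytes.fromhex(layer["inner"]) if layer["inner"] is not None else None
    return layer["next"], inner


def relay_circuit(path: list, keys: dict, destination: str, client: str = "client") -> dict:
    """Walk the onion hop by hop and record what each relay could observe."""
    onion = build_onion(path, keys, destination)
    views = {}
    previous, current = client, path[0]
    while onion is not None:
        next_hop, onion = peel(keys[current], onion)
        views[current] = {"from": previous, "to": next_hop}
        previous, current = current, next_hop
    return views


def first_relay_can_peek_deeper(path: list, keys: dict, destination: str) -> bool:
    """Can the entry relay open the layer meant for the second relay? (Should be no.)"""
    _, inner = peel(keys[path[0]], build_onion(path, keys, destination))
    try:
        open_layer(keys[path[0]], inner)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for hop, seen in relay_circuit(["tor1", "tor2", "tor3"], CIRCUIT_KEYS, "server.example").items():
        print(f"{hop}: sees traffic from {seen['from']} to {seen['to']}")
    print("entry relay can read deeper layers:",
          first_relay_can_peek_deeper(["tor1", "tor2", "tor3"], CIRCUIT_KEYS, "server.example"))
```

Running the script prints one line per relay; only `tor3` ever sees `server.example`, and `tor1` sees nothing beyond `tor2`. Passing a four-element path with a `.onion` destination models the darkweb case, where the last hop is itself inside the network and the client never learns the service’s real address.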

Tracked and traced nevertheless

In this case, Tor wasn’t enough to prevent the location of the alleged Hydra servers being tracked down and “repurposed” by law enforcement, as happened when the BKA replaced the Hydra home page with the site seizure message shown above.

As an aside, we noticed that the handcuffs in the image very unusually have three identical wrist-cuffs, which seems redundant, given that almost all humans have at most two arms, and dangerous, given that, if those restraints were applied to a two-armed suspect, the loose cuff could be swung around by the person being arrested as an improvised weapon.

We therefore can’t help wondering whether those triple-cuffs are a visual metaphor that references the three-node basis of Tor connections.

Perhaps the three interconnected cuffs are there to remind us that, with good intelligence and technical determination, even three apparently unconnected and anonymous Tor relays can be linked together evidentially and bust the anonymity of the system?

(Note that Tor doesn’t claim to guarantee your anonymity or to be able to immunise your connection from takedown no matter what, so if you have a legitimate reason to use Tor, be sure to read the project’s guidelines before you start, and to remember Tor’s own advice that “[g]enerally, it is impossible to have perfect anonymity, even with Tor.”)

What next?

Following the German takedown, during which about $25,000,000 in cryptocurrency was seized, both the US Department of Justice (DOJ) and the Department of the Treasury’s Office of Foreign Assets Control (OFAC) put out press releases about the US follow-up to the intervention.

As the OFAC notes:

In addition to sanctioning Hydra, OFAC is identifying over 100 virtual currency addresses associated with the entity’s operations that have been used to conduct illicit transactions. Treasury is committed to sharing additional illicit virtual currency addresses as they become available.

The DOJ added:

In conjunction with the shutdown of Hydra, announced criminal charges against Dmitry Olegovich Pavlov, 30, a resident of Russia, for conspiracy to distribute narcotics and conspiracy to commit money laundering, in connection with his operation and administration of the servers used to run Hydra.

Russia, like many other countries, doesn’t extradite its own citizens, even in peacetime, so whether those criminal charges will have any effect is anyone’s guess.

Nevertheless, as the three-armed handcuff metaphor reminds us, as the Tor Project itself carefully and explicitly states, and as this multinational takedown operation shows, it’s impossible to have perfect anonymity on the internet.


Google’s monthly Android updates patch numerous “get root” holes

The good news in this month’s Android patches is that even though Google’s own updates close off numerous elevation of privilege (EoP) holes, there aren’t any remote code execution bugs on the list.

The bad news, of course, is that EoP bugs that directly lead to root access, without any tell-tale signs, make it easy for unscrupulous apps to suck up more data, and snoop on more aspects of your online life, than you might ever expect.

With escalate-to-root exploit code hidden inside, even an otherwise perfectly useful but apparently basic app – offering functionality such as a flashlight or a simple compass, for example, or any of thousands of other innocent-looking “cover stories” – could end up being a front for spyware or a data logging tool.

Unfortunately, even Google’s much-vaunted Play Store can’t always keep you malware-free on its own, with untrustworthy apps regularly sneaking through the automated vetting process that’s supposed to detect software that egregiously oversteps the mark when it comes to privacy, security or both.

Nevertheless, if you go off-market, things can get much more dangerous, not least because there are many unofficial Android app stores out there where pretty much anything goes, including some app repositories that deliberately pitch themselves as a handy place to get at software that Google “doesn’t want you to have”.

Who would do that?

As an aside, you might think that no one would deliberately seek out apps that clearly wouldn’t be permitted on Google Play, or that have already been rejected by Google.

But cybercriminals can even turn “this app’s not in the Play Store” to their advantage, as SophosLabs has reported in the case of the CryptoRom scammers.

These criminals get to know their victims online, often starting on dating sites.

The crooks don’t intend to begin bogus romances, but simply to make “friends” with whom they soon start to talk about cryptocoin investments…

…building up to persuading their victims to install an entirely fraudulent cryptocurrency investment app.

These apps are almost always off-market, but the crooks portray this as a strength, not a weakness, with the apps pitched as “exclusive” precisely because they aren’t available for just anybody to download.

(There’s a parallel scam for iPhone users to trick them into installing fake “business apps” or “beta test” apps, which aren’t strictly vetted by Apple.)

The risks of root

Usually, Android apps are locked down so that each app runs as if it were an entirely separate user on the device, in the same way that you might have multiple logins on your laptop to share it with your family.

This explicitly limits the files and services that each app can access, so that a buggy or ill-behaved app can’t easily access the data belonging to other apps, in the same way that you can’t read other user’s home directories on a shared laptop, and so that apps don’t have access to any of the operating system’s own files and data.

With every app running in its own sandbox of access permissions, one compromised app can’t simply wander around all your files at will, snooping on whatever it wants, which limits your risk.

Additionally, and unlike your Windows, Mac or Linux laptop, Google Android reserves access to the root, or administrator, account for itself.

On your laptop, you can rootle around in other users’ files if you have Administrator privileges, but on Android, you can’t do that because, by default, you simply can’t get those privileges, even if you want to.

Some Android devices, notably Google’s own Pixel phones, allow you to unlock your device to install any operating system or software you like, such as a non-Google Android version where users are allowed to request and receive root access, just as they can on a regular laptop. But you need physical access to the device to set it into “rootable” mode, and every time you turn this setting on or off, the data already on the device gets wiped. This stops you “rooting” an existing Google Android phone and recovering protected data that was on there before, and it stops you preparing a pre-rooted substrate on which to layer an apparently locked-down version of Android later.

What’s been fixed?

Google’s updates are enumerated in its April 2022 Security Bulletin, which lists numerous EoP flaws in the Android application framework (the underlying system programming libraries that other apps rely on), and some in the system itself.

This month, Google is offering phone vendors two different update levels, dubbed 2022-04-01, which apparently fixes the most pressing bugs, and 2022-04-05, which includes fixes for additional security holes.

As the company notes, “[this month’s] bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly,” which seems to suggest that Google would rather have many or most vendors fixing at least some bugs than having only some vendors patching all bugs.

Nevertheless, Google does make it clear that a full patch is greatly preferred: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.”

The 2022-04-01 patch level fixes eight EoP bugs in total, seven in the Android programming libraries, and one in the system itself.

The company notes that these bugs “could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”

The more rigorous 2022-04-05 patch level adds protection against a further four EoP bugs, including a system-level vulnerability with a warning that, if unpatched, the hole “could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.”

What to do?

Users of Google’s own Pixel phones can update right now, without waiting for their turn in the automated update delivery queue, by going to Settings > Security > Security Update.

(We just updated our Pixel 4a; the update itself was listed as a miserly 11.4MB download, but the installation process took nearly an hour once the almost-instantaneous download had completed, so don’t lose faith if you update and it takes worryingly longer than you were expecting!)

Owners of other phones may not receive the update immediately; when you do, your security update level after the update (and its compulsory reboot) should show up as 1 April 2022 or as 5 April 2022, depending on which patch level your vendor selected.

You can check your Android version by going to the Settings > Android version page.

While you’re about it, check that your apps are up-to-date by opening the Play Store app, tapping on your account icon (the small circle) at the top right corner of the screen, and accessing the Manage apps and device screen.

By the way, despite the imperfections in Google Play, we strongly recommend that you stick to it if you can.

Even though Google doesn’t always keep malware out, the Play Store does have a vetting process that all apps have to go through, as well as a mechanism for keeping installed apps up-to-date reliably…

…which is a lot better than an unknown “alternative” app store open to anyone to submit any app they like, including apps that have already been rejected by Google itself.


Firefox 99 is out – no major bugs, but update anyway!

The once-every-four-weeks security update to Mozilla’s Firefox browser officially arrived today.

The regular version of Firefox is now 99.0, while the Extended Support Release, which gets security fixes without any feature updates, is now 91.8.0 ESR.

Add together the first two numbers in the ESR release triplet and you should get the same value as the first number in the regular release.

(Thus, 91.8 ESR has the feature set of Firefox 91.0, plus the same 8 sets of four-weekly security patches that came out in the intervening full releases, thus aligning it security-wise with version (91+8).0, i.e. 99.0.)

Fortunately, as in the April 2022 Google Android update we just wrote about that happened to arrive on the same day, there were no critical security fixes and no zero-day holes patched.

In particular, although Mozilla admits that some of the memory management bugs that were fixed in Firefox 99.0 might be exploitable “with enough effort”, no working exploits are yet known.

And with no known exploits at all, clearly there are no known exploits that were already being used by the Bad Guys, or zero-days as they’re called in the jargon.

What to do?

Despite the apparently low risk this month, all security holes bring with them some danger, or they wouldn’t be given CVE bug numbers and listed in security advisories, so we recommend updating as soon as you can.

Click the Menu button (three lines) at the top right of your Firefox window, then click Help, and select About Firefox.

If you’re already up-to-date then the dialog will tell you, otherwise it will fetch the latest version.

If an update is needed, don’t forget to click [Restart to update Firefox] to activate the new version. (Alternatively, simply quit Firefox and launch the app again.)

The full list of fixes for this release can be found in Mozilla’s Security Advisory 2022-13.

Two of the bugs that we found interesting are:

  • CVE-2022-28283: Missing security checks for fetching sourceMapURL. The SourceMap tool in Firefox isn’t intended for everyday use – it’s a feature that’s useful for developers wanting to dig into the JavaScript source code of a web page to see why it’s misbehaving. Many JavaScript programs sent over the internet are deliberately sent in non-human-readable form, sometimes as a way of making them harder to figure out, but often simply as a way of squashing them up to save download space and time. SourceMap tries to reverse this obfuscation in order to make bugs and rendering problems easier to spot. In this case, obfuscated JavaScript in a web page could have been booby-trapped so that a developer trying to debug it might inadvertently load privileged content such as the contents of local files. Ironically, this might mean that someone helping out by investigating an innocent-looking problem triggered by someone else’s website (or injected ad page) could end up allowing scripts from that “broken” website to take a peek at local, private data.
  • CVE-2022-28286: IFRAME contents could be rendered outside the border. This one was rated “low”, so we assume it’s unlikely to cause much harm even if someone figures out how to exploit it on unpatched computers. Nevertheless, it’s an important reminder that context is important. IFRAMEs, as the name suggests, are inline frames that create what is essentially a page-within-a-page. Obviously, the content of the inner page mustn’t be allowed to appear outside the IFRAME’s own window, or it might obscure important information in the enclosing page, such as a bold warning that THE FINANCIAL DATA BELOW IS UNAUDITED AND SHOULD NOT BE RELIED UPON, or a statutory notification that THE WINDOW BELOW IS A PAID AD. So-called “spoofing attacks” can be surprisingly useful to cybercrooks, as it makes it easier for them to pass off fake content as the real thing, or to hide warnings that would otherwise tip you off that you were about to get scammed.

Note. If you’re running a version of Firefox that is managed and updated as part of your Unix or Linux operating system distro, don’t forget to check with your distro for the latest version, not with Mozilla’s own servers.


LAPSUS$ hacks continue despite two hacker suspects in court

The infamous LAPSUS$ gang, whose curious brand of cyberextortion has been linked with intrusions at Microsoft, Samsung, Okta, Nvidia and others, still seems to be on the boil.

According to Microsoft’s own analysis of the gang’s intrusion at Microsoft itself, these hackers use a range of social engineering techniques that go beyond the usual methods of sweet-talking, cajoling or tricking an innocent victim into giving them a foothold inside the network.

LAPSUS$, tagged with the more serial-number-like code DEV-0537 by Microsoft, are also alleged to use outright bribery, offering to pay insiders to provide them with remote access.

Those insiders, of course, don’t have to be direct employees of the intended victim.

In today’s hugely outsourced IT world, breaking into the computer of a contractor or service provider who themselves has access to the target is enough.

In DEV-0537’s break-in at two-factor authentication provider Okta, for instance, the intrusion was apparently orchestrated via a third-party company contracted to do technical support for Okta.

As Okta rather curiously insisted after the attack became public, staff at the support company that got hacked were “unable to access users’ passwords”, although this was rather cold comfort considering that the same staff were “able to facilitate the resetting of passwords and multi-factor authentication factors for users.”

Microsoft’s report on the activities of LAPSUS$ revealed a level of arrogance that would be amusing if the stakes were not so high: the company says it was able to stop one of the gang’s data heists half way through because LAPSUS$ members openly bragged on Telegram before they’d even finished the job.

Seven UK arrests

Just over a week ago, City of London police in the UK noted the arrest of several hacking suspects, giving little more away than that seven people aged from 16 to 21 years old had recently been arrested and released under investigation.

Although none of them were named or charged, and although the police didn’t reveal when these arrests had actually happened or what sort of hacking allegations were involved, media stories quickly associated the arrests with LAPSUS$, to the point that you will find a myriad of media headlines talking apparently unequivocally about a “LAPSUS$ bust”.

In the meanwhile, however, LAPSUS$-related cybercrime activities continued with the leak of some 70GBytes of data allegedly purloined from software development company Globant.

Globant itself posted an official warning with the US Securities and Exchange Commission (SEC) stating that “we have recently detected that a limited section of our company’s code repository has been subject to unauthorized access.”

The mystery deepens

The mystery of who, what and where the LAPSUS$ kingpins are located deepened yet further last Friday, when City of London Police noted that two suspects, aged 16 and 17 – presumably two of the seven whose arrest-and-release had been reported earlier – were due in court that morning [2022-04-01]:

Because of the young age of the suspects, neither the public court lists (showing whose hearings are at what times) nor the court hearings themselves (which would usually state their names) ought to give any clues to who they are.

Indeed, as the police press release itself reminds everyone, “automatic reporting restrictions currently apply prohibiting the identification of the name, address, school or any matter likely to identify the individuals.”

All we know is that the City of London Police officially reported the criminal charges the youngsters faced, which came out in legal verbiage as follows.

Both defendants faced:

  • Three counts of unauthorised access to a computer with intent to impair the reliability of data.
  • One count of fraud by false representation.
  • One count of unauthorised access to a computer with intent to hinder access to data.

The younger defendant also faced:

  • One count of causing a computer to perform a function to secure unauthorised access to a program.

What to do?

In a follow-up report, the BBC insists that the suspects were “charged with hacking for a major cyber-crime gang”, explicitly stating in its headline that this gang was, indeed, LAPSUS$.

But few reliable details of who did what to whom under which gang’s “brand” are likely to emerge until the pair return for trial in due course.

In the meantime, whether this really is a LAPSUS$ bust or not is a bit of a red herring.

The key thing to remember is that the LAPSUS$ attacks, along with many others, rely at least in part on ongoing attempts to trick, cajole or bribe insiders into granting remote access.

So, if you don’t already have a fast and simple way for your staff to report security anomalies to your designated in-house security experts (for example, via a standard email account such as security911@yourcompany.example) then create one now.

Crooks like LAPSUS$ don’t just give up if their first attempt to break in fails, so the sooner someone in your company feels empowered to say something, the sooner everyone can be warned and protected.

If no one feels they can say anything, then the crooks get a free pass to try to sneak in over and over again.

Two questions to ask yourself

If you received a dangerous-looking link to click, an unexpected attachment to open, a password request where you didn’t expect it, or a dubious-sounding offer to bribe you to do something insecure, would you know right away where in your company to report it?

And if you’re one of the people who receives reports of that sort, do you treat them promptly and properly even if they turn out to be false alarms, so that your users feel inspired to keep on helping you?

Treat your staff and their cybersecurity concerns with respect and you can turn everyone into the eyes and ears of your security team.

If you don’t have the time or skills in-house, look into a Managed Threat Response (MTR) service that can handle the cybersecurity details you can’t keep up with.


If you don’t have the experience or the time to maintain ongoing threat response by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all the other daily demands that IT dumps on your plate.


