Category Archives: Encryption

How to Protect Against the Four Largest Cybersecurity Threats to … – tripwire.com

Digital technology is becoming an increasingly essential part of nearly every industry, and supply chains are no exception. In recent years, supply chains have become more dependent on digital solutions, from manufacturing, packing, and shipping processes, to storing records in the cloud.

While digital technology increases speed, efficiency, and interconnectivity across industries, this increased complexity can also lead to higher gaps in cybersecurity. As more digital data is transferred through a company, the potential for cybersecurity weaknesses increases.

Supply chains are not immune to this increase in cybersecurity threats. Malicious actors can gain access to valuable and highly sensitive information. For every link in the supply chain, it is vital to be able to protect yourself against cybersecurity threats.

Cyberattacks come in various forms and can occur due to unexpected internal weaknesses in a company. Employees who fall for a convincing impersonation may be tricked into sharing access codes and login information with an attacker. Routine cyberattacks can bypass cybersecurity controls via compromised devices, weak passwords, and limited security measures surrounding sensitive data.

Data theft is only one type of cyber threat. To gain a deeper understanding of how your supply chain may be at risk of cyberattacks, let's look at four specific types of attacks on supply chains that you should be aware of.

As more supply chain networks incorporate digital solutions and undergo dramatic digital transformation, more digital vulnerabilities appear. These digital risks can be caused by flaws in the software, configuration errors that made it through security checkpoints, or human error.

Digital risks can quickly evolve to become potent supply chain dangers such as malware and ransomware attacks, breaches in data security, and regulatory compliance violations. These attacks can lead to further consequences, including disrupted supply chain processes, theft of intellectual property, and exposed data.

While you may trust the third-party vendors you work with, their cybersecurity measures must align with yours, or it may present a risk to your company, especially regarding data security.

Data is located throughout the various stages of each supply chain, making this a potential goldmine for cybercriminals.

This type of cyberattack, known as vendor or supplier fraud, occurs when a bad actor impersonates a well-known retailer, someone you will be familiar with. The cybercriminal then requests you to change the usual payment process, introducing a new bank account or other details.

Third-party vendors can also become risk components in this type of attack. New advancements in digital technology, including phishing attacks utilizing ChatGPT, deep fake video clips, and digitally created audio recordings, can make for convincing attempts at fraud that are difficult to disprove.

The best way to preempt a cyberattack is to reduce the risks before the attack occurs. Implement a robust security strategy that will make it difficult for even the most determined hacker to gain access to your supply chain networks and data. Let's look at a few key elements to help prevent bad actors from enacting successful cyberattacks.

In the event of a successful cyber breach, the last thing you will want is widespread panic and uncertainty about how to proceed. Instead, you should have a clear plan carefully set out well in advance of any unfortunate incident.

Each employee should understand their role in carrying out this security response plan, including actions to mitigate the potential damage, who they should contact, and who they report to in the chain of command. In addition, security analysts and IT teams should test whether or not the security system response plan you have in place is effective.

If data is not encrypted at every stage of its lifecycle, attackers may be able to access sensitive information throughout your supply chain. All data stored within your supply chain networks and servers should be encrypted. That way, even if a bad actor can successfully compromise your system, they will not be able to decrypt information stored there. This is especially true of third-party integrated software and applications, as they offer more potential entry points for cyberattacks. As you review your supply chain's data encryption, you should follow industry-recognized encryption methods, such as those offered by authoritative sources.

Just as your employees are limited in their ability to access information that is not relevant to their job function, give your third-party vendors the least amount of access to perform the task at hand.

Take the time to perform an initial security analysis and risk assessment of your third-party exposure. This can help to reveal the potential weak spots.

Taking the proactive measure to determine where your supply chain security risks lie will allow you to modify procedures and patch security gaps before cybercriminals exploit them.

Uninformed employees present a serious weak spot in any organization's cybersecurity strategy. Ensure that every employee is aware of the potential risks that cyberattacks present. Include adequate information about phishing strategies, regular cybersecurity maintenance (such as frequent computer, app, and software updates on all devices), and good password hygiene.

Educating employees on what to watch out for and where to report potential threats and suspicious activity reduces the likelihood of success for certain types of cyberattacks, such as phishing and identity theft.

By putting ample cybersecurity measures in place, you can protect your supply chain from breaches before they occur. Encrypt your data, and prepare a robust security response plan in the event that something does go wrong. Be aware of prevalent cyberattack tactics such as digital risks, third-party vendor risks, supplier fraud, and data integrity. A better understanding of the risks allows you to understand the importance of being prepared to face cybercriminals well in advance.

Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He's also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.


Guess what happened to this US agency using outdated software? – The Register

Infosec in brief Remember earlier this year, when we found out that a bunch of baddies, including at least one nation-state group, broke into a US federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution?

It turns out that this same gang of government-backed hackers used a different and even older Telerik flaw to break into another US federal agency's Microsoft IIS web server, access the Document Manager component, upload webshells and other files, and establish persistence on the government network.

The US Cybersecurity and Infrastructure Security Agency and FBI warned about the first intrusion into a federal civilian executive branch agency's Microsoft IIS web server back in March, and said the snafu happened between November 2022 and early January.

"Multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency's Microsoft Internet Information Services (IIS) web server," the joint advisory revealed.

But wait, there's more. On Thursday, the feds updated the March alert and said a forensic analysis of a different federal civilian executive branch agency "identified exploitation of CVE-2017-9248 in the agency's IIS server by unattributed APT actors specifically within the Telerik UI for ASP.NET AJAX DialogHandler component."

This separate break-in, exploiting an almost six-year-old vulnerability, occurred in April. The agency was running an outdated version of the software, and a proof-of-concept exploit has been publicly available since January 2018, according to the feds.

"It should be noted that Telerik UI for ASP.NET AJAX versions prior to 2017.2.621 are considered cryptographically weak; this weakness is in the RadAsyncUpload function that uses encryption to secure uploaded files," CISA added.

On April 14, the nation-state criminals used a brute force attack against the encryption key and gained unauthorized access to the Document Manager component within Telerik UI for ASP.NET AJAX.

After breaking in, they uploaded malicious scripts, downloaded and deleted sensitive files, made unauthorized modifications, and uploaded webshells to backdoor and remotely access the server.

"CISA and authoring organizations were unable to identify privilege escalation, lateral movement, or data exfiltration," according to the alert. "However, the presence of webshells and file uploads indicated APT actors maintained access and had the potential to conduct additional malicious activity."

And it also underscores the importance of patching.

Speaking of patching, there's a ton of critical fixes to implement now if you haven't already across Microsoft, VMware, Fortinet, Adobe, and SAP software, and all of those are detailed in The Register's June Patch Tuesday coverage.

Plus, the ongoing MOVEit fiasco continues with a third vulnerability and a third fix.

And in other vulnerability news:

Google pushed a Chrome update that includes five security fixes. This includes one critical vulnerability, CVE-2023-3214, in the autofill payments function that could allow for arbitrary code execution.

Also, CISA identified six critical ICS vulnerabilities OT teams should be aware of:

Criminals posing as legit security researchers on GitHub and Twitter are pushing malicious repositories claiming to be proof-of-concept exploits for zero-day vulnerabilities.

Spoiler alert: these aren't real PoCs but rather malware that infects Windows and Linux machines.

Security researchers at VulnCheck spotted the first malicious GitHub repository claiming to be a Signal zero-day in May. They reported the scam to GitHub, and it was taken down. The next day, VulnCheck discovered "an almost" identical repository purporting to be a WhatsApp zero-day.

This continued throughout May, with the researchers finding the fake repos, and GitHub removing them.

Apparently, the takedowns also forced the miscreants to put more effort into spreading malware. "The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts," VulnCheck researcher Jacob Baines said in a blog about the scam. "The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security."

The accounts include profile pictures (at least one used a real headshot belonging to a Rapid7 employee) and had followers, Twitter handles, and (dead) links to the (fake) security company's website.

The accounts attempt to trick real security researchers into downloading malicious binaries by tagging an exploit for a popular product like Chrome, Exchange, Discord, Signal or WhatsApp.

And while the Windows binary has a high detection rate on VirusTotal (43/71), VulnCheck notes that the Linux binary is stealthier (3/62), but "contains some very obvious strings indicating its nature."

VulnCheck includes a list of seven phoney GitHub accounts, seven GitHub repositories, and four Twitter accounts, and cautions that if you've interacted with any of them, you may have been compromised.

Ransomware is the most widespread malware-as-a-service (MaaS), accounting for 58 percent of all malware families between 2015 and 2022.

This is according to Kaspersky researchers, who based their latest report on 97 malware families circulating on the dark web.

Coming in second, infostealers made up 24 percent. The remaining 18 percent were split between botnets, loaders, and backdoors.

"Despite the fact that most of the malware families detected were ransomware, the most frequently mentioned families in dark web communities were infostealers," the report indicates. "Ransomware ranks second in terms of activity on the dark web, showing an increase since 2021."

Meanwhile, botnet, backdoor and loader mentions are on the decline.


Spain Advocated for An All-Out Ban on End-to-End Encryption – WebProNews

As the EU grapples with a proposal to enforce message scanning, leaked information reveals Spain has advocated for a total ban on end-to-end encryption (E2EE).

The EU has proposed a bill that would force companies to scan the content on their platforms for illegal material, especially child sexual abuse material (CSAM). The bill would force companies to use on-device scanning, similar to what Apple considered voluntarily implementing before criticism forced it to backtrack. The EU's bill is so controversial that the bloc's lawyers have already warned it is likely illegal and would be overturned in court, and Germany has vehemently opposed the bill.

Despite the controversy, it appears Spain wants even more aggressive action taken. According to Wired, a leaked document details the position of some 20 EU member states, with Spain taking the most aggressive anti-encryption stance.

"Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document.

"It is shocking to me to see Spain state outright that there should be legislation prohibiting EU-based service providers from implementing end-to-end encryption," Riana Pfefferkorn, a research scholar at Stanford University's Internet Observatory in California, told Wired after reviewing the document. "This document has many of the hallmarks of the eternal debate over encryption."

"Breaking end-to-end encryption for everyone would not only be disproportionate, it would be ineffective of achieving the goal to protect children," Iverna McGowan, the secretary general of the European branch of the Centre for Democracy and Technology, told Wired.

McGowan's statement echoes those of Germany's critics of the bill.

"Child protection is not served if the regulation later fails before the European Court of Justice," said Felix Reda from the Society for Freedom Rights. "The damage to the privacy of all people would be immense," he added. "The tamper-free surveillance violates the essence of the right to privacy and cannot therefore be justified by any fundamental rights assessment."

According to Wired, 15 of the 20 nations were in favor of scanning E2EE messages for CSAM. Germany has continued to object to the bill as it is currently worded, saying it must be changed to guarantee encryption will not be weakened or circumvented. Estonia remains opposed, and Finland has warned the bill could be at odds with the country's constitution.

"The responses from countries such as Finland, Estonia, and Germany demonstrate a more comprehensive understanding of the stakes in the CSA regulation discussions," Stanford's Pfefferkorn says. "The regulation will not only affect criminal investigations for a specific set of offenses; it affects governments' own data security, national security, and the privacy and data protection rights of their citizens, as well as innovation and economic development."


Proton’s new Family plan is tempting me to spend even more on encryption – BGR

I recently told you I was tempted to switch my password manager from 1Password to Proton Pass, a newly announced service from the Swiss software company Proton. Now, Proton has given me another reason to consider the switch. Enter the Proton Family Plan, which offers a suite of end-to-end encrypted apps: Mail, Calendar, Drive, VPN, and Pass. It all starts at $19.99 per month if you get the two-year plan, and that's a tremendous value for up to six family members.

You might be familiar with Proton for their end-to-end encrypted Mail app. But the company has launched several useful services over the years, with Proton Pass being the most recent.

Proton Mail, Calendar, Drive, VPN, and Pass are all end-to-end encrypted, which will ensure and protect your privacy. Moreover, since Proton is based in Switzerland, your data is safeguarded by local privacy laws.

The Proton Family Plan will extend that privacy protection to your family members, who might not be as tech-savvy as you. Still, access to end-to-end encrypted apps might help them better understand and appreciate strong privacy and security features.

The family plan is available right now, starting at $19.99 per month if you're willing to pay for two years' worth of access up front. Here's what the plan has to offer:

This is already amazing value right here, especially if you and your family have no problem starting from scratch. That is, ditch competing services to rely more on Proton's suite of apps.

At $20/month, it's a service worth considering even if you don't plan on sharing it with others. The plan costs $23.99 per month if you pay for 12 months of access upfront or $29.99 monthly for month-to-month access.

But you can get a free account to test drive Proton services if you've never used Proton Mail before you ink a family deal.

If your attachment to Gmail is the main reason you'd avoid Proton, you should know that Proton Mail supports Gmail forwarding. You won't have to ditch Gmail to get on the Proton Family Plan.

The only thing we dont know is when Proton Pass will be available, the password manager that Proton announced recently. Like I said before, the upcoming password manager is a highlight, and the inclusion in the new Proton Family Plan is terrific news.

And yes, the fact that Proton will include future premium apps in the plan is another exciting promise.


European Commission: "the content is the crime," so let’s break … – Statewatch

24 May 2023

The EU's proposed Child Sexual Abuse Material (CSAM) Regulation is perfectly legal, the European Commission has argued, in response to the Council Legal Service's arguments that the "detection orders" set out in the proposal would be illegal.

Image: zaphad1, CC BY 2.0

The Commission argues that "the content is the crime", and so access to the content of encrypted communications is necessary.

The CSAM proposal foresees a regime of "detection orders" that could be issued against providers of "interpersonal communication services" - for example, messaging services such as Signal and Whatsapp.

In a widely-reported leaked opinion (pdf), the Council Legal Service (CLS) argues that the regime of detection orders set out in the proposal is "not being sufficiently clear, precise and complete."

Furthermore, it would either "[compromise] the essence of the above-mentioned fundamental rights in so far as it would permit generalised access to the content of interpersonal communications," or fail to meet the proportionality requirement due to:

In a note (pdf) circulated in the Council on 16 May, the Commission sets out why it thinks otherwise:

"The Commission services are of the view that there are numerous elements that, especially when considered in their totality, likely justify the conclusion that the proposed system of detection orders is proportionate."

The Commission seeks to use the same case law as the CLS to argue that the CSAM proposal would in fact be entirely legal.

The CLS opinion also notes that:

"...the providers would have to consider (i) abandoning effective end-to-end encryption or (ii) introducing some form of 'back-door' to access encrypted content or (iii) accessing the content on the device of the user before it is encrypted (so-called 'client-side scanning')."

As has been pointed out multiple times, this would fatally undermine the way the internet works, putting the privacy and security of all users at risk - but this point does not appear to be a deterrent to the Commission.

On the issue of undermining encryption - and thus the privacy and security of communication via the internet more generally - the Commission's paper remains silent.

Documentation

The minutes of the recent EU-US Senior Officials Meeting on Justice and Home Affairs, held in Stockholm on 16 and 17 March, demonstrate cooperation on a vast range of topics - including a "proof of concept" of the "Enhanced Border Security Partnership" involving the transatlantic sharing of biometric data, the need to "reinforce law enforcement's legitimacy to investigate" in debates around breaking telecoms encryption, and US "concerns on radicalisation among police forces."

Negotiations are proceeding on the EU's proposed Regulation laying down rules to prevent and combat child sexual abuse, which will oblige communications service providers to undermine encryption and use unproven automated detection technologies in the hope of detecting online child abuse imagery. In mid-October, the Czech Presidency of the Council circulated compromise proposals on Chapter III, dealing with supervision, enforcement and cooperation. Two weeks later, proposals on Chapter I (general provisions) followed. They are published here.

At a recent event hosted by Europol's Innovation Hub, participants discussed questions relating to encrypted data and the ability of law enforcement authorities to access digital information. One issue raised was a possible "EU Vulnerability Management Policy for Internal Security," which could allow for "temporary retention of vulnerabilities and their exploitation by the relevant authorities." In effect, this would mean identifying weaknesses in software and, rather than informing the software developers of the problem, exploiting it for law enforcement purposes.


Broad coalition of advocacy groups urges Slack to protect users’ messages from eavesdropping – CyberScoop

A broad coalition of technology, civil liberties, reproductive justice and privacy advocacy groups are urging the global workplace collaboration platform Slack to offer end-to-end encryption so that its users' messages can't be read by government officials or eavesdropping bosses.

"Right now, Slack is falling short in terms of the most basic guardrails for platform safety and privacy," a group of 93 organizations wrote in the letter. "At this political moment, this can mean life or death for some people online. We call on Slack to go beyond statements and put into action its commitment to human rights by implementing basic safety and privacy design features immediately."

Concerns about the security of private messages have come into greater focus in recent years due to a number of factors, including the rise of government use of spyware on activists and dissidents as well as the increased risks posed to reproductive rights after the U.S. Supreme Court overturned the right to abortion last summer. While there are no reported instances of Slack messages being weaponized in these cases, the trove of communications the platform collects from clients ranging from government agencies to activists has made users' communications a target of both lawsuits and hackers.

The letter from groups such as the Mozilla Foundation and the Tor Project is the latest step in a campaign led by the digital rights advocacy group Fight for the Future that urges messaging companies to adopt encryption. Fight for the Future launched its campaign last year in response to the Supreme Court's Dobbs decision that ended the constitutional right to abortion, a ruling that led to concerns that abortion seekers' unsecured communications could be used against them in criminal prosecutions.

In the aftermath of Dobbs, companies such as Meta doubled down on existing encryption efforts. However, Fight for the Future campaign director Caitlin Seeley George said that Slack, which was named alongside other companies such as Meta, Twitter and Google in the Make DMs Safe campaign, hasn't been responsive to the group's requests.

The concerns raised by the Fight for the Future campaign aren't abstract. In the past year, there have been several high-profile cases in which law enforcement used private messages turned over by tech companies to investigate illegal abortion.

"We're moving to a point where the expectation that communication platforms have end-to-end encryption is becoming the new norm," said Seeley George. "I think people broadly are a lot more aware and cautious about how they're communicating with people in part because, unfortunately, we've seen cases pop up already where the consequences of not having secure messaging have become really clear."

Slack has more than 10 million daily users around the globe and is used by a range of entities including government agencies, political campaigns and Fortune 500 companies. The platform does encrypt data in transit. However, user messages are not protected using end-to-end encryption, meaning that workspace administrators or Slack are free to snoop on conversations. Without end-to-end encryption, that data could also be accessed by law enforcement that requests it.

Slack said in a blog post that its policy is to "carefully review all requests for legal sufficiency and with an eye toward user privacy." According to its last available transparency report, Slack received 31 law enforcement requests between January 1 to December 31, 2021. Five of those requests involved content data.

Ranking Digital Rights, one of the groups that signed the letter, observed that Slack was in the minority when it came to the practices of most global messaging services and instead aligns more closely with Chinese messaging platforms.

The letter to Slack comes amid growing pressure on encrypted messaging services from lawmakers in both the U.S. and abroad. WIRED reported Monday that a leaked European Council document found that the majority of EU countries represented in the document supported some form of scanning encrypted messages with Spain taking the more extreme position of advocating for a full ban of the technology.

In addition to end-to-end encryption, the groups behind the letter are urging Slack to adopt anti-harassment tools such as blocking and reporting features. In the past, the company has said that such a feature doesn't make sense for a workplace tool. Critics say that the messaging platform is used by a broad array of groups and that workplace harassment on Slack is a well-documented issue that got even worse during the rise of remote work.

Caroline Sinders, a researcher who has been pushing Slack to introduce a block feature since 2019, says that anti-harassment and encryption features are "the seatbelts of online safety." "We need to shift our thoughts away from thinking of these solely as additional features, but as necessary and required functionality to create and maintain a healthier web," she said in a statement.

Slack responded to a request for comment from CyberScoop by reiterating its user privacy policies.

"Slack is a workplace communication tool and we take the privacy and confidentiality of our customers' data very seriously," a spokesperson wrote in an email. "Our policies, practices, and default settings are aligned with business uses of our product."

Seeley George said that it's important to push companies that have come out as pro-choice to follow through with that commitment when it comes to user security. "We can't and won't let companies like Slack hide behind good PR moments," she said. "We really need to push them to go further and really consider safety more holistically."

Updated May 24, 2023: To include a comment from Slack.


Vaultree unveils Fully Functional Data-In-Use Encryption solution for … – Help Net Security

Vaultree announces a major leap forward in healthcare data protection, bringing its Fully Functional Data-In-Use Encryption solution to the sector.

Coupled with a groundbreaking software development kit and encrypted chat tool, Vaultree's technology revolutionizes the data encryption landscape, providing full-scale protection of sensitive patient data, even in the event of a breach, while preserving operational efficiency and performance.

In today's digital era, no sector is more vulnerable to cybercrime than healthcare. The first half of 2022 alone witnessed 337 breaches, affecting billions of patients worldwide. The repercussions of such breaches not only risk lives but also jeopardize the privacy of the most sensitive patient information, including women's reproductive health data.

Vaultree's solution redefines the security landscape, providing comprehensive data protection with complete search and computational capabilities, ushering in a new era of privacy assurance in healthcare.

"Time is of the essence when lives are at stake. Clinical trials, ePHI, advanced healthcare research, and all critical data must be shielded from a data breach. Bringing our proven Fully Functional Data-In-Use Encryption solution to the healthcare sector is transformative. Stolen or leaked data is rendered useless to cybercriminals, while maintaining optimal performance in data processing," said Ryan Lasmaili, CEO of Vaultree. "This is our commitment to meeting the urgent need for secure, privacy-centric healthcare and setting a safer future for patients and healthcare providers."

With Vaultree, healthcare organizations are now equipped to securely process, search, and compute encrypted data in real time, enabling precise data analysis and AI-driven modeling to enhance patient care and outcomes. Complying with vital privacy and security regulations, such as HIPAA and GDPR, becomes effortless.

"We're not just protecting data, we're empowering healthcare organizations to enhance their service," said Ryan Lasmaili. "From improved data analytics to enriched patient experiences and telemedicine capabilities, privacy does not have to compromise performance."

Vaultree's partnerships highlight its innovative and forward-thinking approach. Joining forces with Google's AlloyDB for PostgreSQL, Vaultree leads the cybersecurity industry into a new era of cloud-based, Fully Functional Data-In-Use Encryption.

In addition, Vaultree's alliance with Qrypt supports the only unbreakable key generation algorithm in the market, allowing Vaultree to offer unmatched data protection across sectors. Vaultree supports enterprises handling large amounts of sensitive data, including those in financial services, insurance, retail, telecom and energy sectors.

Vaultree's unwavering commitment to improving data privacy and security across all sectors is evident. With its healthcare-specific solution, Vaultree is making significant strides in protecting sensitive patient data, fostering enhanced healthcare experiences, and fundamentally reshaping data security standards within the sector.

By enabling better communication, understanding, and care through Vaultree, healthcare providers can offer improved services while maintaining respect for patients' privacy.


Could These Bills Endanger Encrypted Messaging? – IEEE Spectrum

Billions of people around the world use a messaging app equipped with end-to-end encryption, such as WhatsApp, Signal, or Telegram (in Telegram's case only its optional Secret Chats; ordinary Telegram chats are encrypted only between the client and Telegram's servers). In theory, end-to-end encryption means that only the sender and receiver hold the keys needed to decrypt a message: the provider's servers relay ciphertext they cannot read, so not even the app's operator can peek in.

In the eyes of some encryption proponents, this privacy tool now faces its greatest challenge yet: legislation in the name of a safer Internet. The latest example is the United Kingdom's Online Safety Bill, which is expected to become law later this year. Proposed laws in other democratic countries echo the U.K.'s. These laws, according to their opponents, would necessarily undermine the privacy-preserving cornerstone of end-to-end encryption.

On its face, the bill isn't about encryption; it aims to make the Internet less unpleasant. The bill would give the U.K.'s broadcasting and telecoms regulator, Ofcom, additional policing powers over messaging apps, social-media platforms, search engines, and other services. Ofcom could order providers to take down harmful content, such as hateful trolling, revenge porn, and child pornography, and fine those service providers for failing to comply.

The specific segment of the Online Safety Bill that worries encryption advocates is Clause 110, which entitles Ofcom to issue takedown orders for messages "whether communicated publicly or privately by means of the service." To do this, the bill obliges services to monitor messages with "accredited technology" that has received Ofcom's stamp of approval.

Observers believe that there is no way for service providers to comply with Clause 110 takedown orders without compromising encryption. Representatives from Meta (which owns WhatsApp), Signal (which pioneered the Signal encryption protocol that WhatsApp also uses), and five other firms signed an open letter in opposition to the bill.

What does proactive scanning look like in practice? One example could be Microsoft's PhotoDNA, which the company says was designed to crack down on images of child pornography. PhotoDNA assigns each image an irreversible hash built to survive resizing and re-encoding, so a near-duplicate copy still produces a matching value; authorities can compare that hash to a list of known hashes to find copies of an image without actually examining the image itself.

According to Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF), a nonprofit that opposes the bill, services could comply with Clause 110 by mandating that PhotoDNA or similar software run on their users' devices. While this would leave encryption intact, it would also act as what Mullin calls a backdoor, allowing an app's owners or law-enforcement agencies to monitor encrypted messages.

In an app that has end-to-end encryption, such a system might work something like this: software like PhotoDNA, running on a user's device, would compute a hash for each message or each media file the user can see, before encryption on the way out or after decryption on the way in. If the authorities flag a particular hash, the app's owner could scan the sea of reported hashes to pinpoint groups or conversations that hold that hash's corresponding message. Then, whether voluntarily or under legal obligation, the owner might share that information with law enforcement.
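As an added illustration (not code from IEEE Spectrum, from PhotoDNA, or from any messaging app), the following Python sketch shows the two properties the last two paragraphs rely on: a perceptual hash such as PhotoDNA's is irreversible yet stable under small edits, so a re-encoded copy still matches where a cryptographic hash would not; and an on-device matcher that compares such hashes against a flagged list can report which conversation holds a flagged file without touching the transport encryption at all. The difference-hash (dHash) algorithm, the synthetic 9x8 grayscale image, the flagged list and the conversation names are constructed stand-ins; PhotoDNA's real algorithm is proprietary and is not reproduced here.

```python
import hashlib

WIDTH, HEIGHT = 9, 8  # 9 columns give 8 horizontal comparisons per row -> 64-bit hash


def make_image(brighten=0, invert=False):
    """Constructed grayscale test image: a list of rows with values 0..255.

    A smooth gradient with a bright square in the middle stands in for a
    photo. `brighten` shifts every pixel (a re-encode or colour tweak);
    `invert` flips the picture (a visually unrelated image).
    """
    img = []
    for y in range(HEIGHT):
        row = []
        for x in range(WIDTH):
            v = x * 25 + y * 7          # gradient, max 249 so no wraparound
            if 3 <= x <= 5 and 2 <= y <= 4:
                v = 230                 # bright square
            v = 255 - v if invert else v
            row.append(min(255, v + brighten))
        img.append(row)
    return img


def dhash(img):
    """Difference hash: one bit per adjacent pixel pair, 1 if the left pixel is brighter.

    A uniform brightness change leaves every comparison, and so the hash,
    unchanged. The hash cannot be inverted back into the picture. This is a
    stand-in for a robust perceptual hash like PhotoDNA, not PhotoDNA itself.
    """
    bits = 0
    for row in img:
        for x in range(WIDTH - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes; small means 'same picture'."""
    return bin(a ^ b).count("1")


def sha256_of(img):
    """Cryptographic hash of the raw pixels, for contrast: any change alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def client_side_scan(conversations, flagged_hashes, threshold=6):
    """Model of on-device scanning.

    Hash every media item the user can see and report (conversation, index)
    pairs whose hash lies within `threshold` bits of a flagged hash. The app's
    end-to-end encryption is never touched; the report itself is the leak.
    """
    hits = []
    for conv_id, media in conversations.items():
        for i, img in enumerate(media):
            h = dhash(img)
            if any(hamming(h, f) <= threshold for f in flagged_hashes):
                hits.append((conv_id, i))
    return hits


def demo():
    original = make_image()
    re_encoded = make_image(brighten=5)     # same picture, slightly brighter
    unrelated = make_image(invert=True)     # a different picture
    flagged = [dhash(original)]             # constructed "known bad" fingerprint
    conversations = {                       # constructed chats on the device
        "family-group": [unrelated],
        "chat-with-alice": [re_encoded, unrelated],
    }
    return {
        "same_dhash": dhash(original) == dhash(re_encoded),
        "same_sha256": sha256_of(original) == sha256_of(re_encoded),
        "distance_unrelated": hamming(dhash(original), dhash(unrelated)),
        "hits": client_side_scan(conversations, flagged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows that the brightened copy has the same dHash as the original while its SHA-256 differs, that the inverted image is far away in Hamming distance, and that the scan names the conversation holding the copy. That last result is the point Mullin calls a backdoor: the server never decrypts a message, yet it learns which chats contain a flagged item, and whoever controls the flagged list controls what gets reported.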

While this method wouldn't break encryption, Mullin and other privacy advocates still find the idea of client-side monitoring to be unacceptably intrusive.

Another strong possibility, Mullin believes, is that to avoid the creation of such backdoors, services will be intimidated away from using encryption altogether.

The U.K.s Department for Science, Innovation and Technology did not respond to a request for comment. However, earlier this month, a spokesperson of a different U.K. government office denied that the bill would require services to weaken encryption.

The U.K. bill isnt the only one raising privacy advocates concerns.

Since 2020, U.S. lawmakers from both major parties have pushed the so-called EARN IT Act. In the name of cracking down on child pornography, the bill would open the (currently closed) door to lawsuits against Internet services that fail to remove such material. The bill does not mention encryption, and its elected backers have denied that the act would harm encryption. The bill's opponents, however, fear that the threat of legal action might encourage services to create backdoors or discourage them from encrypting messages at all.

In the European Union, lawmakers have proposed the Regulation to Prevent and Combat Child Sexual Abuse. In its current form, the regulation would allow law enforcement to send detection orders to tech platforms, requiring them to scan messages, media, or other data. Critics believe that by mandating scanning, the regulation would undermine encryption.

EFF's Mullin, for his part, believes that other methods, such as allowing users to report malicious posts within an app, analyzing suspicious metadata, and even traditional police work, can crack down on child sexual abuse material better than scanning messages or creating backdoors to encrypted data.

"The authorities are looking for needles in a haystack," Mullin says. "Why would they want to vastly increase the haystack by scanning one billion messages a month of everyday people?"

Elsewhere, Russia and China have laws that allow authorities to mandate that encryption software providers decrypt data, including messages, without a warrant. A 2018 Australian law gave law-enforcement agencies the power to execute warrants ordering Internet services to decrypt and share information with them. Amazon, Facebook, Google, and Twitter all opposed the law, but they could not prevent its passing.

Back in Westminster, the Online Safety Bill is just a few hurdles away from assent. But even the bill's passing probably won't mean the end of the saga. In March, WhatsApp's boss Will Cathcart said the app would not comply with the bill's requirements.

Read more:
Could These Bills Endanger Encrypted Messaging? - IEEE Spectrum

New CISA Zero Trust Maturity Model Brings Attention to Encryption … – InvestorsObserver

New CISA Zero Trust Maturity Model Brings Attention to Encryption-in-Use Solutions

HACKENSACK, N.J., May 24, 2023 (GLOBE NEWSWIRE) -- Paperclip, Inc. (OTCMKTS:PCPJ) announces that its Paperclip SAFE solution can help organizations align with the Cybersecurity and Infrastructure Security Agency's (CISA) updated Zero Trust Maturity Model released last month. This latest version highlights the importance of the core function of Paperclip SAFE: encrypting data in use.

"Paperclip would like to thank CISA for recognizing the need to encrypt data in use as a critical component of data security," said Mike Bridges, President and COO of Paperclip. "It is the first compliance body to recommend this encryption technique to address the vulnerability related to searchable data. Encryption at rest and in motion has been part of basic compliance for years, but it does nothing to protect data when you need to search it."

"It's time to do more if we want to impact the growing data breach epidemic," Bridges added. "I have no doubt that other compliance bodies will follow CISA's lead and recognize that encryption-in-use or searchable data encryption is critical to zero trust, privacy, and ultimately, keeping sensitive data secure."

Paperclip SAFE combines searchable symmetric encryption, patented shredding technology, AES-256 encryption, access controls, data masking and Privacy Enhancing Computation (PEC), which the company says goes beyond what companies currently know about data encryption. SAFE is described as fast, searchable encryption designed for the way data is queried, so that data stays encrypted and out of a threat actor's grasp even while it is being searched.

Zero trust is an approach where access to data, networks and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified. The Zero Trust Maturity Model version 2 includes four stages of maturity: Traditional, Initial, Advanced, and Optimal. It also lists five key pillars of security: Identity, Devices, Networks, Applications/Workloads, and Data. Encrypting data in use is now listed as an Optimal function under Data Security.

According to CISA, the Zero Trust Maturity Model furthers the federal government's continued progress toward a zero trust approach to cybersecurity. While the Model is specifically intended for federal agencies, CISA recommends that all organizations review this guidance and take steps to advance their progress toward a zero trust model.

"There is a growing and shifting cybersecurity market that is being driven by the hacker community," Bridges said. "The traditional approach to data security won't work against hackers who are regularly changing their techniques. As a result, organizations and government agencies must think differently and utilize different ways to protect their sensitive data, including new encryption-in-use solutions like Paperclip SAFE."

About CISA: As the nation's cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

About Paperclip, Inc.: Paperclip is a proven technology partner that continues to revolutionize content and document management, and data security, for Fortune 1,000 companies worldwide. Every second of every day, its solutions are securely processing, transcribing, storing, and communicating sensitive content across the internet, maximizing efficiency to save millions annually while maintaining security and compliance. For more information, visit paperclip.com.

CONTACT Megan Brandow, Director of Marketing Paperclip, Inc. (585) 727-0983 mbrandow@paperclip.com

Continue reading here:
New CISA Zero Trust Maturity Model Brings Attention to Encryption ... - InvestorsObserver

73% Indian firms were hit by ransomware attack: Causes, encryption rate and more – Times of India

The rate of cyberattacks increased in India in 2022, with 73% of organisations reporting that they were a victim of ransomware in 2022, up from 57% the previous year, according to a new report. The report, by cybersecurity company Sophos, said that in 77% of ransomware attacks against surveyed organisations, attackers succeeded in encrypting data. About 44% of victim companies paid the ransom to get their data back, a considerable drop from last year's rate of 78%.

"Although dipping slightly from the previous year, the rate of encryption remains high at 77%, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes," said Chester Wisniewski, field CTO, Sophos.

The cybersecurity company said that on a global scale, when organisations paid a ransom to decrypt their data, they ended up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organisations that used backups to get their data back).

"Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation," Wisniewski added.

Ransomware attack causes

When Sophos analysed the root cause of ransomware attacks, it found that the most common entry point was an exploited vulnerability (involved in 35% of cases), followed by compromised credentials (involved in 33% of cases).

Other key global findings

The report mentioned that in 30% of cases where data was encrypted, data was also stolen, suggesting that the "double dip" method (data encryption plus data exfiltration) is becoming commonplace. The education sector reported the highest level of ransomware attacks on a global level, with 79% of higher education organisations and 80% of lower education organisations surveyed reporting that they were victims of ransomware.

See the original post here:
73% Indian firms were hit by ransomware attack: Causes, encryption rate and more - Times of India