More stories

  • in

    Unleashing capacity at Heineken México with systems thinking from MIT

    It’s no secret that a manufacturer’s ability to maintain and ideally increase production capability is the basis for long-run competitive success. But discovering a way to significantly increase production without buying a single piece of new equipment — that may strike you as a bit more surprising. 

    Global beer manufacturer Heineken is the second-largest brewer in the world. Founded in 1864, the company owns over 160 breweries in more than 70 countries and sells more than 8.5 million barrels of its beer brands in the United States alone. In addition to its sustained earnings, the company has demonstrated significant social and environmental responsibility, making it a globally admired brand. Now, thanks to a pair of MIT Sloan Executive Education alumni, the firm has applied data-driven developments and AI augmentation to its operations, helping it solve a considerable production bottleneck that unleashed hidden capacity in the form of millions of cases of beer at its plant in México.

    Little’s Law, big payoffs

    Federico Crespo, CEO of fast-growing industrial tech company Valiot.io, and Miguel Aguilera, supply chain digital transformation and innovation manager at Heineken México, first met at the MIT Sloan Executive Education program Implementing Industry 4.0: Leading Change in Manufacturing and Operations. During this short course led by John Carrier, senior lecturer in the System Dynamics Group at MIT Sloan, Crespo and Aguilera acquired the tools they needed to spark a significant improvement process at Mexico’s largest brewery.

    Ultimately, they would use Valiot’s AI-powered technology to optimize the scheduling process in the presence of unpredictable events, drastically increasing the brewery throughput and improving worker experience. But it all started with a proper diagnosis of the problem using Little’s Law.

    Often referred to as the First Law of Operations, Little’s Law is named for John D.C. Little, a professor post tenure at MIT Sloan and an MIT Institute Professor Emeritus. Little proved that the three most important properties of any system — throughput, lead time, and work-in-process — must obey the following simple relationship:

    Little’s law formula says work-in-progress is equal to throughput multiplied by lead time.

    Little’s Law is particularly useful for detecting and quantifying the presence of bottlenecks and lost throughput in any system. And it is one of the key frameworks taught in Carrier’s Implementing Industry 4.0 course.

    Crespo and Aguilera applied Little’s Law and worked backward through the entire production process, examining cycle times to assess wait times and identify the biggest bottlenecks in the brewery.

    Specifically, they discovered a significant bottleneck at the filtration stage. As beer moved from maturation and filtration to bright beer tanks (BBT), it was often held up waiting to be routed to the bottling and canning lines, due to various upsets and interruptions throughout the facility as well as real-time demand-based production updates.

    This would typically initiate a manual, time-intensive rescheduling process. Operators had to track down handwritten production logs to figure out the current state of the bottling lines and inventory the supply by manually entering the information into a set of spreadsheets stored on a local computer. Each time a line was down, a couple hours were lost.

    With the deficiency identified, the facility quickly took action to solve it.

    Bottlenecks introduce habits, which evolve into culture

    Once bottlenecks have been identified, the next logical step is to remove them. However, this can be particularly challenging, as persistent bottlenecks change the way the people work within the system, becoming part of worker identity and the reward system.

    “Culture can act to reject any technological advance, no matter how beneficial this technology may be to the overall system,” says Carrier. “But culture can also provide a powerful mechanism for change and serve as a problem-solving device.”

    The best approach to introducing a new technology, advises Carrier, is to find early projects that reduce human struggle, which inevitably leads to overall improvements in productivity, reliability, and safety.

    Heineken México’s digital transformation

    Working with Federico and his team at Valiot.io, and with full support of Sergio Rodriguez, vice president of manufacturing at Heineken México, Aguilera and the Monterrey brewery team began connecting the enterprise resource plan and in-floor sensors to digitize the brewing process. Valiot’s data monitors assured a complete data quality interaction with the application. Fed by real-time data, machine learning was applied to the filtration and BBT processes to optimize the daily production schedule. As a result, BBT and filtration time were reduced in each cycle. Brewing capacity also increased significantly per month. The return on the investment was clear within the first month of implementation.

    The migration to digital has enabled Heineken México to have a real-time visualization of the bottling lines and filtering conditions in each batch. With AI constantly monitoring and learning from ongoing production, the technology automatically optimizes efficiency every step of the way. And, using the real-time visualization tools, human operators in the factory can now make adjustments on the fly without slowing down or stopping production. On top of that, the operators can do their jobs from home effectively, which has had significant benefits given the Covid-19 pandemic.

    The key practical aspects

    The Valiot team was required to be present on the floor with the operators to decode what they were doing, and the algorithm had to be constantly tested against performance. According to Sergio Rodriguez Garza, vice president supply chain for Heineken México, success was ultimately based on the fact that Valiot’s approach was impacting the profit and loss, not simply counting the number of use cases implemented.

    “The people who make the algorithms do not always know where the value in the facility is,” says Garza. “For this reason, it is important to create a bridge between the areas in charge of digitization and the areas in charge of the process. This process is not yet systematic; each plant has a different bottleneck, and each needs its own diagnosis. However, the process of diagnosis is systematic, and each plant manager is responsible for his/her own plant’s diagnosis of the bottleneck.”

    “A unique diagnosis is the key,” adds Carrier, “and a quality diagnosis is based on a fundamental understanding of systems thinking.”

  • in

    Brazilian government organizes US visit to speed up 5G auction

    Brazilian government officials will be meeting their US counterparts and investors as part of a plan intended to speed up the process around Brazil’s upcoming 5G auction. The US visit starts today (7) and will end on Friday (11). The agenda is led by Brazil’s Ministry of Communications and includes representatives from the Ministry of Foreign Affairs, the Ministry of Defense, the Special Secretariat for Strategic Affairs, the National Congress, as well as senators Ciro Nogueira and Flávio Bolsonaro, president Jair Bolsonaro’s son. Other participants of the meetings in the US are representatives from the Brazilian Intelligence Agency, as well as ministers and technical staff from the Federal Court of Auditors, which is currently analyzing the notice for the auction for the 5G spectrum, expected to take place in July.

    The aim of the visit, according to the Ministry of Communications, is to “learn more about regulatory approaches to private communications networks and their implementation, as well as sharing experiences around cybersecurity”. During the meetings in Washington and New York, the ministers will visit the US Department of Defense, as well as the Department of National Intelligence and the Federal Communications Commission. According to Communications minister Fabio Faria, the meetings in the US are “a great solution” to expedite the 5G auction, since the Federal Court of Auditors will have the opportunity to have their questions in relation to the fifth-generation spectrum answered, especially when it comes to the implementation of the government’s private network. Another goal of the visit is to “promote the dialog with potential investors in the Brazilian telecommunications market”, the Ministry noted. The Brazilian government officials have meetings set up with Motorola, Qualcomm, IBM and AT&T, along with investment funds, banks and consulting firm Eurasia. The Brazilian government’s US visit this week follows a previous tour led by the Ministry of Communications to some of the leading countries in the 5G space. During the visit, which took place in February, government officials visited Sweden, Finland, Japan and China. At the time, the Brazilian delegation visited companies such as Nokia and Ericsson in their home countries, and new meetings with these two companies will take place during the US visit.

  • in

    Facebook ramps up privacy efforts with end-to-end encrypted audio, video calling trials in Secret Conversations

    Facebook is now testing out new privacy and encryption features for Messenger’s Secret Conversations. 

    The tests, due to start over the course of this week, will include trials of end-to-end encrypted audio and video calling. At present, Secret Conversations only supports messages, pictures, video clips, voice recordings, and stickers being sent with end-to-end encryption, a protocol that is intended to prevent anyone other than participants from reading content, including platform providers. Secret Conversations does not support encrypted group messages, payments, or audio/video calling. However, the social media giant has now begun testing extended encryption options for a potential rollout in the future. Test group participants will see a phone icon at the top of the Secret Conversations window that can be selected to make a call. The option will be set in a similar layout to typical Messenger windows. Facebook told ZDNet that the features will “give people more choice and controls” and that development in these areas is an “important step toward making Messenger a more secure and private experience.” The tests are expected to last several months. Potential rollouts may follow depending on the success of the trials.

    In addition, the company is trying out a new timer feature. Secret Conversations already permits users to set a timer for their messages to expire, but the bolt-on will allow participants to turn off disappearing messages entirely — or set a default timer for content to vanish based on one minute, 15 minutes, or 24-hour intervals. The company has previously announced its plans to make chats across the platform encrypted by default, but it’s likely years before such a rollout is ready. In the meantime, the trials with Secret Conversations could pave the way forward in default encryption development. “While we expect to make more progress on default end-to-end encryption for Messenger and Instagram Direct this year, it’s a long-term project and we won’t be fully end-to-end encrypted until sometime in 2022 at the earliest,” the company said.

  • in

    This phishing email is pushing password-stealing malware to Windows PCs

    A phishing campaign is delivering a new variant of one of the oldest forms of remote access trojan (RAT) malware in an effort to steal usernames, passwords and other sensitive information. It also aims to steal cryptocurrency from the victim. Agent Tesla first emerged in 2014 and it remains a common form of malware today. The malware is focused on stealing sensitive information from compromised Windows machines with the aid of a keylogger, which sends what the victim is typing to the attacker – allowing them to see usernames, passwords, and more.

    Now researchers at Fortinet have detailed a new Agent Tesla campaign that distributes an updated version of the malware via phishing emails. The malicious messages are designed to look like a business email – for example, one asks the user to open a Microsoft Excel attachment titled “Order Requirements and Specs”. The document contains a macro which, if run, starts a process that executes and downloads Agent Tesla onto the machine. This is done across a number of different stages, including downloading PowerShell files, running VBScript and creating a scheduled task, all to help mask the installation of the malware, allowing the attacker to secretly monitor activity on the machine. This version of Agent Tesla pings the operator every 20 minutes, sending them any new input detected. In addition to this, the attack also hijacks any bitcoin wallet on the victim’s device. By monitoring activity on the machine and the abuse of PowerShell code, the attacker can monitor for a valid bitcoin address. If this is spotted, the code modifies the bitcoin address and changes it to one owned by the attacker, allowing them to steal cryptocurrency transfers.

    Despite being around since 2014, Agent Tesla remains popular with cyber criminals by remaining effective and being relatively cheap: it can cost as little as $15 to buy a license on underground forums. In addition to low cost, the authors of Agent Tesla offer 24/7 technical support, allowing it to serve as an entry point for less sophisticated cyber criminals – while still being potentially damaging to any person or organisation that falls victim to the malware. Many of the attacks continue to be distributed by phishing emails – which means if the right precautions are taken, falling victim can be avoided. Cybersecurity researchers recommend using antivirus software to detect suspicious activity, while users should be careful when it comes to opening attachments from unknown sources with unexpected emails.

  • in

    GitHub: Here's how we're changing our rules around malware and software vulnerability research

    Microsoft-owned GitHub has updated its policies on sharing malware and exploits on the site to better support security researchers sharing so-called “dual-use” software – or software that can be used for security research but which might be used to attack networks. It admits the language it previously used was “overly broad”. 

    “We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” says Michael Hanley, chief security officer of GitHub, in a blogpost. Dual-use technologies include tools like the Metasploit framework and Mimikatz, which are used by defenders, ransomware attackers and state-sponsored threat actors to compromise networks and move around networks after they’re compromised. “While many of these tools can be abused, we do not intend or want to adjudicate intent or solve the question of abuse of dual-use projects that are hosted on GitHub,” the company said in its pull request regarding exploit and malware policies. “Many of the projects cited in this ongoing discussion, such as mimikatz, metasploit, and others are all incredibly valuable tools and the goal is to further protect from what we felt was overly broad language in our existing [Acceptable Use Policies] that could be viewed as hostile toward these projects as-written.”

    GitHub has also clarified when it may disrupt ongoing attacks that are using GitHub as a content delivery network (CDN) to distribute exploits or malware. GitHub acknowledged its language around the term “harm” was too broad. “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss,” notes Hanley. It also updated sections of the policy that ask researchers working on dual-use projects to provide a point of contact, but this is not mandatory. The policy update follows a review that GitHub initiated in April after it took down code from researcher Nguyen Jang in March. Jang had posted proof-of-concept (PoC) exploit code targeting two of four zero-day vulnerabilities – dubbed ProxyLogon – affecting on-premise Exchange servers. Microsoft released patches for the bugs on March 2, but warned that a Chinese state-sponsored group Hafnium had been exploiting the flaws before it released patches. Microsoft also warned that the bugs could be quickly exploited by other threat actors before customers applied patches. On March 9, Jang shared his proof-of-concept exploit on GitHub, as reported by The Record. While being just a PoC for two of the Exchange flaws, the code could be tweaked with little effort to exploit vulnerable Exchange email servers and gain remote code execution, according to experts. And at that point, many organizations still hadn’t patched affected Exchange servers. Per Motherboard, GitHub took Jang’s PoC down a few hours after he posted it because of the potential damage it could cause, but acknowledged that PoC exploit code could be helpful to the security community for research purposes.

    GitHub came under fire from security researchers because it looked like it was making an exception for PoC exploit code affecting parent Microsoft’s software while allowing researchers to share PoC code for non-Microsoft products on the site, as Google security researcher Tavis Ormandy pointed out on Twitter. The other policy option is to ban sharing PoC exploit code, but Ormandy argued this would be a bad outcome for defenders. “I’m saying that security pros benefit from openly sharing research and access to tools, and they make us safer. We could say “no sharing”, so there is only black market access to exploits. I don’t think that’s a win,” wrote Ormandy.

  • in

    Deloitte acquires cloud security orchestration provider CloudQuest

    Tax and auditing giant Deloitte announced Monday that it’s acquiring cloud security posture management (CSPM) provider CloudQuest to expand its portfolio of cloud security orchestration, automation and response (SOAR) services. Financial terms of the deal were not disclosed.

    The deal marks Deloitte’s second security-related acquisition this year as the company aims to bolster its existing cybersecurity offerings that aid clients in threat management and intelligence. Deloitte said CloudQuest’s technology is designed to help businesses manage security workflows, reduce risk and improve data security. With the addition of CloudQuest’s business, Deloitte’s Cyber Cloud offering will gain more capabilities for monitoring, preventing and remediating security threats, the company said. “Our acquisition of CloudQuest represents our profound commitment to transforming alongside our clients, competing vigorously in the market, and aggressively building out tech-enabled approaches that position Deloitte cyber as an unquestionable business enabler,” said Deborah Golden, leader and principal of Deloitte Risk and Financial Advisory Cyber and Strategic Risk leader for Deloitte & Touche LLP. Deloitte stands as one of the largest private companies in the US, selling tax, auditing, consulting, and cybersecurity advisory services to major governments and large Fortune 500 multinationals.


  • in

    Drones with exoskeletons face off in soccer challenge

    Much to the chagrin of aspiring pilots, drones will certainly play a leading role in many forms of aviation in the not-too-distant future. So how do you build a talent pipeline of kids who know how to fly and repair drones?

    Kyle Sanders, US Drone Soccer vice president and former US Air Force combat pilot, is seeking to do just that by educating students in robotics, coding, and aerospace. Drone Soccer, which according to a spokesperson looks a lot like Quidditch from the Harry Potter books, was introduced in South Korea in 2016 and has moved to the US as an educational and fun sport. So how do you play? “Drone Soccer is an educational sport where students must first learn how to build, program, fly, and repair high-performance drones,” Sanders tells me. “The competition itself is an exciting full-contact sport, these drones have a protective exoskeleton and are designed for collisions. Equal teams of 3v3 up to 5v5 play inside a netted arena and it is an accessible game for new players, with growth opportunities through college programs and even the World Cup. Our first test events took place in Colorado at the Space Foundation in Colorado Springs and Wings Over the Rockies Air and Space Museum.” The first Drone Soccer tournament in North America will take place in Colorado Springs, CO this July. As a veteran, Kyle has a background in aerospace education and is working with local institutions to create a U.S. Drone Soccer curriculum that provides equipment, training, and lesson plans to the schools adopting the sport. “NASA just landed the first flying drone on another planet with the Mars Ingenuity helicopter,” says Sanders. “Students can see that drones are the future, with new and unexpected applications in every industry. It’s also a way to earn money and launch a career at a young age.” But, cautions Sanders, the path to a future in aviation has never been so obscure.

    “There is a huge talent gap where students are intimidated away from science and technical career fields. Speaking as a former pilot, there are hundreds of aerospace careers besides just operating the controls. Our program introduces them to all of the fast-growing opportunities and skills they could pursue such as 3D modeling, small-scale manufacturing, computer programming, robotics, and flight operations. Wings Over the Rockies has training camps all summer where students are really diving into these topics and opening doors to future careers.” Colorado Springs’ Coronado and Mitchell High Schools will serve as test pilots in Colorado Springs, potentially ushering in a new generation of top guns. To make sure this sport is available to all students, a combination of federal and state funding is used. “Colorado is the site of our first test league, and we’ve worked closely with educators and administrators in Colorado Springs and Denver,” Sanders explains. “Colorado Springs District 11 enrolled the first two high school programs with Coronado High School taking second place at our first student tournament. School districts are eager for a comprehensive drone program that meets their classroom and career preparedness needs. They want to prepare students for this exciting new field. Enrollment is open for the upcoming school year, and we’re adding new schools every week.” Colorado Springs already plays an important role in U.S. aviation as home to the U.S. Air Force Academy, five military installations, and over 250+ aerospace and defense companies in the region. “Aerospace and defense companies are eager to work with local economic development groups like the Colorado Springs Chamber & EDC and city and state governments to attract tech talent and train the next generation of leaders in this space. Drone Soccer is a double win to keep kids learning in the summer, or after school, and to encourage these students to learn more about aerospace, coding, and engineering fields.”

  • in

    Ransomware warning: There's been another spike in attacks on schools and universities

    The number of ransomware attacks targeting schools, colleges and universities is on the rise again, warns the UK’s National Cyber Security Centre (NCSC). The latest alert comes following a spate of high-profile ransomware attacks around the world during the past month, including incidents encrypting the networks of Colonial Pipeline, Ireland’s health service and meat supplier JBS.

    The NCSC has previously warned about ransomware attacks targeting the education sector, but late May and early June has seen another increase in incidents – at a critical time of year when it comes to coursework, exams and other assignments. The NCSC has previously detailed how ransomware incidents affecting education have led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing. “It is important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services,” said the NCSC alert. Some of the most common methods cyber criminals use to gain access to university networks and lay the groundwork for ransomware attacks involve targeting remote desktop protocol (RDP) and virtual private networks (VPNs).

    By exploiting weak passwords, a lack of multi-factor authentication or unpatched vulnerabilities in RDP and VPNs, cyber criminals can stealthily compromise networks. Their presence is often only discovered once they’ve unleashed the ransomware attack and encrypted systems and services. To help prevent ransomware attacks in the first place, the NCSC recommends that organisations have effective vulnerability management and patching procedures, so they can rapidly update networks and software with the relevant security patches when new vulnerabilities emerge. The NCSC also suggests that RDP and other cloud services are secured using multi-factor authentication and that mechanisms are introduced to help detect and prevent phishing attacks. It’s also recommended that organisations in the education sector – and beyond – have plans to enable effective recovery, so if the worst happens and the network is encrypted with ransomware, it’s possible to restore it without giving in to the ransom demands of cyber criminals. This can be achieved by having up-to-date and tested offline backups, because according to the NCSC, “offline backups are the most effective way to recover from a ransomware attack”.