Week in security with Tony Anscombe

Analysis of Numando banking trojan, steps to mitigate attack surface, and more! – Week in security with Tony Anscombe

In this edition of Week in security, Tony looks at these topics:

ESET Research continues its series on Latin American banking trojans, this time dissecting Numando, which targets mainly Brazil and rarely Mexico and Spain.
An overview of what the attack surface is and the best ways to mitigate your organization’s, in order to maximize cybersecurity.
The Facebook-owned messaging service WhatsApp announced it plans to roll out end‑to‑end encrypted backups to both iOS and Android users in the coming weeks.

All this – and more – on WeLiveSecurity.com. Connect with us on Facebook, Twitter, LinkedIn and Instagram.

Numando: Count once, code twice

The (probably) penultimate post in our occasional series demystifying Latin American banking trojans.

Before concluding our series, there is one more LATAM banking trojan that deserves a closer look – Numando. The threat actor behind this malware family has been active since at least 2018. Even though it is not nearly as lively as Mekotio or Grandoreiro, it has been consistently used since we started tracking it, bringing interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images. Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain.

As with all the other Latin American banking trojans described in this series, Numando is written in Delphi and utilizes fake overlay windows to lure sensitive information out of its victims. Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage.

Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings (see Figure 1), which inspired our naming of this malware family.

Figure 1. Numando command processing – part of command 9321795 processing (red)

Strings are encrypted by the most common algorithm among Latin American banking trojans (shown in Figure 5 of our Casbaneiro write-up) and are not organized into a string table. Numando collects the victimized machine’s Windows version and bitness.

Unlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development. There are some minor changes from time to time, but overall the binaries do not tend to change much.

Numando is distributed almost exclusively by spam. Based on our telemetry, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Recent campaigns simply add a ZIP attachment containing an MSI installer to each spammed message. This installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. If the potential victim executes the MSI, it eventually runs the legitimate application as well, and that side-loads the injector. The injector locates the payload and then decrypts it using a simple XOR algorithm with a multi-byte key. An overview of this process is illustrated in Figure 2.

Figure 2. Numando MSI and its contents distributed in the latest campaigns

For Numando, the payload and injector are usually named identically – the injector with the .dll extension and the payload with no extension (see Figure 3) – making it easy for the injector to locate the encrypted payload. Surprisingly, the injector is not written in Delphi – something very rare among Latin American banking trojans. The IoCs at the end of this blogpost contain a list of legitimate applications we have observed Numando abuse.

Figure 3. Files used for executing Numando. Legitimate application (Cooperativa.exe), injector (Oleacc.dll), encrypted payload (Oleacc) and legitimate DLLs.

Decoy ZIP and BMP overlay

There is one interesting distribution chain from the recent past worth mentioning. This chain starts with a Delphi downloader downloading a decoy ZIP archive (see Figure 4). The downloader ignores the archive’s contents and extracts a hex-encoded encrypted string from the ZIP file comment, an optional ZIP file component stored at the end of the file. The downloader does not parse the ZIP structure, but rather looks for the last { character (used as a marker) in the whole file. Decrypting the string results in a different URL that leads to the actual payload archive.

Figure 4. The decoy is a valid ZIP file (ZIP structures highlighted in green) with an encrypted URL included in a ZIP file comment at the end of the archive (red)

The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it. The process is illustrated in Figure 5.

Figure 5. Numando distribution chain using a decoy ZIP archive

This BMP file is a valid image and can be opened in the majority of image viewers and editors without issue, as the overlay is simply ignored. Figure 6 shows some of the decoy images the Numando threat actor uses.

Figure 6. Some BMP images Numando uses as decoys to carry its payload
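Both carriers described above leave a structural trace that a defender can check without executing anything: a BMP whose on-disk size exceeds the size declared in its file header has data appended after the image (an overlay), and a ZIP whose end-of-central-directory record carries a comment containing the { marker matches the decoy-ZIP pattern. The following checks are an added example, not ESET's tooling; the sample BMP and ZIP are constructed inline and the hex check on the post-marker blob is an assumption based on the text.

```python
"""Added example (not from the ESET write-up): flag BMP overlays and ZIP
comments carrying a '{' marker, the two decoy carriers described above.
Sample files are constructed inline so the script runs offline."""
import io
import struct
import zipfile
from typing import List, Optional

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def bmp_overlay_size(data: bytes) -> int:
    """Bytes appended after the size declared in BITMAPFILEHEADER.bfSize.

    Layout: 'BM' (2), bfSize u32 LE (4), reserved (4), bfOffBits (4).
    Caveat: a few writers emit bfSize == 0; such files are reported as
    malformed rather than as carrying an overlay.
    """
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    if declared < 14:
        raise ValueError("BMP header declares an impossible file size")
    return max(0, len(data) - declared)


def zip_comment(data: bytes) -> bytes:
    """Archive comment from the End of Central Directory (EOCD) record.

    EOCD: signature 'PK\\x05\\x06' (4) ... comment length u16 LE at +20,
    comment bytes at +22. The record is the last structure in a ZIP, so
    the last occurrence of the signature is searched for.
    """
    sig = b"PK\x05\x06"
    idx = data.rfind(sig)
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("EOCD record not found")
    clen = struct.unpack_from("<H", data, idx + 20)[0]
    return data[idx + 22: idx + 22 + clen]


def decoy_zip_marker(data: bytes) -> Optional[bytes]:
    """Return the bytes after the last '{' in the ZIP comment, or None."""
    comment = zip_comment(data)
    pos = comment.rfind(b"{")
    if pos < 0:
        return None
    return comment[pos + 1:]


def is_hex(blob: bytes) -> bool:
    return len(blob) > 0 and len(blob) % 2 == 0 and all(b in HEX_DIGITS for b in blob)


def scan(name: str, data: bytes) -> List[str]:
    """Triage one file; returns human-readable findings (empty if clean)."""
    findings = []
    if data[:2] == b"BM":
        extra = bmp_overlay_size(data)
        if extra:
            findings.append(f"{name}: BMP carries {extra} bytes of overlay after the declared image size")
    elif data[:2] == b"PK":
        blob = decoy_zip_marker(data)
        if blob is not None:
            findings.append(f"{name}: ZIP comment contains '{{' marker followed by "
                            f"{len(blob)} bytes (hex-encoded={is_hex(blob)})")
    return findings


# --- constructed samples (not real Numando artifacts) ---------------------
def make_bmp(overlay: bytes = b"") -> bytes:
    """Minimal valid 1x1 24-bit BMP, optionally with bytes appended."""
    pixels = b"\x00\x00\xff\x00"                      # one red pixel, padded to 4 bytes
    size = 14 + 40 + len(pixels)
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + overlay


def make_zip(comment: bytes) -> bytes:
    """Valid ZIP with one harmless member and the given archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "decoy content")
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean.bmp": make_bmp(),
        "decoy.bmp": make_bmp(b"\x90" * 4096),           # constructed overlay
        "clean.zip": make_zip(b"just a comment"),
        "decoy.zip": make_zip(b"padding {6a7b8c9d0e1f"),  # constructed marker + hex blob
    }
    for fname, blob in samples.items():
        for line in scan(fname, blob):
            print(line)
```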

Like many other Latin American banking trojans, Numando abuses public services to store its remote configuration – YouTube and Pastebin in this case. Figure 7 shows an example of the configuration stored on YouTube – a technique similar to Casbaneiro, though much less sneaky. Google took the videos down promptly based on ESET’s notification.

Figure 7. Numando remote configuration on YouTube

The format is simple – three entries delimited by “:” between the DATA:{ and } markers. Each entry is encrypted separately in the same way as other strings in Numando – with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without having the corresponding binary; however, Numando does not change its decryption key very often, which makes decryption possible.

Numando is a Latin American banking trojan written in Delphi. It targets mainly Brazil with rare campaigns in Mexico and Spain. It is similar to the other families described in our series – it uses fake overlay windows, contains backdoor functionality and utilizes MSI.

We have covered its most typical features, distribution methods and remote configuration. It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique; these are two reliable factors when identifying this malware family.

For any inquiries, contact us at [email protected] Indicators of

Microsoft Patch Tuesday fixes actively exploited zero‑day and 85 other flaws

The most recent Patch Tuesday includes a fix for the previously disclosed and actively exploited remote code execution flaw in MSHTML.

The arrival of the second Tuesday of the month can only mean one thing in cybersecurity terms: Microsoft is rolling out patches for security vulnerabilities in Windows and its other offerings. This time round, Microsoft’s Patch Tuesday brings fixes for no fewer than 86 security loopholes, including one that has been both previously disclosed and actively exploited in the wild. Of the grand total, three security flaws received the highest severity rating of “critical”.

Indexed as CVE-2021-40444, the remote code execution vulnerability, which holds a rating of ‘critical’ on the CVSS scale, resides in MSHTML, a browser engine for Internet Explorer also commonly referred to as Trident. While Microsoft did release an advisory regarding the actively exploited zero-day, it didn’t provide an out-of-band update and instead opted to fix it as part of this month’s batch of security updates.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said describing how an attacker could exploit the vulnerability.

Another critical vulnerability that merits mentioning resides in Open Management Infrastructure (OMI), an open-source project which aims to improve Web-Based Enterprise Management standards. Tracked as CVE-2021-38647, the remote code execution vulnerability earned an ‘almost perfect score’ of 9.8 out of 10 on the CVSS scale. According to the Redmond tech titan, an attacker could exploit the security loophole by sending a specially crafted message via HTTPS to a port on which OMI is listening on a susceptible system.

Closing up the trio of security flaws with a classification of critical is yet another remote code execution bug. Indexed as CVE-2021-36965, the vulnerability resides in the Windows WLAN AutoConfig Service component, which is responsible for automatically connecting to wireless networks.

Security updates have been released for a wide range of products, including Microsoft Office, Edge, SharePoint, as well as other products in Microsoft’s portfolio.

All updates are available via this Microsoft Update Catalog for all supported versions of Windows. Both regular users and system administrators would be well advised to apply the patches as soon as practicable.

WhatsApp announces end‑to‑end encrypted backups

The Facebook-owned messaging service plans to roll out the feature to both iOS and Android users in the coming weeks.

While users already had the option to back up their message history using cloud-based services, they will soon be able to store their backups end-to-end encrypted (E2EE), WhatsApp has announced.

The introduction of the new feature means that users won’t have to solely rely on the security measures implemented by their cloud-storage providers but can secure their backups including the contents of their chats before they upload them to the cloud.

Developing end-to-end encrypted backups was an incredible technical challenge: an entirely new framework for key and cloud storage.

With encrypted backups they’re only accessible to you, so that neither WhatsApp nor the backup service provider can access or decrypt the messages.

— WhatsApp (@WhatsApp) September 10, 2021

“To enable E2EE backups, we developed an entirely new system for encryption key storage that works with both iOS and Android. With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password,” reads WhatsApp’s blog announcing the much-desired feature.

If the user chooses to go with the password, the key will then be stored in the Backup Key Vault, which is built around a component known as a hardware security module (HSM) – a hardware device used to protect and store digital encryption keys. In its whitepaper, the Facebook-owned messaging platform describes its HSM-based Backup Key Vault as being akin to the safe deposit boxes offered by traditional banks. When users need to access or restore their backups, they can use the password they created to retrieve the key stored in the HSM-based Backup Key Vault and proceed to decrypt their backup.

“The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it. These security measures provide protection against brute-force attempts to retrieve the key. WhatsApp will know only that a key exists in the HSM. It will not know the key itself,” the messaging platform said, elaborating on the safety measures it has put in place.

The alternative to using a password for accessing and decrypting their backups is using a 64-digit encryption key. However, memorizing a 64-digit encryption key is easier said than done, so users will probably have to either keep a record of it somewhere (which isn’t really a safe choice) or resort to storing it in a password manager.
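To make the vault properties the article describes concrete (a random backup key that the service never learns, a password that only releases the key when it verifies, a failure counter, and permanent destruction of the key after too many failed attempts), here is a simplified model written for this page. It is not WhatsApp's code or protocol; the attempt limit, the PBKDF2 parameters and the 64-digit presentation of the manual key are assumptions of the model.

```python
"""Added example, not WhatsApp's implementation: a toy model of the
HSM-based Backup Key Vault behaviour described in the article.
Assumptions: MAX_ATTEMPTS and the PBKDF2 settings are illustrative."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

MAX_ATTEMPTS = 10          # assumption: the article gives no number
PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor


def generate_backup_key() -> bytes:
    """Unique, randomly generated key used to encrypt the backup."""
    return secrets.token_bytes(32)


def manual_key_digits(key: bytes) -> str:
    """Present a key as 64 decimal digits (the 'manual' alternative to a
    password). Assumption: a base-10 rendering of the 256-bit key, zero-padded."""
    return str(int.from_bytes(key, "big")).zfill(64)[-64:]


class BackupKeyVault:
    """Models the HSM: holds the key and a password verifier, never the password.

    The only thing the surrounding service learns is key_exists(); the key
    itself leaves the vault only through retrieve() with a correct password.
    """

    def __init__(self, backup_key: bytes, password: str) -> None:
        self._salt = os.urandom(16)
        self._verifier = self._derive(password, self._salt)
        self._key: Optional[bytes] = backup_key
        self.failed_attempts = 0

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def key_exists(self) -> bool:
        """What the service can observe: a key is (still) stored, nothing more."""
        return self._key is not None

    def retrieve(self, password: str) -> Optional[bytes]:
        """Release the key on a correct password; count failures and wipe the
        key once MAX_ATTEMPTS failures accumulate, blocking brute force."""
        if self._key is None:
            return None  # permanently inaccessible after too many failures
        candidate = self._derive(password, self._salt)
        if hmac.compare_digest(candidate, self._verifier):
            self.failed_attempts = 0
            return self._key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self._key = None  # render the key permanently inaccessible
        return None


if __name__ == "__main__":
    key = generate_backup_key()
    vault = BackupKeyVault(key, "correct horse battery staple")
    print("manual key:", manual_key_digits(key))
    print("wrong password ->", vault.retrieve("hunter2"))
    print("right password ->", vault.retrieve("correct horse battery staple") == key)
    for _ in range(MAX_ATTEMPTS):
        vault.retrieve("guess")
    print("key still exists after lockout?", vault.key_exists())
```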

WhatsApp said that the end-to-end encrypted backups should be rolled out to both iOS and Android over the upcoming weeks.

What is a cyberattack surface and how can you reduce it?

Discover the best ways to mitigate your organization’s attack surface, in order to maximize cybersecurity.

In almost all coverage of modern breaches you’ll hear mention of the “cyberattack surface” or something similar. It’s central to understanding how attacks work and where organizations are most exposed. During the pandemic the attack surface has grown arguably further and faster than at any point in the past. And this has created its own problems. Unfortunately, organizations are increasingly unable to define the true size and complexion of their attack surface today—leaving their digital and physical assets exposed to threat actors.

Fortunately, by executing a few best practices, these same defenders can also improve their visibility of the attack surface, and with it, gain enhanced understanding of what’s necessary to minimize and manage it.

What is the corporate attack surface?

At a basic level, the attack surface can be defined as the physical and digital assets an organization holds that could be compromised to facilitate a cyber-attack. The end goal of the threat actors behind it could be anything from deploying ransomware and stealing data to conscripting machines into a botnet, downloading banking trojans or installing crypto-mining malware. The bottom line is: the bigger the attack surface, the larger the target the bad guys have to aim at.

Let’s take a look at the two main attack surface categories in more detail:

The digital attack surface

This describes all of an organization’s network-connected hardware, software and related components. These include:

Applications: Vulnerabilities in apps are commonplace, and can offer attackers a useful entry point into critical IT systems and data.

Code: A major risk now that much of it is being compiled from third-party components, which may contain malware or vulnerabilities.

Ports: Attackers are increasingly scanning for open ports and checking whether any services are listening on a specific port (e.g. TCP port 3389 for RDP). If those services are misconfigured or contain bugs, they can be exploited.

Servers: These could be attacked via vulnerability exploits or flooded with traffic in DDoS attacks.

Websites: Another part of the digital attack surface with multiple vectors for attack, including code flaws and misconfiguration. Successful compromise can lead to web defacement, or to the implanting of malicious code for drive-by and other attacks (e.g. formjacking).

Certificates: Organizations frequently let these expire, allowing attackers to take advantage.

This is far from an exhaustive list. To highlight the sheer scale of the digital attack surface, consider this 2020 research into firms on the FTSE 30 list. It found:

324 expired certificates
25 certificates using the obsolete SHA-1 hashing algorithm
743 possible test sites exposed to the internet
385 insecure forms, of which 28 were used for authentication
46 web frameworks featuring known vulnerabilities
80 instances of now defunct PHP 5.x
664 web server versions with known vulnerabilities

The physical attack surface

This comprises all endpoint devices that an attacker could “physically” access, such as:

Desktop computers
Hard drives
Laptops
Mobile phones/devices
Thumb drives

There’s also a case for saying that your employees are a major part of the organization’s physical attack surface, as they can be manipulated via social engineering (phishing and its variants) in the course of a cyberattack. They’re also responsible for shadow IT, the unauthorized use of applications and devices by employees to circumvent corporate security controls. By using these unapproved—and often inadequately secured—tools for work, they could be exposing the organization to additional threats.

Is the attack surface getting bigger?

Organizations have been building out their IT and digital resources for many years. But the advent of the pandemic saw investment on a massive scale, to support remote working and maintain business operations at a time of extreme market uncertainty. It expanded the attack surface in several obvious ways:

Remote working endpoints (eg laptops, desktops)
Cloud apps and infrastructure
IoT devices and 5G
Use of third-party code and DevOps
Remote working infrastructure (VPNs, RDP etc)

There’s no going back. According to experts, many businesses have now been pushed over a digital tipping point that will change their operations forever. That’s potentially bad news for the attack surface, as it could invite:

Phishing attacks exploiting a lack of security awareness in employees
Malware and vulnerability exploits targeted at servers, apps and other systems
Stolen or brute-forced passwords used for unauthorized log-ins
Exploitation of misconfigurations (eg in cloud accounts)
Stolen web certificates

…and much more. In fact, there are hundreds of attack vectors in play for threat actors, some of which are hugely popular. ESET found 71 billion compromise attempts via misconfigured RDP between January 2020 and June 2021.

How to mitigate attack surface risks

The attack surface matters fundamentally to best practice cybersecurity because understanding its size and taking steps to reduce or manage it is the first step towards proactive protection. Here are some tips:

First, understand the size of the attack surface with asset and inventory audits, pen testing, vulnerability scanning and more.

Then reduce the size of the attack surface and the associated cyber-risk where you can via:

Risk-based patching and configuration management
Consolidating endpoints, ditching legacy hardware
Upgrading software and operating systems
Segmenting networks
Following DevSecOps best practices
Ongoing vulnerability management
Supply chain risk mitigation
Data security measures (e.g. strong encryption)
Strong identity and access management
Zero trust approaches
Continuous logging and monitoring of systems
User awareness training programs

The corporate IT environment is in a constant state of flux—thanks to the widespread use of VMs, containers and microservices, and the continuous arrival and departure of employees and of new hardware and software. That means any attempt to manage and understand the attack surface must be undertaken with agile, intelligent tools that work from real-time data. As always, “visibility and control” should be your watchwords on this journey.

Beware of these 5 common scams you can encounter on Instagram

From cybercriminal evergreens like phishing to the verification badge scam, we look at the most common tactics fraudsters use to trick their victims.

Instagram is one of the most popular social media platforms. Indeed, with over one billion monthly active users it is among the top four most popular social media networks in the world. That figure, representing potential targets, is bound to attract cybercriminals like bees to honey.

In this article, we give an overview of the most common scams that you will probably encounter while you’re perusing your feed and connecting with other users through direct messages.


If we were to use a relatively small hyperbole to describe phishing scams, we could say that they are as old as the internet itself, and it’s a type of scam cybercriminals like to return to and reuse time and time again. Simply put, the ultimate goal is to dupe you out of your personal information and access credentials, and then proceed to use them in various illicit activities – identity fraud, or selling them on marketplaces found in the internet’s seedy underbelly.

Figure 1. Legitimate (L) versus fake (R) Instagram login page

Common strategies include evoking a sense of urgency by sending out fraudulent emails claiming that someone unauthorized may have logged into your account. The email usually includes a fake password reset link that, once clicked, will navigate you to a faux Instagram login page which will harvest your credentials and allow the scammers access to your account. Alternatively, the fraudsters may imply that you are in trouble due to copyright infringement and that you must set the record straight by clicking on a link and filling out a form. However, if you do that, you’ll be redirected to another faux login page. And they don’t tend to stick to emails: sometimes fraudsters will try to impersonate Instagram support and contact you through direct messages as well.

🔐 Keep your account safe 🔐

You may get emails that LOOK like they’re from Instagram, but they’re not 👀 Avoid hacks and phishing by:

✔️ Checking your settings to confirm we contacted you. Nothing there? Then it’s not from us.

✔️ Turning on 2-factor authentication. pic.twitter.com/V0B40gVhmj

— Instagram (@instagram) March 29, 2021

To avoid falling victim to these scams, watch out for telltale signs such as poor grammar, or the use of generic greetings instead of personalized ones. Another thing to look out for is the sender’s email address: if it isn’t an official Instagram address, the message is most probably a scam.

Attack of the clones 

While browsing Instagram in search of a celebrity or sports team account you’d like to follow, chances are that you’ve stumbled upon several doppelganger accounts. However, these clone attacks aren’t really limited to popular actors, singers, or athletes. Cybercriminals can just as easily clone the accounts of regular Instagram users. They’ll then go on to impersonate the people whose accounts they cloned and try to reach out to their friends and followers.

From that point, the ruse is quite simple: the attackers will claim that the legitimate account they have cloned has been hacked and that this is the new one, and that “hackers” have cleaned out the account owner’s bank accounts, or that the account owner is in some other kind of monetary jam. With a bit of proper social engineering and luck, the main victims are scammed out of their hard-earned money in the belief that they are helping out a beloved friend or relative.

And if you think that this scam is hardly plausible and people couldn’t possibly fall for it, you’d be, unfortunately, wrong. ESET Security Specialist Jake Moore carried out a successful experiment in which he proved the viability of the scam by cloning his own account. The quickest way to check whether you’re being contacted by a cloned account is to reach out to your friend through an alternative method, like a phone call. To keep your own accounts safe, you should lock them down and keep them private, as well as be picky about who you allow to follow you.

The verification badge scam

Speaking of cloned accounts, another thing you need to watch out for is account verification scams, or verification badge scams if we want to be exact. In short, if you see a blue checkmark next to an account’s name, be it a celebrity, influencer, or brand, it means it’s the real deal. “At its core, verification is a way for people to know that the notable accounts they are following or searching for are exactly who they say they are. It’s a way for people to know which accounts are authentic and notable,” reads Instagram’s description of its verification badges.

@instagram our business page gets many scam imposter accts a week pretending to be us & asks our customers for money. We have tried 4 times to get verified without success. We tried again & got this. I assume this isn’t real but at this point I’m almost desperate enough. Fake? pic.twitter.com/8LuamvPnHI

— Sharpie (@itsmesharpie) March 24, 2021

Being verified basically also means you have a large audience that follows you and that you are influential to a certain extent within your community. This also opens doors to various opportunities, like monetizing your content through sponsorship deals with brands that might ask you to showcase their products. And the desirability of that coveted badge is exactly what the fraudsters are betting on. The scam is relatively straightforward: the scammer will contact you, probably through a direct message, offering to get you verified for a fee. However, if you pay up, the only thing that will be verified is the fact that you became the victim of a scam.

How to Get Verified on Instagram ✅

No, I can’t get you verified… but here are some tips and things we look for when you apply.

Our new blog post has even more info.

Week in security with Tony Anscombe

Cyberespionage against Kurdish ethnic group, and more! – Week in security with Tony Anscombe

In this edition of Week in security, Tony looks at these topics:

ESET researchers have investigated BladeHawk, a targeted mobile espionage campaign against the Kurdish ethnic group that has been active since at least March 2020.
ProtonMail updated its website and privacy policy, and will now have to log its user’s IP address after an order from Swiss authorities.
Howard University suffered a ransomware attack and had to suspend online classes in the aftermath.

All this – and more – on WeLiveSecurity.com. Connect with us on Facebook, Twitter, LinkedIn and Instagram.

Victims duped out of US$1.8 million by BEC and Romance scam ring

Elderly men and women were the main targets of the romance scams operated by the fraudsters.

A United States Army Reservist has been sentenced to 46 months and ordered to pay approximately US$1.8 million in restitution after he was found to have been involved in a scheme to commit romance and business email compromise (BEC) scams against scores of victims across the United States, according to the United States’ Department of Justice (DoJ). The illicit profits from the scams were laundered to co-conspirators in Nigeria.

“Among the many victims of the internet scams facilitated by Joseph Asan Jr. were elderly women and men who were callously fooled into believing they were engaging online with potential romantic interests. This former serviceman and his co-defendant even laundered money stolen from a U.S. Marine Corps veteran’s organization in one of the conspiracy’s email spoofing schemes,” said Manhattan U.S. Attorney Audrey Strauss.

From approximately February 2018 up until October 2019, Joseph Iorhemba Asan Jr. and his co-defendant Charles Ifeanyi Ogozy took part in a fraud scheme that mainly targeted elderly victims using romance scams. The members of the scam ring assumed fake identities and duped unwitting elderly women and men into believing that they were in a relationship with them, and then proceeded to convince the victims to wire them money using various deceitful claims.

Beyond the romance scams, the members of the ring also engaged in business email compromise scams. Using spoofed email addresses, or by gaining unauthorized access to legitimate ones, the scammers masqueraded as employees of companies, or as third parties that had working relationships with those companies, so they could persuade victims to transfer money to them under false pretenses.

To launder their ill-gotten gains the fraudsters opened up at least ten bank accounts in the names of bogus companies at eight banks. These were used to receive and transfer some US$1.8 million in funds defrauded from at least 69 identified victims to co-conspirators overseas.

Asan was also sentenced to three years of supervised release and ordered to forfeit US$184,723 and pay the victims US$1,792,015 in restitution.

A costly and persistent problem

Both BEC and romance scams remain a perennial problem. Based on the FBI’s 2020 Internet Crime Report, BEC scams remain the costliest type of scam, with losses from them reaching a total of almost US$2 billion last year.

Meanwhile, losses from romance scams were also at a record-high in 2020, according to a report published by the United States’ Federal Trade Commission (FTC). “In 2020, reported losses to romance scams reached a record $304 million, up about 50% from 2019. For an individual, that meant a median dollar loss of $2,500. From 2016 to 2020, reported total dollar losses increased more than fourfold, and the number of reports nearly tripled,” said the FTC.

Howard University suffers cyberattack, suspends online classes in aftermath

The university suffered a ransomware attack; however, there is no evidence so far of data being accessed or stolen.

Howard University, a private research university based in Washington, D.C., admitted that it suffered a cyberattack on Friday. The university alerted both the Federal Bureau of Investigation and the D.C. city government about the incident and added additional safety precautions to protect both staff’s and students’ data.

“On September 3, 2021, the Howard University information technology team detected unusual activity on the University’s network. In accordance with our cyber response protocol, and to mitigate potential criminal activity, Enterprise Technology Services (ETS) intentionally shut down the University’s network to investigate the situation,” said the University in a press release detailing the incident.

Although the investigation is still ongoing, Howard disclosed that it has suffered a ransomware attack. While the university, in cooperation with ETS partners, is working on resolving the incident and restoring operations, it warned that restoring operations after such an incident is no easy feat and might take a while.

The university is working with external forensic experts and law enforcement to investigate the cyberattack and its full impact. For the time being it appears that there is no evidence of any personal information being accessed or siphoned from its systems. On the other hand, the investigation hasn’t been wrapped up yet and Howard is still trying to glean what led to the situation and what kind of data may have been accessed.

In the aftermath of the incident, Howard University set up a backup Wi-Fi system on its premises and suspended its online and hybrid undergraduate courses, while also extending deadlines for adding and dropping courses. While in-person courses would resume as scheduled, the parts that necessitate internet access may not be available.

“Also, you will receive additional communications from ETS over the course of the next few days, especially surrounding phishing attempts and how to protect your data online beyond the Howard University community,” the university went on to add.

Indeed, students and staff would do well to protect themselves against possible phishing attacks. A good rule of thumb is to always scrutinize any unsolicited emails, especially if they contain suspicious links. Using two-factor authentication where possible to secure accounts is always a good idea, and you can never go wrong by using a password manager to bolster your password security.

ProtonMail forced to log user’s IP address after an order from Swiss authorities

Following the incident, the company has updated its website and privacy policy to clarify its legal obligations to its userbase.

ProtonMail, a Swiss-based secure email provider, has been at the center of some controversy after it was forced to share the IP address of one of its clients, a climate activist, with law enforcement agencies due to a legally binding request by the Swiss authorities.

According to TechCrunch, which broke the story, French law enforcement authorities were able to acquire the IP address of a French activist who was using ProtonMail’s services by sending a request to the Swiss police through Europol.

“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request. As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” said Proton CEO Andy Yen in a blog post explaining the details of the incident.

The revelation was met with criticism from the company’s user base, with one user with the handle Etienne – Tek questioning what ProtonMail meant by its claim that it doesn’t keep any IP logs that could be associated with anonymous email accounts.

Now, of course Protonmail has to comply with Swiss law, but is that what you mean by “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”

— Etienne – Tek (@tenacioustek) September 5, 2021

It seems that the company has since removed the claim from its website and amended its privacy policy. Yen had said as much in his blog post, noting that the email provider would update its website to shed more light on its legal obligations when it comes to criminal prosecution cases, and update its privacy policy to clarify its obligations under Swiss law.

However, he did highlight that ProtonMail’s encryption cannot be bypassed, that the company doesn’t give data to foreign governments, and that it only complies with “legally binding orders from Swiss authorities”. The email provider also maintains that it doesn’t know the identity of its users due to its strict privacy measures.

Yen acknowledged that the development is concerning; however, he emphasized that the company does fight for its users: “Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone. Whenever possible, we will fight requests, but it is not always possible.”