Ransomware Attack on the San Francisco 49ers

Image credit: https://www.gettyimages.ca/photos/ezra-shaw-49ers

After falling short in the NFL Conference Championship, the San Francisco 49ers football franchise was recently hit with another blow, this time off the field. On February 13, 2022, the organization was reportedly the victim of a ransomware attack by BlackByte [1].

What is ransomware?

Ransomware is a type of malware that attacks the files on a computer system by encrypting them. The attacker then typically demands a ransom in exchange for decrypting the files [2].

Who is BlackByte?

BlackByte is a Russian ransomware gang that has been targeting corporate organizations since July 2021. It operates as ransomware-as-a-service (RaaS), meaning it rents its ransomware out to affiliates in exchange for a percentage of the ransom [3]. The RaaS model makes tracking the attackers difficult, because affiliates can deploy the malware from anywhere. Although their first ransomware version was not very sophisticated, their second version appears to be much stronger and has been used to target “at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture)” according to the FBI on February 11 [1].

Image credit: https://www.hackread.com/blackbyte-ransomware-san-francisco-49ers/

The ransomware gang appears to have exploited Microsoft Exchange Server, a mail server, to gain initial access to the team’s network. They then moved “laterally across the network and escalate[d] privileges before exfiltrating and encrypting files” according to the FBI alert [1]. Privilege escalation is an attack that raises the attacker’s level of access in order to gain greater control over the system [4]. The breach was confined to the team’s corporate IT network and does not appear to have affected stadium operations or season ticket holders. However, the gang did gain access to some of the team’s financial data, including a file named “2020 Invoices” that was leaked on their dark web site. It is unclear how much of the data was encrypted and whether an incident response company has been hired to assist with the investigation [5].

What are authorities doing about this?

Although the FBI has issued an alert about BlackByte, there is not much that can be done at the moment because of the anonymity the RaaS model gives its operators. The trend towards more RaaS groups creates further challenges for organizations around the world, but certain measures can drastically reduce the likelihood of a successful ransomware attack.

According to the FBI and US Secret Service [6], some of these measures include:

  • Implementing network segmentation so that malware cannot spread to every computer on the network.
  • Installing antivirus software and keeping it up to date.
  • Disabling hyperlinks in incoming emails.
  • Regularly backing up data to offline, password-protected storage.
  • Ensuring that the offline copies cannot be modified from the original machine.

For the attackers, the monetary gain currently outweighs the risk of facing severe consequences for their actions. This should not be the case. With ransomware on the rise in 2021, the US Department of Justice has made progress by forming the Ransomware and Digital Extortion Task Force [7], but clearly these efforts have not been enough to deter ransomware gangs.

References

[1]: https://www.hackread.com/blackbyte-ransomware-san-francisco-49ers/

[2]: https://www.mcafee.com/enterprise/en-ca/security-awareness/ransomware.html

[3]: https://techcrunch.com/2022/02/14/blackbyte-critical-infrastructure-ransomware/#:~:text=BlackByte%20is%20a%20ransomware%2Das,to%20target%20corporate%20victims%20worldwide.

[4]: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained

[5]: https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/49ers-ransomware-attack-details-and-recovery-update/

[6]: https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/

[7]: https://techcrunch.com/2021/12/30/the-year-the-tide-turned-on-ransomware/

Internal Revenue Service Bans ID.me Facial Recognition Support for Government Agencies: Is Facial Recognition an Advance?

Recently, the IRS issued an update on its partnership with ID.me. ID.me, which has been providing third-party authentication services to dozens of government agencies, received a request from the Internal Revenue Service to stop all facial recognition support for those agencies. The move is aimed at protecting users’ privacy.

A facial recognition system analyses a face, builds a data representation of its features, and compares that representation against stored data in order to carry out identity verification, identification, and other purposes.

The main application areas include:

Face detection.

Image credit: https://mytechdecisions.com/video/face-detection-vs-face-recognition/

Face detection determines whether an image contains a face. This type of detection generally does not raise privacy concerns because it does not collect or store information that identifies the face. Its main purpose is to find faces in videos or pictures so that recognizable faces can be masked by later processing. Face tracking, often built into cameras and action cameras, detects faces and keeps them centred on the screen at all times. The same technology is used to create the playful filters on social networks. Because this technology carries little risk, it is widely used in everyday life.

Facial recognition.

Image credit: https://rapidapi.com/blog/top-facial-recognition-apis/

Facial recognition identifies a person’s face and converts its features into a compact representation that can be compared with the contents of a database to confirm the person’s identity and retrieve additional information. This requires facial information to be stored in a database in advance, indexed and enriched with other content.

As a relatively new biometric technology, facial recognition has many advantages. It does not require people to touch the device, which is particularly valuable during the COVID-19 pandemic: it reduces the frequency of direct contact in the workplace and in everyday life, lowering the risk of transmitting the virus. Similarly, when facial recognition is used as a device’s login credential, the interaction is natural enough that people accept it readily. Apple’s Face ID, for example, only requires the user to face the camera to unlock the device, with no additional step. Fingerprint recognition requires the extra action of placing a finger on the reader.

Despite its ease of use, the adoption of facial recognition technology has been slow because of privacy issues. ID.me uses facial recognition as the login credential for many government tax systems, which means it stores many users’ all-important “keys.” A third-party system cannot guarantee the security of how that information is used and stored, so the facial data is at risk of disclosure and abuse. A leaked face poses a bigger security risk than a leaked fingerprint: fingerprints can only be matched against databases, whereas our faces are exposed to other people every day of our lives. “Face Swap,” an app that has become popular in recent years, has made it almost impossible for the human eye to tell whether a video has been face-swapped. This creates many legal problems, not only violations of privacy but also of the right to one’s own likeness and the reliability of video as legal evidence.

So while facial recognition is a promising technology, a lot of social and legal work is still needed to keep up with the science. As it stands, removing facial recognition from government services is only the first step, and the technology should not be used for any unnecessary database comparisons until the security and privacy concerns have been addressed. Facial recognition for public safety is available, but it still needs to strike an acceptable balance between maintaining necessary public security and unlawful surveillance of private individuals.

References

https://www.eff.org/deeplinks/2022/02/victory-irs-wont-require-facial-recognition-idme

https://www.eff.org/deeplinks/2021/10/face-recognition-technology-commonly-used-terms

https://www.expressvpn.com/blog/top-6-deepfake-apps-are-they-safe/

Face Detection vs. Face Recognition: What Decision Makers Need to Know

https://rapidapi.com/blog/top-facial-recognition-apis/

Google Analytics Declared Illegal in France

What Happened?

On Thursday, February 10th, France’s Commission nationale de l’informatique et des libertés (CNIL) declared that using Google Analytics violates the European Union’s General Data Protection Regulation (GDPR). This came about after the non-profit privacy advocacy organisation None Of Your Business (NOYB) (yes, that is what they are called) raised privacy concerns about the service with CNIL. CNIL then confronted certain websites using Google Analytics and ordered them to stop.

What is Google Analytics?

Google Analytics Dashboard

Google Analytics is a tool that website owners use to track and report on website traffic. In this case, data about website traffic is transferred from France to the USA via transatlantic communication cables. The data is then processed on American servers before the results are sent back to French website owners. This data collection is legal without consent in France, so long as the analysis is done anonymously.

What’s the issue?

The issue (according to CNIL) is that Google has not taken appropriate security measures to ensure that American intelligence services (for example the CIA and FBI) cannot access the personal data of French citizens during these transfers. Either CNIL cannot trust American intelligence services to simply mind their own business, or American intelligence services were never interested in minding their own business in the first place.

What does this mean?

Transatlantic Communication Cables

Heavy restrictions on how personal data may be transferred from the EU to the USA make it harder for companies such as Google or Meta to provide their services in the EU, since they rely heavily on analyzing user data.

As evidence, Meta stated in its most recent annual report that

“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”

[1] Meta Annual Report

So far Google has not made any comment on the recent CNIL decision, but has claimed in the past that organizations using Google Analytics have control over the data they collect.

What’s next?

CNIL gave the website owner in question one month to stop using Google Analytics. After that, they may still use a different traffic monitoring tool, so long as it does not involve transferring personal data outside the EU. In the future, Google may be forced to strengthen its safeguards if it wants to keep the business of European users, since France is not the only country to have reached this decision. About a month ago, Austria made a similar ruling about Google Analytics. Given the current climate of internet privacy in Europe compared to North America, it would not be surprising if more European countries followed suit. It will be interesting to see the result of this shift towards privacy, as nations continue to try to strike a balance between the privacy of their citizens and the wishes of big tech companies.


Maze ransomware team announces retirement

https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

What is the Maze ransomware team?

Among ransomware, Maze can be considered a trendsetter. Most ransomware found on the Internet today encrypts files on the victim’s computer after infection and then demands that the victim pay money to a designated account within a certain period, or the files will be deleted or left unrecoverable. The Maze team was the first ransomware group to threaten to publish sensitive information about its victims on its website if they did not pay the ransom. Maze operated from May 2019 until November 1, 2020, when the group announced its official retirement.

The cyber crime operation published large amounts of documents filched from Xerox, LG, Southwire, Canon and the city government of Pensacola among other targets that refused to pay up. Maze would often publish tens of gigabytes of these files on its dark web “leak site” Maze News in retaliation for a failure to pay the ransom by a specified deadline. Sensitive information that it published included employee information files, proprietary information about products and internal source code.[1]

Retirement?

Returning to the retirement, the Maze team officially announced its closure on its website on November 1.
At the time many websites covered it, and most of them raised several issues.
Firstly, the Maze team’s retirement was fraught with problems, and most observers felt that the group did not really acknowledge the wrongness of its actions; the members themselves seem to believe their actions were justified. Here are the responses from the Maze team.

https://cisomag.eccouncil.org/maze-ransomware-retires/

For this reason, most news writers believe that the retirement of the Maze ransomware team is probably just a ruse, and that they have simply abandoned Maze in favor of the new Egregor ransomware, which shares a lot of similar code.
Secondly, the Maze team announced that it had stopped its activities and deleted the sensitive private files it had posted on the internet. For users whose files were encrypted, however, it did not release the decryption key to the public, whereas most other ransomware groups release their keys after a complete shutdown.

End?

On February 10, 2022, it was reported that someone had posted on the BleepingComputer forums claiming to be the creators of the Maze, Egregor and Sekhmet ransomware. The poster also published decryption keys for all three ransomware families and claimed that everyone involved was out of the ransomware game for good.

Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.[2]
also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config.[2]
In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version.[2]

The Maze ransomware team is not the first ransomware group to announce its retirement, nor will it be the last. In just 18 months, this team caused financial losses to far too many people. Yet in their eyes it all seems like a game. Who can guarantee that they won’t come back? But I believe that in the future, as people’s awareness of cyber security increases and the law improves, ransomware will slowly decrease!

References

[1] https://www.cpomagazine.com/cyber-security/maze-ransomware-group-infamous-for-adding-doxxing-threats-to-attacks-announces-it-is-shutting-down-its-cyber-crime-operation/
[2] https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/
[3] https://cisomag.eccouncil.org/maze-ransomware-retires/
[4] https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

The Internet’s Latest Mimic

Recently, installers claiming to offer users an upgrade to Windows 11 have been appearing on websites that mimic the official Microsoft site, but hidden behind their download buttons is a zip archive of malicious files carrying a malware called RedLine.

Fake Windows 11 website hosted on windows-upgraded.com. (Source: HP)

These websites appeared after Microsoft’s recent announcement that it was accelerating the broad deployment phase of Windows 11 because of high demand and an upgrade rate twice that seen for Windows 10. This suggests that the attackers were anticipating such an announcement from Microsoft and had been lying in wait for a spike in demand for the new version of the OS.

What is RedLine?

RedLine, more formally known as RedLine Stealer, is a password stealer that runs in the background and harvests data such as passwords, credit card details and other saved credentials from your browsers’ autocomplete fields. It is widely available on underground forums and is even sold on a monthly subscription that includes updates. Since its initial development it has also gained the ability to steal cryptocurrency from the devices it infects.

RedLine is not exactly new, and had been around since long before these fake Windows installers. The earliest mentions of RedLine date to early 2020, in a fake email campaign themed around the Folding@Home application, which lets users volunteer processing power for medical research.

According to the Have I Been Pwned data breach monitoring service, as of the end of 2021, 441 thousand accounts had been stolen by RedLine through various phishing campaigns, YouTube scams and fake websites.

Monitoring of dark web data market sites such as ‘2easy’ has shown that around half of the sellers use RedLine as their information-stealing malware of choice, or as part of a set.

Purchased RedLine log archive contents. (Source: Bleeping Computer)

How can I tell if I’m using a legitimate website?

Given the history of RedLine, as well as the recent appearance of the fake Windows 11 installers, it is likely that more fake sites containing RedLine or other malware like it are on their way.

Some good methods for protecting yourself from fake sites are as follows:

  • Keep an eye out for out-of-place advertisements. If a website is prioritizing advertising revenue over revenue from its software, it probably isn’t actually selling the software in question.
  • Trust your browser’s instincts. If your browser gives you a warning before you proceed to the site, or tries to stop you from accessing it entirely, it is probably a good idea to listen to it unless you are absolutely sure of the identity of the site you are trying to access.
  • Do NOT disable your firewall. If the site you are downloading from asks you to disable your firewall to complete the download of the software, stop the download and exit the site. Your firewall is one of your best lines of defence against malware and by disabling it you leave your computer vulnerable.
  • Be wary of big discounts. If a website is offering software at a huge discount, or even for free, there is probably something going on behind the scenes. If you really want to take up the offer, try to verify separately that the company in question has actually put the software on sale.

References:

https://www.zdnet.com/article/this-password-stealing-malware-posed-as-a-windows-11-download/

https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/

https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-441k-accounts-stolen-by-redline-malware/

https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/

https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2

https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign

https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/

https://www.hotbot.com/blog/how-to-tell-if-youre-using-a-safe-download-source/

How Instagram has failed to protect users from identity-theft

Stealing another person’s identity – harassment

When it comes to the internet and social media, it is really easy to take someone’s identity and use it as your own, and the victim might not even find out that it has happened. This is very common on platforms such as Instagram, where several accounts may impersonate the same person (an influencer, for example). Even today, however, Instagram has yet to find a way to combat all these impersonations effectively and to make sure they do not happen in the future.

How a Welsh novelist (Joe Dunthorne) became a victim of identity theft

Joe Dunthorne is a novelist who was personally an active user of Twitter and had no presence on Instagram. One day it came to his attention that a fake Instagram account had been set up under his name and had gained a lot of followers. Joe then created an Instagram account himself and contacted the fake account, but simply ended up being blocked. Joe tried to reach out to the company as well, but to no avail.

How the fraud account operated

The fake account took posts that Joe had published on his Twitter account and reused them as Instagram content. The fraudster knew that, since the original creator had no presence on Instagram, followers would believe the account was authentic. Joe later made a fake account of his own and contacted the imposter account, posing as a fan. Through those conversations he came to understand that anyone’s image can be tampered with through fraudulent accounts like this. He found it really frightening to see the impersonator give out his own personal phone number to a fan he had just started talking to, and ask questions like “Are you single?”. Later, Joe also noticed that the fraudster was using his persona to get his followers to buy cryptocurrency from his friend (most probably another fake account impersonating someone else).

How Instagram deals with such situations

It is one of the biggest priorities for companies like Instagram to protect the image of their users and prevent them from becoming victims of impersonation. There is a reporting system that allows any user to submit a request so that an issue is looked into. However, since there are many millions of users, it is unlikely that every such report can be acted upon. This is why it helps if multiple users report the same issue, since this increases the chance that the company becomes aware of the situation and deals with it.

My personal views on the matter

For influencers, it is better to be present on most platforms in the online space. People with a lot of followers can then secure their fan base from the start, which prevents anyone else from creating a fraudulent account that ends up with more followers than the actual influencer. If someone makes a fake account when the influencer already has an account on the platform, the original creator can warn their followers and ask them to report the fake account. This gives a greater chance of taking down the fake profile and prevents followers from receiving wrong information about the creator or possibly being scammed.

For ordinary day-to-day users, I believe cyber threats like these are harder to deal with, since the victim may not have many followers who can help report the fake account. The most such users can do is warn their family and friends about the account. Furthermore, Instagram has added a feature that lets users make their account private if they want to. This lets users choose who may view their posts (only approved followers can see them; non-followers cannot).

References:

https://www.bbc.com/news/uk-wales-60325386

https://www.cnbc.com/2021/12/14/instagram-accounts-created-with-stolen-pics-push-bogus-crypto-schemes.html

https://www.redpoints.com/blog/how-to-report-an-impersonation-account-on-instagram/

Google Analytics, Privacy Protections, and What We Expect

A recent decision in France ruled that Google Analytics is in breach of Article 44 of the GDPR because of international data transfers, particularly those to the US. The commission that issued the ruling, the CNIL, expressed concern over what would happen to the data once it entered the United States, saying that French website users were at risk of having their data exploited, and citing concerns about the accessibility of the data to US intelligence services. This comes after a 2020 ruling by the EU’s highest court, which likewise cited concerns that non-US persons could be subject to arbitrary surveillance from the US.

This ruling, which could have broad ramifications for the EU presence of internet behemoths (at least according to tech CEO Zuckerberg, seen here throwing a tantrum), also draws attention to the differing expectations of privacy in the EU and the US. 

In the aftermath of the Snowden NSA revelations, it became a constant internet joke that nothing you do online is private, at least for those in the United States. One popular meme in recent years arising from this has been the “FBI agent meme”. 

While they are jokes, these memes highlight the very real phenomenon that many young people no longer have an expectation of privacy, at least from government surveillance. This is exacerbated by the fact that information about government surveillance continues to be released, often to little surprise from the general public:

While most Americans hold strong views about the importance of privacy in their lives, few have confidence that their data will remain private and secure, with only 6% of adults saying they were “very confident” that their government agencies can keep their records private and secure. When asked about the data government collects as part of anti-terrorism efforts, 65% of Americans said there were not adequate limits. And this information was from 2014, surveying adults. 

Surprisingly, however, younger Americans have begun to place less value on privacy, at least according to some preliminary studies. Only 42% of Gen Z respondents said that data privacy is very important to them, compared with 54% of millennials. It is unclear whether this is because this generation, as the first true digital natives, grew up with less expectation of privacy from both the government and companies.

So why is this important? In many jurisdictions, including Canada, the guarantee of freedom from search and seizure extends only to what a person holds as a “reasonable expectation of privacy”. If a descriptive approach applies here, where the “reasonable expectation” is based on the privacy people believe they actually have, then this changing expectation of privacy could be used to justify extensive government overreach; after all, we already expect the government to be watching us. This is why ensuring that courts take a normative approach, looking at values and what “ought” to be the case, is likely the right approach given the deterioration in expectations of privacy.

Sugar Ransomware on the Rise

Ransomware is a type of malware that holds an individual’s computer system hostage in exchange for something, usually money. It does this by encrypting parts of the system, such as files and applications, to deny access until the ransom is paid.

So What is The Sugar Ransomware?

Sugar ransom note(Source: BleepingComputer)

The Sugar ransomware, discovered by the Walmart Security Team in November 2021, has been on the rise, targeting individuals instead of big corporations. It is also called Encoded01 because the encrypted files are given a .encoded01 extension. Like most ransomware, Sugar uses a public key and private key setup, and according to BleepingComputer it uses the “SCOP encryption algorithm”. The files are transformed into encrypted data that can only be recovered by whoever holds the private key. Even though public and private key cryptography was intended to provide better security, it can be abused by cybercriminals as a tool for ransomware.

According to BleepingComputer, the ransom amount is based on the number of encrypted files and is usually affordable. Even though the ransom is described as “affordable”, the individual may still have to pay hundreds of dollars to unlock their files, which is a massive price for some people. It was also noted that the victims did not know where they had picked up the Sugar ransomware, meaning everyone is a potential target. This makes Sugar extremely dangerous for anyone who is not protecting their computer system against ransomware.

How The Sugar Ransomware Works

Once the Sugar ransomware is executed, it connects to whatismyipaddress.com and ip2location.com. This step alone is alarming, because the attacker now has knowledge of the victim’s general location, most likely their home.

It then downloads a 76MB file of unknown origin and, as of now, unknown function. The fact that its function is still unknown should put users on alert.

Finally, the Sugar ransomware connects to a command and control server, also known as a C2 server, which lets the attacker send data to and receive data from the victim’s machine. This enables the attacker to encrypt the individual’s files and prevent access to them.

After the files are encrypted, the victim is presented with a text file containing instructions on how to retrieve their now-encrypted files. Victims are then directed to a Tor website to make their payment, as shown below:

Tor website(Source: BleepingComputer)

Like most ransomware, if the demand is not paid, then all the encrypted files will be lost. In this situation most people would likely pay the fee to restore their files; however, there is still no certainty that the attacker will fulfil their end of the deal.
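Two defender-side checks derived from the infection chain described above, as an added example that is not part of the original post or of BleepingComputer’s reporting: flag clients whose proxy logs show lookups to both IP-geolocation sites followed shortly by a large download, and count files carrying the .encoded01 extension. The log line format, the ten-minute window, the 50 MB size threshold, the five-file alert threshold and all sample data are assumptions of this example.

```python
"""Added defender-side checks for the Sugar (Encoded01) ransomware chain.

Check 1 (network): in proxy logs, a client that looks up its own public IP
via whatismyipaddress.com and ip2location.com and then pulls a large
download shortly afterwards matches the pre-encryption sequence reported
in the write-up, so it is flagged for investigation.
Check 2 (filesystem): a burst of files carrying the ".encoded01" extension
indicates that encryption has already run.

The log format, the time window, the size threshold and the sample data
are constructed for this example, not taken from the ransomware itself.
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

GEOLOCATION_SITES = {"whatismyipaddress.com", "ip2location.com"}
ENCRYPTED_EXT = ".encoded01"
LARGE_DOWNLOAD_BYTES = 50 * 1024 * 1024  # the write-up mentions a 76MB download
WINDOW = timedelta(minutes=10)            # assumed gap between lookups and download

# Constructed proxy log: "<ISO timestamp> <client-ip> <destination-host> <bytes-received>".
# 10.0.0.5 follows the reported sequence; 10.0.0.9 only does one ordinary lookup.
# 203.0.113.77 is a documentation address standing in for the unknown download host.
SAMPLE_PROXY_LOG = """\
2022-02-10T09:00:01 10.0.0.5 whatismyipaddress.com 4120
2022-02-10T09:00:03 10.0.0.5 ip2location.com 2890
2022-02-10T09:01:10 10.0.0.5 203.0.113.77 79691776
2022-02-10T09:02:00 10.0.0.9 example.org 1532
2022-02-10T09:05:00 10.0.0.9 whatismyipaddress.com 4120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn log text into (timestamp, client, host, bytes) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, size = m.groups()
        events.append((datetime.fromisoformat(ts), client, host.lower(), int(size)))
    return events


def suspicious_hosts(events):
    """Return {client: (first_lookup, download_time, download_host)} for clients that
    contacted both geolocation services and then received a large download within WINDOW."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort()    # chronological order per client
        lookups = {}  # geolocation site -> time of its most recent lookup
        for ts, _, host, size in evs:
            if host in GEOLOCATION_SITES:
                lookups[host] = ts
            elif size >= LARGE_DOWNLOAD_BYTES and GEOLOCATION_SITES.issubset(lookups):
                first = min(lookups.values())
                if ts - first <= WINDOW:
                    flagged[client] = (first, ts, host)
    return flagged


def encrypted_file_count(root):
    """Count files under root whose name ends with the Sugar extension."""
    return sum(
        1
        for _, _, names in os.walk(root)
        for name in names
        if name.lower().endswith(ENCRYPTED_EXT)
    )


def encryption_detected(root, threshold=5):
    """True once at least `threshold` encrypted files are present (threshold is assumed)."""
    return encrypted_file_count(root) >= threshold


def build_sample_tree():
    """Create a throwaway directory with constructed normal and '.encoded01' files."""
    base = Path(tempfile.mkdtemp(prefix="sugar_demo_"))
    for i in range(3):
        (base / f"report{i}.docx").write_bytes(b"plain document")
    for i in range(6):
        (base / f"photo{i}.jpg{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    return base


if __name__ == "__main__":
    for client, (first, ts, host) in suspicious_hosts(parse_log(SAMPLE_PROXY_LOG)).items():
        print(f"[ALERT] {client}: geolocation lookups from {first}, large download from {host} at {ts}")
    tree = build_sample_tree()
    print(f"{encrypted_file_count(tree)} '{ENCRYPTED_EXT}' files under {tree}: "
          f"encryption {'DETECTED' if encryption_detected(tree) else 'not detected'}")
    shutil.rmtree(tree)
```

Point `encryption_detected` at a user profile or file share to turn the second check into a scheduled scan; the network check only needs the proxy's real log format swapped into `LINE_RE`.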

Ways to Protect Yourself From Ransomware

  • Back up your files to a remote system where the attacker cannot reach them; the backup copies will then not be encrypted.
  • Be cautious when clicking on unfamiliar links on any platform, because that is the most common way cybercriminals infect a system.
  • Before downloading anything, make sure the website address or email attachment can be trusted.

References

https://www.bleepingcomputer.com/news/security/a-look-at-the-new-sugar-ransomware-demanding-low-ransoms/

https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-about-you-sugar-ransomware-targets-individuals/

https://www.mcafee.com/enterprise/en-ca/security-awareness/ransomware.html

Why Attack Surface Management Is On The Rise

The number of companies transitioning to online and remote work over the past few years has led to a massive increase in companies’ online presence. This fast expansion has made it hard for companies to ensure there are no exploitable weaknesses or blind spots in their systems, which has given cyber attackers a much larger area in which to find opportunities to exploit and attack. This has led to many more successful cyber attacks, which is why many companies have implemented Attack Surface Management (ASM) to combat these security threats.

Image from https://www.okta.com/identity-101/what-is-an-attack-surface/

What is Attack Surface Management?

An attack surface is the set of all the ways an attacker can get into a company’s systems and steal or change data or assets. ASM is the process of monitoring, evaluating, and analyzing a company’s online infrastructure and systems from an attacker’s perspective, so that the risks can be mitigated or removed before attackers are able to find and exploit them. There are two types of ASM that companies need to be aware of:

  • External ASM: the management of internet-exposed data and assets, reducing the blind spots that are vulnerable to attack. These are usually found by scanning the systems with the same techniques and tools an attacker would use.
  • Internal ASM: the management of data and assets that only people within the company can access, which are usually not on the internet but on internal servers or within the company itself.

ASM starts with discovery, because it is impossible to manage and fix something people are unaware of. Next, a company should prioritize the vulnerabilities by severity, because there is no reason to spend a lot of time and money on a minimal threat. Then the company should continuously monitor its attack surface while working to resolve the issues.
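The three steps just described (discover, prioritize by severity, monitor continuously) can be illustrated with a small amount of code. The following is an added example, not code from the original post or from any ASM vendor: it takes two constructed snapshots of an organization’s exposures, ranks the current ones by a risk score, and reports what appeared or disappeared between scans, which is the core of the monitoring step. The hosts, findings and severity weights are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Added example: prioritising and monitoring an attack surface inventory.
# Severity weights are an assumption; real programmes often use CVSS plus business context.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    finding: str
    severity: str          # one of SEVERITY_WEIGHT
    internet_facing: bool  # True for external ASM findings, False for internal ones


def risk_score(e: Exposure) -> int:
    """Severity weight, doubled when the asset is reachable from the internet."""
    base = SEVERITY_WEIGHT[e.severity]
    return base * 2 if e.internet_facing else base


def prioritise(exposures) -> list:
    """Highest risk first; ties broken by host and port so reports are stable."""
    return sorted(exposures, key=lambda e: (-risk_score(e), e.host, e.port))


def _key(e: Exposure):
    return (e.host, e.port, e.finding)


def new_exposures(previous, current) -> list:
    """Continuous monitoring: findings present now that were absent in the last scan."""
    seen = {_key(e) for e in previous}
    return [e for e in current if _key(e) not in seen]


def resolved_exposures(previous, current) -> list:
    """Findings from the last scan that no longer show up (fixed or decommissioned)."""
    seen = {_key(e) for e in current}
    return [e for e in previous if _key(e) not in seen]


def report(previous, current) -> str:
    """Human-readable summary of the ranked current exposures and the delta."""
    lines = ["Ranked exposures:"]
    for e in prioritise(current):
        lines.append(f"  [{risk_score(e)}] {e.host}:{e.port} {e.service}: {e.finding} ({e.severity})")
    lines.append("New since last scan: " + ", ".join(f"{e.host}:{e.port}" for e in new_exposures(previous, current)))
    lines.append("Resolved since last scan: " + ", ".join(f"{e.host}:{e.port}" for e in resolved_exposures(previous, current)))
    return "\n".join(lines)


# Constructed snapshots of the same organisation from two scans (example.org is a reserved name).
PREVIOUS = [
    Exposure("www.example.org", 443, "https", "TLS 1.0 enabled", "medium", True),
    Exposure("mail.example.org", 25, "smtp", "banner reveals software version", "low", True),
    Exposure("intranet.example.org", 8080, "http", "default admin credentials", "critical", False),
]
CURRENT = [
    Exposure("www.example.org", 443, "https", "TLS 1.0 enabled", "medium", True),
    Exposure("intranet.example.org", 8080, "http", "default admin credentials", "critical", False),
    Exposure("dev.example.org", 22, "ssh", "password authentication allowed", "high", True),
    Exposure("dev.example.org", 3306, "mysql", "database exposed to the internet", "critical", True),
]

if __name__ == "__main__":
    print(report(PREVIOUS, CURRENT))
```

The delta functions are what turn a one-off scan into continuous monitoring: a newly exposed database on a dev host jumps to the top of the list the day it appears, while the fixed mail banner drops out of the report instead of lingering as noise.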

This image is from https://blog.sweepatic.com/what-is-attack-surface-management/ and is an example of ways cyber attacks may occur

Why Is ASM Important?

Ransomware costs businesses more than $75 billion per year, according to one report, and it is well known that data breaches and hacks are usually caused by an overlooked area of security rather than by sophisticated exploits. This is why many companies should implement ASM and be more vigilant about their cyber security. Companies are expanding rapidly, attack surfaces are constantly changing, and the amount of remote work keeps growing, all of which has made ASM necessary and put it on the rise.

ASM can be used as a tool to find vulnerabilities in email records and systems, website security and infrastructure, and operating systems, as well as things like outdated hardware and software and weak passwords. This information can then be used to fix the vulnerabilities or, at a minimum, to make the company aware of them and monitor the situation, which helps mitigate the risk of attacks, data breaches, leaks, and so on. ASM should be implemented throughout a company to bring awareness to security issues so they can be handled properly, and to deter cyber criminals from attacking the network because there are no easy entry points into the system.

References

https://thehackernews.com/2022/02/how-attack-surface-management-preempts.html

https://www.techtarget.com/searchsecurity/tip/What-is-attack-surface-management-and-why-is-it-necessary

https://www.makeuseof.com/what-is-attack-surface-management/

https://www.upguard.com/blog/attack-surface-management#:~:text=Attack%20surface%20management%20is%20important,Vulnerable%20and%20outdated%20software

Roaming Mantis Expands Android Backdoor to Europe

The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group’s specific remote access trojan (RAT) as of January.

Roaming Mantis has been spreading since 2018, mostly observed in Japan, South Korea and Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany. The attacks are now monitored by French media and German Police.

How does it work?

According to research by security firms such as Kaspersky, Roaming Mantis is mobile malware that this year has been spreading via DNS hijacking. The malware redirects potential victims to a malicious webpage that distributes a trojanized application pretending to be either Facebook or Chrome. Once the user installs it manually, a banking trojan executes.

The campaign typically spreads via “smishing” – i.e., SMS-based phishing, pretending to be Google Chrome or a region-specific entity such as “Yamato Transport” in Japan.

The researchers further explained that the attack works as follows: “If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices.”

What is WROBA?

The WROBA RAT (remote access Trojan) has a feature that checks the region of the infected device in order to display a phishing page in the corresponding language. In the past it checked for Asian regions, but Germany and France have now been added as well, according to Kaspersky.

The figure below shows how the attackers carry out the phishing, how it affects both operating systems (iOS and Android), and how WROBA checks the region and displays the page in the corresponding language.

Source: German police

These phishing attacks are mainly financially motivated, but sometimes the attackers also target the victim’s personal data. In this example, the attackers steal personal data (images, …).

We are coming for your images:

As for the Wroba backdoor itself, the RAT has acquired two new information-stealing commands: “get_photo” and “get_gallery.” This brings the total number of embedded backdoor commands to 21, according to Kaspersky.

The attackers have two aims in mind. One possible scenario is that the criminals steal details from items such as driver’s licenses, health insurance cards or bank cards in order to sign up for contracts with QR code payment services or mobile payment services. The criminals are also able to use stolen photos to get money in other ways, such as blackmail or “sextortion.”

List of backdoor commands in the new Wroba (Source: Kaspersky)

Ways to Protect Yourself from Phishing Attacks

Here is how to avoid becoming a victim of phishing:

  • Always inspect the sender’s email address closely: there are often small changes to the address that you can spot with your own eyes.
  • Emails that pressure you to act urgently are often suspicious; be aware!
  • Avoid clicking on unexpected links: as described above, the Roaming Mantis phishing scam can steal your information or worse.
  • SMS texts that contain URLs should always be treated with caution and suspicion, even if they come from someone you know.
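The advice above about SMS links, together with the earlier description of the campaign (a link that leads iOS users to an Apple look-alike page and hands Android users an APK), can be turned into a small defender-side check. The following is an added example, not code from the original post or from any of the cited researchers: it pulls URLs out of message text and lists simple indicators such as a brand name inside an untrusted domain, a raw IP address as the host, a punycode label, a URL shortener, or a direct APK download. The brand list, trusted-domain list, scoring rules and sample messages are all constructed for the example; a real filter would draw on much richer threat data.

```python
import re
from urllib.parse import urlsplit

# Added example: heuristic triage of URLs found in SMS text (defender's view).
# All lists below are assumptions chosen to fit the constructed sample messages.
TRUSTED_DOMAINS = {"apple.com", "google.com", "facebook.com"}
IMPERSONATED_BRANDS = ("apple", "google", "chrome", "facebook", "yamato")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: good enough for the sample data;
    production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_indicators(url: str) -> list:
    """List human-readable reasons a URL deserves suspicion (empty list = nothing found)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label (possible homoglyph domain)")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    if reg not in TRUSTED_DOMAINS:
        for brand in IMPERSONATED_BRANDS:
            if brand in host:
                reasons.append(f"brand '{brand}' inside an untrusted domain")
                break
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct APK download")
    if parts.scheme.lower() == "http":
        reasons.append("plain http")
    return reasons


def assess_sms(text: str) -> dict:
    """Map each URL in the message to its list of indicators."""
    return {url: url_indicators(url) for url in extract_urls(text)}


def is_suspicious(text: str) -> bool:
    """True when any URL in the message triggers at least one indicator."""
    return any(reasons for reasons in assess_sms(text).values())


# Constructed sample messages (the domains are reserved/example names, not real sites).
SAMPLE_MESSAGES = [
    "Your parcel could not be delivered. Update details: http://apple-id-verify.example/login",
    "Install the latest Chrome update now: http://198.51.100.23/chrome.apk",
    "Meeting moved to 3pm, agenda here https://docs.google.com/document/d/abc",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("SUSPICIOUS" if is_suspicious(msg) else "ok        ", assess_sms(msg))
```

The trusted-domain check is deliberately applied to the registrable domain rather than the full host, so that `docs.google.com` passes while `apple-id-verify.example` is caught by the brand rule; heuristics like these catch the obvious cases and are best used to warn the user, not to silently block.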

Researchers expect Roaming Mantis attacks to expand further in the coming months, since the group appears to be financially motivated. The attackers also use multiple techniques to avoid getting caught (for example, switching the programming language from Java to Kotlin) and many other methods that keep them away from justice.

We all make mistakes. I could almost have been a victim of a phishing scam because I trusted the source, but it turned out to be a scam: they were asking me, in an urgent way, to enter my information (email address, credit card number, phone number…) or else I would lose my account. Thankfully I figured it out. So I’m “urging” everyone reading this post to be careful and always follow the “anti-scam” techniques.

References

I used these sources while building my post:

  • https://threatpost.com/roaming-mantis-android-backdoor-europe/178247/
  • https://thehackernews.com/2022/02/roaming-mantis-android-malware.html
  • https://www.microsoft.com/en-us/securitynow/wp-content/uploads/7_ways_to_protect_yourself_from_phishing.pdf
  • https://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/
  • https://securelist.com/roaming-mantis-reaches-europe/105596/
  • https://securelist.com/roaming-mantis-part-3/88071/
  • https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/
  • https://thecybersecurity.news/vulnerabilities/roaming-mantis-expands-android-backdoor-to-europe-16494/
  • https://www.bleepingcomputer.com/news/security/roaming-mantis-android-malware-campaign-sets-sights-on-europe/
  • https://vpnoverview.com/news/roaming-mantis-sms-phishing-campaign-sets-sights-on-europe/