The results of Fortinet Threat Intelligence Insider Latin America for the second quarter of 2019 reveal a continued increase in malware, exploit and botnet activity in Latin America and the Caribbean. The main activities include unwanted ads, cryptojacking, exploitation of vulnerabilities and malware that steals information from users.
What are the risk areas?
· Unpatched software with critical vulnerabilities exposed to the Internet.
· Devices that are already infected, or that are exposed to more serious infections.
· Users misusing resources, browsing dangerous sites or downloading pirated software.
· Misleading ads promoting malware.
· IoT devices without control or adequate security policies.
Regarding the most frequently detected vulnerabilities, collaboration systems such as Voice over Internet Protocol (VoIP) and video calling, along with other systems that use the Session Initiation Protocol (SIP) and critical services such as NTP, are being targeted with multiple reconnaissance and intrusion techniques. Old vulnerabilities remain a main vector for attackers to gain access to systems.
What are the risk areas?
· Collaboration solutions suffering operational problems due to denial-of-service attacks.
· Unauthorized access by third parties to VoIP solutions with the aim of making extortion calls or abusing the use of resources such as long-distance calls.
· Access to corporate networks through servers with SIP-based services, taking advantage of multiple attack vectors.
· Platforms without updates or with weak passwords.
· Reconnaissance of internal networks.
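The two SIP abuses listed above, scanning and password guessing against REGISTER, leave a recognisable trail in PBX logs. The following detector is an added example, not code from the Fortinet report: the log format is a constructed, simplified syslog-style line (real PBXs such as Asterisk log comparable events with their own field names), and the scanner User-Agent strings and the five-failures-per-minute threshold are assumptions a practitioner would tune. Note that a single 401 on REGISTER is the normal digest challenge and is not an indicator on its own; only a burst of them from one source is.

```python
"""Flag SIP reconnaissance and REGISTER brute-forcing from PBX log lines.

Added example; not part of the original report. The log format below is
constructed for illustration, not a real PBX format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: an OPTIONS scanner, a REGISTER brute-forcer
# enumerating extensions, and two legitimate phones (one of which gets the
# normal single 401 digest challenge before its 200).
SAMPLE_LOG = """\
2019-06-01T10:00:00Z sip OPTIONS from=203.0.113.5 ua="friendly-scanner" status=200
2019-06-01T10:00:01Z sip OPTIONS from=203.0.113.5 ua="friendly-scanner" status=200
2019-06-01T10:00:05Z sip REGISTER from=198.51.100.7 user=1001 ua="sipcli/v1.8" status=401
2019-06-01T10:00:06Z sip REGISTER from=198.51.100.7 user=1002 ua="sipcli/v1.8" status=401
2019-06-01T10:00:07Z sip REGISTER from=198.51.100.7 user=1003 ua="sipcli/v1.8" status=401
2019-06-01T10:00:08Z sip REGISTER from=198.51.100.7 user=1004 ua="sipcli/v1.8" status=401
2019-06-01T10:00:09Z sip REGISTER from=198.51.100.7 user=1005 ua="sipcli/v1.8" status=401
2019-06-01T10:00:30Z sip REGISTER from=192.168.10.21 user=2001 ua="Yealink SIP-T46G" status=200
2019-06-01T10:01:00Z sip REGISTER from=192.168.10.22 user=2002 ua="Yealink SIP-T46G" status=401
2019-06-01T10:01:03Z sip REGISTER from=192.168.10.22 user=2002 ua="Yealink SIP-T46G" status=200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sip (?P<method>[A-Z]+) from=(?P<src>\S+)'
    r'(?: user=(?P<user>\S+))? ua="(?P<ua>[^"]*)" status=(?P<status>\d{3})$'
)

# User-Agent substrings of common SIP scanning/brute-force tools (SIPVicious
# announces itself as "friendly-scanner"). Assumed list; extend for your estate.
SCANNER_UA = ("friendly-scanner", "sipvicious", "sipcli")

FAIL_THRESHOLD = 5              # this many 401 REGISTER replies ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window from one source


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text):
    """Return {source_ip: set(reasons)} for sources that look hostile."""
    findings = defaultdict(set)
    failures = defaultdict(list)  # src -> timestamps of recent 401 REGISTERs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(tag in rec["ua"].lower() for tag in SCANNER_UA):
            findings[rec["src"]].add("scanner user-agent: " + rec["ua"])
        if rec["method"] == "REGISTER" and rec["status"] == 401:
            # keep only failures inside the sliding window, then count them
            recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= WINDOW]
            recent.append(rec["ts"])
            failures[rec["src"]] = recent
            if len(recent) >= FAIL_THRESHOLD:
                findings[rec["src"]].add("register brute force")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG).items():
        print(src, sorted(reasons))
```

On the constructed log this flags 203.0.113.5 (scanner User-Agent) and 198.51.100.7 (scanner User-Agent plus five failed REGISTERs in a minute) and leaves both Yealink phones alone. The output is a candidate list for a firewall block or fail2ban-style rule on the PBX, which is the practical mitigation for the extortion-call and toll-fraud risk described above.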
DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in Latin America. Since it relies on vulnerabilities that have long been patched, its continued use is evidence of the vast footprint of unpatched software in the region, affecting companies and individuals alike.
Botnet activity is still rising, evidence that the common problems with IoT devices continue. Default or weak passwords are the main infection vector for the Mirai botnet. Millions of devices are connected and controlled to spread infections and launch denial-of-service attacks. Botnets are evolving and today can infect not only consumer but also business IoT devices, using them as proxies to anonymize dark-market transactions.
· Ransomware and criptojacking infections.
· Involvement of the infected devices in DDoS or SPAM attacks, denying the entire company’s access to services.
· Password or business-critical information theft.
· Illegal activities in the dark web.
The report also reveals the most common infections in Latin America and the Caribbean:
· Malware infections generating unwanted ads or redirecting users to sites infected with malware.
· Trojans or backdoors that allow the attacker to take full control of the infected devices.
· Viruses or advanced malware infections that exfiltrate information such as usernames and passwords, among other data.
· Malware that exploits common vulnerabilities to give attackers remote access to infected devices.
· Riskware: free software or software of unknown origin that offers the user features such as protection, but also opens the door to infection.
is a generic detection for a backdoor trojan. Since this is a generic detection, this malware may have varying behaviour. This malware may be implanted in hijacked websites.
is classified as a downloader trojan. A downloader trojan has the capability to download other malicious files or an updated version of itself.
is classified as a trojan. This trojan has the capabilities of handling remote access connections, performing Denial of Service (DoS) or Distributed DoS (DDoS) attacks, capturing keyboard input and deleting files.
This indicates detection of a scan attempt using UPnP SSDP M-SEARCH packets. Simple Service Discovery Protocol (SSDP) is a network protocol for the advertisement and discovery of network service information. SSDP is the basis of the discovery mechanism of Universal Plug and Play (UPnP). SSDP uses HTTP over UDP to announce the establishment or withdrawal of services to the multicast group (239.255.255.250, UDP port 1900). A client that wishes to discover the available services on a network uses the M-SEARCH method.
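What separates legitimate discovery from the scan this signature describes is where the M-SEARCH goes and where it comes from: a LAN host sending M-SEARCH to the 239.255.255.250:1900 multicast group is normal, while M-SEARCH arriving from outside the local networks, or unicast to one internal host after another, is reconnaissance. The following parser and classifier is an added example, not Fortinet's signature logic or code from the report; the datagrams are constructed inline and the local network list and the three-target sweep threshold are assumptions.

```python
"""Parse SSDP (HTTP over UDP) datagrams and flag M-SEARCH scanning.

Added example; not part of the original signature description. The sample
traffic below is constructed, nothing is read from the wire.
"""
import ipaddress
from collections import defaultdict

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


def parse_ssdp(payload: bytes):
    """Return (method, headers) for an HTTPU request, or None if payload is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # SSDP request line is always "<METHOD> * HTTP/1.x"
    if len(parts) != 3 or parts[1] != "*" or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().upper()] = value.strip()
    return parts[0], headers


def is_msearch(payload: bytes) -> bool:
    """True for a well-formed discovery request: M-SEARCH with MAN and ST headers."""
    parsed = parse_ssdp(payload)
    if parsed is None:
        return False
    method, headers = parsed
    return (method == "M-SEARCH"
            and headers.get("MAN") == '"ssdp:discover"'
            and "ST" in headers)


def classify(datagrams, local_nets, unicast_threshold=3):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, payload).

    Returns {src_ip: [reasons]} for sources whose M-SEARCH traffic looks like a scan.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    unicast_targets = defaultdict(set)
    findings = defaultdict(set)
    for src, dst, dport, payload in datagrams:
        if dport != SSDP_PORT or not is_msearch(payload):
            continue
        if not any(ipaddress.ip_address(src) in n for n in nets):
            # SSDP is link-local by design; it should never arrive from the Internet
            findings[src].add("M-SEARCH from outside local networks")
        if dst != SSDP_GROUP:
            # discovery goes to the multicast group; unicast to many hosts is a sweep
            unicast_targets[src].add(dst)
            if len(unicast_targets[src]) >= unicast_threshold:
                findings[src].add("unicast M-SEARCH sweep")
    return {src: sorted(reasons) for src, reasons in findings.items()}


def msearch(st: str, mx: int = 2) -> bytes:
    """Build a standard M-SEARCH request payload (helper for the constructed sample)."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode("ascii")


# Constructed sample traffic: (src, dst, dst_port, payload)
SAMPLE_DATAGRAMS = [
    ("192.168.1.20", SSDP_GROUP, 1900, msearch("ssdp:all")),                       # normal discovery
    ("192.168.1.20", SSDP_GROUP, 1900, msearch("urn:schemas-upnp-org:device:MediaRenderer:1")),
    ("203.0.113.9", "192.168.1.10", 1900, msearch("upnp:rootdevice")),              # external, unicast
    ("203.0.113.9", "192.168.1.11", 1900, msearch("upnp:rootdevice")),
    ("203.0.113.9", "192.168.1.12", 1900, msearch("upnp:rootdevice")),
    ("192.168.1.30", SSDP_GROUP, 1900, b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),  # advert, not a search
    ("192.168.1.31", SSDP_GROUP, 1900, b"\x00\x01\xff not ssdp"),                    # ignored
]
LOCAL_NETS = ["192.168.1.0/24"]

if __name__ == "__main__":
    print(classify(SAMPLE_DATAGRAMS, LOCAL_NETS))
```

Run against the constructed sample, only 203.0.113.9 is reported, with both reasons; the two local discovery requests, the NOTIFY advertisement and the non-SSDP datagram are ignored. In practice the "from outside local networks" check alone is a strong signal, because SSDP has no business crossing a perimeter, and exposed SSDP responders are also what reflection DDoS attacks abuse, so blocking UDP/1900 at the edge addresses both.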
This indicates detection of the DoublePulsar backdoor. Backdoor trojans have the capability to connect to remote hosts and perform actions against the compromised system. The DoublePulsar backdoor was revealed by the Shadow Brokers leak in April 2017 and was used in the WannaCry ransomware attack in May 2017.
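The DoublePulsar implant can be detected without exploiting anything because it answers an SMBv1 Trans2 SESSION_SETUP request (subcommand 0x000E) in a distinctive way: a request sent with Multiplex ID 0x41 (65) is answered by an infected host with Multiplex ID 0x51 (81), whereas a clean Windows host echoes 0x41 back. The following code is an added example, not Fortinet's signature or code from the report: it parses the NetBIOS and SMBv1 headers and applies that check to response bytes that are constructed inline to show the layout; it does not touch the network, and a real scanner would first have to complete SMB negotiate, session setup and a tree connect to IPC$ before sending the Trans2 ping.

```python
"""Check an SMBv1 Trans2 response for the DoublePulsar implant signal (MID 0x51).

Added example; not part of the original signature description. The response
bytes are constructed to exercise the header parser; nothing is sent on the wire.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # subcommand used for the implant "ping" request
MID_CLEAN = 0x41                # what a clean host echoes back
MID_IMPLANTED = 0x51            # what DoublePulsar answers with

# SMBv1 header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID -- 28 bytes, little-endian.
SMB_HDR_FMT = "<BIBHH8sHHHHH"


def parse_smb1_header(data: bytes) -> dict:
    """Parse the 4-byte NetBIOS session header plus the 32-byte SMBv1 header."""
    if len(data) < 36:
        raise ValueError("short packet")
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0x00:
        raise ValueError("not a NetBIOS session message")
    if nb_len != len(data) - 4:
        raise ValueError("NetBIOS length does not match payload")
    hdr = data[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not SMBv1")
    (command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = struct.unpack(SMB_HDR_FMT, hdr[4:])
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "signature": signature,
        "tid": tid, "uid": uid, "mid": mid,
    }


def doublepulsar_present(response: bytes) -> bool:
    """True if a Trans2 response carries the implant's Multiplex ID."""
    h = parse_smb1_header(response)
    if h["command"] != SMB_COM_TRANSACTION2:
        raise ValueError("not a Trans2 response")
    return h["mid"] == MID_IMPLANTED


def build_trans2_response(mid: int) -> bytes:
    """Construct a minimal SMBv1 Trans2 reply with the given MID (test fixture)."""
    hdr = SMB_MAGIC + struct.pack(
        SMB_HDR_FMT,
        SMB_COM_TRANSACTION2,   # Command
        0x00000000,             # Status: success
        0x98,                   # Flags: reply, case-insensitive, canonical paths
        0xC007,                 # Flags2: unicode, NT status, long names
        0,                      # PIDHigh
        b"\x00" * 8,            # SecurityFeatures
        0,                      # Reserved
        0x0000,                 # TID
        0xFEFF,                 # PIDLow
        0x0800,                 # UID
        mid,                    # MID: 0x41 clean, 0x51 implanted
    )
    body = b"\x00\x00\x00"      # WordCount=0, ByteCount=0: empty Trans2 reply
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for label, mid in (("clean host", MID_CLEAN), ("implanted host", MID_IMPLANTED)):
        print(label, "->", doublepulsar_present(build_trans2_response(mid)))
```

The same Trans2 ping is what network detection signatures look for, so a host that answers with MID 0x51 on TCP/445 should be isolated and re-imaged rather than merely patched: the implant sits in kernel memory and survives until reboot, and anything it loaded in the meantime persists independently.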
This indicates an attack attempt against an Information Disclosure vulnerability in Microsoft Windows SMB server. The vulnerability is due to insufficient input validation in the application when handling a crafted SMB request. A remote attacker can exploit this to gain unauthorized access to sensitive information via the crafted SMB request.
This indicates that a system might be infected by the Emotet botnet. Emotet is a trojan that targets the Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealers. Emotet is a variant of the Cridex malware.
Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
This indicates that a system might be infected by Necurs Botnet. The Necurs botnet is composed of a kernel-mode driver and a user-mode component.