Brute Force Attack Attempts on the Rise
According to the Fortinet Threat Intelligence Insider for Latin America, brute force attacks are very active in the region and were among the most frequent intrusion attack attempts in the second quarter of the year. One example is SSH.Connection.Brute.Force, a detection of multiple SSH requests intended to brute force an SSH login, launched at a rate of about 200 attempts in 10 seconds. Another is SMB.Login.Brute.Force, a detection of at least 500 failed SAMBA logins in one minute, indicating a possible brute force attack on Microsoft Windows operating systems.
With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.
The growth of remote work has rekindled the interest of cybercriminals in brute force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system.
Brute-force attacks are commonly used to break weak encryption or to recover weak passwords, email passwords, social network credentials, Wi-Fi access keys, etc. The attacker makes many repeated attempts through automated mechanisms until one succeeds.
Malicious Phishing Campaigns
The results of the Fortinet Threat Intelligence Insider Latin America for the first half of 2020 reveal an increase in attempts to lure unsuspecting victims into visiting malicious sites, clicking on malicious links, or providing personal information over the phone under the guise of the COVID-19 pandemic.
FortiGuard Labs reported a significant rise in viruses, many of which are included in these malicious phishing attachments.
April saw the highest volume of COVID-19 related email phishing campaigns, with over 4,250. The largest spike was on April 2, when Fortinet reported 330 COVID-19 email phishing campaigns worldwide. Numbers have been steadily declining since April, with 3,590 email phishing campaigns in May and 2,841 in June.
Most emails had malicious .DOCX and .PDF files attached (.DOCX being the most common), with ransomware being the most prevalent attachment payload.
It is essential that organizations take measures to protect their remote workers and help them secure their devices and home networks. Here are a few critical steps to consider:
The best way to mitigate brute force attacks is to use strong passwords. Using long, complex passwords is only the first step in preventing this type of attack. It is also important to use encryption mechanisms, to limit the number of login attempts allowed within a given period, and to enable other robust authentication mechanisms such as multifactor authentication, tokens, or image validation (CAPTCHA).
In addition, it is important to invest in monitoring and detection solutions capable of identifying network intrusions and anomalous behavior. The ability to respond automatically is crucial to avoid data breaches.
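The two detections named above (about 200 SSH attempts in 10 seconds, 500 failed SMB logins in one minute) and the recommended limit on login attempts per period are both sliding-window thresholds. The following is an added example of that logic, not Fortinet's code: it runs a per-source, per-protocol failure counter over constructed sample login events and raises an alert the first time a threshold is crossed.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds taken from the two detections named in the report:
# SSH.Connection.Brute.Force (~200 attempts in 10 s) and
# SMB.Login.Brute.Force (500 failed logins in 60 s).
THRESHOLDS = {
    "ssh": (200, timedelta(seconds=10)),
    "smb": (500, timedelta(seconds=60)),
}


def detect_brute_force(events):
    """Sliding-window count of failed logins per (source, protocol).

    events: iterable of (timestamp, source_ip, protocol, success) tuples
    sorted by timestamp. Returns a list of (source_ip, protocol, timestamp)
    alerts, one per source/protocol the first time its threshold is crossed.
    """
    windows = {}   # (source, protocol) -> deque of failure timestamps
    alerted = set()
    alerts = []
    for ts, src, proto, success in events:
        if success or proto not in THRESHOLDS:
            continue
        limit, span = THRESHOLDS[proto]
        key = (src, proto)
        q = windows.setdefault(key, deque())
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > span:
            q.popleft()
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append((src, proto, ts))
    return alerts


def make_failures(src, proto, count, start, spread):
    """Constructed sample: `count` failed logins spread evenly over `spread`."""
    step = spread / count
    return [(start + step * i, src, proto, False) for i in range(count)]


def demo():
    t0 = datetime(2020, 6, 1, 12, 0, 0)
    # Constructed input: 500 SMB failures in 60 s (should alert) mixed with
    # 150 SSH failures in 10 s (below the 200 threshold, should not alert).
    events = make_failures("203.0.113.7", "smb", 500, t0, timedelta(seconds=60))
    events += make_failures("198.51.100.9", "ssh", 150, t0, timedelta(seconds=10))
    events.sort(key=lambda e: e[0])
    return detect_brute_force(events)
```

The same structure, with a counter keyed on username instead of source address, gives the per-account attempt limit the mitigation section recommends.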
detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable, which can be invoked via older versions of the Microsoft Office suite.
is classified as a Trojan, a type of malware that performs activities without the user's knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
is classified as a password-stealing Trojan that searches the infected system for passwords and sends them to a remote attacker.
This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.
This indicates a detection of at least 500 failed SAMBA logins in one minute, which indicates a possible SAMBA login brute force attack. Affected: Microsoft Windows operating systems.
This indicates an attack attempt to exploit an Information Disclosure Vulnerability in Zivif PR115-204-P-RS web cameras. The vulnerability is due to improper authentication in the application. A remote attacker can exploit this to access sensitive information, such as admin credentials, on the affected devices.
Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
This indicates that a system might be infected by the Mirai botnet. System compromise: remote attackers can gain control of vulnerable IoT systems.
This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.