Brute Force Attack Attempts on the Rise
According to the Fortinet Threat Intelligence Insider for Latin America, brute force attacks are very active in the region and were among the most frequent intrusion attack attempts in the second quarter of the year. One example is SSH.Connection.Brute.Force, a brute force attack attempt consisting of multiple SSH requests intended to brute-force an SSH login, launched at a rate of about 200 requests in 10 seconds. Another is SMB.Login.Brute.Force, which detects at least 500 failed SAMBA logins in one minute, indicating a possible brute force attack on Microsoft Windows operating systems.
With the massive transition to the home office, cybercriminals are finding a significant number of misconfigured Remote Desktop Protocol (RDP) servers, which leads to more such attacks.
The growth of remote work has rekindled the interest of cybercriminals in brute force attacks: repeated and systematic attempts to guess a credential by sending different usernames and passwords until one grants access to a system.
Brute-force attacks are commonly used to break encryption or to recover weak passwords, email passwords, social network credentials, Wi-Fi access, and so on. The attacker uses automated mechanisms to make many repeated attempts until one succeeds.
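The two signatures above are threshold rules: a count of events from one source inside a sliding time window. The following is an added example, not code from the report or from Fortinet, of how a defender can implement the same logic over authentication logs. The log line format, the source addresses and the traffic volumes are all constructed for the example; only the rule names and thresholds (about 200 SSH requests in 10 seconds, at least 500 failed SMB logins in one minute) come from the text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule names and thresholds are taken from the report. The "count" field
# (which events a rule counts: any request, or only failed logins) is this
# example's own convention, not Fortinet's rule syntax.
RULES = {
    "SSH.Connection.Brute.Force": {"service": "ssh", "count": "any", "threshold": 200, "window_s": 10},
    "SMB.Login.Brute.Force": {"service": "smb", "count": "fail", "threshold": 500, "window_s": 60},
}

# Constructed log format: "<iso-timestamp> src=<ip> service=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) service=(\S+) result=(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, service, result)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src, service, result = m.groups()
    return datetime.fromisoformat(ts), src, service, result


def detect(lines, rules=RULES):
    """Run sliding-window threshold rules over log lines.

    Returns one (rule_name, src, trigger_time) tuple per (rule, source) pair,
    emitted the first time the count inside the window reaches the threshold.
    """
    events = sorted(parse_line(line) for line in lines)
    windows = defaultdict(deque)  # (rule, src) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, src, service, result in events:
        for name, rule in rules.items():
            if service != rule["service"]:
                continue
            if rule["count"] == "fail" and result != "fail":
                continue
            key = (name, src)
            dq = windows[key]
            dq.append(ts)
            window = timedelta(seconds=rule["window_s"])
            while ts - dq[0] > window:  # drop events that fell out of the window
                dq.popleft()
            if len(dq) >= rule["threshold"] and key not in alerted:
                alerted.add(key)
                alerts.append((name, src, ts.isoformat()))
    return alerts


def build_sample_logs():
    """Constructed traffic: two sources that should trigger and two that should not."""
    base = datetime(2020, 6, 1, 10, 0, 0)
    lines = []
    # 200 SSH connection attempts from one host inside 9 seconds -> alert
    for i in range(200):
        t = base + timedelta(milliseconds=45 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.7 service=ssh result=fail")
    # 50 SSH attempts spread over 100 seconds -> never 200 inside 10 s, no alert
    for i in range(50):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.8 service=ssh result=fail")
    # 500 failed SMB logins inside 50 seconds -> alert
    for i in range(500):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.23 service=smb result=fail")
    # 500 successful SMB logins in the same minute -> not counted by the SMB rule
    for i in range(500):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.24 service=smb result=success")
    return lines


SAMPLE_LOGS = build_sample_logs()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The detector keys its window on (rule, source), so a slow attacker spread across many sources stays below the threshold; that is the trade-off any per-source rate rule makes, and it is why the report's later advice to pair such signatures with broader anomaly detection matters.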
Malicious Phishing Campaigns
The results of the Fortinet Threat Intelligence Insider Latin America for the first half of 2020 reveal an increase in attempts to lure unsuspecting victims into visiting malicious sites, clicking on malicious links, or providing personal information over the phone under the pretext of the COVID-19 pandemic.
FortiGuard Labs reported a significant rise in viruses, many of which are delivered as attachments in these malicious phishing emails.
April saw the highest volume of COVID-19 related email phishing campaigns, with over 4,250. The largest single-day spike was April 2, when Fortinet reported 330 COVID-19 email phishing campaigns worldwide. Numbers have been steadily declining since April, with 3,590 email phishing campaigns in May and 2,841 in June.
Most emails carried malicious .DOCX and .PDF attachments (.DOCX most often), and ransomware was the most prevalent payload among those attachments.
It is essential that organizations take measures to protect their remote workers and help them secure their devices and home networks. Here are a few critical steps to consider:
The best way to mitigate brute force attacks is to use strong passwords. Using long and complex passwords is only the first step in preventing this type of attack. It is also important to use encryption mechanisms, to have the organization limit the number of login attempts allowed within a given period, and to enable other robust authentication mechanisms such as multifactor authentication, tokens, or image validation (CAPTCHA).
In addition, it is important to invest in monitoring and detection solutions capable of identifying network intrusions and anomalous behavior. The ability to respond automatically is crucial to avoiding data breaches.
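The step above that limits login attempts within a period sits in the application's authentication path rather than in a network sensor. The following is an added example, not code from the report, of a login service that hashes stored passwords with PBKDF2, counts failures per account inside a time window, and locks the account for a fixed period once the limit is reached, so that even the correct password is refused until the lockout expires. The account names, passwords, timings and work factor are constructed for the example; multifactor authentication and CAPTCHA, which the text also recommends, are outside this block.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 100_000  # example work factor; tune for the deployment
# Dummy credential used for unknown accounts so the verification cost does not
# reveal whether a username exists.
DUMMY_SALT = b"\x00" * 16
DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginThrottle:
    """Lock an account after max_failures failures inside window_s seconds.

    Timestamps are passed in explicitly (seconds, e.g. from time.monotonic())
    so the behaviour can be exercised without sleeping.
    """

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lockout expired: clear state and allow attempts again
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        dq = self._failures[account]
        dq.append(now)
        while dq and now - dq[0] > self.window_s:  # forget failures outside the window
            dq.popleft()
        if len(dq) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s

    def record_success(self, account):
        self._failures.pop(account, None)


class AuthService:
    def __init__(self, throttle):
        self.throttle = throttle
        self._users = {}  # account -> (salt, digest)

    def add_user(self, account, password):
        self._users[account] = hash_password(password)

    def login(self, account, password, now):
        """Return "locked", "ok" or "bad_credentials"."""
        if self.throttle.is_locked(account, now):
            return "locked"
        stored = self._users.get(account)
        salt, digest = stored if stored is not None else (DUMMY_SALT, DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)  # always do the work, even for unknown users
        ok = stored is not None and hmac.compare_digest(candidate, digest)
        if ok:
            self.throttle.record_success(account)
            return "ok"
        self.throttle.record_failure(account, now)
        return "bad_credentials"


def demo():
    """Constructed scenario: five wrong guesses lock the account; the right
    password is refused during the lockout and accepted once it expires."""
    svc = AuthService(LoginThrottle(max_failures=5, window_s=300, lockout_s=900))
    svc.add_user("alice", "correct horse battery staple")
    t = 1000.0
    results = [svc.login("alice", f"guess{i}", t + i) for i in range(5)]
    results.append(svc.login("alice", "correct horse battery staple", t + 10))
    results.append(svc.login("alice", "correct horse battery staple", t + 910))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the lockout on the account name stops a single account from being guessed at speed; a deployment would normally also throttle per source address and log each lockout so that the monitoring described in the next paragraph sees it.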
Rank | Signature | Count
---|---|---
1 | W32/Glupteba.B!tr | 7,140
2 | Riskware/GenericBG | 2,024
3 | W32/PECompact!tr | 1,956
4 | W32/FakeAlert.AB!tr | 1,949
5 | W32/PcClient.AHFM!tr.bdr | 1,949
6 | ELF/DDoS.CIA!tr | 1,753
7 | W32/Bancos.CFR!tr | 1,336
8 | MSOffice/CVE_2017_11882.C!exploit | 1,400
9 | HTML/ScrInject.OCKK!tr | 1,336
10 | ELF/Mirai.AE!tr | 790
W32/Glupteba.B!tr is classified as a Trojan that performs activities without the user's knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
Riskware/GenericBG is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware but may use system resources in an undesirable or annoying manner and/or may pose a security risk.
W32/PECompact!tr is a very generic detection for a trojan. Since this is a generic detection, malware detected as W32/PECompact!tr may have varying behaviour.
Rank | Signature | Count
---|---|---
1 | Backdoor.DoublePulsar | 8,825,991
2 | MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure | 8,823,713
3 | SSLv3.POODLE.Information.Disclosure | 709,986
4 | Web.Server.Password.Files.Access | 80,225
5 | HTTP.URI.SQL.Injection | 69,686
6 | Cross.Site.Scripting | 41,168
7 | PHPUnit.Eval-stdin.PHP.Remote.Code.Execution | 34,996
8 | SSL.Anonymous.Ciphers.Negotiation | 24,418
9 | SIPVicious.svcrack.Brute.Force.Login | 15,319
10 | HTTP.Unix.Shell.IFS.Remote.Code.Execution | 11,494
This indicates detection of the DoublePulsar Backdoor. Backdoor trojans have the capability to connect to remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.
This indicates an attack attempt against an Information Disclosure vulnerability in the Microsoft Windows SMB server. A remote attacker can exploit this to gain unauthorized access to sensitive information via a crafted SMB request. This vulnerability has been incorporated into various tools and is used for scanning for targets that might be affected by the vulnerabilities related to the Shadow Brokers leak.
This indicates an attack attempt to exploit an Information Disclosure vulnerability in OpenSSL. The vulnerability is due to an error in the application when it handles maliciously crafted SSLv3 messages. A remote attacker can exploit this to access sensitive information. The signature fires on 200 SSLv3 messages within a span of 10 seconds.
Rank | Botnet | Count
---|---|---
1 | Andromeda.Botnet | 498,138
2 | Emotet.Botnet | 239,341
3 | njRAT.Botnet | 215,699
4 | H-worm.Botnet | 128,808
5 | Emotet.Cridex.Botnet | 61,525
6 | Gozi.Botnet | 59,514
7 | Conficker.Botnet | 46,078
8 | Sality.Botnet | 24,591
9 | Necurs.Botnet | 16,409
10 | Mirai.Botnet | 15,403
Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
This indicates that a system might be infected by the Emotet Botnet. Emotet is a Trojan that targets the Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealers. Emotet is a variant of the Cridex malware.
This indicates that a system might be infected by njRAT Botnet. System Compromise: Remote attackers can gain control of vulnerable systems.