Fortinet | Threat Intelligence Insider LATAM

Executive Summary

Brute Force Attack Attempts on the Rise

According to the Fortinet Threat Intelligence Insider for Latin America, brute force attacks are very active in the region and have been among the most frequent intrusion attack attempts in the second quarter of the year. Some examples are the SSH.Connection.Brute.Force, a brute force attack attempt consisting of multiple SSH requests intended to perform a brute force SSH login, launched at a rate of about 200 times in 10 seconds. Another example is the SMB.Login.Brute.Force, a detection of at least 500 failed SAMBA logins in one minute, indicating a possible brute force attack on Microsoft Windows operating systems.

With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.

The growth of remote work has rekindled the interest of cybercriminals in brute force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system.

Brute-force attacks are commonly used to decrypt encryption algorithms or get weak passwords, email passwords, social network credentials, Wi-Fi access, etc. The attacker tries, through many-time automatic mechanisms, multiple repeated attempts until reaching the successful result.

Malicious Phishing Campaigns

The results of Fortinet Threat Intelligence Insider Latin America for the first semester of 2020 reveal an increase in attempts to lure unsuspecting victims into going to malicious sites, clicking on malicious links, or providing personal information over the phone under the auspices of COVID-19 pandemic.

FortiGuard Labs reported a significant rise in viruses, many of which are included in these malicious phishing attachments.

April saw the highest volume of COVID-19 related email phishing campaigns with over 4,250. Largest spike was April 2 where Fortinet reported 330 COVID-19 email phishing campaigns worldwide. Numbers have been steadily declining since April, with 3,590 email phishing campaigns in May and 2,841 in June.

Most emails had malicious .DOCX and .PDF files (.DOCX being the highest) attached, ransomware attempts being the most prevalent attachment.

Tips

It is essential that organizations take measures to protect their remote workers and help them secure their devices and home networks. Here are a few critical steps to consider:

Educate your remote workers – and their families – about things like phishing and malicious websites and how to stop them. Fortinet has made a number of user training resources free of charge, including the first two levels of our NSE training program.
Perform a review of your security tools.
Make sure that remote workers have a VPN solution in place. For more advanced security, consider adding tools to detect and defuse live threats.
Ensure that your corporate headend is also protected, enabling multifactor authentication. Also consider a NAC solution to ensure that authenticated devices only have access to the network resources they require, and to automatically respond to devices that misbehave.
Given that so many attacks are phishing-based, it is critical that your secure email gateway is capable of detecting and filtering out phishing attacks and spam, and eliminating malicious attachments.

The best way to mitigate brute force attacks is to use strong passwords. Using long and complex passwords is only the first step to prevent this type of attack. It is important to use encryption mechanisms and that the organization limits the number of login attempts for a certain period, as well as enabling other robust authentication mechanisms such as multifactor, tokens, or image validation (CAPTCHA).

In addition, it is important to invest in monitoring and detection solutions capable of identifying network intrusions and anomalous behavior. The ability to respond automatically is crucial to avoid data breaches.

select country

Dominican Republic

download PDF

FORTIGUARD AV TRENDS

Dominican Republic AV TRENDS Q2-2020

Q2-2020 Top 10

Top	Name	Count
1	W32/Glupteba.B!tr	7,140
2	Riskware/GenericBG	2,024
3	W32/PECompact!tr	1,956
4	W32/FakeAlert.AB!tr	1,949
5	W32/PcClient.AHFM!tr.bdr	1,949
6	ELF/DDoS.CIA!tr	1,753
7	W32/Bancos.CFR!tr	1,336
8	MSOffice/CVE_2017_11882.C!exploit	1,400
9	HTML/ScrInject.OCKK!tr	1,336
10	ELF/Mirai.AE!tr	790

Total top ten AV TRENDS:

21,822

W32/Glupteba.B!tr

is classified as a Trojan that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.

Riskware/GenericBG

is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware, but may utilize system resources in an undesirable or annoying manner, and/or may pose a security risk.

W32/PECompact!tr

is a very generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/PECompact!tr may have varying behaviour.

FORTIGUARD IPS TRENDS

Dominican Republic IPS TRENDS Q2-2020

Q2-2020 Top 10

Top	Name	Count
1	Backdoor.DoublePulsar	8,825,991
2	MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure	8,823,713
3	SSLv3.POODLE.Information.Disclosure	709,986
4	Web.Server.Password.Files.Access	80,225
5	HTTP.URI.SQL.Injection	69,686
6	Cross.Site.Scripting	41,168
7	PHPUnit.Eval-stdin.PHP.Remote.Code.Execution	34,996
8	SSL.Anonymous.Ciphers.Negotiation	24,418
9	SIPVicious.svcrack.Brute.Force.Login	15,319
10	HTTP.Unix.Shell.IFS.Remote.Code.Execution	11,494

Total top ten IPS TRENDS:

18,636,996

Backdoor.DoublePulsar

This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.

MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure

This indicates an attack attempt against an Information Disclosure vulnerability in Microsoft Windows SMB server. A remote attacker can exploit this to gain unauthorized access to sensitive information via the crafted SMB request. This vulnerability has been incorporated into various tools and is used for scanning vulnerable targets that might be affected by the vulnerabilities related to Shadow Brokers leak.

SSLv3.POODLE.Information.Disclosure

This indicates an attack attempt to exploit an Information Disclosure vulnerability in OpenSSL. The vulnerability is due to an error in the application when it handles maliciously crafted SSLv3 messages. A remote attacker can exploit this to access sensitive information. The signature detects for 200 SSLv3 messages within a span of 10 seconds.

FORTIGUARD BOTNET TRENDS

Dominican Republic BOTNET TRENDS Q2-2020

Q2-2020 Top 10

Top	Name	Count
1	Andromeda.Botnet	498,138
2	Emotet.Botnet	239,341
3	njRAT.Botnet	215,699
4	H-worm.Botnet	128,808
5	Emotet.Cridex.Botnet	61,525
6	Gozi.Botnet	59,514
7	Conficker.Botnet	46,078
8	Sality.Botnet	24,591
9	Necurs.Botnet	16,409
10	Mirai.Botnet	15,403

Total top ten BOTNET TRENDS:

1,305,506

Andromeda.Botnet

Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.

Emotet.Botnet

This indicates that a system might be infected by Emotet Botnet. Emotet is a Trojan that targets Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealer. Emotet is a variant of Cridex malware.

njRAT.Botnet

This indicates that a system might be infected by njRAT Botnet. System Compromise: Remote attackers can gain control of vulnerable systems.