The results of Fortinet Threat Intelligence Insider Latin America for the third quarter of 2019 show a continued increase in malware, exploit and botnet activity in Latin America and the Caribbean. The main activities observed were unwanted ads (adware), cryptojacking, IoT intrusions, exploitation of vulnerabilities, and malware that steals information from users.
What are the risk areas?
Among the most frequently detected exploits, DoublePulsar, the kernel-mode backdoor that WannaCry installed on victims through the EternalBlue exploit, is still a mechanism for distributing malware in Latin America. Since it relies on vulnerabilities that Microsoft patched in March 2017 (MS17-010), its continued use is evidence of the large footprint of unpatched software in the region, affecting companies and individuals alike.
Different variants of the exploits used by ransomware remain very active in Latin America.
How to defend from such multi-pronged attacks?
Botnet activity is still rising, evidence that the well-known problems with IoT devices persist. Default or weak passwords are the main infection vector for the Mirai botnet. Millions of connected devices are under attacker control and used to spread further infections and launch denial-of-service attacks. Botnets keep evolving: today they infect not only consumer but also business IoT devices, using them as proxies to anonymize dark-market transactions.
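The Mirai infection vector described above is easy to recognise in a telnet or SSH login log: one source walks through a short dictionary of vendor default credentials against a device in a few seconds. The detector below is an added example (not code from the Fortinet report); the log format, timestamps and addresses are constructed, and the credential set is a subset of the dictionary carried by the leaked Mirai scanner source. It raises an alert on a burst of attempts within a time window, on the use of two or more distinct Mirai dictionary pairs, and records whether a default pair actually succeeded.

```python
"""Flag Mirai-style default-credential scans in device login logs.

Added example, not from the Fortinet report. The log format and the
sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the credential dictionary carried by the leaked Mirai scanner source.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "root"),
    ("root", "12345"), ("user", "user"), ("admin", "password"), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"), ("root", "666666"),
    ("root", "password"), ("root", "1234"), ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("supervisor", "supervisor"), ("guest", "guest"),
}

# Constructed log format (not any vendor's): one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)


def parse_line(line):
    """Return (timestamp, source, (user, password), success) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], (m["user"], m["pw"]), m["res"] == "success"


def detect_mirai_scans(lines, window=timedelta(seconds=60), min_attempts=5):
    """Return {source: alert} for sources that behave like a Mirai scanner.

    Two independent signals raise an alert:
      - "burst": at least min_attempts login attempts inside `window`
      - "mirai_dictionary": two or more distinct pairs from the Mirai list
    A single use of a default pair is reported inside the alert but does not
    by itself trigger one (an admin may legitimately use a default once).
    """
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, cred, ok = parsed
            by_src[src].append((ts, cred, ok))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort(key=lambda a: a[0])
        times = [a[0] for a in attempts]
        burst, start = False, 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                burst = True
                break
        dict_hits = {cred for _, cred, _ in attempts if cred in MIRAI_DEFAULT_CREDS}
        default_ok = any(ok and cred in MIRAI_DEFAULT_CREDS for _, cred, ok in attempts)
        reasons = []
        if burst:
            reasons.append("burst")
        if len(dict_hits) >= 2:
            reasons.append("mirai_dictionary")
        if reasons:
            alerts[src] = {
                "attempts": len(attempts),
                "dictionary_hits": len(dict_hits),
                "default_login_succeeded": default_ok,
                "reasons": reasons,
            }
    return alerts


# Constructed sample: one scanner walking the Mirai dictionary, two benign logins.
SAMPLE_LOG = [
    "2019-09-12T03:14:07Z src=203.0.113.5 user=root pass=xc3511 result=fail",
    "2019-09-12T03:14:08Z src=203.0.113.5 user=root pass=vizxv result=fail",
    "2019-09-12T03:14:09Z src=203.0.113.5 user=admin pass=admin result=fail",
    "2019-09-12T03:14:10Z src=203.0.113.5 user=root pass=888888 result=fail",
    "2019-09-12T03:14:11Z src=203.0.113.5 user=root pass=xmhdipc result=fail",
    "2019-09-12T03:14:12Z src=203.0.113.5 user=root pass=juantech result=success",
    "2019-09-12T03:20:00Z src=198.51.100.7 user=camadmin pass=Kq7!pL92 result=success",
    "2019-09-12T03:25:00Z src=198.51.100.9 user=root pass=wrongpw result=fail",
]

if __name__ == "__main__":
    for src, alert in detect_mirai_scans(SAMPLE_LOG).items():
        print(src, alert)
```

The "default_login_succeeded" flag is the one to act on first: it means the device accepted a factory credential and is, from Mirai's point of view, already recruited.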
During the third quarter of 2019, a growing number of WIFICAM attack attempts were detected in Latin America; this attack aims to take control of IP cameras. It is another sign of the risk that IoT devices run when they are exposed without proper protection at the network level.
What are the implications for compromised IoT devices?
The report also lists the most common detections (malware, exploits and botnets) in Latin America and the Caribbean:
W32/StartPage.NIK!tr is a highly generic detection for a Trojan. Because the detection is generic, malware detected as W32/StartPage.NIK!tr may show varying behaviour.
This detection is classified as a password-stealing trojan. A password-stealing trojan searches the infected system for passwords and sends them to a remote attacker.
This is a generic detection for a type of trojan that drops other malware onto the compromised computer.
This indicates detection of insecure remote access to a Java Management Extensions (JMX) interface. A JMX interface exposed without authentication or TLS is unsafe on any reachable Java application platform. Any remote user who knows (or discovers through reconnaissance) the JMX port number and host name can monitor and control the Java application and the JVM, including invoking MBean operations.
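The exposure comes from a handful of JVM system properties: `com.sun.management.jmxremote.port` starts a network-reachable agent, and the operator then disables the defaults that would protect it. The audit below is an added example (not Fortinet's signature logic): it extracts the `-D` properties from a JVM command line and reports the insecure combinations, with a constructed weak command line beside a hardened one. Both command lines, the paths and the address 10.0.0.5 are assumptions for illustration; the property names are the standard JDK ones.

```python
"""Audit a JVM command line for an insecure remote JMX configuration.

Added example, not from the Fortinet report; the command lines below are
constructed. Property names are the standard com.sun.management.jmxremote.*
ones documented by the JDK.
"""
import shlex

JMX = "com.sun.management.jmxremote."


def jvm_properties(cmdline):
    """Return a dict of -Dkey=value system properties from a JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value
    return props


def audit_jmx(cmdline):
    """Return a list of (severity, message) findings; empty means nothing insecure found.

    Setting jmxremote.port makes the agent listen on the network. The JDK
    defaults for jmxremote.authenticate and jmxremote.ssl are true, so the
    dangerous cases are explicit 'false' values (Java parses booleans
    case-insensitively, hence the lower()).
    """
    props = jvm_properties(cmdline)
    port = props.get(JMX + "port")
    if port is None:
        return []  # no remote agent started through these flags

    def is_false(key):
        return props.get(key, "true").strip().lower() == "false"

    findings = []
    if is_false(JMX + "authenticate"):
        findings.append(("high", f"JMX port {port} reachable without authentication"))
    if is_false(JMX + "ssl"):
        findings.append(("high", f"JMX port {port} serves RMI without TLS; credentials and payloads travel in clear"))
    if JMX + "rmi.port" not in props:
        # Without a pinned RMI port the second listener lands on a random port,
        # which defeats host-firewall rules that only allow the JMX port.
        findings.append(("info", "RMI port not pinned (set jmxremote.rmi.port so firewall rules can cover it)"))
    return findings


# Constructed examples: the weak flags a scanner exploits, and a hardened set.
INSECURE_CMD = (
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar"
)
HARDENED_CMD = (
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.rmi.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.password.file=/etc/app/jmxremote.password "
    "-Dcom.sun.management.jmxremote.access.file=/etc/app/jmxremote.access "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Dcom.sun.management.jmxremote.registry.ssl=true "
    "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true "
    "-Djava.rmi.server.hostname=10.0.0.5 -jar app.jar"
)

if __name__ == "__main__":
    for name, cmd in (("insecure", INSECURE_CMD), ("hardened", HARDENED_CMD)):
        print(name, audit_jmx(cmd) or "no findings")
```

On a fleet, the same function can be run over the output of `ps -o args` or a process-inventory feed; the hardened command line additionally restricts the access file to read-only roles for monitoring accounts, which the flags alone cannot express.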
This indicates detection of the DoublePulsar backdoor. Backdoor trojans can connect to remote hosts and perform actions against the compromised system. DoublePulsar was revealed by the Shadow Brokers leak of April 2017 and was used in the WannaCry ransomware attack of May 2017.
This indicates an attack attempt against an information disclosure vulnerability in the Microsoft Windows SMB server. A remote attacker can exploit it to gain unauthorized access to sensitive information via a crafted SMB request. The technique has been incorporated into various tools and is used to scan for targets that may be affected by the vulnerabilities related to the Shadow Brokers leak (MS17-010).
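The two detections above are what a MS17-010 scan looks like from the wire: the scanner first sends an SMB Trans request (PeekNamedPipe) and reads the NT status in the reply, then sends a Trans2 SESSION_SETUP ping and reads the multiplex ID. The classifier below is an added example (not Fortinet's signature code) for anyone triaging these responses from a packet capture. The byte strings are constructed with the included builder; the framing (4-byte NetBIOS session header plus the 32-byte SMB1 header) and the two indicators (status 0xC0000205 STATUS_INSUFF_SERVER_RESOURCES on an unpatched server, multiplex ID 0x51 from a DoublePulsar implant where a clean host echoes the scanner's 0x41) are the public ones used by open-source MS17-010 and DoublePulsar scanners.

```python
"""Classify SMB1 responses seen during MS17-010 / DoublePulsar scanning.

Added example, not from the Fortinet report. The response bytes are built
here for illustration; the header layout and indicator values are the
public ones used by open-source scanners.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25    # carries the PeekNamedPipe vulnerability probe
SMB_COM_TRANSACTION2 = 0x32   # carries the DoublePulsar SESSION_SETUP ping
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched server's reply to the probe
DOUBLEPULSAR_MID = 0x51       # implant's reply; a clean host echoes the request's 0x41

# NetBIOS session header (type, 3-byte length) precedes the 32-byte SMB1 header:
# magic(4) command(1) status(4) flags(1) flags2(2) pid_high(2) signature(8)
# reserved(2) tid(2) pid_low(2) uid(2) mid(2)
HEADER_FMT = "<BIBHH8x2xHHHH"


def parse_smb1_header(data):
    """Return the SMB1 header fields as a dict, or None if data is not SMB1."""
    if len(data) < 4 + 32 or data[0] != 0x00:     # 0x00 = session message
        return None
    smb = data[4:]
    if smb[:4] != SMB_MAGIC:                       # SMB2 uses \xfeSMB and is not handled here
        return None
    command, status, flags, flags2, pid_high, tid, pid_low, uid, mid = struct.unpack(
        HEADER_FMT, smb[4:32]
    )
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
    }


def classify_response(data):
    """Map one SMB1 response to a scan verdict."""
    hdr = parse_smb1_header(data)
    if hdr is None:
        return "not-smb1"
    if hdr["command"] == SMB_COM_TRANSACTION and hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "ms17-010-vulnerable"
    if hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar-present"
    return "no-indicator"


def build_smb1_response(command, status, mid, flags=0x98, flags2=0xC001):
    """Construct a minimal NetBIOS-framed SMB1 reply (WordCount=0, ByteCount=0)."""
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8s2sHHHH", command, status, flags, flags2, 0, bytes(8), bytes(2), 0, 0, 0, mid
    )
    message = header + b"\x00\x00\x00"
    return b"\x00" + len(message).to_bytes(3, "big") + message


if __name__ == "__main__":
    samples = {
        "unpatched host, PeekNamedPipe probe": build_smb1_response(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, 0x41),
        "implanted host, Trans2 ping": build_smb1_response(SMB_COM_TRANSACTION2, 0, DOUBLEPULSAR_MID),
        "clean host, Trans2 ping": build_smb1_response(SMB_COM_TRANSACTION2, 0, 0x41),
    }
    for label, raw in samples.items():
        print(f"{label}: {classify_response(raw)}")
```

A "doublepulsar-present" verdict means the host is already compromised, not merely vulnerable; patching MS17-010 does not remove the implant, which lives in kernel memory until the next reboot and can be re-installed at will while the box is unpatched.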
Andromeda is a botnet used to distribute malware with different capabilities, depending on the command issued by its command-and-control (C&C) server. The toolkit for this botnet is sold on underground forums and is constantly updated.
This indicates detection of outbound network traffic originating from a computer infected with the W32/Conficker worm, also known as W32.Downadup and W32.Conficker. To spread, this worm exploits the Server Service vulnerability (CVE-2008-4250) described in Microsoft Security Bulletin MS08-067.
This detection covers a bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server, and relaying specific information back to it.