The results of Fortinet's Threat Intelligence Insider Latin America for the third quarter of 2019 show continued growth in malware, exploit and botnet activity across Latin America and the Caribbean. The main activity includes unwanted ads, cryptojacking, IoT intrusions, exploitation of vulnerabilities and malware that steals information from users.
What are the risk areas?
Among the most detected vulnerabilities, DoublePulsar, the backdoor used by the WannaCry ransomware, remains a mechanism for distributing malware in Latin America. Since it relies on vulnerabilities that were patched long ago (the SMBv1 flaws fixed in MS17-010), its continued use shows how large the unpatched software footprint in the region still is, affecting companies and individuals alike. Applying MS17-010 and disabling SMBv1 on hosts that do not need it closes the vector.
Exploits used to deliver ransomware, in many variants, remain very active in Latin America.
How to defend from such multi-pronged attacks?
Botnet activity keeps rising, evidence that the well-known problems with IoT devices persist. Default or weak passwords are the main infection vector for the Mirai botnet. Millions of devices are connected and controlled to spread infections and launch denial-of-service attacks. Botnets are evolving: today they infect not only consumer but also business IoT devices and use them as proxies to anonymise dark-market transactions.
During the third quarter of 2019, a growing number of WIFICAM attack attempts were detected in Latin America, an attack that aims to take control of IP cameras: another sign of the risk that IoT devices run when exposed to the network without proper protection.
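The Mirai infection vector above is a dictionary sweep of factory credentials over telnet, so the practical check is whether any device on your network accepts one of those pairs and which sources are sweeping for them. The script below is an added example, not Fortinet's or the report's code: the log format is a constructed syslog-like format for a hypothetical telnet gateway or honeypot, and the credential list is a subset of the username/password pairs hard-coded in the public Mirai source.

```python
"""Flag telnet logins that use credentials from the Mirai default list.

Added example, not Fortinet's code. The log format is a constructed syslog-like
format for a hypothetical telnet gateway or honeypot; the credential list is a
subset of the username/password pairs hard-coded in the public Mirai source.
"""
import re
from collections import Counter, defaultdict

# Subset of the pairs from the leaked Mirai scanner source ("" = empty password).
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"), ("admin", ""),
    ("root", "pass"), ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("ubnt", "ubnt"), ("root", "Zte521"),
}

# Constructed line shape:
# "<ts> <device> telnetd[<pid>]: LOGIN <ok|fail> user=<u> pass=<p> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd\[\d+\]: LOGIN (?P<result>ok|fail) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<src>[\d.]+)$"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pw"] = "" if rec["pw"] == "(none)" else rec["pw"]   # honeypot spelling of empty
    return rec

def analyse(lines, attempt_threshold=3):
    """Return (exposed_devices, scanners).

    exposed_devices: device -> set of Mirai default pairs that logged in successfully
    scanners: source IP -> number of attempts with Mirai default pairs, listed once
              that number reaches attempt_threshold (a Mirai-style dictionary sweep)
    """
    exposed = defaultdict(set)
    default_attempts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        pair = (rec["user"], rec["pw"])
        if pair not in MIRAI_DEFAULTS:
            continue
        default_attempts[rec["src"]] += 1
        if rec["result"] == "ok":
            exposed[rec["device"]].add(pair)
    scanners = {ip: n for ip, n in default_attempts.items() if n >= attempt_threshold}
    return dict(exposed), scanners

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2019-09-14T03:12:07Z cam-01 telnetd[412]: LOGIN fail user=root pass=xc3511 from=203.0.113.7
2019-09-14T03:12:08Z cam-01 telnetd[412]: LOGIN fail user=root pass=vizxv from=203.0.113.7
2019-09-14T03:12:09Z cam-01 telnetd[412]: LOGIN ok user=admin pass=admin from=203.0.113.7
2019-09-14T03:12:31Z dvr-02 telnetd[77]: LOGIN fail user=root pass=(none) from=198.51.100.9
2019-09-14T03:12:32Z dvr-02 telnetd[77]: LOGIN fail user=root pass=hunter2 from=198.51.100.9
2019-09-14T03:15:02Z dvr-02 telnetd[77]: LOGIN ok user=operator pass=Sz9!qmL1 from=10.0.0.5
"""

if __name__ == "__main__":
    exposed_devices, scanning_sources = analyse(SAMPLE_LOG.splitlines())
    print("devices accepting Mirai default credentials:", exposed_devices)
    print("sources sweeping Mirai defaults:", scanning_sources)
```

On the sample, cam-01 is reported as exposed (admin/admin succeeded) and 203.0.113.7 as a sweeper; the single root/(none) attempt from 198.51.100.9 stays below the threshold, and the strong operator login is ignored. The same logic runs unchanged over real gateway logs once the regular expression is adapted to their format.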
What are the implications for compromised IoT devices?
The report also reveals the most common infections in Latin America and the Caribbean:
Detects Microsoft Office documents that may be exploiting a memory-corruption vulnerability in EQNEDT32.EXE, the legacy Equation Editor, which can still be invoked from older Microsoft Office suites.
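A document only reaches EQNEDT32.EXE if it embeds an Equation Editor object, so a cheap first-pass triage is to look for the markers such an object leaves in the file. The script below is an added example, not Fortinet's detection logic or the report's code; the CLSID, stream name and ProgID it searches for are the publicly documented ones for Equation Editor 3.0, and the sample inputs are constructed.

```python
"""Static triage for documents carrying an Equation Editor (EQNEDT32.EXE) object.

Added example, not Fortinet's detection logic. It looks for the markers an Office
document or RTF file normally contains when it embeds Equation Editor 3.0: the
object's CLSID, its "Equation Native" stream name and its "Equation.3" ProgID, in
the raw and hex-encoded forms in which they appear on disk. A hit means "detonate
this in a sandbox", not "malicious" (legitimate old documents with equations also
match), and a miss does not prove the file clean, since RTF obfuscation can hide
the class name. The sample inputs are constructed.
"""
import uuid

# CLSID registered for Equation Editor 3.0 (EQNEDT32.EXE).
EQUATION_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")

# Markers matched byte-for-byte against the file.
BINARY_MARKERS = {
    "ole_clsid": EQUATION_CLSID.bytes_le,                             # OLE directory entry layout
    "equation_native_stream": "Equation Native".encode("utf-16-le"),  # OLE stream name
    "progid": b"Equation.3",                                          # RTF \objclass / OOXML
}
# Markers matched case-insensitively against hex text, as inside RTF \objdata.
HEX_MARKERS = {
    "rtf_hex_clsid": EQUATION_CLSID.bytes_le.hex().encode(),
    "rtf_hex_progid": b"Equation.3".hex().encode(),
}

def equation_markers(data: bytes):
    """Return the names of the Equation Editor markers present in `data`."""
    found = [n for n, p in BINARY_MARKERS.items() if p in data]
    lowered = data.lower()   # only ASCII letters change, so binary markers are unaffected
    found += [n for n, p in HEX_MARKERS.items() if p.lower() in lowered]
    return found

def triage(data: bytes):
    markers = equation_markers(data)
    return {"suspect": bool(markers), "markers": markers}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Constructed fragment of an OLE2 document whose directory names an Equation Native
# stream and whose entry carries the Equation Editor CLSID.
SAMPLE_OLE = (OLE_MAGIC + b"\x00" * 32 + "Equation Native".encode("utf-16-le")
              + b"\x00" * 16 + EQUATION_CLSID.bytes_le)
# Constructed RTF: \objclass names the ProgID in the clear, \objdata hex-encodes an
# OLE1 header (version, format, class-name length, class name) followed by the CLSID.
OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
              + (OLE1_HEADER + EQUATION_CLSID.bytes_le).hex().upper().encode() + b"}}}")
CLEAN_DOC = OLE_MAGIC + "Just a normal document".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("ole", SAMPLE_OLE), ("rtf", SAMPLE_RTF), ("clean", CLEAN_DOC)):
        print(label, triage(blob))
```

Run it over a mail-gateway quarantine and route every "suspect" file to sandbox detonation rather than blocking outright; the raw-byte search deliberately avoids parsing the container, so it also fires on malformed files that a strict OLE or RTF parser would reject.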
This detection is classified as a trojan. A trojan is a type of malware that performs activities without the user's knowledge. These commonly include establishing remote-access connections, capturing keyboard input, collecting system information, downloading and uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and starting or terminating processes.
Phishing campaign to steal users' personal data.
SIPVicious is a SIP scanner, an open-source VoIP auditing tool that is also widely used for reconnaissance against exposed PBXs. The signature fires on SIP requests from the scanner arriving at a rate of 200 per second; the rate threshold can be adjusted in the CLI or GUI to suit your environment.
This indicates detection of a scan attempt using UPnP SSDP M-SEARCH packets. Simple Service Discovery Protocol (SSDP) is a network protocol for advertising and discovering network services, and it is the discovery protocol underlying Universal Plug and Play (UPnP). SSDP uses HTTP over UDP (port 1900) to announce the availability or withdrawal of services to a multicast group. SSDP should never be reachable from the Internet: exposed responders are both an inventory for attackers and a source of reflected traffic.
This indicates an attack attempt against a UDP amplification flaw in the memcached protocol. An attacker sends small requests with a spoofed source address to an Internet-exposed memcached server; because the server answers over UDP to whatever address the request claims to come from, the much larger responses are reflected onto the victim, producing a denial-of-service condition. The signature fires on 50 suspicious requests within one second. Memcached should listen only on trusted interfaces, and versions from 1.5.6 onward disable the UDP listener by default.
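Two of the signatures above (SIPVicious and memcached) are rate thresholds, "N matching packets from one source within T seconds", and the SSDP one is a plain content match. The script below is an added example, not Fortinet's signature engine or the report's code: records are (timestamp, source IP, destination port, payload) tuples constructed in make_traffic(), and the match rules rely on publicly known protocol details, namely SIPVicious's default "friendly-scanner" User-Agent, memcached's 8-byte UDP frame header on port 11211, and SSDP M-SEARCH on UDP/1900. The thresholds are the ones stated above; the signature names are illustrative.

```python
"""Threshold signatures of the kind described for SIPVicious (200 SIP requests per
second) and memcached (50 requests per second), plus a content match for SSDP M-SEARCH.

Added example, not Fortinet's signature engine. Records are (timestamp, src_ip,
dst_port, payload) tuples constructed in make_traffic(); the match rules use
publicly known protocol details (SIPVicious's default "friendly-scanner"
User-Agent, memcached's 8-byte UDP frame header on port 11211, SSDP on UDP/1900).
"""
from collections import defaultdict, deque

def is_sipvicious(rec):
    _ts, _src, dport, payload = rec
    return dport == 5060 and payload.startswith(b"OPTIONS sip:") \
        and b"User-Agent: friendly-scanner" in payload

def is_ssdp_msearch(rec):
    _ts, _src, dport, payload = rec
    return dport == 1900 and payload.startswith(b"M-SEARCH * HTTP/1.1")

def is_memcached_query(rec):
    _ts, _src, dport, payload = rec
    body = payload[8:]  # skip the memcached UDP frame header
    return dport == 11211 and (body.startswith(b"stats") or body.startswith(b"gets "))

class RateSignature:
    """Fire once per source when `threshold` matching packets fall within `window` seconds."""

    def __init__(self, name, match, threshold, window=1.0):
        self.name, self.match = name, match
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)   # src -> timestamps still inside the window
        self.fired = set()

    def feed(self, rec):
        if not self.match(rec):
            return None
        ts, src = rec[0], rec[1]
        q = self.history[src]
        q.append(ts)
        while ts - q[0] > self.window:      # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and src not in self.fired:
            self.fired.add(src)
            return (self.name, src, ts)
        return None

def build_signatures():
    # Thresholds mirror the two rate-based signatures described in the text; the
    # SSDP rule fires on a single discovery probe reaching the sensor.
    return [
        RateSignature("SIPVicious.Scanner", is_sipvicious, threshold=200),
        RateSignature("Memcached.UDP.Amplification", is_memcached_query, threshold=50),
        RateSignature("UPnP.SSDP.M-SEARCH.Scan", is_ssdp_msearch, threshold=1),
    ]

def run(records):
    """Replay records in time order and return the list of (name, src, ts) alerts."""
    sigs = build_signatures()
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        for sig in sigs:
            alert = sig.feed(rec)
            if alert:
                alerts.append(alert)
    return alerts

def make_traffic():
    """Constructed traffic: a SIPVicious sweep, a memcached reflection burst, one SSDP
    probe, and a benign memcached monitor polling once per second."""
    recs = []
    sip = b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\nUser-Agent: friendly-scanner\r\n\r\n"
    for i in range(250):                    # 250 probes in half a second
        recs.append((100.0 + i * 0.002, "203.0.113.7", 5060, sip))
    mc = b"\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n"   # frame header + "stats" command
    for i in range(60):                     # 60 requests in 0.6 s; in a real reflection
        recs.append((200.0 + i * 0.01, "198.51.100.20", 11211, mc))   # attack src is the victim
    recs.append((300.0, "203.0.113.7", 1900,
                 b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
                 b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n'))
    for i in range(20):                     # one "stats" per second stays well below 50/s
        recs.append((400.0 + i, "10.0.0.5", 11211, mc))
    return recs

if __name__ == "__main__":
    for name, src, ts in run(make_traffic()):
        print(f"{ts:9.3f}  {name:32s} src={src}")
```

The sweep and the burst each produce exactly one alert, the SSDP probe one, and the once-a-second monitor none. The memcached case shows why the threshold is per source: during a reflection attack the "source" seen by the server is the spoofed victim, so the alert identifies who is being attacked, not who is attacking, and the fix is on the server side (no UDP, no public listener) rather than in blocking that address.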
This indicates that a system might be infected by the Sora botnet. Sora is IoT malware, a Mirai variant, that targets embedded systems.
This indicates that a system might be infected by the ZeroAccess botnet. System compromise: remote attackers can gain control of vulnerable systems.
Andromeda is a botnet used to distribute malware with different capabilities, depending on the command issued by its command-and-control (C&C) server. The toolkit for this botnet can be obtained in the Internet underground and is constantly updated.