Executive Summary

The results of Fortinet Threat Intelligence Insider Latin America for the third quarter of 2019 reveal the continued increase of malware, exploit and botnet activity in Latin America and the Caribbean. The main activities include unwanted ads, cryptojacking, IoT intrusions, exploitation of vulnerabilities and malware that steals information from users.

What are the risk areas?

  • Network silos: segments that are not visible or lack integrated security management.
  • Unpatched software with critical vulnerabilities exposed to the Internet.
  • Infected devices, or those prone to more serious infections.
  • Users misusing resources, browsing dangerous sites or downloading illegal software.
  • Misleading ads promoting malware.
  • IoT devices without control or adequate security policies.

In regard to the most detected vulnerabilities, DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in Latin America. Since it takes advantage of vulnerabilities that have already been fixed, its continued use is evidence of the vast footprint of unpatched software in the region, affecting companies and individuals alike.

Different variations of exploits for ransomware are still very active in Latin America.

How to defend from such multi-pronged attacks?

  • Inventory all devices
  • Automate patching
  • Segment the network
  • Track threats
  • Watch for indicators of compromise
  • Harden endpoints and access points
  • Implement security controls
  • Use security automation
  • Back up critical systems
  • Create an integrated security environment

Botnets are still on the rise, evidence that the common problems with IoT devices continue. Default or weak passwords are the main infection vector for the Mirai botnet. Millions of devices are connected and controlled to spread infections and launch Denial of Service attacks. Botnets are evolving and today are able to infect not only consumer but also business IoT devices, using them as proxies to anonymize dark-market transactions.

During the third quarter of 2019, a growing number of WIFICAM attempts were detected in Latin America, an attack that aims to take control of IP cameras. This is another sign of the risk that IoT devices face when they are not properly protected by the network.

What are the implications for compromised IoT devices?

  • Ransomware and cryptojacking infections
  • Involvement in DDoS or SPAM attacks
  • Password or business-critical information theft
  • Illegal activities in the dark web

The report also reveals the most common infections in Latin America and the Caribbean:

  • Malware infections generating unwanted ads or redirection to sites infected with malware
  • Trojans or backdoors that allow the attacker to take full control of the infected devices
  • Viruses or advanced malware infections that exfiltrate information such as passwords and usernames, among others
  • Malware that exploits common vulnerabilities, giving attackers remote access to infected devices
  • Riskware: free software or software of unrecognized origin that offers features such as protection to the user, but also opens the possibility of infections

Tips
  • Use strong passwords or password managers for applications and for access to IoT devices, SIP devices and applications.
  • Update your applications and infrastructure on a regular basis.
  • Define your controls on each of your perimeters, including Cloud applications.
  • Monitor and analyze your data with Indicators of Compromise to gain visibility and stop common infections.
  • Secure your SIP server: protect it from the Internet by being more restrictive about which extensions can be reached from external IP addresses.
  • Create usernames different from extensions: most brute-force attempts try usernames that match the extension numbers or common user names.
  • Protect your IoT devices with perimeter defense, including access control and intrusion prevention policies.
  • Always be prepared for an infection or exploitation; reduce the impact with recovery plans and actions to avoid damage.
  • Implement an integrated security strategy, using security controls and security automation.
