The results of Fortinet Threat Intelligence Insider Latin America for the third quarter of 2019 reveal a continued increase in malware, exploit and botnet activity in Latin America and the Caribbean. The main activities include unwanted ads, cryptojacking, IoT intrusions, exploitation of vulnerabilities and malware that steals information from users.
What are the risk areas?
Among the most frequently detected vulnerabilities, DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in Latin America. Since it takes advantage of vulnerabilities that have long since been patched, its continued use is evidence of the region's large footprint of software that never receives updates, affecting companies and individuals alike.
Different variations of exploits for ransomware remain very active in Latin America.
How can such multi-pronged attacks be defended against?
Botnets are still on the rise, evidence that the familiar problems with IoT devices persist. Default or weak passwords are the main infection vector for the Mirai botnet. Millions of devices are connected and controlled to spread further infections and launch Denial of Service attacks. Botnets are evolving and can now infect not only consumer but also business IoT devices, using them as proxies to anonymize dark-market transactions.
During the third quarter of 2019, a growing number of WIFICAM attempts, an attack that aims to take control of IP cameras, were detected in Latin America: another sign of the risk that IoT devices run when they are not properly protected at the network level.
What are the implications for compromised IoT devices?
The report also reveals the most common infections in Latin America and the Caribbean:
is classified as a file infector. A file infector is a type of malware that has the capability to propagate by attaching its code to other programs or files.
is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware, but may utilize system resources in an undesirable or annoying manner, and/or may pose a security risk.
is a highly generic detection for a trojan and possible attacker tools. Since this is a generic detection, malware detected as W32/PWS.Y!tr may exhibit varying behaviour.
This indicates detection of an attempted brute force attack on Microsoft Remote Desktop Protocol (RDP). The attack consists of multiple RDP requests intended to conduct a brute force RDP login, launched at a rate of about 200 times in 10 seconds.
This indicates detection of an NBTStat query. NBTStat can display NetBIOS statistics, name tables for both local and remote systems, and the name cache. A remote attacker can use this information to prepare for further attacks.
This indicates a potential information disclosure vulnerability in various D-Link DSL routers with Simple Network Management Protocol (SNMP). There is a vulnerability in the handling of the SNMP community string that allows a remote attacker to access a target system without proper authorization.
This indicates that a system might be infected by the Emotet botnet. Emotet is a Trojan that targets the Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealers. Emotet is a variant of the Cridex malware.
This indicates that a system might be infected by the Sora botnet. Sora is IoT malware that targets embedded systems.
This indicates a possible action raised by the Mariposa botnet. Mariposa showed a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers.
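As an added illustration of the RDP brute-force detection listed above (this is example code, not code from the Fortinet report), the following Python script applies the same sliding-window rule, about 200 attempts against TCP/3389 from one source within 10 seconds, to constructed firewall-style log lines; the log format, IP addresses and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold taken from the report's description of the RDP brute-force signature:
# roughly 200 login attempts against TCP/3389 within 10 seconds from one source.
WINDOW = timedelta(seconds=10)
THRESHOLD = 200
RDP_PORT = 3389

def parse_line(line):
    """Parse one constructed log line such as
    '2019-09-15T10:00:00.040000 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=deny'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], int(kv["dport"])

def detect_rdp_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Per-source sliding-window counter over RDP attempts. Returns a list of
    (src, first_seen, last_seen, count) alerts, at most one per source per window."""
    events = sorted(parse_line(l) for l in lines)      # order by timestamp
    recent = defaultdict(deque)                         # src -> timestamps in window
    alerted_until = {}                                  # src -> earliest next alert time
    alerts = []
    for ts, src, dport in events:
        if dport != RDP_PORT:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:                       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ts >= alerted_until.get(src, datetime.min):
            alerts.append((src, q[0], ts, len(q)))
            alerted_until[src] = ts + window            # suppress repeats for one window
    return alerts

def make_sample_log():
    """Constructed sample (not real report data): one host making 240 RDP attempts
    at 40 ms intervals (about 9.6 s) and a second host making five normal logins."""
    base = datetime(2019, 9, 15, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=40 * i)).isoformat()} "
             f"src=203.0.113.7 dst=192.0.2.10 dport=3389 action=deny" for i in range(240)]
    lines += [f"{(base + timedelta(seconds=2 * i)).isoformat()} "
              f"src=198.51.100.3 dst=192.0.2.10 dport=3389 action=allow" for i in range(5)]
    return lines

if __name__ == "__main__":
    for src, first, last, n in detect_rdp_bruteforce(make_sample_log()):
        print(f"ALERT: {n} RDP attempts from {src} between {first.time()} and {last.time()}")
```

Real firewall logs will need their own parser, but the windowing logic is unchanged: only the hammering host trips the threshold, and the benign host never does.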