Leveraging At-Home Technology as a Gateway to the Enterprise
An unforeseeable shift in network structures and attack strategies was dropped on the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals in Latin America and the Caribbean, we are now dealing with a threat landscape that’s become more intense, complex, and saturated than ever before.
During the pandemic, there has been an exponential rise and a reliance on home networks and consumer grade devices, such as home routers and modems – something which cyber criminals were quick to take notice of. For attackers, this shift has presented a unique opportunity to exploit these devices and gain a foothold in enterprise.
Recent phishing tactics are far more sophisticated and have evolved to target the weak links found at the edges of business networks. The majority of these phishing attacks contain malicious payloads – including ransomware, viruses, and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, enabling them to perform remote desktop protocol (RDP) exploits.
Ransomware Attacks Becoming More Sophisticated
Ransomware attacks have always been a significant concern for businesses. But over the past several months they’ve become more prevalent and costlier – both in terms of downtime and damages. Ransomware has been discovered hidden in messages, attachments, and documents related to COVID-19. Moreover, these threats continue to grow more sophisticated.
Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity. A vital component of this is continuous access to up-to-date threat intelligence and cybersecurity training.
Exploit Attempts Landscape
Again in the third quarter of 2020, DoublePulsar was the threat with most attempts in Latin America and the Caribbean. DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Considering it takes advantage of already resolved vulnerabilities, its continuous use evidences the vast software footprint without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted to banks and financial service companies.
In addition, brute-force attacks continue to be very active in the region, 6 out of top 10 exploit threats were a type of
brute-force attack. With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.
The growth of remote work has rekindled the interest of cybercriminals in brute force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system. Brute-force attacks are commonly used to decrypt encryption algorithms or get weak passwords, email passwords, social network credentials, Wi-Fi access, etc.
As threats evolve and being more sophisticated, security teams must ensure they have access to real-time threat intelligence in order to stay up-to-date with the latest attack trends and methods. That effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies.
Security professionals should take note: The browser has been a key delivery vector for malware thus far in 2020, and this trend will likely continue into the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the transition to a remote workforce strategy.
For this reason, organizations must not only provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network, but also provide additional resources, such as new endpoint detection and response (EDR) solutions that can detect and stop advanced threats.
MSOffice/CVE_2017_11882.B!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable that can be invoked via an older suite of Microsoft Office of products.
Data/Phish.AF6A!phish When the link is clicked, a second browser window opens taking the user to a website located at an IP address different than that to what the user expects. At this site the user will be presented with an official looking form and will most likely be asked to input information such as their ATM, credit card number, bank account number and associated PINs.
W32/PECompact!tr is classified as a Trojan that has the capabilities to remote access connection handling, perform Denial of Service (DoS) or Distributed DoS (DDoS), capture keyboard inputs, delete file or object, or terminate process.
SMB.Login.Brute.Force This indicates a detection of at least 500 failed SAMBA logins in one minute which indicate a possible SAMBA logins brute force attack. Affected Microsoft Windows Operating Systems.
Backdoor.DoublePulsar This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.
WIFICAM.P2P.GoAhead.Multiple.Remote.Code.Execution This indicates an attack attempt to exploit a Command Injection vulnerability in WIFICAM. The vulnerability is due to improper validation of user supplied inputs in the application. A remote attacker can exploit this to inject malicious commands on the affected devices.
Andromeda.Botnet Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
FinFisher.Botnet This indicates that a system might be infected by FinFisher Botnet. FinFisher, also known as FINSPY is a surveillance malware that targets Windows platform.
Sora.Botnet This indicates that a system might be infected by a Sora Botnet. Sora is an IoT malware which targets embedded systems.