Fortinet | Threat Intelligence Insider LATAM

Executive Summary

Leveraging At-Home Technology as a Gateway to the Enterprise

An unforeseeable shift in network structures and attack strategies was dropped on the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals in Latin America and the Caribbean, we are now dealing with a threat landscape that’s become more intense, complex, and saturated than ever before.

During the pandemic, there has been an exponential rise and a reliance on home networks and consumer grade devices, such as home routers and modems – something which cyber criminals were quick to take notice of. For attackers, this shift has presented a unique opportunity to exploit these devices and gain a foothold in enterprise.

Recent phishing tactics are far more sophisticated and have evolved to target the weak links found at the edges of business networks. The majority of these phishing attacks contain malicious payloads – including ransomware, viruses, and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, enabling them to perform remote desktop protocol (RDP) exploits.

Ransomware Attacks Becoming More Sophisticated

Ransomware attacks have always been a significant concern for businesses. But over the past several months they’ve become more prevalent and costlier – both in terms of downtime and damages. Ransomware has been discovered hidden in messages, attachments, and documents related to COVID-19. Moreover, these threats continue to grow more sophisticated.

Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity. A vital component of this is continuous access to up-to-date threat intelligence and cybersecurity training.

Exploit Attempts Landscape

Again in the third quarter of 2020, DoublePulsar was the threat with most attempts in Latin America and the Caribbean. DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Considering it takes advantage of already resolved vulnerabilities, its continuous use evidences the vast software footprint without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted to banks and financial service companies.

In addition, brute-force attacks continue to be very active in the region, 6 out of top 10 exploit threats were a type of

brute-force attack. With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.

The growth of remote work has rekindled the interest of cybercriminals in brute force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system. Brute-force attacks are commonly used to decrypt encryption algorithms or get weak passwords, email passwords, social network credentials, Wi-Fi access, etc.

Tips

As threats evolve and being more sophisticated, security teams must ensure they have access to real-time threat intelligence in order to stay up-to-date with the latest attack trends and methods. That effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies.

Security professionals should take note: The browser has been a key delivery vector for malware thus far in 2020, and this trend will likely continue into the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the transition to a remote workforce strategy.

For this reason, organizations must not only provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network, but also provide additional resources, such as new endpoint detection and response (EDR) solutions that can detect and stop advanced threats.

select country

Dominican Republic

download PDF

FORTIGUARD AV TRENDS

Dominican Republic AV TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	Riskware/FusionCore	12,546
2	Riskware/GenericBG	10,172
3	W32/PECompact!tr	9,919
4	W32/PcClient.AHFM!tr.bdr	6,287
5	W32/FakeAlert.AB!tr	6,284
6	JS/Phish.AB38!tr	3,467
7	HTML/Phish.B2D7!tr	2,288
8	W32/Bagle.AXX!tr.dldr	2,392
9	W32/AGEN.1017881!tr	2,288
10	W32/Dx.HP!tr	1,617

Total top ten AV TRENDS:

57,485

Riskware/FusionCore

Riskware/FusionCore is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware, but may utilize system resources in an undesirable or annoying manner, and/or may pose a security risk.

Riskware/GenericBG

Riskware/GenericBG is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware, but may utilize system resources in an undesirable or annoying manner, and/or may pose a security risk.

W32/PECompact!tr

W32/PECompact!tr is a very generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/PECompact!tr may have varying behaviour.

FORTIGUARD IPS TRENDS

Dominican Republic IPS TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	Backdoor.DoublePulsar	7,890,792
2	OpenVAS.Web.Scanner	1,556,343
3	NTPsec.ntpd.ctl_getitem.Out.of.Bounds.Read	297,058
4	SSLv3.POODLE.Information.Disclosure	193,305
5	HTTP.URI.SQL.Injection	103,719
6	Web.Server.Password.Files.Access	74,793
7	Cross.Site.Scripting	57,768
8	Backdoor.Empire	37,781
9	SMB.Login.Brute.Force	17,827
10	ThinkPHP.Controller.Parameter.Remote.Code.Execution	16,071

Total top ten IPS TRENDS:

10,245,457

Backdoor.DoublePulsar

Backdoor.DoublePulsar This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.

OpenVAS.Web.Scanner

OpenVAS.Web.Scanner This indicates detection of an attempted scan to access various files on a server by OpenVAS Vulnerability Scanner. As access to such files are usually restricted, attempts to access the file might indicates a recon attempt by a malicious actor.

NTPsec.ntpd.ctl_getitem.Out.of.Bounds.Read

NTPsec.ntpd.ctl_getitem.Out.of.Bounds.Read This indicates an attack attempt to exploit an Out Of Bounds Read vulnerability in ntpd. A remote unauthenticated user can exploit this vulnerability by sending a crafted NTP control request to the target server. Successful exploitation could lead to disclosure of sensitive information.

FORTIGUARD BOTNET TRENDS

Dominican Republic BOTNET TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	Andromeda.Botnet	978,765
2	njRAT.Botnet	328,090
3	Emotet.Botnet	180,457
4	H-worm.Botnet	160,369
5	Emotet.Cridex.Botnet	76,125
6	Gozi.Botnet	72,469
7	Conficker.Botnet	72,045
8	Sality.Botnet	19,299
9	Mirai.Botnet	11,690
10	Jeefo.Botnet	8,134

Total top ten BOTNET TRENDS:

1,907,443

Andromeda.Botnet

Andromeda.Botnet Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.

njRAT.Botnet

njRAT.Botnet This indicates that a system might be infected by njRAT Botnet. System Compromise: Remote attackers can gain control of vulnerable systems.

Emotet.Botnet

Emotet.Cridex.Botnet This indicates that a system might be infected by Emotet Botnet. Emotet is a Trojan that targets Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealer. Emotet is a variant of Cridex malware.