Fortinet | Threat Intelligence Insider LATAM

Executive Summary

Leveraging At-Home Technology as a Gateway to the Enterprise

An unforeseeable shift in network structures and attack strategies was dropped on the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals in Latin America and the Caribbean, we are now dealing with a threat landscape that’s become more intense, complex, and saturated than ever before.

During the pandemic, there has been an exponential rise and a reliance on home networks and consumer grade devices, such as home routers and modems – something which cyber criminals were quick to take notice of. For attackers, this shift has presented a unique opportunity to exploit these devices and gain a foothold in enterprise.

Recent phishing tactics are far more sophisticated and have evolved to target the weak links found at the edges of business networks. The majority of these phishing attacks contain malicious payloads – including ransomware, viruses, and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, enabling them to perform remote desktop protocol (RDP) exploits.

Ransomware Attacks Becoming More Sophisticated

Ransomware attacks have always been a significant concern for businesses. But over the past several months they’ve become more prevalent and costlier – both in terms of downtime and damages. Ransomware has been discovered hidden in messages, attachments, and documents related to COVID-19. Moreover, these threats continue to grow more sophisticated.

Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity. A vital component of this is continuous access to up-to-date threat intelligence and cybersecurity training.

Exploit Attempts Landscape

Again in the third quarter of 2020, DoublePulsar was the threat with most attempts in Latin America and the Caribbean. DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Considering it takes advantage of already resolved vulnerabilities, its continuous use evidences the vast software footprint without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted to banks and financial service companies.

In addition, brute-force attacks continue to be very active in the region, 6 out of top 10 exploit threats were a type of

brute-force attack. With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.

The growth of remote work has rekindled the interest of cybercriminals in brute force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system. Brute-force attacks are commonly used to decrypt encryption algorithms or get weak passwords, email passwords, social network credentials, Wi-Fi access, etc.

Tips

As threats evolve and being more sophisticated, security teams must ensure they have access to real-time threat intelligence in order to stay up-to-date with the latest attack trends and methods. That effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies.

Security professionals should take note: The browser has been a key delivery vector for malware thus far in 2020, and this trend will likely continue into the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the transition to a remote workforce strategy.

For this reason, organizations must not only provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network, but also provide additional resources, such as new endpoint detection and response (EDR) solutions that can detect and stop advanced threats.

select country

Mexico

download PDF

FORTIGUARD AV TRENDS

Mexico AV TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	W32/Frauder.ALT!tr.bdr	384,302
2	W32/Cutwail!tr	187,436
3	W32/HexZone!tr	69,714
4	MSOffice/CVE_2017_11882.C!exploit	62,625
5	W32/Tibs.HI@mm	57,650
6	W32/Dx.HP!tr	51,237
7	W32/VB.CBV!tr.dldr	32,957
8	W32/Zlob.ASS!tr.bdr	37,963
9	W32/Injector.EEHO!tr	32,957
10	RTF/CVE_2017_11882.C!exploit	23,373

Total top ten AV TRENDS:

953,664

W32/Frauder.ALT!tr.bdr

W32/Frauder.ALT!tr.bdr is classified as Trojan with backdoor properties. Backdoor Trojan has the capability to receive a remote connection from a malicious hacker and perform actions against the compromised system.

W32/Cutwail!tr

W32/Cutwail!tr is classified as a trojan. Its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.

W32/HexZone!tr

W32/HexZone!tr is classified as a trojan. Its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.

FORTIGUARD IPS TRENDS

Mexico IPS TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	Backdoor.DoublePulsar	369,441,879
2	SMB.Login.Brute.Force	363,996,795
3	SIPVicious.svcrack.Brute.Force.Login	153,153,181
4	SSH.Connection.Brute.Force	80,090,039
5	SSLv3.POODLE.Information.Disclosure	17,517,430
6	WIFICAM.P2P.GoAhead.Multiple.Remote.Code.Execution	4,521,264
7	Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass	4,194,796
8	MS.DNS.WINS.Server.Information.Spoofing	3,785,866
9	MS.RDP.Connection.Brute.Force	1,984,457
10	SIPVicious.SIP.Scanner	1,812,075

Total top ten IPS TRENDS:

1,000,497,782

Backdoor.DoublePulsar

Backdoor.DoublePulsar This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.

SMB.Login.Brute.Force

SMB.Login.Brute.Force This indicates a detection of at least 500 failed SAMBA logins in one minute which indicate a possible SAMBA logins brute force attack. Affected Microsoft Windows Operating Systems.

SIPVicious.svcrack.Brute.Force.Login

SIPVicious.svcrack.Brute.Force.Login This indicates detection of an attempted brute force login from SIPVicious svcrack. SIPVicious is a SIP scanner. Remote attackers can gain access to the service provided by the vulnerable systems.

FORTIGUARD BOTNET TRENDS

Mexico BOTNET TRENDS Q3-2020

Q3-2020 Top 10

Top	Name	Count
1	Andromeda.Botnet	22,321,137
2	H-worm.Botnet	3,171,456
3	njRAT.Botnet	2,447,620
4	BadRabbit.Botnet	2,314,973
5	Emotet.Cridex.Botnet	2,122,109
6	Conficker.Botnet	1,759,683
7	Necurs.Botnet	1,393,520
8	XorDDOS.Botnet	1,346,049
9	Gozi.Botnet	1,004,469
10	Neurevt.Botnet	732,334

Total top ten BOTNET TRENDS:

38,613,350

Andromeda.Botnet

Andromeda.Botnet Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.

H-worm.Botnet

H-worm.Botnet This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information.

njRAT.Botnet

njRAT.Botnet This indicates that a system might be infected by njRAT Botnet. System Compromise: Remote attackers can gain control of vulnerable systems.