Leveraging At-Home Technology as a Gateway to the Enterprise
An unforeseeable shift in network structures and attack strategies was dropped on the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals in Latin America and the Caribbean, we are now dealing with a threat landscape that’s become more intense, complex, and saturated than ever before.
During the pandemic, reliance on home networks and consumer-grade devices, such as home routers and modems, has risen exponentially, something cyber criminals were quick to notice. For attackers, this shift has presented a unique opportunity to exploit these devices and gain a foothold in the enterprise.
Recent phishing tactics are far more sophisticated and have evolved to target the weak links found at the edges of business networks. The majority of these phishing attacks contain malicious payloads – including ransomware, viruses, and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, enabling them to perform remote desktop protocol (RDP) exploits.
Ransomware Attacks Becoming More Sophisticated
Ransomware attacks have always been a significant concern for businesses. But over the past several months they’ve become more prevalent and costlier – both in terms of downtime and damages. Ransomware has been discovered hidden in messages, attachments, and documents related to COVID-19. Moreover, these threats continue to grow more sophisticated.
Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity. A vital component of this is continuous access to up-to-date threat intelligence and cybersecurity training.
Exploit Attempts Landscape
Again in the third quarter of 2020, DoublePulsar was the threat with the most attempts in Latin America and the Caribbean. DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Because it takes advantage of vulnerabilities that have already been resolved, its continued use is evidence of the vast footprint of software without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted at banks and financial service companies.
In addition, brute-force attacks continue to be very active in the region: 6 out of the top 10 exploit threats were a type of brute-force attack. With the massive transition to the home office, cybercriminals find a significant number of misconfigured Remote Desktop Protocol (RDP) servers, leading to more such attacks.
The growth of remote work has rekindled the interest of cybercriminals in brute-force attacks, which are repeated and systematic attempts to guess a credential by sending different usernames and passwords to try to access a system. Brute-force attacks are commonly used to break encryption or to obtain weak passwords, email passwords, social network credentials, Wi-Fi access, etc.
As threats evolve and become more sophisticated, security teams must ensure they have access to real-time threat intelligence in order to stay up-to-date with the latest attack trends and methods. Effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies.
Security professionals should take note: The browser has been a key delivery vector for malware thus far in 2020, and this trend will likely continue into the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the transition to a remote workforce strategy.
For this reason, organizations must not only provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network, but also provide additional resources, such as new endpoint detection and response (EDR) solutions that can detect and stop advanced threats.
MSOffice/CVE_2017_11882.B!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable, which can be invoked via an older suite of Microsoft Office products.
Android/Clicker.MR!tr is classified as a trojan. A trojan is a type of malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
AutoIt/Injector.FIC!tr is classified as a trojan. Its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
Backdoor.DoublePulsar: This indicates detection of the DoublePulsar Backdoor. Backdoor trojans have the capability to connect to remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.
SSLv3.POODLE.Information.Disclosure: This indicates an attack attempt to exploit an Information Disclosure vulnerability in OpenSSL. The vulnerability is due to an error in the application when it handles maliciously crafted SSLv3 messages. A remote attacker can exploit this to access sensitive information. The signature triggers on 200 SSLv3 messages within a span of 10 seconds.
Working.Resources.Badblue.Malformed.HTTP.DoS: This indicates that an attacker attempted a Denial of Service attack against Working Resources BadBlueApple. Working Resources BadBlueApple is vulnerable to a Denial of Service attack if a malicious attacker sends it GET requests without specifying a document.
Andromeda.Botnet: Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
Emotet.Cridex.Botnet: This indicates that a system might be infected by the Emotet Botnet. Emotet is a Trojan that targets the Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealers. Emotet is a variant of the Cridex malware.
Cidox.Botnet: The Cidox botnet targets the Windows platform. The malware is injected into running processes such as explorer.exe, svchost.exe, and chrome.exe. It hooks several functions within the injected process for redirecting to unwanted links. This bot also gathers basic information from the infected machine and communicates with its C&C server.
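The rate threshold quoted for the SSLv3.POODLE signature (200 SSLv3 messages within 10 seconds) and the repeated-guess pattern of the brute-force attacks described earlier can both be detected with a per-source sliding window. The sketch below is an added example, not Fortinet's signature logic: the function names, the record layout, the sample traffic and the brute-force threshold of 20 failures in 60 seconds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

SSLV3 = 0x0300  # record-layer version bytes for SSL 3.0


def burst_sources(events, threshold, window_ms):
    """Return {source: time_ms of the event that completed `threshold`
    events inside a sliding window of `window_ms` milliseconds}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window_ms:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(src, ts)  # keep the first trigger only
    return alerts


def poodle_alerts(records):
    """records: (time_ms, source_ip, record_version). Threshold from the
    signature description: 200 SSLv3 messages within 10 seconds."""
    sslv3 = [(ts, src) for ts, src, ver in records if ver == SSLV3]
    return burst_sources(sslv3, threshold=200, window_ms=10_000)


def bruteforce_alerts(logons, threshold=20, window_ms=60_000):
    """logons: (time_ms, source_ip, success). The threshold and window are
    assumed values for illustration; the page does not give any."""
    failed = [(ts, src) for ts, src, ok in logons if not ok]
    return burst_sources(failed, threshold, window_ms)


# Constructed sample traffic (documentation address ranges, not real data).
RECORDS = (
    [(i * 40, "203.0.113.7", SSLV3) for i in range(200)]       # 200 in 8 s
    + [(i * 100, "198.51.100.9", SSLV3) for i in range(200)]   # 200 in 20 s
    + [(i * 10, "192.0.2.44", 0x0303) for i in range(500)]     # TLS 1.2 only
)
LOGONS = (
    [(i * 1_000, "203.0.113.7", False) for i in range(25)]     # rapid failures
    + [(i * 30_000, "192.0.2.44", i % 3 == 2) for i in range(9)]  # slow typos
)

if __name__ == "__main__":
    print("POODLE-style bursts:", poodle_alerts(RECORDS))
    print("Brute-force bursts:", bruteforce_alerts(LOGONS))
```

Only the first source trips either rule: the slower SSLv3 client never has more than 100 records inside any 10-second window, and the occasional failed logons from the third address stay far below the assumed brute-force threshold.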